Documentation ¶
Overview ¶
Package rootcerts exists to support creating Docker images `FROM scratch`.
For a Go binary to be able to run in a `FROM scratch` image, it needs a few things: 1. It must be compiled with `CGO_ENABLED=0`. 2. It must have access to timezone data (if it handles time data). 3. It must have access to a CA trust store.
The first two are easy, and natively supported by the Go runtime, but third is not.
This package provides a vendored set of root certificates downloaded from Mozilla, embedded into Go source files. CI will check if this list is up-to-date, and fail the lint job if it is not.
For most use-cases, calling rootcerts.UpdateDefaultTransport will be all you need to do from consuming code (e.g. using Go's HTTP client).
Some systems (like the Go AWS SDK) require passing the results of rootcerts.DERReader to setup the trust store there.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AddPEM ¶
AddPEM Adds a the supplied PEM formatted Certificate to the set of certs used by Rootcerts. This is useful when an individual CA needs to be added to the trust chain.
AddPEM only support Certificates, it doesn't support Private keys.
func ServerCertPool ¶
ServerCertPool returns a pool containing all root CA certificates that are trusted for issuing server certificates.
func UpdateDefaultTransport ¶
func UpdateDefaultTransport() error
UpdateDefaultTransport updates the configuration for http.DefaultTransport to use the root CA certificates defined here when used as an HTTP client.
It will return an error if the DefaultTransport is not actually an *http.Transport.
Types ¶
type Cert ¶
type Cert struct { Label string Serial string Trust TrustLevel DER []byte }
A Cert defines a single unparsed certificate.
func Certs ¶
func Certs() []Cert
Certs returns all trusted certificates extracted from certdata.txt.
func CertsByTrust ¶
func CertsByTrust(t TrustLevel) (result []Cert)
CertsByTrust returns only those certificates that match all bits of the specified TrustLevel.
func (*Cert) X509Cert ¶
func (c *Cert) X509Cert() *x509.Certificate
X509Cert parses the certificate into a *x509.Certificate.
type TrustLevel ¶
type TrustLevel int
TrustLevel defines for which purposes the certificate is trusted to issue certificates (ie. to act as a CA)
const ( ServerTrustedDelegator TrustLevel = 1 << iota // Trusted for issuing server certificates EmailTrustedDelegator // Trusted for issuing email certificates CodeTrustedDelegator // Trusted for issuing code signing certificates )