certificates

package
v0.0.0-...-31b55c1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 15, 2024 License: Apache-2.0 Imports: 39 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	Organization    = "research.ibm.com"
	CertName        = "tls.crt"
	PrivateKeyName  = "tls.key"
	SymetricKeyName = "sym.key"
	RotUrlName      = "rot-url"

	RotCaName = "rot-ca"
	PeerName  = "peer"
)
View Source 
const (
	SEAL_MOUNTPOINT = "/run/seal/"
	SEAL_REF        = "_SEAL_REF"
	SEAL_CONFIG     = "_SEAL_CONFIG"
	SEAL_ENV        = "_SEAL_ENV"
	SEAL_DIR        = "_SEAL_DIR"
	SEAL_MOUNT      = "_SEAL_MOUNT"
)
View Source 
const (
	KmeUnknown      = 0
	KmeUnauthorized = 1
	KmeNoAccess     = 2
)

Variables

This section is empty.

Functions

func AddFile 

func AddFile(path string, data []byte, options map[string]string)

func CANotFound 

func CANotFound(workloadName string) bool

func CreateRotService 

func CreateRotService() (*tls.Certificate, *x509.CertPool, error)

func InitRemoteKubeMgr 

func InitRemoteKubeMgr(contextName string) (*kubernetes.Clientset, error)

func InitRotKubeMgr 

func InitRotKubeMgr() error

func LoadRotCa 

func LoadRotCa() error

func RenewCA 

func RenewCA(kubeMgr *KubeMgrStruct, workloadName string, keyRing *KeyRing) error

func RenewSymetricKey 

func RenewSymetricKey(kubeMgr *KubeMgrStruct, workloadName string, keyRing *KeyRing) error

func Rot_service 

func Rot_service(w http.ResponseWriter, r *http.Request)

func UnsealArgs 

func UnsealArgs(symetricKey []byte, sealRef string, argsIn []string, config map[string]string) (cmd string, args []string, err error)

func UnsealConfig 

func UnsealConfig(symetricKey []byte, sealRef string, sealConfigStr string) (config map[string]string, err error)

func UnsealDir 

func UnsealDir(srcname string, dstname string, symetricKey []byte, sealRef string, sealDir string, config map[string]string) error

func UnsealEnv 

func UnsealEnv(symetricKey []byte, sealRef string, sealEnv string, envIn []string, config map[string]string) (env []string, err error)

func UnsealFile 

func UnsealFile(src_path string, dest_path string, symetricKey []byte, options map[string]string)

func UnsealFiles 

func UnsealFiles(src_path string, dest_path string) bool

func UnsealMount 

func UnsealMount(symetricKey []byte, sealRef string, sealMount string, config map[string]string) (mounts []string, err error)

func UpdateCA 

func UpdateCA(workloadName string, keyRing *KeyRing) error

func ValidateHostname 

func ValidateHostname(hostname string) error

func ValidateSevriceName 

func ValidateSevriceName(servicename string) error

func ValidateWorkloadName 

func ValidateWorkloadName(workload string) error

Types

type InitEgg 

type InitEgg struct {
	RotUrl     string   `json:"rot"`
	EncPmr     []byte   `json:"epmr"`
	PrivateKey string   `json:"prk"`
	Cert       string   `json:"cert"`
	Ca         []string `json:"ca"`
}

func CreateInit 

func CreateInit(workloadName string, serviceName string) (*InitEgg, error)

func NewInitEgg 

func NewInitEgg() *InitEgg

func (*InitEgg) AddCa 

func (egg *InitEgg) AddCa(ca []byte)

func (*InitEgg) Decode 

func (egg *InitEgg) Decode(eegg string) error

func (*InitEgg) Encode 

func (egg *InitEgg) Encode() (string, error)

func (*InitEgg) GetCaPool 

func (egg *InitEgg) GetCaPool() (*x509.CertPool, error)

func (*InitEgg) GetCert 

func (egg *InitEgg) GetCert() (*tls.Certificate, error)

func (*InitEgg) SetCert 

func (egg *InitEgg) SetCert(cert []byte)

func (*InitEgg) SetEncPmr 

func (egg *InitEgg) SetEncPmr(symenticKey []byte, workloadName string, serviceName string) error

func (*InitEgg) SetPrivateKey 

func (egg *InitEgg) SetPrivateKey(privateKey []byte)

func (*InitEgg) SetTorUrl 

func (egg *InitEgg) SetTorUrl(url string)

type KeyRing 

type KeyRing struct {
	// contains filtered or unexported fields
}

func CreateNewCA 

func CreateNewCA(workloadName string, rotUrl string) (keyRing *KeyRing, errout error)

func GetCA 

func GetCA(workloadName string) (keyRing *KeyRing, errout error)

func NewKeyRing 

func NewKeyRing() *KeyRing

func (*KeyRing) Add 

func (kr *KeyRing) Add(name string, item []byte) error

when adding a cert block use Add(name, pem.EncodeToMemory(cert))

func (*KeyRing) AddCert 

func (kr *KeyRing) AddCert(subname string, cert []byte) error

func (*KeyRing) AddCertAt 

func (kr *KeyRing) AddCertAt(current int, cert []byte) error

func (*KeyRing) AddPeer 

func (kr *KeyRing) AddPeer(subname string, servers string) error

func (*KeyRing) AddPrivateKey 

func (kr *KeyRing) AddPrivateKey(subname string, privateKey []byte) error

func (*KeyRing) AddPrivateKeyAt 

func (kr *KeyRing) AddPrivateKeyAt(current int, privateKey []byte) error

func (*KeyRing) AddSymetricKey 

func (kr *KeyRing) AddSymetricKey(subname string, symenticKey []byte) error

func (*KeyRing) AddSymetricKeyAt 

func (kr *KeyRing) AddSymetricKeyAt(current int, symenticKey []byte) error

func (*KeyRing) AppendCert 

func (kr *KeyRing) AppendCert(cert []byte) error

func (*KeyRing) AppendPrivateKey 

func (kr *KeyRing) AppendPrivateKey(privateKey []byte) error

func (*KeyRing) AppendSymetricKey 

func (kr *KeyRing) AppendSymetricKey(symenticKey []byte) error

func (*KeyRing) Consolidate 

func (kr *KeyRing) Consolidate() error

func (*KeyRing) GetSymetricKey 

func (kr *KeyRing) GetSymetricKey() []byte

func (*KeyRing) NumCerts 

func (kr *KeyRing) NumCerts() int

func (*KeyRing) NumPrivateKeys 

func (kr *KeyRing) NumPrivateKeys() int

func (*KeyRing) NumSymetricKeys 

func (kr *KeyRing) NumSymetricKeys() int

func (*KeyRing) Peers 

func (kr *KeyRing) Peers() map[string]string

func (*KeyRing) RotUrl 

func (kr *KeyRing) RotUrl() string

func (*KeyRing) SetPeer 

func (kr *KeyRing) SetPeer(client string, servers string) error

func (*KeyRing) SetRotUrl 

func (kr *KeyRing) SetRotUrl(rotUrl string) error

type KubeMgrError 

type KubeMgrError struct {
	Value       int
	Description string
}

func (*KubeMgrError) Error 

func (kme *KubeMgrError) Error() string

type KubeMgrStruct 

type KubeMgrStruct struct {
	RotCaKeyRing *KeyRing
	// contains filtered or unexported fields
}
var KubeMgr *KubeMgrStruct

func (*KubeMgrStruct) CreateCa 

func (kubeMgr *KubeMgrStruct) CreateCa(workloadName string) (*corev1.Secret, error)

func (*KubeMgrStruct) DeleteCa 

func (kubeMgr *KubeMgrStruct) DeleteCa(workloadName string) error

func (*KubeMgrStruct) GetCa 

func (kubeMgr *KubeMgrStruct) GetCa(workloadName string) (*corev1.Secret, error)

func (*KubeMgrStruct) ListCas 

func (kubeMgr *KubeMgrStruct) ListCas() ([]string, error)

func (*KubeMgrStruct) SetConfigMap 

func (kubeMgr *KubeMgrStruct) SetConfigMap(client *kubernetes.Clientset, configmap *corev1.ConfigMap) error

func (*KubeMgrStruct) SetDeployment 

func (kubeMgr *KubeMgrStruct) SetDeployment(client *kubernetes.Clientset, deployment *appsv1.Deployment) error

func (*KubeMgrStruct) SetSecret 

func (kubeMgr *KubeMgrStruct) SetSecret(client *kubernetes.Clientset, secret *corev1.Secret) error

func (*KubeMgrStruct) UpdateCA 

func (kubeMgr *KubeMgrStruct) UpdateCA(secret *corev1.Secret) (*corev1.Secret, error)

type MutualTls 

type MutualTls struct {
	IsServer bool
	Cert     *tls.Certificate
	CaPool   *x509.CertPool
	Peers    []string
}

func (*MutualTls) AddPeer 

func (mt *MutualTls) AddPeer(name string)

func (*MutualTls) Client 

func (mt *MutualTls) Client() *http.Client

func (*MutualTls) GetTlsConfig 

func (mt *MutualTls) GetTlsConfig() *tls.Config

func (*MutualTls) Server 

func (mt *MutualTls) Server(mux *http.ServeMux, address string) *http.Server

func (*MutualTls) Verify 

func (mt *MutualTls) Verify() func(cs tls.ConnectionState) error

type PodData 

type PodData struct {
	ServiceName  string         `json:"servicename"`
	WorkloadName string         `json:"workloadname"`
	Clients      []string       `json:"clients"`
	Servers      []string       `json:"servers"`
	CurrentWKey  int            `json:"current"`
	WorkloadKey  map[int]string `json:"key"`
	PrivateKey   string         `json:"prk"`
	Cert         string         `json:"cert"`
	Ca           []string       `json:"ca"`
}

func NewPodData 

func NewPodData(pmr *PodMessageReq, pm *PodMessage) *PodData

func Rot_client 

func Rot_client(eegg string, hostnames []string) (*PodData, error)

func (*PodData) GetCaPem 

func (pd *PodData) GetCaPem() ([]byte, error)

func (*PodData) GetCas 

func (pd *PodData) GetCas() ([][]byte, error)

func (*PodData) GetCert 

func (pd *PodData) GetCert() ([]byte, error)

func (*PodData) GetClients 

func (pd *PodData) GetClients() []string

func (*PodData) GetPrivateKeyPem 

func (pd *PodData) GetPrivateKeyPem() string

func (*PodData) GetServers 

func (pd *PodData) GetServers() []string

func (*PodData) GetTlsFromPodMessage 

func (pd *PodData) GetTlsFromPodMessage() (*tls.Certificate, *x509.CertPool, error)
func CreatePodMessage2(pmr *PodMessageReq) (*PodMessage, error) {
	workload := pmr.secret.WorkloadName
	servicename := pmr.secret.ServiceName
	workloadCaKeyRing, err := GetCA(workload)
	if err != nil {
		return nil, fmt.Errorf("failed to get a CA %s: %v", workload, err)
	}
	//sans := []string{"any", strings.ToLower(pmr.PodName), "myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud"}
	sans := []string{"any", strings.ToLower(servicename)}
	sans = append(sans, pmr.Hostnames...)

	privateKeyBlock, certBlock, err := createPodCert(workloadCaKeyRing.prkPem, workloadCaKeyRing.certPem, workload, sans...)
	if err != nil {
		return nil, fmt.Errorf("cannot create pod cert for pod %s: %w", servicename, err)
	}
	podMessage := NewPodMessage(servicename)

	podMessage.SetCa(workloadCaKeyRing.certs[workloadCaKeyRing.latestCert])
	for index, cert := range workloadCaKeyRing.certs {
		if index != workloadCaKeyRing.latestCert {
			podMessage.SetCa(cert)
		}
	}
	podMessage.SetCert(pem.EncodeToMemory(certBlock))
	podMessage.SetPrivateKey(pem.EncodeToMemory(privateKeyBlock))
	err = podMessage.SetWorkloadKey(workloadCaKeyRing.sKeys[workloadCaKeyRing.latestSKey], workloadCaKeyRing.latestSKey)
	if err != nil {
		return nil, fmt.Errorf("cannot set workload key for pod %s: %w", servicename, err)
	}
	for index, cert := range workloadCaKeyRing.sKeys {
		if index != workloadCaKeyRing.latestSKey {
			if err != nil {
				return nil, fmt.Errorf("cannot decode string workload key for pod %s: %w", servicename, err)
			}
			err = podMessage.SetWorkloadKey(cert, index)
			if err != nil {
				return nil, fmt.Errorf("cannot set workload key for pod %s: %w", servicename, err)
			}
		}
	}
	podMessage.AddClient(servicename)
	podMessage.AddServer(servicename)
	for client, servers := range workloadCaKeyRing.peers {
		serverSlice := strings.Split(servers, ",")
		if client == servicename {
			for _, server := range serverSlice {
				podMessage.AddServer(server)
			}
		} else {
			for _, server := range serverSlice {
				if server == servicename {
					podMessage.AddServer(client)
				}
			}
		}
	}

	return podMessage, nil
}

func (*PodData) GetWKeysFromPodData 

func (pd *PodData) GetWKeysFromPodData() (map[int][]byte, int, error)

func (*PodData) GetWorkloadKey 

func (pd *PodData) GetWorkloadKey() (map[int][]byte, int, error)

type PodMessage 

type PodMessage struct {
	//Name        string         `json:"name"`
	Clients     []string       `json:"clients"`
	Servers     []string       `json:"servers"`
	CurrentWKey int            `json:"current"`
	WorkloadKey map[int]string `json:"key"`
	//PrivateKey  string         `json:"prk"`
	Cert string   `json:"cert"`
	Ca   []string `json:"ca"`
}

func CreatePodMessage 

func CreatePodMessage(pmr *PodMessageReq) (*PodMessage, error)

func NewPodMessage 

func NewPodMessage() *PodMessage

func (*PodMessage) AddClient 

func (pm *PodMessage) AddClient(client string)

func (*PodMessage) AddServer 

func (pm *PodMessage) AddServer(server string)

func (*PodMessage) SetCa 

func (pm *PodMessage) SetCa(ca []byte)

func (*PodMessage) SetCert 

func (pm *PodMessage) SetCert(cert []byte)

func (*PodMessage) SetWorkloadKey 

func (pm *PodMessage) SetWorkloadKey(symetricKey []byte, index int) error

type PodMessageReq 

type PodMessageReq struct {
	Secret    []byte   // Encrypted Secret
	Hostnames []string // more names requested for the certificate
	Csr       []byte   // Certificate request
	// contains filtered or unexported fields
}

func NewPodMessageReq 

func NewPodMessageReq(workloadName string, serviceName string) (*PodMessageReq, error)

func (*PodMessageReq) Decrypt 

func (pmr *PodMessageReq) Decrypt(key []byte) error

func (*PodMessageReq) Encrypt 

func (pmr *PodMessageReq) Encrypt(key []byte) error

func (*PodMessageReq) Validate 

func (pmr *PodMessageReq) Validate() error

type PodMessageReqSecret 

type PodMessageReqSecret struct {
	ServiceName  string // Lower case, Allocated by KMS, Stored in the encrypted init image
	WorkloadName string // Lower case, Allocated by KMS, stored in the encrypted init image
}

type SealDataMap 

type SealDataMap struct {
	UnsealedMap map[string][]byte
	SealedMap   map[string][]byte
}

func NewSealData 

func NewSealData() *SealDataMap

func Unseal 

func Unseal(symetricKey []byte, sealRef string, cypher string) (sealedDataMap *SealDataMap, err error)

func (*SealDataMap) AddSealed 

func (sd *SealDataMap) AddSealed(key string, val []byte)

func (*SealDataMap) AddUnsealed 

func (sd *SealDataMap) AddUnsealed(key string, val []byte)

func (SealDataMap) Decrypt 

func (sd SealDataMap) Decrypt(key []byte, reference string, sealedtext []byte) error
func (sd SealDataMap) DecryptItems(key []byte, reference string) error {
	for k, sealed := range sd.SealedMap {
		unsealed, err := sd.DecryptItem(key, reference, sealed)
		if err != nil {
			//	sd.AddUnsealed(k, []byte(sealedtext))
			fmt.Printf("Fail to DecryptItem %s - %v", k, err)
			continue
			//return fmt.Errorf("fail to DecryptItem %s: %w", k, err)
		}
		sd.AddUnsealed(k, unsealed)
	}
	return nil
}

func (SealDataMap) DecryptItem 

func (sd SealDataMap) DecryptItem(key []byte, reference string, sealed []byte) (unsealed []byte, err error)

DecryptItem() Unseal a single item key - a 16 byte key reference - string identifying teh full context of this value sealedtext - the text to unseal

func (*SealDataMap) Encrypt 

func (sd *SealDataMap) Encrypt(key []byte, reference string) (sealed []byte, err error)

func (*SealDataMap) EncryptItem 

func (sd *SealDataMap) EncryptItem(key []byte, reference string, unsealed []byte) (sealed []byte, err error)

EncryptItem() Seals a single item key - a 16 byte key reference - string identifying the full context of this value unsealed - the text to seal Note EncryptItem may be destructive to the array behind sealedtext If needed, use sealedtext := append([]T(nil), sealedtext...) to create a new array priot to calling EncryptItem

func (*SealDataMap) EncryptItems 

func (sd *SealDataMap) EncryptItems(key []byte, reference string) error

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.