Documentation ¶
Overview ¶
This package is copied from https://github.com/openshift/library-go/tree/master/pkg/crypto. It cannot be imported directly because library-go depends on Kubernetes libraries, which would create a cyclic dependency. Because it is a vendored copy rather than an import, fixes made upstream (including security fixes to the TLS defaults and cipher lists) are not picked up automatically; the copy must be re-synchronised with upstream deliberately.
Index ¶
- Constants
- func CertsFromPEM(pemCerts []byte) ([]*x509.Certificate, error)
- func CipherSuite(cipherName string) (uint16, error)
- func CipherSuiteToNameOrDie(intVal uint16) string
- func CipherSuitesOrDie(cipherNames []string) []uint16
- func CipherSuitesToNamesOrDie(intVals []uint16) []string
- func DefaultCiphers() []uint16
- func DefaultTLSVersion() uint16
- func EncodeCertificates(certs ...*x509.Certificate) ([]byte, error)
- func GolangTLSVersions() []string
- func IPAddressesDNSNames(hosts []string) ([]net.IP, []string)
- func NewKeyPair() (crypto.PublicKey, crypto.PrivateKey, error)
- func OpenSSLToIANACipherSuites(ciphers []string) []string
- func SecureTLSConfig(config *tls.Config) *tls.Config
- func TLSVersion(versionName string) (uint16, error)
- func TLSVersionOrDie(versionName string) uint16
- func TLSVersionToNameOrDie(intVal uint16) string
- func ValidCipherSuites() []string
- func ValidTLSVersions() []string
- type CA
- func EnsureCA(certFile, keyFile, serialFile, name string, expireDays int) (*CA, bool, error)
- func GetCA(certFile, keyFile, serialFile string) (*CA, error)
- func GetCAFromBytes(certBytes, keyBytes []byte) (*CA, error)
- func MakeSelfSignedCA(certFile, keyFile, serialFile, name string, expireDays int) (*CA, error)
- func (ca *CA) EnsureClientCertificate(certFile, keyFile string, u user.Info, expireDays int) (*TLSCertificateConfig, bool, error)
- func (ca *CA) EnsureServerCert(certFile, keyFile string, hostnames sets.Set[string], expireDays int) (*TLSCertificateConfig, bool, error)
- func (ca *CA) MakeAndWriteServerCert(certFile, keyFile string, hostnames sets.Set[string], expireDays int) (*TLSCertificateConfig, error)
- func (ca *CA) MakeClientCertificate(certFile, keyFile string, u user.Info, expireDays int) (*TLSCertificateConfig, error)
- func (ca *CA) MakeClientCertificateForDuration(u user.Info, lifetime time.Duration) (*TLSCertificateConfig, error)
- func (ca *CA) MakeServerCert(hostnames sets.Set[string], expireDays int, fns ...CertificateExtensionFunc) (*TLSCertificateConfig, error)
- func (ca *CA) MakeServerCertForDuration(hostnames sets.Set[string], lifetime time.Duration, ...) (*TLSCertificateConfig, error)
- type CertificateExtensionFunc
- type RandomSerialGenerator
- type SerialFileGenerator
- type SerialGenerator
- type TLSCARoots
- type TLSCertificateConfig
- func GetServerCert(certFile, keyFile string, hostnames sets.Set[string]) (*TLSCertificateConfig, error)
- func GetTLSCertificateConfig(certFile, keyFile string) (*TLSCertificateConfig, error)
- func GetTLSCertificateConfigFromBytes(certBytes, keyBytes []byte) (*TLSCertificateConfig, error)
- func MakeCAConfigForDuration(name string, caLifetime time.Duration, issuer *CA) (*TLSCertificateConfig, error)
- func MakeSelfSignedCAConfig(name string, expireDays int) (*TLSCertificateConfig, error)
- func MakeSelfSignedCAConfigForDuration(name string, caLifetime time.Duration) (*TLSCertificateConfig, error)
- func MakeSelfSignedCAConfigForSubject(subject pkix.Name, expireDays int) (*TLSCertificateConfig, error)
Constants ¶
const ( DefaultCertificateLifetimeInDays = 365 * 2 // 2 years DefaultCACertificateLifetimeInDays = 365 * 5 // 5 years )
Variables ¶
This section is empty.
Functions ¶
func CertsFromPEM ¶
func CertsFromPEM(pemCerts []byte) ([]*x509.Certificate, error)
func CipherSuite ¶
func CipherSuiteToNameOrDie ¶
CipherSuiteToNameOrDie returns the readable (IANA) name of the cipher suite identified by the given uint16 value. As the OrDie suffix and the absence of an error return indicate, an unknown value is not reported as an error to the caller.
func CipherSuitesOrDie ¶
func CipherSuitesToNamesOrDie ¶
CipherSuitesToNamesOrDie returns the readable names of the given list of cipher suite values. As with CipherSuiteToNameOrDie, there is no error return, so unknown values are not reported to the caller.
func DefaultCiphers ¶
func DefaultCiphers() []uint16
func DefaultTLSVersion ¶
func DefaultTLSVersion() uint16
func EncodeCertificates ¶
func EncodeCertificates(certs ...*x509.Certificate) ([]byte, error)
func GolangTLSVersions ¶
func GolangTLSVersions() []string
GolangTLSVersions returns the TLS version names known to Go. Inclusion in this list does not mean a version is enabled; it is distinct from the set of versions this package considers valid.
func NewKeyPair ¶
func NewKeyPair() (crypto.PublicKey, crypto.PrivateKey, error)
func OpenSSLToIANACipherSuites ¶
OpenSSLToIANACipherSuites maps input OpenSSL Cipher Suite names to their IANA counterparts. Unknown ciphers are left out.
func SecureTLSConfig ¶
SecureTLSConfig applies the cluster's default minimum TLS security settings to the given config and returns the resulting *tls.Config. Callers should verify that the returned minimum version and cipher list meet their own policy rather than assuming the defaults are sufficient.
func TLSVersion ¶
func TLSVersionOrDie ¶
func TLSVersionToNameOrDie ¶
TLSVersionToNameOrDie returns the readable name of the TLS version identified by the given uint16 value. There is no error return, so an unknown value is not reported to the caller.
func ValidCipherSuites ¶
func ValidCipherSuites() []string
Types ¶
type CA ¶
type CA struct { Config *TLSCertificateConfig SerialGenerator SerialGenerator }
func EnsureCA ¶
EnsureCA returns a CA, a bool indicating whether the CA was newly created (as opposed to loaded from pre-existing files), and any error. If serialFile is empty, a RandomSerialGenerator is used instead of a SerialFileGenerator.
func GetCAFromBytes ¶
func MakeSelfSignedCA ¶
MakeSelfSignedCA creates a new self-signed CA and writes it to certFile and keyFile. If serialFile is empty, a RandomSerialGenerator is used instead of a SerialFileGenerator.
func (*CA) EnsureClientCertificate ¶
func (*CA) EnsureServerCert ¶
func (*CA) MakeAndWriteServerCert ¶
func (*CA) MakeClientCertificate ¶
func (*CA) MakeClientCertificateForDuration ¶
func (*CA) MakeServerCert ¶
func (ca *CA) MakeServerCert(hostnames sets.Set[string], expireDays int, fns ...CertificateExtensionFunc) (*TLSCertificateConfig, error)
func (*CA) MakeServerCertForDuration ¶
func (ca *CA) MakeServerCertForDuration(hostnames sets.Set[string], lifetime time.Duration, fns ...CertificateExtensionFunc) (*TLSCertificateConfig, error)
type CertificateExtensionFunc ¶
type CertificateExtensionFunc func(*x509.Certificate) error
CertificateExtensionFunc is passed a certificate that it may extend, or return an error if the extension attempt failed.
type RandomSerialGenerator ¶
type RandomSerialGenerator struct { }
RandomSerialGenerator returns a serial derived from time.Now and the certificate subject. Despite the name, the serial is not drawn from a cryptographic random source and uniqueness across certificates is not guaranteed; two certificates for the same subject issued within the same clock granularity may collide. Where unique, monotonically increasing serials are required, use SerialFileGenerator.
func (*RandomSerialGenerator) Next ¶
func (s *RandomSerialGenerator) Next(template *x509.Certificate) (int64, error)
type SerialFileGenerator ¶
type SerialFileGenerator struct { SerialFile string Serial int64 // contains filtered or unexported fields }
SerialFileGenerator produces unique, monotonically increasing serial numbers and persists the last issued value to SerialFile, so that the CA's on-disk state records which serials have been issued.
func NewSerialFileGenerator ¶
func NewSerialFileGenerator(serialFile string) (*SerialFileGenerator, error)
func (*SerialFileGenerator) Next ¶
func (s *SerialFileGenerator) Next(template *x509.Certificate) (int64, error)
Next returns a unique, monotonically increasing serial number and ensures the CA on disk records that value.
type SerialGenerator ¶
type SerialGenerator interface {
Next(template *x509.Certificate) (int64, error)
}
SerialGenerator is an interface for obtaining a serial number for a certificate being issued. Implementations MUST be safe for concurrent use, since a CA may issue certificates from multiple goroutines.
type TLSCARoots ¶
type TLSCARoots struct {
Roots []*x509.Certificate
}
type TLSCertificateConfig ¶
type TLSCertificateConfig struct { Certs []*x509.Certificate Key crypto.PrivateKey }
func GetServerCert ¶
func GetTLSCertificateConfig ¶
func GetTLSCertificateConfig(certFile, keyFile string) (*TLSCertificateConfig, error)
func GetTLSCertificateConfigFromBytes ¶
func GetTLSCertificateConfigFromBytes(certBytes, keyBytes []byte) (*TLSCertificateConfig, error)
func MakeCAConfigForDuration ¶
func MakeSelfSignedCAConfig ¶
func MakeSelfSignedCAConfig(name string, expireDays int) (*TLSCertificateConfig, error)
func MakeSelfSignedCAConfigForDuration ¶
func MakeSelfSignedCAConfigForDuration(name string, caLifetime time.Duration) (*TLSCertificateConfig, error)
func MakeSelfSignedCAConfigForSubject ¶
func MakeSelfSignedCAConfigForSubject(subject pkix.Name, expireDays int) (*TLSCertificateConfig, error)
func (*TLSCertificateConfig) GetPEMBytes ¶
func (c *TLSCertificateConfig) GetPEMBytes() ([]byte, []byte, error)
func (*TLSCertificateConfig) WriteCertConfig ¶
func (c *TLSCertificateConfig) WriteCertConfig(certFile, keyFile io.Writer) error
func (*TLSCertificateConfig) WriteCertConfigFile ¶
func (c *TLSCertificateConfig) WriteCertConfigFile(certFile, keyFile string) error