tls

package
v0.5.1-0...-d6d0c94 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 16, 2024 License: Apache-2.0 Imports: 20 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	// DefaultLifetime configures certificate validity.
	//
	// Initially all certificates will be valid for one year.
	//
	// TODO: Shorten the validity duration of CA and end-entity certificates downward.
	DefaultLifetime = (24 * 365) * time.Hour

	// DefaultClockSkewAllowance indicates the maximum allowed difference in clocks
	// in the network.
	//
	// TODO: make it tunable.
	//
	// TODO: Reconsider how this interacts with the similar logic in the webpki
	// verifier; since both are trying to account for clock skew, there is
	// somewhat of an over-correction.
	DefaultClockSkewAllowance = 10 * time.Second
)

Variables

This section is empty.

Functions

func CertificatesToPool 

func CertificatesToPool(certs []*x509.Certificate) *x509.CertPool

CertificatesToPool converts a slice of certificates into a cert pool

func DecodePEMCertPool 

func DecodePEMCertPool(txt string) (*x509.CertPool, error)

DecodePEMCertPool parses a string containing PE-encoded certificates into a CertPool.

func DecodePEMCertificates 

func DecodePEMCertificates(txt string) (certs []*x509.Certificate, err error)

DecodePEMCertificates parses a string containing PEM-encoded certificates.

func EncodeCertificatesPEM 

func EncodeCertificatesPEM(crts ...*x509.Certificate) string

EncodeCertificatesPEM encodes the collection of provided certificates as a text blob of PEM-encoded certificates.

func EncodePrivateKeyP8 

func EncodePrivateKeyP8(k *ecdsa.PrivateKey) []byte

EncodePrivateKeyP8 encodes the provided key as PEM-encoded text

func EncodePrivateKeyPEM 

func EncodePrivateKeyPEM(k *ecdsa.PrivateKey) ([]byte, error)

EncodePrivateKeyPEM encodes the provided key as PEM-encoded text

func GenerateKey 

func GenerateKey() (*ecdsa.PrivateKey, error)

GenerateKey creates a new P-256 ECDSA private key from the default random source.

Types

type CA 

type CA struct {
	// Cred contains the CA's credentials.
	Cred Cred

	// Validity configures the NotBefore and NotAfter parameters for certificates
	// issued by this CA.
	//
	// Currently this is used for the CA's validity too, but nothing should
	// assume that the CA's validity period is the same as issued certificates'
	// validity.
	Validity Validity
	// contains filtered or unexported fields
}

CA provides a certificate authority for TLS-enabled installs. Issuing certificates concurrently is not supported.

func CreateRootCA 

func CreateRootCA(
	name string,
	key *ecdsa.PrivateKey,
	validity Validity,
) (*CA, error)

CreateRootCA configures a new root CA with the given settings

func GenerateRootCAWithDefaults 

func GenerateRootCAWithDefaults(name string) (*CA, error)

GenerateRootCAWithDefaults generates a new root CA with default settings.

func NewCA 

func NewCA(cred Cred, validity Validity) *CA

NewCA initializes a new CA with default settings.

func (*CA) GenerateCA 

func (ca *CA) GenerateCA(name string, maxPathLen int) (*CA, error)

GenerateCA generates a new intermediate CA.

func (*CA) GenerateEndEntityCred 

func (ca *CA) GenerateEndEntityCred(dnsName string) (*Cred, error)

GenerateEndEntityCred creates a new certificate that is valid for the given DNS name, generating a new keypair for it.

func (*CA) IssueEndEntityCrt 

func (ca *CA) IssueEndEntityCrt(csr *x509.CertificateRequest) (Crt, error)

IssueEndEntityCrt creates a new certificate that is valid for the given DNS name, generating a new keypair for it.

type Cred 

type Cred struct {
	PrivateKey GenericPrivateKey
	Crt
}

Cred is a container for a certificate, trust chain, and private key.

func ReadPEMCreds 

func ReadPEMCreds(keyPath, crtPath string) (*Cred, error)

ReadPEMCreds reads PEM-encoded credentials from the named files.

func ValidateAndCreateCreds 

func ValidateAndCreateCreds(crt, key string) (*Cred, error)

ValidateAndCreateCreds reads PEM-encoded credentials from strings and validates them

func (*Cred) EncodePrivateKeyP8 

func (cred *Cred) EncodePrivateKeyP8() ([]byte, error)

EncodePrivateKeyP8 encodes the provided key to the PKCS#8 binary form.

func (*Cred) EncodePrivateKeyPEM 

func (cred *Cred) EncodePrivateKeyPEM() string

EncodePrivateKeyPEM emits the private key as PEM-encoded text.

func (*Cred) SignCrt 

func (cred *Cred) SignCrt(template *x509.Certificate) (Crt, error)

SignCrt uses this Cred to sign a new certificate.

This may fail if the Cred contains an end-entity certificate.

type Crt 

type Crt struct {
	Certificate *x509.Certificate
	TrustChain  []*x509.Certificate
}

Crt is a container for a certificate and trust chain.

The trust chain stores all issuer certificates from the root at the head to the direct issuer at the tail.

func DecodePEMCrt 

func DecodePEMCrt(txt string) (*Crt, error)

DecodePEMCrt decodes PEM-encoded certificates from leaf to root.

func (*Crt) CertPool 

func (crt *Crt) CertPool() *x509.CertPool

CertPool returns a CertPool containing this Crt.

func (*Crt) EncodeCertificatePEM 

func (crt *Crt) EncodeCertificatePEM() string

EncodeCertificatePEM emits the Crt's leaf certificate as PEM-encoded text.

func (*Crt) EncodePEM 

func (crt *Crt) EncodePEM() string

EncodePEM emits a certificate and trust chain as a series of PEM-encoded certificates from leaf to root.

func (*Crt) ExtractRaw 

func (crt *Crt) ExtractRaw() [][]byte

ExtractRaw extracts the DER-encoded certificates in the Crt from leaf to root.

func (*Crt) Verify 

func (crt *Crt) Verify(roots *x509.CertPool, name string, currentTime time.Time) error

Verify the validity of the provided certificate

type FsCredsWatcher 

type FsCredsWatcher struct {
	EventChan chan<- struct{}
	ErrorChan chan<- error
	// contains filtered or unexported fields
}

FsCredsWatcher is used to monitor tls credentials on the filesystem

func NewFsCredsWatcher 

func NewFsCredsWatcher(certRootPath string, updateEvent chan<- struct{}, errEvent chan<- error) *FsCredsWatcher

NewFsCredsWatcher constructs a FsCredsWatcher instance

func (*FsCredsWatcher) ProcessEvents 

func (fscw *FsCredsWatcher) ProcessEvents(
	log *log.Entry,
	certVal *atomic.Value,
	updateEvent <-chan struct{},
	errEvent <-chan error,
)

ProcessEvents reads from the update and error channels and reloads the certs when necessary

func (*FsCredsWatcher) StartWatching 

func (fscw *FsCredsWatcher) StartWatching(ctx context.Context) error

StartWatching starts watching the filesystem for cert updates

func (*FsCredsWatcher) UpdateCert 

func (fscw *FsCredsWatcher) UpdateCert(certVal *atomic.Value) error

UpdateCert reads the cert and key files and stores the key pair in certVal

func (*FsCredsWatcher) WithFilePaths 

func (fscw *FsCredsWatcher) WithFilePaths(certFilePath, keyFilePath string) *FsCredsWatcher

WithFilePaths completes the FsCredsWatcher instance with the cert and key files locations

type GenericPrivateKey 

type GenericPrivateKey interface {
	// contains filtered or unexported methods
}

GenericPrivateKey represents either an EC or an RSA private key

func DecodePEMKey 

func DecodePEMKey(txt string) (GenericPrivateKey, error)

DecodePEMKey parses a PEM-encoded private key from the named path.

type Issuer 

type Issuer interface {
	IssueEndEntityCrt(*x509.CertificateRequest) (Crt, error)
}

Issuer implementors signs certificate requests.

type Validity 

type Validity struct {
	// Validity is the duration for which issued certificates are valid. This
	// is approximately cert.NotAfter - cert.NotBefore with some additional
	// allowance for clock skew.
	//
	// Currently this is used for the CA's validity too, but nothing should
	// assume that the CA's validity period is the same as issued certificates'
	// validity.
	Lifetime time.Duration

	// ClockSkewAllowance is the maximum supported clock skew. Everything that
	// processes the certificates must have a system clock that is off by no
	// more than this allowance in either direction.
	ClockSkewAllowance time.Duration

	// ValidFrom is the point in time from which the certificate is valid.
	// This is cert.NotBefore with some clock skew allowance.
	ValidFrom *time.Time
}

Validity configures the expiry times of issued certificates.

func (*Validity) Window 

func (v *Validity) Window(t time.Time) (time.Time, time.Time)

Window returns the time window for which a certificate should be valid.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.