Documentation ¶
Index ¶
- Constants
- func CertificatesToPool(certs []*x509.Certificate) *x509.CertPool
- func DecodePEMCertPool(txt string) (*x509.CertPool, error)
- func DecodePEMCertificates(txt string) (certs []*x509.Certificate, err error)
- func EncodeCertificatesPEM(crts ...*x509.Certificate) string
- func EncodePrivateKeyP8(k *ecdsa.PrivateKey) []byte
- func EncodePrivateKeyPEM(k *ecdsa.PrivateKey) ([]byte, error)
- func GenerateKey() (*ecdsa.PrivateKey, error)
- type CA
- type Cred
- type Crt
- type FsCredsWatcher
- func (fscw *FsCredsWatcher) ProcessEvents(log *log.Entry, certVal *atomic.Value, updateEvent <-chan struct{}, ...)
- func (fscw *FsCredsWatcher) StartWatching(ctx context.Context) error
- func (fscw *FsCredsWatcher) UpdateCert(certVal *atomic.Value) error
- func (fscw *FsCredsWatcher) WithFilePaths(certFilePath, keyFilePath string) *FsCredsWatcher
- type GenericPrivateKey
- type Issuer
- type Validity
Constants ¶
const (
	// DefaultLifetime configures certificate validity.
	//
	// Initially all certificates will be valid for one year.
	//
	// TODO: Shorten the validity duration of CA and end-entity certificates downward.
	DefaultLifetime = (24 * 365) * time.Hour

	// DefaultClockSkewAllowance indicates the maximum allowed difference in clocks
	// in the network.
	//
	// TODO: make it tunable.
	//
	// TODO: Reconsider how this interacts with the similar logic in the webpki
	// verifier; since both are trying to account for clock skew, there is
	// somewhat of an over-correction.
	DefaultClockSkewAllowance = 10 * time.Second
)
Variables ¶
This section is empty.
Functions ¶
func CertificatesToPool ¶
func CertificatesToPool(certs []*x509.Certificate) *x509.CertPool
CertificatesToPool converts a slice of certificates into a cert pool.
func DecodePEMCertPool ¶
DecodePEMCertPool parses a string containing PEM-encoded certificates into a CertPool.
func DecodePEMCertificates ¶
func DecodePEMCertificates(txt string) (certs []*x509.Certificate, err error)
DecodePEMCertificates parses a string containing PEM-encoded certificates.
func EncodeCertificatesPEM ¶
func EncodeCertificatesPEM(crts ...*x509.Certificate) string
EncodeCertificatesPEM encodes the collection of provided certificates as a text blob of PEM-encoded certificates.
func EncodePrivateKeyP8 ¶
func EncodePrivateKeyP8(k *ecdsa.PrivateKey) []byte
EncodePrivateKeyP8 encodes the provided key as PEM-encoded text.
func EncodePrivateKeyPEM ¶
func EncodePrivateKeyPEM(k *ecdsa.PrivateKey) ([]byte, error)
EncodePrivateKeyPEM encodes the provided key as PEM-encoded text.
func GenerateKey ¶
func GenerateKey() (*ecdsa.PrivateKey, error)
GenerateKey creates a new P-256 ECDSA private key from the default random source.
Types ¶
type CA ¶
type CA struct {
	// Cred contains the CA's credentials.
	Cred Cred

	// Validity configures the NotBefore and NotAfter parameters for certificates
	// issued by this CA.
	//
	// Currently this is used for the CA's validity too, but nothing should
	// assume that the CA's validity period is the same as issued certificates'
	// validity.
	Validity Validity
	// contains filtered or unexported fields
}
CA provides a certificate authority for TLS-enabled installs. Issuing certificates concurrently is not supported.
func CreateRootCA ¶
CreateRootCA configures a new root CA with the given settings.
func GenerateRootCAWithDefaults ¶
GenerateRootCAWithDefaults generates a new root CA with default settings.
func (*CA) GenerateCA ¶
GenerateCA generates a new intermediate CA.
func (*CA) GenerateEndEntityCred ¶
GenerateEndEntityCred creates a new certificate that is valid for the given DNS name, generating a new keypair for it.
func (*CA) IssueEndEntityCrt ¶
func (ca *CA) IssueEndEntityCrt(csr *x509.CertificateRequest) (Crt, error)
IssueEndEntityCrt creates a new certificate that is valid for the given DNS name, generating a new keypair for it.
type Cred ¶
type Cred struct {
	PrivateKey GenericPrivateKey
	Crt
}
Cred is a container for a certificate, trust chain, and private key.
func ReadPEMCreds ¶
ReadPEMCreds reads PEM-encoded credentials from the named files.
func ValidateAndCreateCreds ¶
ValidateAndCreateCreds reads PEM-encoded credentials from strings and validates them.
func (*Cred) EncodePrivateKeyP8 ¶
EncodePrivateKeyP8 encodes the provided key to the PKCS#8 binary form.
func (*Cred) EncodePrivateKeyPEM ¶
EncodePrivateKeyPEM emits the private key as PEM-encoded text.
type Crt ¶
type Crt struct {
	Certificate *x509.Certificate
	TrustChain  []*x509.Certificate
}
Crt is a container for a certificate and trust chain.
The trust chain stores all issuer certificates from the root at the head to the direct issuer at the tail.
func DecodePEMCrt ¶
DecodePEMCrt decodes PEM-encoded certificates from leaf to root.
func (*Crt) EncodeCertificatePEM ¶
EncodeCertificatePEM emits the Crt's leaf certificate as PEM-encoded text.
func (*Crt) EncodePEM ¶
EncodePEM emits a certificate and trust chain as a series of PEM-encoded certificates from leaf to root.
func (*Crt) ExtractRaw ¶
ExtractRaw extracts the DER-encoded certificates in the Crt from leaf to root.
type FsCredsWatcher ¶
type FsCredsWatcher struct {
	EventChan chan<- struct{}
	ErrorChan chan<- error
	// contains filtered or unexported fields
}
FsCredsWatcher is used to monitor TLS credentials on the filesystem.
func NewFsCredsWatcher ¶
func NewFsCredsWatcher(certRootPath string, updateEvent chan<- struct{}, errEvent chan<- error) *FsCredsWatcher
NewFsCredsWatcher constructs a FsCredsWatcher instance.
func (*FsCredsWatcher) ProcessEvents ¶
func (fscw *FsCredsWatcher) ProcessEvents(
	log *log.Entry,
	certVal *atomic.Value,
	updateEvent <-chan struct{},
	errEvent <-chan error,
)
ProcessEvents reads from the update and error channels and reloads the certs when necessary.
func (*FsCredsWatcher) StartWatching ¶
func (fscw *FsCredsWatcher) StartWatching(ctx context.Context) error
StartWatching starts watching the filesystem for cert updates.
func (*FsCredsWatcher) UpdateCert ¶
func (fscw *FsCredsWatcher) UpdateCert(certVal *atomic.Value) error
UpdateCert reads the cert and key files and stores the key pair in certVal.
func (*FsCredsWatcher) WithFilePaths ¶
func (fscw *FsCredsWatcher) WithFilePaths(certFilePath, keyFilePath string) *FsCredsWatcher
WithFilePaths completes the FsCredsWatcher instance with the locations of the cert and key files.
type GenericPrivateKey ¶
type GenericPrivateKey interface {
	// contains filtered or unexported methods
}
GenericPrivateKey represents either an EC or an RSA private key.
func DecodePEMKey ¶
func DecodePEMKey(txt string) (GenericPrivateKey, error)
DecodePEMKey parses a PEM-encoded private key from the named path.
type Issuer ¶
type Issuer interface {
	IssueEndEntityCrt(*x509.CertificateRequest) (Crt, error)
}
Issuer implementors sign certificate requests.
type Validity ¶
type Validity struct {
	// Validity is the duration for which issued certificates are valid. This
	// is approximately cert.NotAfter - cert.NotBefore with some additional
	// allowance for clock skew.
	//
	// Currently this is used for the CA's validity too, but nothing should
	// assume that the CA's validity period is the same as issued certificates'
	// validity.
	Lifetime time.Duration

	// ClockSkewAllowance is the maximum supported clock skew. Everything that
	// processes the certificates must have a system clock that is off by no
	// more than this allowance in either direction.
	ClockSkewAllowance time.Duration

	// ValidFrom is the point in time from which the certificate is valid.
	// This is cert.NotBefore with some clock skew allowance.
	ValidFrom *time.Time
}
Validity configures the expiry times of issued certificates.
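To show how the CA, Crt and Validity types on this page fit together, here is an added example, not the package's code, that builds a root and an intermediate CA, issues an end-entity certificate from a CSR the way IssueEndEntityCrt does, and verifies it using the Crt.TrustChain order documented above (root at the head, direct issuer at the tail). NewCA stands in for both CreateRootCA (nil parent) and GenerateCA; Window is this example's reading of how Lifetime and ClockSkewAllowance become NotBefore and NotAfter; ValidFrom is left out, and the serial-number handling, key usages and the P-256 choice are assumptions of the example rather than the package's behaviour.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Validity mirrors the page's struct minus ValidFrom: issuance always starts "now".
type Validity struct {
	Lifetime           time.Duration
	ClockSkewAllowance time.Duration
}

// Window derives NotBefore/NotAfter. The skew allowance is taken off the start and added to
// the end, so a peer whose clock is off by at most that much still accepts the certificate.
func (v Validity) Window(now time.Time) (notBefore, notAfter time.Time) {
	return now.Add(-v.ClockSkewAllowance), now.Add(v.Lifetime + v.ClockSkewAllowance)
}

// Crt is a certificate plus its trust chain: root at the head, direct issuer at the tail.
type Crt struct {
	Certificate *x509.Certificate
	TrustChain  []*x509.Certificate
}

// CA is a signing key, its own Crt, and the Validity stamped on everything it issues.
type CA struct {
	Key      *ecdsa.PrivateKey
	Crt      Crt
	Validity Validity
}

// chain is what ca's children carry: ca's own trust chain with ca itself appended.
func (ca *CA) chain() []*x509.Certificate {
	return append(append([]*x509.Certificate{}, ca.Crt.TrustChain...), ca.Crt.Certificate)
}

// sign stamps a random 128-bit serial and the Validity window onto tmpl, then signs it with key.
func sign(tmpl, parent *x509.Certificate, pub any, key *ecdsa.PrivateKey, v Validity) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber = serial
	tmpl.NotBefore, tmpl.NotAfter = v.Window(time.Now())
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA plays both CreateRootCA (parent == nil, self-signed) and GenerateCA (intermediate).
func NewCA(name string, parent *CA, v Validity) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: name}, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca := &CA{Key: key, Validity: v}
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, signer, ca.Crt.TrustChain = parent.Crt.Certificate, parent.Key, parent.chain()
	}
	ca.Crt.Certificate, err = sign(tmpl, parentCert, &key.PublicKey, signer, v)
	return ca, err
}

// IssueEndEntityCrt signs a CSR. CheckSignature makes the requester prove it holds the
// private key; names are copied from the request, dates come only from the CA's Validity.
func (ca *CA) IssueEndEntityCrt(csr *x509.CertificateRequest) (Crt, error) {
	if err := csr.CheckSignature(); err != nil {
		return Crt{}, fmt.Errorf("csr signature: %w", err)
	}
	tmpl := &x509.Certificate{Subject: csr.Subject, DNSNames: csr.DNSNames, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	cert, err := sign(tmpl, ca.Crt.Certificate, csr.PublicKey, ca.Key, ca.Validity)
	if err != nil {
		return Crt{}, err
	}
	return Crt{Certificate: cert, TrustChain: ca.chain()}, nil
}

// Verify checks crt for dnsName at the given instant using its own TrustChain: the head is
// the only trust anchor and every later entry is an intermediate.
func Verify(crt Crt, dnsName string, at time.Time) error {
	if len(crt.TrustChain) == 0 {
		return fmt.Errorf("empty trust chain")
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(crt.TrustChain[0])
	for _, c := range crt.TrustChain[1:] {
		inters.AddCert(c)
	}
	_, err := crt.Certificate.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: dnsName, CurrentTime: at})
	return err
}
```

Three checks are worth running against any issuer built this way: verification a few seconds before issuance (inside ClockSkewAllowance) must succeed while verification a minute earlier must fail, verification after Lifetime must fail, and a CSR whose signature does not verify must be refused, since otherwise a certificate could be issued for a key the requester does not actually hold.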