pkiutil

package
v1.0.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 5, 2022 License: MIT Imports: 20 Imported by: 0

Documentation

Overview

Package pkiutil provides utilities to help with certificates and keys. NOTE: The code in this package originates from kubernetes/kubernetes repo's kubeadm component. After a re-organization of the certificate and key helper libraries (refer https://github.com/kubernetes/kubernetes/issues/71004), a lot of the cert related code was moved to kubeadm component. In operator-toolkit, this package is used for self signed certificate generation for admission controller. To avoid dependency on k/k, the code in this package has been modified to comment out the functions that are not required for cert generation. The package tests in the upstream are kubeadm specific. Since no functionality is changed, the tests have not been copied. The code should be updated from the upstream repo from time to time.

Index

Constants

View Source 
const (
	// PrivateKeyBlockType is a possible value for pem.Block.Type.
	PrivateKeyBlockType = "PRIVATE KEY"
	// PublicKeyBlockType is a possible value for pem.Block.Type.
	PublicKeyBlockType = "PUBLIC KEY"
	// CertificateBlockType is a possible value for pem.Block.Type.
	CertificateBlockType = "CERTIFICATE"
	// RSAPrivateKeyBlockType is a possible value for pem.Block.Type.
	RSAPrivateKeyBlockType = "RSA PRIVATE KEY"

	// CertificateValidity defines the validity for all the signed
	// certificates.
	CertificateValidity = time.Hour * 24 * 365
)

Variables

View Source 
var NewPrivateKey = GeneratePrivateKey

NewPrivateKey returns a new private key.

Functions

func CSROrKeyExist 

func CSROrKeyExist(csrDir, name string) bool

CSROrKeyExist returns true if one of the CSR or key exists

func CertOrKeyExist 

func CertOrKeyExist(pkiPath, name string) bool

CertOrKeyExist returns a boolean whether the cert or the key exists

func CertificateRequestFromFile 

func CertificateRequestFromFile(file string) (*x509.CertificateRequest, error)

CertificateRequestFromFile returns the CertificateRequest from a given PEM-encoded file. Returns an error if the file could not be read or if the CSR could not be parsed.

func EncodeCSRPEM 

func EncodeCSRPEM(csr *x509.CertificateRequest) []byte

EncodeCSRPEM returns PEM-encoded CSR data

func EncodeCertBundlePEM 

func EncodeCertBundlePEM(certs []*x509.Certificate) ([]byte, error)

EncodeCertBundlePEM returns PEM-endcoded certificate bundle

func EncodeCertPEM 

func EncodeCertPEM(cert *x509.Certificate) []byte

EncodeCertPEM returns PEM-endcoded certificate data

func EncodePrivateKeyPEM 

func EncodePrivateKeyPEM(key *rsa.PrivateKey) []byte

EncodePrivateKeyPEM returns PEM-encoded private key data

func EncodePublicKeyPEM 

func EncodePublicKeyPEM(key crypto.PublicKey) ([]byte, error)

EncodePublicKeyPEM returns PEM-encoded public data

func GeneratePrivateKey 

func GeneratePrivateKey(keyType x509.PublicKeyAlgorithm) (crypto.Signer, error)

func HasServerAuth 

func HasServerAuth(cert *x509.Certificate) bool

HasServerAuth returns true if the given certificate is a ServerAuth

func NewCSR 

func NewCSR(cfg CertConfig, key crypto.Signer) (*x509.CertificateRequest, error)

NewCSR creates a new CSR

func NewCSRAndKey 

func NewCSRAndKey(config *CertConfig) (*x509.CertificateRequest, crypto.Signer, error)

NewCSRAndKey generates a new key and CSR and that could be signed to create the given certificate

func NewCertAndKey 

func NewCertAndKey(caCert *x509.Certificate, caKey crypto.Signer, config *CertConfig) (*x509.Certificate, crypto.Signer, error)

NewCertAndKey creates new certificate and key by passing the certificate authority certificate and key

func NewCertificateAuthority 

func NewCertificateAuthority(config *CertConfig) (*x509.Certificate, crypto.Signer, error)

NewCertificateAuthority creates new certificate and private key for the certificate authority

func NewIntermediateCertificateAuthority 

func NewIntermediateCertificateAuthority(parentCert *x509.Certificate, parentKey crypto.Signer, config *CertConfig) (*x509.Certificate, crypto.Signer, error)

NewIntermediateCertificateAuthority creates new certificate and private key for an intermediate certificate authority

func NewSignedCert 

func NewSignedCert(cfg *CertConfig, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer, isCA bool) (*x509.Certificate, error)

NewSignedCert creates a signed certificate using the given CA certificate and key

func NewSignedCertWithValidity 

func NewSignedCertWithValidity(cfg *CertConfig, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer, isCA bool, validity time.Time) (*x509.Certificate, error)

NewSignedCertWithValidity creates a signed certificate with a given validity. NOTE: This has been modified to allow setting the validity. Upstream always sets the validity to 1 year. NewSignedCert() still uses 1 year validity.

func PathsForCertAndKey 

func PathsForCertAndKey(pkiPath, name string) (string, string)

PathsForCertAndKey returns the paths for the certificate and key given the path and basename.

func RemoveDuplicateAltNames 

func RemoveDuplicateAltNames(altNames *certutil.AltNames)

RemoveDuplicateAltNames removes duplicate items in altNames.

func TryLoadCSRAndKeyFromDisk 

func TryLoadCSRAndKeyFromDisk(pkiPath, name string) (*x509.CertificateRequest, crypto.Signer, error)

TryLoadCSRAndKeyFromDisk tries to load the CSR and key from the disk

func TryLoadCSRFromDisk 

func TryLoadCSRFromDisk(pkiPath, name string) (*x509.CertificateRequest, error)

TryLoadCSRFromDisk tries to load the CSR from the disk

func TryLoadCertAndKeyFromDisk 

func TryLoadCertAndKeyFromDisk(pkiPath, name string) (*x509.Certificate, crypto.Signer, error)

TryLoadCertAndKeyFromDisk tries to load a cert and a key from the disk and validates that they are valid

func TryLoadCertChainFromDisk 

func TryLoadCertChainFromDisk(pkiPath, name string) (*x509.Certificate, []*x509.Certificate, error)

TryLoadCertChainFromDisk tries to load the cert chain from the disk

func TryLoadCertFromDisk 

func TryLoadCertFromDisk(pkiPath, name string) (*x509.Certificate, error)

TryLoadCertFromDisk tries to load the cert from the disk

func TryLoadKeyFromDisk 

func TryLoadKeyFromDisk(pkiPath, name string) (crypto.Signer, error)

TryLoadKeyFromDisk tries to load the key from the disk and validates that it is valid

func TryLoadPrivatePublicKeyFromDisk 

func TryLoadPrivatePublicKeyFromDisk(pkiPath, name string) (*rsa.PrivateKey, *rsa.PublicKey, error)

TryLoadPrivatePublicKeyFromDisk tries to load the key from the disk and validates that it is valid

func ValidateCertPeriod 

func ValidateCertPeriod(cert *x509.Certificate, offset time.Duration) error

ValidateCertPeriod checks if the certificate is valid relative to the current time (+/- offset)

func VerifyCertChain 

func VerifyCertChain(cert *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate) error

VerifyCertChain verifies that a certificate has a valid chain of intermediate CAs back to the root CA

func WriteCSR 

func WriteCSR(csrDir, name string, csr *x509.CertificateRequest) error

WriteCSR writes the pem-encoded CSR data to csrPath. The CSR file will be created with file mode 0600. If the CSR file already exists, it will be overwritten. The parent directory of the csrPath will be created as needed with file mode 0700.

func WriteCert 

func WriteCert(pkiPath, name string, cert *x509.Certificate) error

WriteCert stores the given certificate at the given location

func WriteCertAndKey 

func WriteCertAndKey(pkiPath string, name string, cert *x509.Certificate, key crypto.Signer) error

WriteCertAndKey stores certificate and key at the specified location

func WriteCertBundle 

func WriteCertBundle(pkiPath, name string, certs []*x509.Certificate) error

WriteCertBundle stores the given certificate bundle at the given location

func WriteKey 

func WriteKey(pkiPath, name string, key crypto.Signer) error

WriteKey stores the given key at the given location

func WritePublicKey 

func WritePublicKey(pkiPath, name string, key crypto.PublicKey) error

WritePublicKey stores the given public key at the given location

Types

type CertConfig 

type CertConfig struct {
	certutil.Config
	PublicKeyAlgorithm x509.PublicKeyAlgorithm
}

CertConfig is a wrapper around certutil.Config extending it with PublicKeyAlgorithm.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.