certificate

package
v0.8.4 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 17, 2021 License: Apache-2.0 Imports: 10 Imported by: 0

README

Package: Certificate

This package contains tools for issuing and renewing certificates for the service mesh.

For design and details on mTLS and certificate issuance please see docs/patterns/certificates.md.

Interfaces

In types.go we define 2 interfaces:

  1. certificate.Manager - is the interface exposing a particular certificate provider. The certificate manager is responsible for issuing and renewing certificates. It abstracts away the particular methods of signing, renewing, and storing certificates away from the rest of the service mesh components.
  2. certificate.Certificater - an abstraction over an actual certificate, which is signed by our CA, has an expiration, and certain properties common to all PEM encoded certificates issued by any certificate provider implemented.

Providers

The directory providers contains implementations of certificate issuers (certificate.Managers):

  1. tresor is a minimal internal implementation of a certificate issuer, which leverages Go's crypto library and uses Kubernetes' etcd for storage.
  2. keyvault is a certificate issuer leveraging Azure Key Vault for secrets storage.
  3. vault is another implementation of the certificate.Manager interface, which provides a way for all service mesh certificates to be stored on and signed by Hashicorp Vault.
  4. cert-manager is a certificate issuer leveraging cert-manager to sign certificates from Issuers.

Certificate Rotation

In the rotor directory we implement a certificate rotation mechanism, which may or may not be leveraged by the certificate issuers (providers).

Documentation

Overview

Package certificate is a generated GoMock package.

Package certificate implements utility routines to endcode and decode certificates, and provides the interface definitions for Certificate and Certificate Manager.

Index

Constants

View Source 
const (
	// TypeCertificate is a string constant to be used in the generation of a certificate.
	TypeCertificate = "CERTIFICATE"

	// TypePrivateKey is a string constant to be used in the generation of a private key for a certificate.
	TypePrivateKey = "PRIVATE KEY"

	// TypeCertificateRequest is a string constant to be used in the generation
	// of a certificate requests.
	TypeCertificateRequest = "CERTIFICATE REQUEST"
)

Variables

This section is empty.

Functions

func DecodePEMCertificate 

func DecodePEMCertificate(certPEM []byte) (*x509.Certificate, error)

DecodePEMCertificate converts a certificate from PEM to x509 encoding

func DecodePEMPrivateKey 

func DecodePEMPrivateKey(keyPEM []byte) (*rsa.PrivateKey, error)

DecodePEMPrivateKey converts a certificate from PEM to x509 encoding

func EncodeCertDERtoPEM 

func EncodeCertDERtoPEM(derBytes []byte) (pem.Certificate, error)

EncodeCertDERtoPEM encodes the certificate provided in DER format into PEM format More information on the 2 formats is available in the following article: https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them

func EncodeCertReqDERtoPEM added in v0.4.0 

func EncodeCertReqDERtoPEM(derBytes []byte) (pem.CertificateRequest, error)

EncodeCertReqDERtoPEM encodes the certificate request provided in DER format into PEM format.

func EncodeKeyDERtoPEM 

func EncodeKeyDERtoPEM(priv *rsa.PrivateKey) (pem.PrivateKey, error)

EncodeKeyDERtoPEM converts a DER encoded private key into a PEM encoded key

Types

type Certificater 

type Certificater interface {

	// GetCommonName retrieves the name of the certificate.
	GetCommonName() CommonName

	// GetCertificateChain retrieves the cert chain.
	GetCertificateChain() []byte

	// GetPrivateKey returns the private key.
	GetPrivateKey() []byte

	// GetIssuingCA returns the root certificate for the given cert.
	GetIssuingCA() []byte

	// GetExpiration returns the time the certificate would expire.
	GetExpiration() time.Time

	// GetSerialNumber returns the serial number of the given certificate.
	GetSerialNumber() SerialNumber
}

Certificater is the interface declaring methods each Certificate object must have.

type CommonName 

type CommonName string

CommonName is the Subject Common Name from a given SSL certificate.

func (CommonName) String 

func (cn CommonName) String() string

type Manager 

type Manager interface {
	// IssueCertificate issues a new certificate.
	IssueCertificate(CommonName, time.Duration) (Certificater, error)

	// GetCertificate returns a certificate given its Common Name (CN)
	GetCertificate(CommonName) (Certificater, error)

	// RotateCertificate rotates an existing certificate.
	RotateCertificate(CommonName) (Certificater, error)

	// GetRootCertificate returns the root certificate in PEM format and its expiration.
	GetRootCertificate() (Certificater, error)

	// ListCertificates lists all certificates issued
	ListCertificates() ([]Certificater, error)

	// ReleaseCertificate informs the underlying certificate issuer that the given cert will no longer be needed.
	// This method could be called when a given payload is terminated. Calling this should remove certs from cache and free memory if possible.
	ReleaseCertificate(CommonName)
}

Manager is the interface declaring the methods for the Certificate Manager.

type MockCertificater added in v0.6.0 

type MockCertificater struct {
	// contains filtered or unexported fields
}

MockCertificater is a mock of Certificater interface

func NewMockCertificater added in v0.6.0 

func NewMockCertificater(ctrl *gomock.Controller) *MockCertificater

NewMockCertificater creates a new mock instance

func (*MockCertificater) EXPECT added in v0.6.0 

func (m *MockCertificater) EXPECT() *MockCertificaterMockRecorder

EXPECT returns an object that allows the caller to indicate expected use

func (*MockCertificater) GetCertificateChain added in v0.6.0 

func (m *MockCertificater) GetCertificateChain() []byte

GetCertificateChain mocks base method

func (*MockCertificater) GetCommonName added in v0.6.0 

func (m *MockCertificater) GetCommonName() CommonName

GetCommonName mocks base method

func (*MockCertificater) GetExpiration added in v0.6.0 

func (m *MockCertificater) GetExpiration() time.Time

GetExpiration mocks base method

func (*MockCertificater) GetIssuingCA added in v0.6.0 

func (m *MockCertificater) GetIssuingCA() []byte

GetIssuingCA mocks base method

func (*MockCertificater) GetPrivateKey added in v0.6.0 

func (m *MockCertificater) GetPrivateKey() []byte

GetPrivateKey mocks base method

func (*MockCertificater) GetSerialNumber added in v0.6.0 

func (m *MockCertificater) GetSerialNumber() SerialNumber

GetSerialNumber mocks base method

type MockCertificaterMockRecorder added in v0.6.0 

type MockCertificaterMockRecorder struct {
	// contains filtered or unexported fields
}

MockCertificaterMockRecorder is the mock recorder for MockCertificater

func (*MockCertificaterMockRecorder) GetCertificateChain added in v0.6.0 

func (mr *MockCertificaterMockRecorder) GetCertificateChain() *gomock.Call

GetCertificateChain indicates an expected call of GetCertificateChain

func (*MockCertificaterMockRecorder) GetCommonName added in v0.6.0 

func (mr *MockCertificaterMockRecorder) GetCommonName() *gomock.Call

GetCommonName indicates an expected call of GetCommonName

func (*MockCertificaterMockRecorder) GetExpiration added in v0.6.0 

func (mr *MockCertificaterMockRecorder) GetExpiration() *gomock.Call

GetExpiration indicates an expected call of GetExpiration

func (*MockCertificaterMockRecorder) GetIssuingCA added in v0.6.0 

func (mr *MockCertificaterMockRecorder) GetIssuingCA() *gomock.Call

GetIssuingCA indicates an expected call of GetIssuingCA

func (*MockCertificaterMockRecorder) GetPrivateKey added in v0.6.0 

func (mr *MockCertificaterMockRecorder) GetPrivateKey() *gomock.Call

GetPrivateKey indicates an expected call of GetPrivateKey

func (*MockCertificaterMockRecorder) GetSerialNumber added in v0.8.0 

func (mr *MockCertificaterMockRecorder) GetSerialNumber() *gomock.Call

GetSerialNumber indicates an expected call of GetSerialNumber

type MockManager added in v0.6.0 

type MockManager struct {
	// contains filtered or unexported fields
}

MockManager is a mock of Manager interface

func NewMockManager added in v0.6.0 

func NewMockManager(ctrl *gomock.Controller) *MockManager

NewMockManager creates a new mock instance

func (*MockManager) EXPECT added in v0.6.0 

func (m *MockManager) EXPECT() *MockManagerMockRecorder

EXPECT returns an object that allows the caller to indicate expected use

func (*MockManager) GetCertificate added in v0.6.0 

func (m *MockManager) GetCertificate(arg0 CommonName) (Certificater, error)

GetCertificate mocks base method

func (*MockManager) GetRootCertificate added in v0.6.0 

func (m *MockManager) GetRootCertificate() (Certificater, error)

GetRootCertificate mocks base method

func (*MockManager) IssueCertificate added in v0.6.0 

func (m *MockManager) IssueCertificate(arg0 CommonName, arg1 time.Duration) (Certificater, error)

IssueCertificate mocks base method

func (*MockManager) ListCertificates added in v0.6.0 

func (m *MockManager) ListCertificates() ([]Certificater, error)

ListCertificates mocks base method

func (*MockManager) ReleaseCertificate added in v0.6.0 

func (m *MockManager) ReleaseCertificate(arg0 CommonName)

ReleaseCertificate mocks base method

func (*MockManager) RotateCertificate added in v0.6.0 

func (m *MockManager) RotateCertificate(arg0 CommonName) (Certificater, error)

RotateCertificate mocks base method

type MockManagerMockRecorder added in v0.6.0 

type MockManagerMockRecorder struct {
	// contains filtered or unexported fields
}

MockManagerMockRecorder is the mock recorder for MockManager

func (*MockManagerMockRecorder) GetCertificate added in v0.6.0 

func (mr *MockManagerMockRecorder) GetCertificate(arg0 interface{}) *gomock.Call

GetCertificate indicates an expected call of GetCertificate

func (*MockManagerMockRecorder) GetRootCertificate added in v0.6.0 

func (mr *MockManagerMockRecorder) GetRootCertificate() *gomock.Call

GetRootCertificate indicates an expected call of GetRootCertificate

func (*MockManagerMockRecorder) IssueCertificate added in v0.6.0 

func (mr *MockManagerMockRecorder) IssueCertificate(arg0, arg1 interface{}) *gomock.Call

IssueCertificate indicates an expected call of IssueCertificate

func (*MockManagerMockRecorder) ListCertificates added in v0.6.0 

func (mr *MockManagerMockRecorder) ListCertificates() *gomock.Call

ListCertificates indicates an expected call of ListCertificates

func (*MockManagerMockRecorder) ReleaseCertificate added in v0.6.0 

func (mr *MockManagerMockRecorder) ReleaseCertificate(arg0 interface{}) *gomock.Call

ReleaseCertificate indicates an expected call of ReleaseCertificate

func (*MockManagerMockRecorder) RotateCertificate added in v0.6.0 

func (mr *MockManagerMockRecorder) RotateCertificate(arg0 interface{}) *gomock.Call

RotateCertificate indicates an expected call of RotateCertificate

type SerialNumber added in v0.7.0 

type SerialNumber string

SerialNumber is the Serial Number of the given certificate.

func (SerialNumber) String added in v0.7.0 

func (sn SerialNumber) String() string

Source Files

View all Source files

Directories

Path Synopsis
Package pem defines the types for the attributes of a Certificate.
 Package pem defines the types for the attributes of a Certificate.
Package providers implements generic certificate provider related functionality
 Package providers implements generic certificate provider related functionality
certmanager
Package certmanager implements the certificate.Manager interface for cert-manager.io as the certificate provider.
 Package certmanager implements the certificate.Manager interface for cert-manager.io as the certificate provider.
tresor
Package tresor implements the certificate.Manager interface for Tresor, a custom certificate provider in OSM.
 Package tresor implements the certificate.Manager interface for Tresor, a custom certificate provider in OSM.
vault
Package vault implements the certificate.Manager interface for Hashicorp Vault as the certificate provider.
 Package vault implements the certificate.Manager interface for Hashicorp Vault as the certificate provider.
Package rotor implements functionality to rotate certificates provided by a certificate provider.
 Package rotor implements functionality to rotate certificates provided by a certificate provider.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.