certificate

package
v1.0.0 Latest

Published: Jan 25, 2022 License: Apache-2.0 Imports: 10 Imported by: 0

README

Package: Certificate

This package contains tools for issuing and renewing certificates for the service mesh.

For design and details on mTLS and certificate issuance please see docs/patterns/certificates.md.

Interfaces

In types.go we define 2 interfaces:

  1. certificate.Manager - is the interface exposing a particular certificate provider. The certificate manager is responsible for issuing and renewing certificates. It abstracts the particular methods of signing, renewing, and storing certificates away from the rest of the service mesh components.
  2. certificate.Certificater - an abstraction over an actual certificate, which is signed by our CA, has an expiration, and certain properties common to all PEM encoded certificates issued by any certificate provider implemented.

Providers

The directory providers contains implementations of certificate issuers (certificate.Managers):

  1. tresor is a minimal internal implementation of a certificate issuer, which leverages Go's crypto library and uses Kubernetes' etcd for storage.
  2. keyvault is a certificate issuer leveraging Azure Key Vault for secrets storage.
  3. vault is another implementation of the certificate.Manager interface, which provides a way for all service mesh certificates to be stored on and signed by Hashicorp Vault.
  4. cert-manager is a certificate issuer leveraging cert-manager to sign certificates from Issuers.

Certificate Rotation

In the rotor directory we implement a certificate rotation mechanism, which may or may not be leveraged by the certificate issuers (providers).

Documentation

Overview

Package certificate is a generated GoMock package.

Package certificate implements utility routines to encode and decode certificates, and provides the interface definitions for Certificate and Certificate Manager.

Index

Constants

const (
	// TypeCertificate is a string constant to be used in the generation of a certificate.
	TypeCertificate = "CERTIFICATE"

	// TypePrivateKey is a string constant to be used in the generation of a private key for a certificate.
	TypePrivateKey = "PRIVATE KEY"

	// TypeCertificateRequest is a string constant to be used in the generation
	// of a certificate request.
	TypeCertificateRequest = "CERTIFICATE REQUEST"
)

Variables

var ErrNoCertificateInPEM = errors.New("no certificate in PEM")

ErrNoCertificateInPEM is the error returned when no certificate is found in the PEM input.

Functions

func DecodePEMCertificate

func DecodePEMCertificate(certPEM []byte) (*x509.Certificate, error)

DecodePEMCertificate converts a certificate from PEM to x509 encoding

func DecodePEMPrivateKey

func DecodePEMPrivateKey(keyPEM []byte) (*rsa.PrivateKey, error)

DecodePEMPrivateKey converts an RSA private key from PEM encoding into an *rsa.PrivateKey.

func EncodeCertDERtoPEM

func EncodeCertDERtoPEM(derBytes []byte) (pem.Certificate, error)

EncodeCertDERtoPEM encodes the certificate provided in DER format into PEM format. More information on the two formats is available in the following article: https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them

func EncodeCertReqDERtoPEM added in v0.4.0

func EncodeCertReqDERtoPEM(derBytes []byte) (pem.CertificateRequest, error)

EncodeCertReqDERtoPEM encodes the certificate request provided in DER format into PEM format.

func EncodeKeyDERtoPEM

func EncodeKeyDERtoPEM(priv *rsa.PrivateKey) (pem.PrivateKey, error)

EncodeKeyDERtoPEM converts the given RSA private key into a PEM encoded key (the key is marshalled to DER and wrapped in a PEM block).

Types

type Certificater

type Certificater interface {

	// GetCommonName retrieves the name of the certificate.
	GetCommonName() CommonName

	// GetCertificateChain retrieves the cert chain.
	GetCertificateChain() []byte

	// GetPrivateKey returns the private key.
	GetPrivateKey() []byte

	// GetIssuingCA returns the root certificate for the given cert.
	GetIssuingCA() []byte

	// GetExpiration returns the time the certificate would expire.
	GetExpiration() time.Time

	// GetSerialNumber returns the serial number of the given certificate.
	GetSerialNumber() SerialNumber
}

Certificater is the interface declaring methods each Certificate object must have.

type CommonName

type CommonName string

CommonName is the Subject Common Name from a given SSL certificate.

func (CommonName) String

func (cn CommonName) String() string

type Manager

type Manager interface {
	// IssueCertificate issues a new certificate.
	IssueCertificate(CommonName, time.Duration) (Certificater, error)

	// GetCertificate returns a certificate given its Common Name (CN)
	GetCertificate(CommonName) (Certificater, error)

	// RotateCertificate rotates an existing certificate.
	RotateCertificate(CommonName) (Certificater, error)

	// GetRootCertificate returns the root certificate in PEM format and its expiration.
	GetRootCertificate() (Certificater, error)

	// ListCertificates lists all certificates issued
	ListCertificates() ([]Certificater, error)

	// ReleaseCertificate informs the underlying certificate issuer that the given cert will no longer be needed.
	// This method could be called when a given payload is terminated. Calling this should remove certs from cache and free memory if possible.
	ReleaseCertificate(CommonName)
}

Manager is the interface declaring the methods for the Certificate Manager.
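The program below is an added example, not code from the OSM certificate package. It mirrors the conversion helpers documented above (EncodeCertDERtoPEM and DecodePEMCertificate, using the same block labels and the same "no certificate in PEM" error) and the issue, verify and rotate flow that a Manager and Certificater implementation rests on: a self-signed root, a leaf signed by it, verification of the leaf against the issuing CA, and a renewal-window check of the kind the rotor directory provides. The function names (issue, verifyChain, needsRotation), the 30-minute window, the 2048-bit key size and the bookstore common name are assumptions chosen for illustration, not identifiers from the package.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PEM block labels, the same strings as the package's TypeCertificate and TypePrivateKey constants.
const typeCertificate, typePrivateKey = "CERTIFICATE", "PRIVATE KEY"

var errNoCertificateInPEM = errors.New("no certificate in PEM")

// encodeCertDERtoPEM wraps a DER encoded certificate in a CERTIFICATE block.
func encodeCertDERtoPEM(der []byte) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: typeCertificate, Bytes: der})
}

// decodePEMCertificate parses the first PEM block as a certificate. A block of another
// type (a private key handed in where a certificate was expected, say) is rejected.
func decodePEMCertificate(certPEM []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return nil, errNoCertificateInPEM
	}
	if block.Type != typeCertificate {
		return nil, fmt.Errorf("unexpected PEM block type %q, want %q", block.Type, typeCertificate)
	}
	return x509.ParseCertificate(block.Bytes)
}

// issue generates an RSA key and a certificate for cn valid for the given duration. With
// parent == nil the result is a self-signed CA (the mesh root); otherwise a leaf signed by parent.
func issue(cn string, validity time.Duration, parent *x509.Certificate, parentKey *rsa.PrivateKey) ([]byte, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // random 128-bit serial
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Minute), // tolerate small clock skew
		NotAfter:              now.Add(validity),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	return der, key, err
}

// verifyChain checks that the PEM leaf chains to the PEM issuing CA (GetCertificateChain vs GetIssuingCA).
func verifyChain(leafPEM, caPEM []byte) error {
	leaf, err := decodePEMCertificate(leafPEM)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return errNoCertificateInPEM
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

// needsRotation reports whether, at time now, the certificate has at most window of lifetime left (assumed rotor-style policy).
func needsRotation(cert *x509.Certificate, now time.Time, window time.Duration) bool {
	return !now.Before(cert.NotAfter.Add(-window))
}

func main() {
	caDER, caKey, err := issue("osm-root", 24*time.Hour, nil, nil)
	if err != nil {
		panic(err)
	}
	ca, _ := x509.ParseCertificate(caDER)
	leafDER, _, err := issue("bookstore.default.svc.cluster.local", time.Hour, ca, caKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(leafDER)
	fmt.Println("chain valid:", verifyChain(encodeCertDERtoPEM(leafDER), encodeCertDERtoPEM(caDER)) == nil)
	fmt.Println("rotate within 30m:", needsRotation(leaf, time.Now(), 30*time.Minute))
}
```

Two design points worth noting. The decoder checks the PEM block label before calling the X.509 parser, so a private key or CSR pasted into a certificate field fails with a clear error instead of an opaque ASN.1 one; the page's own DecodePEMCertificate documentation does not say whether it does this, so it is a choice made here. Verification is done against the issuing CA only (the root pool), which is how a proxy should treat GetIssuingCA(): trust is anchored in the mesh root rather than in the system trust store.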

type MockCertificater added in v0.6.0

type MockCertificater struct {
	// contains filtered or unexported fields
}

MockCertificater is a mock of Certificater interface.

func NewMockCertificater added in v0.6.0

func NewMockCertificater(ctrl *gomock.Controller) *MockCertificater

NewMockCertificater creates a new mock instance.

func (*MockCertificater) EXPECT added in v0.6.0

func (m *MockCertificater) EXPECT() *MockCertificaterMockRecorder

EXPECT returns an object that allows the caller to indicate expected use.

func (*MockCertificater) GetCertificateChain added in v0.6.0

func (m *MockCertificater) GetCertificateChain() []byte

GetCertificateChain mocks base method.

func (*MockCertificater) GetCommonName added in v0.6.0

func (m *MockCertificater) GetCommonName() CommonName

GetCommonName mocks base method.

func (*MockCertificater) GetExpiration added in v0.6.0

func (m *MockCertificater) GetExpiration() time.Time

GetExpiration mocks base method.

func (*MockCertificater) GetIssuingCA added in v0.6.0

func (m *MockCertificater) GetIssuingCA() []byte

GetIssuingCA mocks base method.

func (*MockCertificater) GetPrivateKey added in v0.6.0

func (m *MockCertificater) GetPrivateKey() []byte

GetPrivateKey mocks base method.

func (*MockCertificater) GetSerialNumber added in v0.6.0

func (m *MockCertificater) GetSerialNumber() SerialNumber

GetSerialNumber mocks base method.

type MockCertificaterMockRecorder added in v0.6.0

type MockCertificaterMockRecorder struct {
	// contains filtered or unexported fields
}

MockCertificaterMockRecorder is the mock recorder for MockCertificater.

func (*MockCertificaterMockRecorder) GetCertificateChain added in v0.6.0

func (mr *MockCertificaterMockRecorder) GetCertificateChain() *gomock.Call

GetCertificateChain indicates an expected call of GetCertificateChain.

func (*MockCertificaterMockRecorder) GetCommonName added in v0.6.0

func (mr *MockCertificaterMockRecorder) GetCommonName() *gomock.Call

GetCommonName indicates an expected call of GetCommonName.

func (*MockCertificaterMockRecorder) GetExpiration added in v0.6.0

func (mr *MockCertificaterMockRecorder) GetExpiration() *gomock.Call

GetExpiration indicates an expected call of GetExpiration.

func (*MockCertificaterMockRecorder) GetIssuingCA added in v0.6.0

func (mr *MockCertificaterMockRecorder) GetIssuingCA() *gomock.Call

GetIssuingCA indicates an expected call of GetIssuingCA.

func (*MockCertificaterMockRecorder) GetPrivateKey added in v0.6.0

func (mr *MockCertificaterMockRecorder) GetPrivateKey() *gomock.Call

GetPrivateKey indicates an expected call of GetPrivateKey.

func (*MockCertificaterMockRecorder) GetSerialNumber added in v0.8.0

func (mr *MockCertificaterMockRecorder) GetSerialNumber() *gomock.Call

GetSerialNumber indicates an expected call of GetSerialNumber.

type MockManager added in v0.6.0

type MockManager struct {
	// contains filtered or unexported fields
}

MockManager is a mock of Manager interface.

func NewMockManager added in v0.6.0

func NewMockManager(ctrl *gomock.Controller) *MockManager

NewMockManager creates a new mock instance.

func (*MockManager) EXPECT added in v0.6.0

func (m *MockManager) EXPECT() *MockManagerMockRecorder

EXPECT returns an object that allows the caller to indicate expected use.

func (*MockManager) GetCertificate added in v0.6.0

func (m *MockManager) GetCertificate(arg0 CommonName) (Certificater, error)

GetCertificate mocks base method.

func (*MockManager) GetRootCertificate added in v0.6.0

func (m *MockManager) GetRootCertificate() (Certificater, error)

GetRootCertificate mocks base method.

func (*MockManager) IssueCertificate added in v0.6.0

func (m *MockManager) IssueCertificate(arg0 CommonName, arg1 time.Duration) (Certificater, error)

IssueCertificate mocks base method.

func (*MockManager) ListCertificates added in v0.6.0

func (m *MockManager) ListCertificates() ([]Certificater, error)

ListCertificates mocks base method.

func (*MockManager) ReleaseCertificate added in v0.6.0

func (m *MockManager) ReleaseCertificate(arg0 CommonName)

ReleaseCertificate mocks base method.

func (*MockManager) RotateCertificate added in v0.6.0

func (m *MockManager) RotateCertificate(arg0 CommonName) (Certificater, error)

RotateCertificate mocks base method.

type MockManagerMockRecorder added in v0.6.0

type MockManagerMockRecorder struct {
	// contains filtered or unexported fields
}

MockManagerMockRecorder is the mock recorder for MockManager.

func (*MockManagerMockRecorder) GetCertificate added in v0.6.0

func (mr *MockManagerMockRecorder) GetCertificate(arg0 interface{}) *gomock.Call

GetCertificate indicates an expected call of GetCertificate.

func (*MockManagerMockRecorder) GetRootCertificate added in v0.6.0

func (mr *MockManagerMockRecorder) GetRootCertificate() *gomock.Call

GetRootCertificate indicates an expected call of GetRootCertificate.

func (*MockManagerMockRecorder) IssueCertificate added in v0.6.0

func (mr *MockManagerMockRecorder) IssueCertificate(arg0, arg1 interface{}) *gomock.Call

IssueCertificate indicates an expected call of IssueCertificate.

func (*MockManagerMockRecorder) ListCertificates added in v0.6.0

func (mr *MockManagerMockRecorder) ListCertificates() *gomock.Call

ListCertificates indicates an expected call of ListCertificates.

func (*MockManagerMockRecorder) ReleaseCertificate added in v0.6.0

func (mr *MockManagerMockRecorder) ReleaseCertificate(arg0 interface{}) *gomock.Call

ReleaseCertificate indicates an expected call of ReleaseCertificate.

func (*MockManagerMockRecorder) RotateCertificate added in v0.6.0

func (mr *MockManagerMockRecorder) RotateCertificate(arg0 interface{}) *gomock.Call

RotateCertificate indicates an expected call of RotateCertificate.

type SerialNumber added in v0.7.0

type SerialNumber string

SerialNumber is the Serial Number of the given certificate.

func (SerialNumber) String added in v0.7.0

func (sn SerialNumber) String() string

Directories

Path: Synopsis
pem: Package pem defines the types for the attributes of a Certificate.
providers: Package providers implements generic certificate provider related functionality.
providers/certmanager: Package certmanager implements the certificate.Manager interface for cert-manager.io as the certificate provider.
providers/tresor: Package tresor implements the certificate.Manager interface for Tresor, a custom certificate provider in OSM.
providers/vault: Package vault implements the certificate.Manager interface for Hashicorp Vault as the certificate provider.
rotor: Package rotor implements functionality to rotate certificates provided by a certificate provider.
