crypto

package
v0.0.0-...-64d8d9e Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 27, 2024 License: Apache-2.0 Imports: 27 Imported by: 277

Documentation

Index

Constants

View Source
const (
	DefaultCertificateLifetimeInDays   = 365 * 2 // 2 years
	DefaultCACertificateLifetimeInDays = 365 * 5 // 5 years

)

Variables

This section is empty.

Functions

func CertsFromPEM

func CertsFromPEM(pemCerts []byte) ([]*x509.Certificate, error)

func CipherSuite

func CipherSuite(cipherName string) (uint16, error)

func CipherSuiteToNameOrDie

func CipherSuiteToNameOrDie(intVal uint16) string

CipherSuiteToNameOrDie given a cipher suite as an int, return its readable name

func CipherSuitesOrDie

func CipherSuitesOrDie(cipherNames []string) []uint16

func CipherSuitesToNamesOrDie

func CipherSuitesToNamesOrDie(intVals []uint16) []string

CipherSuitesToNamesOrDie given a list of cipher suites as ints, return their readable names

func DefaultCiphers

func DefaultCiphers() []uint16

func DefaultTLSVersion

func DefaultTLSVersion() uint16

func EncodeCertificates

func EncodeCertificates(certs ...*x509.Certificate) ([]byte, error)

func EncodeKey

func EncodeKey(key crypto.PrivateKey) ([]byte, error)

func FilterExpiredCerts

func FilterExpiredCerts(certs ...*x509.Certificate) []*x509.Certificate

FilterExpiredCerts checks are all certificates in the bundle valid, i.e. they have not expired. The function returns new bundle with only valid certificates or error if no valid certificate is found.

func GolangTLSVersions

func GolangTLSVersions() []string

TLS versions that are known to golang, but may not necessarily be enabled.

func IPAddressesDNSNames

func IPAddressesDNSNames(hosts []string) ([]net.IP, []string)

func NewClientCertificateTemplate

func NewClientCertificateTemplate(subject pkix.Name, expireDays int, currentTime func() time.Time) *x509.Certificate

Can be used as a certificate in http.Transport TLSClientConfig

func NewClientCertificateTemplateForDuration

func NewClientCertificateTemplateForDuration(subject pkix.Name, lifetime time.Duration, currentTime func() time.Time) *x509.Certificate

Can be used as a certificate in http.Transport TLSClientConfig

func NewKeyPair

func NewKeyPair() (crypto.PublicKey, crypto.PrivateKey, error)

func OpenSSLToIANACipherSuites

func OpenSSLToIANACipherSuites(ciphers []string) []string

OpenSSLToIANACipherSuites maps input OpenSSL Cipher Suite names to their IANA counterparts. Unknown ciphers are left out.

func SecureTLSConfig

func SecureTLSConfig(config *tls.Config) *tls.Config

SecureTLSConfig enforces the default minimum security settings for the cluster.

func TLSVersion

func TLSVersion(versionName string) (uint16, error)

func TLSVersionOrDie

func TLSVersionOrDie(versionName string) uint16

func TLSVersionToNameOrDie

func TLSVersionToNameOrDie(intVal uint16) string

TLSVersionToNameOrDie given a tls version as an int, return its readable name

func UserToSubject

func UserToSubject(u user.Info) pkix.Name

func ValidCipherSuites

func ValidCipherSuites() []string

func ValidTLSVersions

func ValidTLSVersions() []string

Returns the build enabled TLS versions.

Types

type CA

type CA struct {
	Config *TLSCertificateConfig

	SerialGenerator SerialGenerator
}

func EnsureCA

func EnsureCA(certFile, keyFile, serialFile, name string, expireDays int) (*CA, bool, error)

EnsureCA returns a CA, whether it was created (as opposed to pre-existing), and any error if serialFile is empty, a RandomSerialGenerator will be used

func GetCA

func GetCA(certFile, keyFile, serialFile string) (*CA, error)

if serialFile is empty, a RandomSerialGenerator will be used

func GetCAFromBytes

func GetCAFromBytes(certBytes, keyBytes []byte) (*CA, error)

func MakeSelfSignedCA

func MakeSelfSignedCA(certFile, keyFile, serialFile, name string, expireDays int) (*CA, error)

if serialFile is empty, a RandomSerialGenerator will be used

func (*CA) EnsureClientCertificate

func (ca *CA) EnsureClientCertificate(certFile, keyFile string, u user.Info, expireDays int) (*TLSCertificateConfig, bool, error)

func (*CA) EnsureServerCert

func (ca *CA) EnsureServerCert(certFile, keyFile string, hostnames sets.Set[string], expireDays int) (*TLSCertificateConfig, bool, error)

func (*CA) EnsureSubCA

func (ca *CA) EnsureSubCA(certFile, keyFile, serialFile, name string, expireDays int) (*CA, bool, error)

EnsureSubCA returns a subCA signed by the `ca`, whether it was created (as opposed to pre-existing), and any error that might occur during the subCA creation. If serialFile is an empty string, a RandomSerialGenerator will be used.

func (*CA) MakeAndWriteServerCert

func (ca *CA) MakeAndWriteServerCert(certFile, keyFile string, hostnames sets.Set[string], expireDays int) (*TLSCertificateConfig, error)

func (*CA) MakeAndWriteSubCA

func (ca *CA) MakeAndWriteSubCA(certFile, keyFile, serialFile, name string, expireDays int) (*CA, error)

MakeAndWriteSubCA returns a new sub-CA configuration. New cert/key pair is generated while using this function. If serialFile is an empty string, a RandomSerialGenerator will be used.

func (*CA) MakeClientCertificate

func (ca *CA) MakeClientCertificate(certFile, keyFile string, u user.Info, expireDays int) (*TLSCertificateConfig, error)

func (*CA) MakeClientCertificateForDuration

func (ca *CA) MakeClientCertificateForDuration(u user.Info, lifetime time.Duration) (*TLSCertificateConfig, error)

func (*CA) MakeServerCert

func (ca *CA) MakeServerCert(hostnames sets.Set[string], expireDays int, fns ...CertificateExtensionFunc) (*TLSCertificateConfig, error)

func (*CA) MakeServerCertForDuration

func (ca *CA) MakeServerCertForDuration(hostnames sets.Set[string], lifetime time.Duration, fns ...CertificateExtensionFunc) (*TLSCertificateConfig, error)

func (*CA) SignCertificate

func (ca *CA) SignCertificate(template *x509.Certificate, requestKey crypto.PublicKey) (*x509.Certificate, error)

type CertificateExtensionFunc

type CertificateExtensionFunc func(*x509.Certificate) error

CertificateExtensionFunc is passed a certificate that it may extend, or return an error if the extension attempt failed.

type RandomSerialGenerator

type RandomSerialGenerator struct {
}

RandomSerialGenerator returns a serial based on time.Now and the subject

func (*RandomSerialGenerator) Next

func (s *RandomSerialGenerator) Next(template *x509.Certificate) (int64, error)

type SerialFileGenerator

type SerialFileGenerator struct {
	SerialFile string

	Serial int64
	// contains filtered or unexported fields
}

SerialFileGenerator returns a unique, monotonically increasing serial number and ensures the CA on disk records that value.

func NewSerialFileGenerator

func NewSerialFileGenerator(serialFile string) (*SerialFileGenerator, error)

func (*SerialFileGenerator) Next

func (s *SerialFileGenerator) Next(template *x509.Certificate) (int64, error)

Next returns a unique, monotonically increasing serial number and ensures the CA on disk records that value.

type SerialGenerator

type SerialGenerator interface {
	Next(template *x509.Certificate) (int64, error)
}

SerialGenerator is an interface for getting a serial number for the cert. It MUST be thread-safe.

type TLSCARoots

type TLSCARoots struct {
	Roots []*x509.Certificate
}

type TLSCertificateConfig

type TLSCertificateConfig struct {
	Certs []*x509.Certificate
	Key   crypto.PrivateKey
}

func GetClientCertificate

func GetClientCertificate(certFile, keyFile string, u user.Info) (*TLSCertificateConfig, error)

func GetServerCert

func GetServerCert(certFile, keyFile string, hostnames sets.Set[string]) (*TLSCertificateConfig, error)

func GetTLSCertificateConfig

func GetTLSCertificateConfig(certFile, keyFile string) (*TLSCertificateConfig, error)

func GetTLSCertificateConfigFromBytes

func GetTLSCertificateConfigFromBytes(certBytes, keyBytes []byte) (*TLSCertificateConfig, error)

func MakeCAConfigForDuration

func MakeCAConfigForDuration(name string, caLifetime time.Duration, issuer *CA) (*TLSCertificateConfig, error)

func MakeSelfSignedCAConfig

func MakeSelfSignedCAConfig(name string, expireDays int) (*TLSCertificateConfig, error)

func MakeSelfSignedCAConfigForDuration

func MakeSelfSignedCAConfigForDuration(name string, caLifetime time.Duration) (*TLSCertificateConfig, error)

func MakeSelfSignedCAConfigForSubject

func MakeSelfSignedCAConfigForSubject(subject pkix.Name, expireDays int) (*TLSCertificateConfig, error)

func UnsafeMakeSelfSignedCAConfigForDurationAtTime

func UnsafeMakeSelfSignedCAConfigForDurationAtTime(name string, currentTime func() time.Time, caLifetime time.Duration) (*TLSCertificateConfig, error)

func (*TLSCertificateConfig) GetPEMBytes

func (c *TLSCertificateConfig) GetPEMBytes() ([]byte, []byte, error)

func (*TLSCertificateConfig) WriteCertConfig

func (c *TLSCertificateConfig) WriteCertConfig(certFile, keyFile io.Writer) error

func (*TLSCertificateConfig) WriteCertConfigFile

func (c *TLSCertificateConfig) WriteCertConfigFile(certFile, keyFile string) error

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL