Documentation ¶
Index ¶
- Constants
- func CanonicalName(name []byte) ([]byte, error)
- func CanonicalString(s string) string
- func GenerateHashLinks(dir string, certPaths []string) error
- func SplitCerts(path string, certDir string) ([]string, error)
- func SubjectNameHash(cert *x509.Certificate) (uint32, error)
- type Build
- type Detect
- type ExecD
- type TrustedCACerts
Constants ¶
const (
	// EnvCAPath is the environment variable that can be used to set CApath
	EnvCAPath string = "SSL_CERT_DIR"
	// EnvCAFile is the environment variable that can be used to set CAfile
	EnvCAFile string = "SSL_CERT_FILE"
	// DefaultCAFile provides the default CAfile on ubuntu
	DefaultCAFile string = "/etc/ssl/certs/ca-certificates.crt"
)
Environment variables and defaults used by openssl to load trusted CA certificates (see https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_default_verify_paths.html)
const (
	// PlanEntryCACerts if present in the build plan indicates that certificates should be added to the
	// truststore at build time.
	PlanEntryCACerts = "ca-certificates"
	// PlanEntryCACertsHelper if present in the build plan indicates that the ca-cert-helper binary should be
	// contributed to the app image.
	PlanEntryCACertsHelper = "ca-certificates-helper"
)
const (
	CACertsDir    = "ca-certificates"
	EmbedCertsDir = "embedded-certs"
)
const (
BindingType = "ca-certificates" // BindingType is used to resolve bindings containing CA certificates
)
const (
	// ExecutableCACertsHelper provides the name of the exec.d executable that adds CA certificates to the truststore
	// at runtime.
	ExecutableCACertsHelper = "ca-certificates-helper"
)
Variables ¶
This section is empty.
Functions ¶
func CanonicalName ¶
func CanonicalName(name []byte) ([]byte, error)
CanonicalName accepts a DER encoded subject name and returns a "Canonical Encoding" matching that returned by the x509_name_canon function in openssl. All string values are transformed with CanonicalString and re-encoded as UTF-8 strings, and the leading SEQUENCE header is removed.
For more information see https://stackoverflow.com/questions/34095440/hash-algorithm-for-certificate-crl-directory.
func CanonicalString ¶
func CanonicalString(s string) string
CanonicalString transforms the given string. All leading and trailing whitespace is trimmed, where whitespace is defined as a space, formfeed, tab, newline, carriage return, or vertical tab character. Any remaining sequence of one or more consecutive whitespace characters is replaced with a single ' '.
This is a reimplementation of asn1_string_canon in openssl.
func GenerateHashLinks ¶
func GenerateHashLinks(dir string, certPaths []string) error
GenerateHashLinks generates symlinks in the given directory that point to the given certificate paths. The name of each symlink file is of the format HHHHHHHH.D, where HHHHHHHH is the 8 character hexadecimal representation of the SubjectNameHash. D shall be the integer '0' unless there is a hash conflict, in which case D is incremented for each later conflicting cert.
These links are used by openssl to look up a given CA by subject name.
func SubjectNameHash ¶
func SubjectNameHash(cert *x509.Certificate) (uint32, error)
SubjectNameHash is a reimplementation of X509_subject_name_hash in openssl. It computes the SHA-1 of the canonical encoding of the certificate's subject name and returns the 32-bit integer represented by the first four bytes of the hash using little-endian byte order.
Types ¶
type Build ¶
func (Build) Build ¶
func (b Build) Build(context libcnb.BuildContext) (libcnb.BuildResult, error)
Build returns a libcnb.BuildResult for the given context. Build always contributes a launch layer containing the ca-cert-helper executable.
If the buildpack plan contains an entry with name "ca-certificates", Build will contribute a build layer that adds the CA certificates at the paths provided in the plan entry metadata to the system truststore.
type Detect ¶
type Detect struct{}
func (Detect) Detect ¶
func (d Detect) Detect(context libcnb.DetectContext) (libcnb.DetectResult, error)
Detect always passes by default and optionally provides ca-certificates. If there is a binding of type "ca-certificates" Detect also requires ca-certificates and provides an array of certificate paths in the plan entry metadata.
To prevent default detection, users can set the BP_RUNTIME_CERT_BINDING_DISABLED environment variable to "true" at build-time. This will disable the helper layer, and the buildpack will only detect if there is no ca-certificates binding present at build-time.
type ExecD ¶
type TrustedCACerts ¶
type TrustedCACerts struct {
	CertPaths         []string
	EmbeddedCerts     bool
	GenerateHashLinks func(dir string, certPaths []string) error
	LayerContributor  libpak.LayerContributor
	Logger            bard.Logger
}
func NewTrustedCACerts ¶
func NewTrustedCACerts(paths []string, embedCACerts bool) *TrustedCACerts
func (TrustedCACerts) Contribute ¶
Contribute creates a build layer that adds the certificates at Layer.CAPaths to the set of trusted CAs.
func (*TrustedCACerts) ContributeEmbedCACerts ¶ added in v3.2.0
func (l *TrustedCACerts) ContributeEmbedCACerts(layer libcnb.Layer) error
func (TrustedCACerts) Name ¶
func (TrustedCACerts) Name() string