Affected by GO-2023-1800 and 2 other vulnerabilities

GO-2023-1800: Pomerium vulnerable to Incorrect Authorization with specially crafted requests in github.com/pomerium/pomerium

GO-2024-2965: Pomerium exposed OAuth2 access and ID tokens in user info endpoint response in github.com/pomerium/pomerium

GO-2024-3179: Pomerium service account access token may grant unintended access to databroker API in github.com/pomerium/pomerium

derivecert

package

v0.22.1 Latest Latest Go to latest Published: May 4, 2023 License: Apache-2.0 Imports: 15 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/pomerium/pomerium

Links

Open Source Insights

Documentation ¶

Overview ¶

Package derivecert is used to deterministically generate TLS certificate authority and certificates out of pre-shared key

Index ¶

type CA
- func CAFromPEM(p PEM) (*CA, string, error)
- func NewCA(psk []byte) (*CA, error)
type PEM
- func ToPEM(key *ecdsa.PrivateKey, certDer []byte) (*PEM, error)
- func (p *PEM) KeyCert() (*ecdsa.PrivateKey, *x509.Certificate, error)
- func (p *PEM) TLS() (tls.Certificate, error)

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type CA ¶

type CA struct {
	// contains filtered or unexported fields
}

CA is certificate authority

func NewCA ¶

func NewCA(psk []byte) (*CA, error)

NewCA creates new certificate authority using a pre-shared key. This certificate authority is generated on the fly and would yield the same private key every time for the given PSK.

That allows services that have a certain pre-shared key (i.e. shared_secret) to have automatic TLS without need to share and distribute certs, and provides a better alternative to plaintext communication, but is not a replacement for proper mTLS.

func (*CA) Key ¶

func (ca *CA) Key() *ecdsa.PrivateKey

Key returns CA private key

func (*CA) NewServerCert ¶

func (ca *CA) NewServerCert(domains []string, configure ...func(*x509.Certificate)) (*PEM, error)

NewServerCert generates certificate for the given domain name(s)

func (*CA) PEM ¶

func (ca *CA) PEM() (*PEM, error)

PEM returns PEM-encoded cert and key

type PEM ¶

type PEM struct {
	Cert []byte
	Key  []byte
}

PEM representation of certificate authority data, serializable to JSON

func ToPEM ¶

func ToPEM(key *ecdsa.PrivateKey, certDer []byte) (*PEM, error)

ToPEM converts private key and certificate into PEM representation

func (*PEM) KeyCert ¶

func (p *PEM) KeyCert() (*ecdsa.PrivateKey, *x509.Certificate, error)

KeyCert parses private key and cert from PEM encoded format

func (*PEM) TLS ¶

func (p *PEM) TLS() (tls.Certificate, error)

TLS parses PEM and returns TLS certificate

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
config Package config implements derived certs in the Pomerium Configuration	Package config implements derived certs in the Pomerium Configuration

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL

Documentation ¶

Overview ¶

Index ¶

Constants ¶

Variables ¶

Functions ¶

Types ¶

type CA ¶

func CAFromPEM ¶

func NewCA ¶

func (*CA) Key ¶

func (*CA) NewServerCert ¶

func (*CA) PEM ¶

type PEM ¶

func ToPEM ¶

func (*PEM) KeyCert ¶

func (*PEM) TLS ¶

Source Files ¶

Directories ¶