Documentation ¶
Overview ¶
Package x509 provides a wrapper around the standard crypto/* packages (crypto/x509, crypto/tls, crypto/rsa, crypto/ecdsa, crypto/ed25519) for generating keys, CSRs, certificate authorities and PEM-encoded certificate/key pairs.
Index ¶
- Constants
- func Hash(crt *x509.Certificate) string
- func MatchSPKIFingerprints(fingerprints ...Fingerprint) func(tls.ConnectionState) error
- func NewECDSACSRAndIdentity(setters ...Option) (*CertificateSigningRequest, *PEMEncodedCertificateAndKey, error)
- func NewEd25519CSRAndIdentity(setters ...Option) (*CertificateSigningRequest, *PEMEncodedCertificateAndKey, error)
- func NewRSACSRAndIdentity(setters ...Option) (*CertificateSigningRequest, *PEMEncodedCertificateAndKey, error)
- func NewSerialNumber() (*big.Int, error)
- type Certificate
- type CertificateAuthority
- func ECDSACertificateAuthority(template *x509.Certificate) (*CertificateAuthority, error)
- func Ed25519CertificateAuthority(template *x509.Certificate) (*CertificateAuthority, error)
- func NewCertificateAuthorityFromCertificateAndKey(p *PEMEncodedCertificateAndKey) (*CertificateAuthority, error)
- func NewSelfSignedCertificateAuthority(setters ...Option) (*CertificateAuthority, error)
- func RSACertificateAuthority(template *x509.Certificate, opts *Options) (*CertificateAuthority, error)
- type CertificateSigningRequest
- type ECDSAKey
- type Ed25519Key
- type Fingerprint
- type Key
- type KeyPair
- type Option
- func Bits(o int) Option
- func CommonName(o string) Option
- func DNSNames(o []string) Option
- func ECDSA(o bool) Option
- func ECDSASHA512(o bool) Option
- func ExtKeyUsage(o []x509.ExtKeyUsage) Option
- func IPAddresses(o []net.IP) Option
- func KeyUsage(o x509.KeyUsage) Option
- func NotAfter(o time.Time) Option
- func NotBefore(o time.Time) Option
- func Organization(o ...string) Option
- func OverrideSubject(f func(*pkix.Name)) Option
- func RSA(o bool) Option
- func SignatureAlgorithm(o x509.SignatureAlgorithm) Option
- type Options
- type PEMEncodedCertificate
- func (p *PEMEncodedCertificate) DeepCopy() *PEMEncodedCertificate
- func (p *PEMEncodedCertificate) DeepCopyInto(out *PEMEncodedCertificate)
- func (p *PEMEncodedCertificate) GetCert() (*x509.Certificate, error)
- func (p *PEMEncodedCertificate) MarshalYAML() (interface{}, error)
- func (p *PEMEncodedCertificate) UnmarshalYAML(unmarshal func(interface{}) error) error
- type PEMEncodedCertificateAndKey
- func NewCertficateAndKey(crt *x509.Certificate, key interface{}, setters ...Option) (*PEMEncodedCertificateAndKey, error)deprecated
- func NewCertificateAndKey(crt *x509.Certificate, key interface{}, setters ...Option) (*PEMEncodedCertificateAndKey, error)
- func NewCertificateAndKeyFromCertificateAuthority(ca *CertificateAuthority) *PEMEncodedCertificateAndKey
- func NewCertificateAndKeyFromFiles(crt, key string) (*PEMEncodedCertificateAndKey, error)
- func NewCertificateAndKeyFromKeyPair(keyPair *KeyPair) *PEMEncodedCertificateAndKey
- func (p *PEMEncodedCertificateAndKey) DeepCopy() *PEMEncodedCertificateAndKey
- func (p *PEMEncodedCertificateAndKey) DeepCopyInto(out *PEMEncodedCertificateAndKey)
- func (p *PEMEncodedCertificateAndKey) GetCert() (*x509.Certificate, error)
- func (p *PEMEncodedCertificateAndKey) GetECDSAKey() (*ecdsa.PrivateKey, error)
- func (p *PEMEncodedCertificateAndKey) GetEd25519Key() (ed25519.PrivateKey, error)
- func (p *PEMEncodedCertificateAndKey) GetKey() (interface{}, error)
- func (p *PEMEncodedCertificateAndKey) GetRSAKey() (*rsa.PrivateKey, error)
- func (p *PEMEncodedCertificateAndKey) MarshalYAML() (interface{}, error)
- func (p *PEMEncodedCertificateAndKey) UnmarshalYAML(unmarshal func(interface{}) error) error
- type PEMEncodedKey
- func (p *PEMEncodedKey) DeepCopy() *PEMEncodedKey
- func (p *PEMEncodedKey) DeepCopyInto(out *PEMEncodedKey)
- func (p *PEMEncodedKey) GetECDSAKey() (*ECDSAKey, error)
- func (p *PEMEncodedKey) GetEd25519Key() (*Ed25519Key, error)
- func (p *PEMEncodedKey) GetKey() (Key, error)
- func (p *PEMEncodedKey) GetRSAKey() (*RSAKey, error)
- func (p *PEMEncodedKey) MarshalYAML() (interface{}, error)
- func (p *PEMEncodedKey) UnmarshalYAML(unmarshal func(interface{}) error) error
- type RSAKey
Constants ¶
// PEM Block Header Types.
//
// These are the labels written into the "-----BEGIN <type>-----" line of the
// PEM blocks this package emits and expects. Not all of them are the headers
// other tooling conventionally uses: "PUBLIC KEY" (used here for RSA public
// keys) is the generic PKIX header, whereas "EC PUBLIC KEY",
// "ED25519 PRIVATE KEY" and "ED25519 PUBLIC KEY" are package-specific labels.
// NOTE(review): check interoperability before handing these blocks to external
// tools (e.g. OpenSSL), which typically expect "PUBLIC KEY" / "PRIVATE KEY"
// for EC and Ed25519 material.
const (
	PEMTypeRSAPrivate         = "RSA PRIVATE KEY"
	PEMTypeRSAPublic          = "PUBLIC KEY"
	PEMTypeECPrivate          = "EC PRIVATE KEY"
	PEMTypeECPublic           = "EC PUBLIC KEY"
	PEMTypeEd25519Private     = "ED25519 PRIVATE KEY"
	PEMTypeEd25519Public      = "ED25519 PUBLIC KEY"
	PEMTypeCertificate        = "CERTIFICATE"
	PEMTypeCertificateRequest = "CERTIFICATE REQUEST"
)
const DefaultCertificateValidityDuration = 24 * time.Hour
DefaultCertificateValidityDuration is the default certificate lifetime (24 hours), presumably applied when no NotAfter option is supplied.
const Redacted = "******"
Redacted is a sentinel string used to indicate that a private key has been redacted and should be YAML-marshaled as-is, without base64 encoding.
If the value of a private key is exactly this string (as bytes), it is marshaled verbatim into the YAML output instead of being base64-encoded, so a redacted document round-trips as a visible placeholder rather than as an opaque base64 blob that looks like real key material.
Variables ¶
This section is empty.
Functions ¶
func Hash ¶
func Hash(crt *x509.Certificate) string
Hash calculates the SHA-256 hash of the Subject Public Key Info (SPKI) structure of an X.509 certificate, computed over its DER encoding, and returns the full digest as a hex-encoded string. The format matches kubeadm's public-key pinning (suitable for passing to the pubkeypin Set.Allow in the linked file). See https://github.com/kubernetes/kubernetes/blob/f557e0f7e3ee9089769ed3f03187fdd4acbb9ac1/cmd/kubeadm/app/util/pubkeypin/pubkeypin.go
func MatchSPKIFingerprints ¶
func MatchSPKIFingerprints(fingerprints ...Fingerprint) func(tls.ConnectionState) error
MatchSPKIFingerprints returns a function suitable for use as the tls.Config.VerifyConnection callback; it rejects the connection unless the SPKI fingerprint of the peer's certificate matches one of the supplied fingerprints. Note that crypto/tls runs VerifyConnection in addition to its normal chain verification, so this callback only replaces chain verification when tls.Config.InsecureSkipVerify is also set — in that configuration the fingerprint check is the sole authentication of the peer, and the fingerprint list must come from a trusted source. Whether only the leaf or every certificate in the peer chain is compared is not visible from this signature; confirm against the implementation.
func NewECDSACSRAndIdentity ¶
func NewECDSACSRAndIdentity(setters ...Option) (*CertificateSigningRequest, *PEMEncodedCertificateAndKey, error)
NewECDSACSRAndIdentity generates a new ECDSA key and returns it as a PEM-encoded certificate-and-key identity, along with a CSR for the generated key.
func NewEd25519CSRAndIdentity ¶
func NewEd25519CSRAndIdentity(setters ...Option) (*CertificateSigningRequest, *PEMEncodedCertificateAndKey, error)
NewEd25519CSRAndIdentity generates a new Ed25519 key and returns it as a PEM-encoded certificate-and-key identity, along with a CSR for the generated key.
func NewRSACSRAndIdentity ¶
func NewRSACSRAndIdentity(setters ...Option) (*CertificateSigningRequest, *PEMEncodedCertificateAndKey, error)
NewRSACSRAndIdentity generates a new RSA key and returns it as a PEM-encoded certificate-and-key identity, along with a CSR for the generated key.
func NewSerialNumber ¶
NewSerialNumber generates a random serial number for an X.509 certificate. Callers relying on the serial for uniqueness or unpredictability should confirm that the implementation draws at least 64 bits from crypto/rand and stays within RFC 5280's limit of a positive integer of at most 20 octets; neither property is visible from this signature.
Types ¶
type Certificate ¶
// Certificate represents an X.509 certificate, in both parsed and PEM-encoded form.
type Certificate struct {
	// X509Certificate is the parsed certificate.
	X509Certificate *x509.Certificate
	// X509CertificatePEM is the PEM encoding of the same certificate.
	X509CertificatePEM []byte
}
func NewCertificateFromCSR ¶
func NewCertificateFromCSR(ca *x509.Certificate, key interface{}, csr *x509.CertificateRequest, setters ...Option) (*Certificate, error)
NewCertificateFromCSR creates an X.509 certificate from the provided CSR and signs it with the CA certificate and private key (ca, key). The OverrideSubject option can rewrite subject fields during signing. Nothing documented here indicates that the CSR's requested subject, SANs or key usages are checked against a policy, or that the CSR signature is verified — callers signing CSRs from untrusted parties should validate those fields and call csr.CheckSignature before calling this function, unless the implementation is confirmed to do so.
func NewCertificateFromCSRBytes ¶
func NewCertificateFromCSRBytes(ca, key, csr []byte, setters ...Option) (*Certificate, error)
NewCertificateFromCSRBytes is the []byte form of NewCertificateFromCSR: it parses the CA certificate, CA private key and CSR from their byte representations (presumably PEM, matching the rest of the package) and returns the signed certificate. The same caveat about validating untrusted CSR contents before signing applies.
type CertificateAuthority ¶
// CertificateAuthority represents a CA: its certificate and the private key
// used to sign certificates issued under it.
type CertificateAuthority struct {
	// Crt is the parsed CA certificate.
	Crt *x509.Certificate
	// CrtPEM is the PEM encoding of Crt.
	CrtPEM []byte
	// Key is the CA private key. Its dynamic type depends on how the CA was
	// built (ECDSACertificateAuthority, Ed25519CertificateAuthority,
	// RSACertificateAuthority) — presumably *ecdsa.PrivateKey,
	// ed25519.PrivateKey or *rsa.PrivateKey respectively; confirm against the
	// implementation before type-asserting.
	Key interface{}
	// KeyPEM is the PEM encoding of Key. Key and KeyPEM are secret material:
	// both fields are exported, so any generic serializer or debug print of
	// this struct will include them.
	KeyPEM []byte
}
func ECDSACertificateAuthority ¶
func ECDSACertificateAuthority(template *x509.Certificate) (*CertificateAuthority, error)
ECDSACertificateAuthority creates an ECDSA CA.
func Ed25519CertificateAuthority ¶
func Ed25519CertificateAuthority(template *x509.Certificate) (*CertificateAuthority, error)
Ed25519CertificateAuthority creates an Ed25519 CA.
func NewCertificateAuthorityFromCertificateAndKey ¶
func NewCertificateAuthorityFromCertificateAndKey(p *PEMEncodedCertificateAndKey) (*CertificateAuthority, error)
NewCertificateAuthorityFromCertificateAndKey builds CertificateAuthority from PEMEncodedCertificateAndKey.
func NewSelfSignedCertificateAuthority ¶
func NewSelfSignedCertificateAuthority(setters ...Option) (*CertificateAuthority, error)
NewSelfSignedCertificateAuthority creates a self-signed CA configured for server and client authentication.
func RSACertificateAuthority ¶
func RSACertificateAuthority(template *x509.Certificate, opts *Options) (*CertificateAuthority, error)
RSACertificateAuthority creates an RSA CA.
type CertificateSigningRequest ¶
// CertificateSigningRequest represents a CSR, in both parsed and PEM-encoded form.
type CertificateSigningRequest struct {
	// X509CertificateRequest is the parsed CSR.
	X509CertificateRequest *x509.CertificateRequest
	// X509CertificateRequestPEM is the PEM encoding of the same CSR.
	X509CertificateRequestPEM []byte
}
func NewCertificateSigningRequest ¶
func NewCertificateSigningRequest(key interface{}, setters ...Option) (*CertificateSigningRequest, error)
NewCertificateSigningRequest creates a CSR. If the IPAddresses or DNSNames options are not specified, the CSR will be generated with the default values set in NewDefaultOptions.
type ECDSAKey ¶
// ECDSAKey represents an ECDSA key pair in PEM-encoded form.
// Note the field naming differs from Ed25519Key (KeyPEM here vs. PrivateKeyPEM there).
type ECDSAKey struct {
	// KeyPEM is the PEM-encoded private key (secret material).
	KeyPEM []byte
	// PublicKeyPEM is the PEM-encoded public key.
	PublicKeyPEM []byte
	// contains filtered or unexported fields
}
func (*ECDSAKey) GetPrivateKeyPEM ¶
GetPrivateKeyPEM implements Key interface.
func (*ECDSAKey) GetPublicKeyPEM ¶
GetPublicKeyPEM implements Key interface.
type Ed25519Key ¶
// Ed25519Key represents an Ed25519 key pair, in both raw and PEM-encoded forms.
type Ed25519Key struct {
	// PublicKey is the raw public key.
	PublicKey ed25519.PublicKey
	// PrivateKey is the raw private key. This is secret material: it is an
	// exported field, so generic serializers and debug prints of the struct
	// will include it.
	PrivateKey ed25519.PrivateKey
	// PublicKeyPEM is the PEM encoding of PublicKey (presumably what
	// GetPublicKeyPEM returns).
	PublicKeyPEM []byte
	// PrivateKeyPEM is the PEM encoding of PrivateKey (presumably what
	// GetPrivateKeyPEM returns); secret material as well.
	PrivateKeyPEM []byte
}
func NewEd25519Key ¶
func NewEd25519Key() (*Ed25519Key, error)
NewEd25519Key generates an Ed25519 key pair.
func (*Ed25519Key) GetPrivateKeyPEM ¶
func (k *Ed25519Key) GetPrivateKeyPEM() []byte
GetPrivateKeyPEM implements Key interface.
func (*Ed25519Key) GetPublicKeyPEM ¶
func (k *Ed25519Key) GetPublicKeyPEM() []byte
GetPublicKeyPEM implements Key interface.
type Fingerprint ¶
// Fingerprint represents the SPKI (SubjectPublicKeyInfo) fingerprint of a
// certificate: a digest over the certificate's public key rather than over the
// whole certificate, so it stays stable across renewals that keep the same key
// (see SPKIFingerprint and MatchSPKIFingerprints).
type Fingerprint []byte
func ParseFingerprint ¶
func ParseFingerprint(s string) (Fingerprint, error)
ParseFingerprint parses the string representation of a fingerprint (the inverse of Fingerprint.String); the exact textual format is not stated here.
func SPKIFingerprint ¶
func SPKIFingerprint(cert *x509.Certificate) Fingerprint
SPKIFingerprint computes SPKI certificate fingerprint.
func SPKIFingerprintFromDER ¶
func SPKIFingerprintFromDER(certDER []byte) (Fingerprint, error)
SPKIFingerprintFromDER computes SPKI certificate fingerprint from ASN.1 DER representation of the x509 certificate.
func SPKIFingerprintFromPEM ¶
func SPKIFingerprintFromPEM(certPEM []byte) (Fingerprint, error)
SPKIFingerprintFromPEM computes SPKI certificate fingerprint from PEM representation of the x509 certificate.
func (Fingerprint) Equal ¶
func (f Fingerprint) Equal(other Fingerprint) bool
Equal reports whether the two fingerprints match.
func (Fingerprint) String ¶
func (f Fingerprint) String() string
type KeyPair ¶
// KeyPair represents a certificate and key pair.
type KeyPair struct {
	// Embedded tls.Certificate (built via tls.X509KeyPair, see NewKeyPair),
	// usable directly in tls.Config.Certificates. The embedding promotes
	// tls.Certificate's fields — including PrivateKey — onto KeyPair.
	*tls.Certificate
	// CrtPEM is the PEM-encoded certificate.
	CrtPEM []byte
	// KeyPEM is the PEM-encoded private key (secret material).
	KeyPEM []byte
}
func NewKeyPair ¶
func NewKeyPair(ca *CertificateAuthority, setters ...Option) (*KeyPair, error)
NewKeyPair generates a new private key and a certificate for it signed by the provided CA. The certificate and private key are then combined into a tls.Certificate via tls.X509KeyPair.
type Option ¶
// Option is the functional option func: each setter in this package
// (CommonName, DNSNames, NotAfter, ...) returns one, and the constructors
// apply them in order to an Options value.
type Option func(*Options)
func CommonName ¶
CommonName sets the common name of the certificate.
func DNSNames ¶
DNSNames sets the DNS names placed in the certificate's Subject Alternative Name (SAN) extension.
func ECDSA ¶
ECDSA sets a flag indicating that the requested operation should use ECDSA instead of the default Ed25519.
func ECDSASHA512 ¶
ECDSASHA512 sets a flag indicating that the requested operation should use ECDSA with SHA-512 instead of the default Ed25519.
Note: this option exists only for compatibility with previous versions of the library; new code should always use ECDSA(true).
func ExtKeyUsage ¶
func ExtKeyUsage(o []x509.ExtKeyUsage) Option
ExtKeyUsage sets the ExtKeyUsage* constants.
func IPAddresses ¶
IPAddresses sets the IP addresses placed in the certificate's Subject Alternative Name (SAN) extension.
func Organization ¶
Organization sets the subject organizations of the certificate.
func OverrideSubject ¶
OverrideSubject sets the option to override fields in the certificate subject when signing a CSR.
func RSA ¶
RSA sets a flag indicating that the requested operation should use RSA with SHA-512 instead of the default Ed25519.
func SignatureAlgorithm ¶
func SignatureAlgorithm(o x509.SignatureAlgorithm) Option
SignatureAlgorithm sets the x509.SignatureAlgorithm (which also determines the hash) used to sign the X.509 certificate. The ECDSA, ECDSASHA512 and RSA options appear to select an algorithm implicitly; this option is for choosing one explicitly.
type Options ¶
// Options is the functional options struct. It is populated by the Option
// setters in this package and read by the certificate, CSR and CA constructors.
type Options struct {
	// CommonName is the subject common name (see CommonName).
	CommonName string
	// Organizations are the subject organizations (see Organization).
	Organizations []string
	// SignatureAlgorithm is the algorithm (and hence hash) used to sign the
	// certificate (see SignatureAlgorithm, ECDSA, ECDSASHA512, RSA).
	SignatureAlgorithm x509.SignatureAlgorithm
	// IPAddresses are the IP entries of the Subject Alternative Name
	// extension (see IPAddresses).
	IPAddresses []net.IP
	// DNSNames are the DNS entries of the Subject Alternative Name
	// extension (see DNSNames).
	DNSNames []string
	// Bits is set by Bits(); presumably the RSA key size in bits — the setter
	// is undocumented here, confirm against the implementation.
	Bits int
	// NotAfter and NotBefore bound the certificate validity period (see
	// NotAfter, NotBefore and DefaultCertificateValidityDuration).
	NotAfter  time.Time
	NotBefore time.Time
	// KeyUsage and ExtKeyUsage are presumably copied into the certificate's
	// key usage extensions (see KeyUsage, ExtKeyUsage).
	KeyUsage    x509.KeyUsage
	ExtKeyUsage []x509.ExtKeyUsage
	// Used with CSR signing process to override fields in the certificate subject.
	OverrideSubject func(*pkix.Name)
}
func NewDefaultOptions ¶
NewDefaultOptions initializes the Options struct with default values.
type PEMEncodedCertificate ¶ added in v0.4.3
// PEMEncodedCertificate represents a PEM encoded certificate.
type PEMEncodedCertificate struct {
	// Crt holds the PEM-encoded certificate bytes. It is serialized under the
	// JSON key "Crt"; in YAML it is represented as a base64 string
	// (see MarshalYAML / UnmarshalYAML).
	Crt []byte `json:"Crt"`
}
func (*PEMEncodedCertificate) DeepCopy ¶ added in v0.4.3
func (p *PEMEncodedCertificate) DeepCopy() *PEMEncodedCertificate
DeepCopy implements DeepCopy interface.
func (*PEMEncodedCertificate) DeepCopyInto ¶ added in v0.4.3
func (p *PEMEncodedCertificate) DeepCopyInto(out *PEMEncodedCertificate)
DeepCopyInto implements DeepCopy interface.
func (*PEMEncodedCertificate) GetCert ¶ added in v0.4.3
func (p *PEMEncodedCertificate) GetCert() (*x509.Certificate, error)
GetCert parses PEM-encoded certificate as x509.Certificate.
func (*PEMEncodedCertificate) MarshalYAML ¶ added in v0.4.3
func (p *PEMEncodedCertificate) MarshalYAML() (interface{}, error)
MarshalYAML implements the yaml.Marshaler interface for PEMEncodedCertificate. It is expected that the Crt is a base64 encoded string in the YAML file. This function encodes the byte slices into strings.
func (*PEMEncodedCertificate) UnmarshalYAML ¶ added in v0.4.3
func (p *PEMEncodedCertificate) UnmarshalYAML(unmarshal func(interface{}) error) error
UnmarshalYAML implements the yaml.Unmarshaler interface for PEMEncodedCertificate. It is expected that Crt is a base64 encoded string in the YAML file. This function decodes that string into a byte slice.
type PEMEncodedCertificateAndKey ¶
PEMEncodedCertificateAndKey represents a PEM encoded certificate and private key pair.
func NewCertficateAndKey
deprecated
func NewCertficateAndKey(crt *x509.Certificate, key interface{}, setters ...Option) (*PEMEncodedCertificateAndKey, error)
NewCertficateAndKey is the NewCertificateAndKey with a typo in the name.
Deprecated: use NewCertificateAndKey instead.
func NewCertificateAndKey ¶
func NewCertificateAndKey(crt *x509.Certificate, key interface{}, setters ...Option) (*PEMEncodedCertificateAndKey, error)
NewCertificateAndKey generates a new private key and a certificate for it signed by a CA; crt and key are presumably the signing CA's certificate and private key (compare NewCertificateFromCSR).
func NewCertificateAndKeyFromCertificateAuthority ¶
func NewCertificateAndKeyFromCertificateAuthority(ca *CertificateAuthority) *PEMEncodedCertificateAndKey
NewCertificateAndKeyFromCertificateAuthority initializes and returns a PEMEncodedCertificateAndKey from the CertificateAuthority.
func NewCertificateAndKeyFromFiles ¶
func NewCertificateAndKeyFromFiles(crt, key string) (*PEMEncodedCertificateAndKey, error)
NewCertificateAndKeyFromFiles initializes and returns a PEMEncodedCertificateAndKey read from the given certificate and key file paths.
func NewCertificateAndKeyFromKeyPair ¶
func NewCertificateAndKeyFromKeyPair(keyPair *KeyPair) *PEMEncodedCertificateAndKey
NewCertificateAndKeyFromKeyPair initializes and returns a PEMEncodedCertificateAndKey from the KeyPair.
func (*PEMEncodedCertificateAndKey) DeepCopy ¶
func (p *PEMEncodedCertificateAndKey) DeepCopy() *PEMEncodedCertificateAndKey
DeepCopy implements DeepCopy interface.
func (*PEMEncodedCertificateAndKey) DeepCopyInto ¶
func (p *PEMEncodedCertificateAndKey) DeepCopyInto(out *PEMEncodedCertificateAndKey)
DeepCopyInto implements DeepCopy interface.
func (*PEMEncodedCertificateAndKey) GetCert ¶
func (p *PEMEncodedCertificateAndKey) GetCert() (*x509.Certificate, error)
GetCert parses PEM-encoded certificate as x509.Certificate.
func (*PEMEncodedCertificateAndKey) GetECDSAKey ¶
func (p *PEMEncodedCertificateAndKey) GetECDSAKey() (*ecdsa.PrivateKey, error)
GetECDSAKey parses PEM-encoded ECDSA key.
func (*PEMEncodedCertificateAndKey) GetEd25519Key ¶
func (p *PEMEncodedCertificateAndKey) GetEd25519Key() (ed25519.PrivateKey, error)
GetEd25519Key parses PEM-encoded Ed25519 key.
func (*PEMEncodedCertificateAndKey) GetKey ¶
func (p *PEMEncodedCertificateAndKey) GetKey() (interface{}, error)
GetKey parses the PEM-encoded private key as either an RSA or an Ed25519 key. Note that GetECDSAKey exists alongside this method; whether GetKey also recognizes EC PRIVATE KEY blocks is not stated here — check the implementation before relying on it for ECDSA identities.
func (*PEMEncodedCertificateAndKey) GetRSAKey ¶
func (p *PEMEncodedCertificateAndKey) GetRSAKey() (*rsa.PrivateKey, error)
GetRSAKey parses PEM-encoded RSA key.
func (*PEMEncodedCertificateAndKey) MarshalYAML ¶
func (p *PEMEncodedCertificateAndKey) MarshalYAML() (interface{}, error)
MarshalYAML implements the yaml.Marshaler interface for PEMEncodedCertificateAndKey. Crt and Key are represented as base64 encoded strings in the YAML file; this function encodes the byte slices into such strings. Base64 is an encoding, not protection: the resulting YAML contains the private key in the clear and must be handled as a secret (see Redacted for emitting a placeholder instead).
func (*PEMEncodedCertificateAndKey) UnmarshalYAML ¶
func (p *PEMEncodedCertificateAndKey) UnmarshalYAML(unmarshal func(interface{}) error) error
UnmarshalYAML implements the yaml.Unmarshaler interface for PEMEncodedCertificateAndKey. Crt and Key are expected to be base64 encoded strings in the YAML file; this function decodes them into byte slices.
type PEMEncodedKey ¶
// PEMEncodedKey represents a PEM encoded private key.
type PEMEncodedKey struct {
	// Key holds the PEM-encoded private key bytes (secret material). It is
	// serialized by encoding/json under the key "Key" with no omitempty and no
	// redaction at this layer, so any JSON dump of a struct containing this
	// type includes the private key; the YAML form is a base64 string
	// (see MarshalYAML / UnmarshalYAML and Redacted).
	Key []byte `json:"Key"`
}
func NewKeyFromFile ¶ added in v0.4.1
func NewKeyFromFile(keyPath string) (*PEMEncodedKey, error)
NewKeyFromFile loads a PEM-encoded key from a file.
func (*PEMEncodedKey) DeepCopy ¶
func (p *PEMEncodedKey) DeepCopy() *PEMEncodedKey
DeepCopy implements DeepCopy interface.
func (*PEMEncodedKey) DeepCopyInto ¶
func (p *PEMEncodedKey) DeepCopyInto(out *PEMEncodedKey)
DeepCopyInto implements DeepCopy interface.
func (*PEMEncodedKey) GetECDSAKey ¶
func (p *PEMEncodedKey) GetECDSAKey() (*ECDSAKey, error)
GetECDSAKey parses PEM-encoded ECDSA key.
func (*PEMEncodedKey) GetEd25519Key ¶
func (p *PEMEncodedKey) GetEd25519Key() (*Ed25519Key, error)
GetEd25519Key parses PEM-encoded Ed25519 key.
func (*PEMEncodedKey) GetKey ¶
func (p *PEMEncodedKey) GetKey() (Key, error)
GetKey parses one of RSAKey, ECDSAKey or Ed25519Key.
func (*PEMEncodedKey) GetRSAKey ¶
func (p *PEMEncodedKey) GetRSAKey() (*RSAKey, error)
GetRSAKey parses PEM-encoded RSA key.
func (*PEMEncodedKey) MarshalYAML ¶
func (p *PEMEncodedKey) MarshalYAML() (interface{}, error)
MarshalYAML implements the yaml.Marshaler interface for PEMEncodedKey. Key is represented as a base64 encoded string in the YAML file; this function encodes the byte slice into such a string. As with PEMEncodedCertificateAndKey, base64 is not encryption — the output contains the private key and must be handled as a secret.
func (*PEMEncodedKey) UnmarshalYAML ¶
func (p *PEMEncodedKey) UnmarshalYAML(unmarshal func(interface{}) error) error
UnmarshalYAML implements the yaml.Unmarshaler interface for PEMEncodedKey. Key is expected to be a base64 encoded string in the YAML file; this function decodes it into a byte slice.
type RSAKey ¶
RSAKey represents an RSA key.
func (*RSAKey) GetPrivateKeyPEM ¶
GetPrivateKeyPEM implements Key interface.
func (*RSAKey) GetPublicKeyPEM ¶
GetPublicKeyPEM implements Key interface.