Documentation ¶
Overview ¶
Copyright 2011 The Go Authors. All rights reserved. Use of this source code is governed by a BSD-style license that can be found in the LICENSE file.
The code in this file is an adapted version of the code in https://cs.opensource.google/go/go/+/refs/tags/go1.17.5:src/crypto/x509/verify.go
Index ¶
- type NamePolicyEngine
- func (e *NamePolicyEngine) AreSANsAllowed(sans []string) error
- func (e *NamePolicyEngine) IsDNSAllowed(dns string) error
- func (e *NamePolicyEngine) IsIPAllowed(ip net.IP) error
- func (e *NamePolicyEngine) IsSSHCertificateAllowed(cert *ssh.Certificate) error
- func (e *NamePolicyEngine) IsX509CertificateAllowed(cert *x509.Certificate) error
- func (e *NamePolicyEngine) IsX509CertificateRequestAllowed(csr *x509.CertificateRequest) error
- type NamePolicyError
- type NamePolicyOption
- func WithAllowLiteralWildcardNames() NamePolicyOption
- func WithExcludedCIDRs(cidrs ...string) NamePolicyOption
- func WithExcludedCommonNames(commonNames ...string) NamePolicyOption
- func WithExcludedDNSDomains(domains ...string) NamePolicyOption
- func WithExcludedEmailAddresses(emailAddresses ...string) NamePolicyOption
- func WithExcludedIPRanges(ipRanges ...*net.IPNet) NamePolicyOption
- func WithExcludedIPsOrCIDRs(ipsOrCIDRs ...string) NamePolicyOption
- func WithExcludedPrincipals(principals ...string) NamePolicyOption
- func WithExcludedURIDomains(domains ...string) NamePolicyOption
- func WithPermittedCIDRs(cidrs ...string) NamePolicyOption
- func WithPermittedCommonNames(commonNames ...string) NamePolicyOption
- func WithPermittedDNSDomains(domains ...string) NamePolicyOption
- func WithPermittedEmailAddresses(emailAddresses ...string) NamePolicyOption
- func WithPermittedIPRanges(ipRanges ...*net.IPNet) NamePolicyOption
- func WithPermittedIPsOrCIDRs(ipsOrCIDRs ...string) NamePolicyOption
- func WithPermittedPrincipals(principals ...string) NamePolicyOption
- func WithPermittedURIDomains(uriDomains ...string) NamePolicyOption
- func WithSubjectCommonNameVerification() NamePolicyOption
- type NamePolicyReason
- type NameType
- type SSHNamePolicyEngine
- type X509NamePolicyEngine
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type NamePolicyEngine ¶
type NamePolicyEngine struct {
// contains filtered or unexported fields
}
func New ¶
func New(opts ...NamePolicyOption) (*NamePolicyEngine, error)
NewNamePolicyEngine creates a new NamePolicyEngine with NamePolicyOptions
func (*NamePolicyEngine) AreSANsAllowed ¶
func (e *NamePolicyEngine) AreSANsAllowed(sans []string) error
AreSANSAllowed verifies that all names in the slice of SANs are allowed. The SANs are first split into DNS names, IPs, email addresses and URIs.
func (*NamePolicyEngine) IsDNSAllowed ¶
func (e *NamePolicyEngine) IsDNSAllowed(dns string) error
IsDNSAllowed verifies a single DNS domain is allowed.
func (*NamePolicyEngine) IsIPAllowed ¶
func (e *NamePolicyEngine) IsIPAllowed(ip net.IP) error
IsIPAllowed verifies a single IP domain is allowed.
func (*NamePolicyEngine) IsSSHCertificateAllowed ¶
func (e *NamePolicyEngine) IsSSHCertificateAllowed(cert *ssh.Certificate) error
IsSSHCertificateAllowed verifies that all principals in an SSH certificate are allowed.
func (*NamePolicyEngine) IsX509CertificateAllowed ¶
func (e *NamePolicyEngine) IsX509CertificateAllowed(cert *x509.Certificate) error
IsX509CertificateAllowed verifies that all SANs in a Certificate are allowed.
func (*NamePolicyEngine) IsX509CertificateRequestAllowed ¶
func (e *NamePolicyEngine) IsX509CertificateRequestAllowed(csr *x509.CertificateRequest) error
IsX509CertificateRequestAllowed verifies that all names in the CSR are allowed.
type NamePolicyError ¶
type NamePolicyError struct { Reason NamePolicyReason NameType NameType Name string // contains filtered or unexported fields }
func (*NamePolicyError) As ¶ added in v0.23.0
func (e *NamePolicyError) As(v any) bool
As implements the As(any) bool interface and allows to use "errors.As()" to convert a NotAllowed NamePolicyError to an errs.Error.
func (*NamePolicyError) Detail ¶
func (e *NamePolicyError) Detail() string
func (*NamePolicyError) Error ¶
func (e *NamePolicyError) Error() string
type NamePolicyOption ¶
type NamePolicyOption func(e *NamePolicyEngine) error
func WithAllowLiteralWildcardNames ¶
func WithAllowLiteralWildcardNames() NamePolicyOption
func WithExcludedCIDRs ¶
func WithExcludedCIDRs(cidrs ...string) NamePolicyOption
func WithExcludedCommonNames ¶
func WithExcludedCommonNames(commonNames ...string) NamePolicyOption
func WithExcludedDNSDomains ¶
func WithExcludedDNSDomains(domains ...string) NamePolicyOption
func WithExcludedEmailAddresses ¶
func WithExcludedEmailAddresses(emailAddresses ...string) NamePolicyOption
func WithExcludedIPRanges ¶
func WithExcludedIPRanges(ipRanges ...*net.IPNet) NamePolicyOption
func WithExcludedIPsOrCIDRs ¶
func WithExcludedIPsOrCIDRs(ipsOrCIDRs ...string) NamePolicyOption
func WithExcludedPrincipals ¶
func WithExcludedPrincipals(principals ...string) NamePolicyOption
func WithExcludedURIDomains ¶
func WithExcludedURIDomains(domains ...string) NamePolicyOption
func WithPermittedCIDRs ¶
func WithPermittedCIDRs(cidrs ...string) NamePolicyOption
func WithPermittedCommonNames ¶
func WithPermittedCommonNames(commonNames ...string) NamePolicyOption
func WithPermittedDNSDomains ¶
func WithPermittedDNSDomains(domains ...string) NamePolicyOption
func WithPermittedEmailAddresses ¶
func WithPermittedEmailAddresses(emailAddresses ...string) NamePolicyOption
func WithPermittedIPRanges ¶
func WithPermittedIPRanges(ipRanges ...*net.IPNet) NamePolicyOption
func WithPermittedIPsOrCIDRs ¶
func WithPermittedIPsOrCIDRs(ipsOrCIDRs ...string) NamePolicyOption
func WithPermittedPrincipals ¶
func WithPermittedPrincipals(principals ...string) NamePolicyOption
func WithPermittedURIDomains ¶
func WithPermittedURIDomains(uriDomains ...string) NamePolicyOption
func WithSubjectCommonNameVerification ¶
func WithSubjectCommonNameVerification() NamePolicyOption
type NamePolicyReason ¶
type NamePolicyReason int
const ( // NotAllowed results when an instance of NamePolicyEngine // determines that there's a constraint which doesn't permit // a DNS or another type of SAN to be signed (or otherwise used). NotAllowed NamePolicyReason = iota + 1 // CannotParseDomain is returned when an error occurs // when parsing the domain part of SAN or subject. CannotParseDomain // CannotParseRFC822Name is returned when an error // occurs when parsing an email address. CannotParseRFC822Name // CannotMatch is the type of error returned when // an error happens when matching SAN types. CannotMatchNameToConstraint )
type SSHNamePolicyEngine ¶
type SSHNamePolicyEngine interface {
IsSSHCertificateAllowed(cert *ssh.Certificate) error
}