Documentation ¶
Overview ¶
Package x509bundle provides X.509 bundle related functionality.
A bundle represents a collection of X.509 authorities, i.e., those that are used to authenticate SPIFFE X509-SVIDs.
You can create a new bundle for a specific trust domain:
td := spiffeid.RequireTrustDomain("example.org") bundle := x509bundle.New(td)
Or you can load it from disk:
td := spiffeid.RequireTrustDomain("example.org") bundle := x509bundle.Load(td, "bundle.pem")
The bundle can be initialized with X.509 authorities:
td := spiffeid.RequireTrustDomain("example.org") var x509Authorities []*x509.Certificate = ... bundle := x509bundle.FromX509Authorities(td, x509Authorities)
In addition, you can add X.509 authorities to the bundle:
var x509CA *x509.Certificate = ... bundle.AddX509Authority(x509CA)
Bundles can be organized into a set, keyed by trust domain:
set := x509bundle.NewSet() set.Add(bundle)
A Source is source of X.509 bundles for a trust domain. Both the Bundle and Set types implement Source:
// Initialize the source from a bundle or set var source x509bundle.Source = bundle // ... or ... var source x509bundle.Source = set // Use the source to query for bundles by trust domain bundle, err := source.GetX509BundleForTrustDomain(td)
Index ¶
- type Bundle
- func FromX509Authorities(trustDomain spiffeid.TrustDomain, authorities []*x509.Certificate) *Bundle
- func Load(trustDomain spiffeid.TrustDomain, path string) (*Bundle, error)
- func New(trustDomain spiffeid.TrustDomain) *Bundle
- func Parse(trustDomain spiffeid.TrustDomain, b []byte) (*Bundle, error)
- func Read(trustDomain spiffeid.TrustDomain, r io.Reader) (*Bundle, error)
- func (b *Bundle) AddX509Authority(x509Authority *x509.Certificate)
- func (b *Bundle) Clone() *Bundle
- func (b *Bundle) Empty() bool
- func (b *Bundle) Equal(other *Bundle) bool
- func (b *Bundle) GetX509BundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*Bundle, error)
- func (b *Bundle) HasX509Authority(x509Authority *x509.Certificate) bool
- func (b *Bundle) Marshal() ([]byte, error)
- func (b *Bundle) RemoveX509Authority(x509Authority *x509.Certificate)
- func (b *Bundle) SetX509Authorities(x509Authorities []*x509.Certificate)
- func (b *Bundle) TrustDomain() spiffeid.TrustDomain
- func (b *Bundle) X509Authorities() []*x509.Certificate
- type Set
- func (s *Set) Add(bundle *Bundle)
- func (s *Set) Bundles() []*Bundle
- func (s *Set) Get(trustDomain spiffeid.TrustDomain) (*Bundle, bool)
- func (s *Set) GetX509BundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*Bundle, error)
- func (s *Set) Has(trustDomain spiffeid.TrustDomain) bool
- func (s *Set) Len() int
- func (s *Set) Remove(trustDomain spiffeid.TrustDomain)
- type Source
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Bundle ¶
type Bundle struct {
// contains filtered or unexported fields
}
Bundle is a collection of trusted X.509 authorities for a trust domain.
func FromX509Authorities ¶
func FromX509Authorities(trustDomain spiffeid.TrustDomain, authorities []*x509.Certificate) *Bundle
FromX509Authorities creates a bundle from X.509 certificates.
func Load ¶
func Load(trustDomain spiffeid.TrustDomain, path string) (*Bundle, error)
Load loads a bundle from a file on disk. The file must contain PEM-encoded certificate blocks.
func Parse ¶
func Parse(trustDomain spiffeid.TrustDomain, b []byte) (*Bundle, error)
Parse parses a bundle from bytes. The data must be PEM-encoded certificate blocks.
func Read ¶
Read decodes a bundle from a reader. The contents must be PEM-encoded certificate blocks.
func (*Bundle) AddX509Authority ¶
func (b *Bundle) AddX509Authority(x509Authority *x509.Certificate)
AddX509Authority adds an X.509 authority to the bundle. If the authority already exists in the bundle, the contents of the bundle will remain unchanged.
func (*Bundle) GetX509BundleForTrustDomain ¶
func (b *Bundle) GetX509BundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*Bundle, error)
GetX509BundleForTrustDomain returns the X.509 bundle for the given trust domain. It implements the Source interface. An error will be returned if the trust domain does not match that of the bundle.
func (*Bundle) HasX509Authority ¶
func (b *Bundle) HasX509Authority(x509Authority *x509.Certificate) bool
HasX509Authority checks if the given X.509 authority exists in the bundle.
func (*Bundle) RemoveX509Authority ¶
func (b *Bundle) RemoveX509Authority(x509Authority *x509.Certificate)
RemoveX509Authority removes an X.509 authority from the bundle.
func (*Bundle) SetX509Authorities ¶
func (b *Bundle) SetX509Authorities(x509Authorities []*x509.Certificate)
SetX509Authorities sets the X.509 authorities in the bundle.
func (*Bundle) TrustDomain ¶
func (b *Bundle) TrustDomain() spiffeid.TrustDomain
TrustDomain returns the trust domain that the bundle belongs to.
func (*Bundle) X509Authorities ¶
func (b *Bundle) X509Authorities() []*x509.Certificate
X509Authorities returns the X.509 x509Authorities in the bundle.
type Set ¶
type Set struct {
// contains filtered or unexported fields
}
Set is a set of bundles, keyed by trust domain.
func (*Set) Add ¶
Add adds a new bundle into the set. If a bundle already exists for the trust domain, the existing bundle is replaced.
func (*Set) Get ¶
func (s *Set) Get(trustDomain spiffeid.TrustDomain) (*Bundle, bool)
Get returns a bundle for the given trust domain. If the bundle is in the set it is returned and the boolean is true. Otherwise, the returned value is nil and the boolean is false.
func (*Set) GetX509BundleForTrustDomain ¶
func (s *Set) GetX509BundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*Bundle, error)
GetX509BundleForTrustDomain returns the X.509 bundle for the given trust domain. It implements the Source interface.
func (*Set) Has ¶
func (s *Set) Has(trustDomain spiffeid.TrustDomain) bool
Has returns true if there is a bundle for the given trust domain.
func (*Set) Remove ¶
func (s *Set) Remove(trustDomain spiffeid.TrustDomain)
Remove removes the bundle for the given trust domain.