x509svid

package
v2.3.0
Published: Jun 17, 2024 License: Apache-2.0 Imports: 13 Imported by: 54

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func IDFromCert

func IDFromCert(cert *x509.Certificate) (spiffeid.ID, error)

IDFromCert extracts the SPIFFE ID from the URI SAN of the provided certificate. It returns an error if the certificate does not have exactly one URI SAN containing a well-formed SPIFFE ID.

func ParseAndVerify

func ParseAndVerify(rawCerts [][]byte, bundleSource x509bundle.Source, opts ...VerifyOption) (spiffeid.ID, [][]*x509.Certificate, error)

ParseAndVerify parses and verifies an X509-SVID chain using the X.509 bundle source. It returns the SPIFFE ID of the X509-SVID and one or more chains back to a root in the bundle.

func Verify

func Verify(certs []*x509.Certificate, bundleSource x509bundle.Source, opts ...VerifyOption) (spiffeid.ID, [][]*x509.Certificate, error)

Verify verifies an X509-SVID chain using the X.509 bundle source. It returns the SPIFFE ID of the X509-SVID and one or more chains back to a root in the bundle.

Types

type SVID

type SVID struct {
	// ID is the SPIFFE ID of the X509-SVID.
	ID spiffeid.ID

	// Certificates are the X.509 certificates of the X509-SVID. The leaf
	// certificate is the X509-SVID certificate. Any remaining certificates
	// (if any) chain the X509-SVID certificate back to an X.509 root for the
	// trust domain.
	Certificates []*x509.Certificate

	// PrivateKey is the private key for the X509-SVID.
	PrivateKey crypto.Signer

	// Hint is an operator-specified string used to provide guidance on how this
	// identity should be used by a workload when more than one SVID is returned.
	Hint string
}

SVID represents a SPIFFE X509-SVID.

func Load

func Load(certFile, keyFile string) (*SVID, error)

Load loads the X509-SVID from PEM encoded files on disk. certFile and keyFile may be the same file.

func Parse

func Parse(certBytes, keyBytes []byte) (*SVID, error)

Parse parses the X509-SVID from PEM blocks containing certificate and key bytes. The certificate must be one or more PEM blocks with ASN.1 DER. The key must be a PEM block with PKCS#8 ASN.1 DER.

func ParseRaw

func ParseRaw(certBytes, keyBytes []byte) (*SVID, error)

ParseRaw parses the X509-SVID from certificate and key bytes. The certificate must be ASN.1 DER (concatenated with no intermediate padding if there is more than one certificate). The key must be PKCS#8 ASN.1 DER.

func (*SVID) GetX509SVID

func (s *SVID) GetX509SVID() (*SVID, error)

GetX509SVID returns the X509-SVID. It implements the Source interface.

func (*SVID) Marshal

func (s *SVID) Marshal() ([]byte, []byte, error)

Marshal marshals the X509-SVID and returns PEM encoded blocks for the SVID and private key.

func (*SVID) MarshalRaw

func (s *SVID) MarshalRaw() ([]byte, []byte, error)

MarshalRaw marshals the X509-SVID and returns ASN.1 DER for the certificates (concatenated with no intermediate padding) and PKCS#8 ASN.1 DER for the private key.

type Source

type Source interface {
	// GetX509SVID returns an X509-SVID from the source.
	GetX509SVID() (*SVID, error)
}

Source represents a source of X509-SVIDs.

type VerifyOption

type VerifyOption interface {
	// contains filtered or unexported methods
}

VerifyOption is an option used when verifying X509-SVIDs.

func WithTime

func WithTime(now time.Time) VerifyOption

WithTime sets the time used when verifying validity periods on the X509-SVID. If not used, the current time will be used.
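The checks that IDFromCert, Verify and WithTime describe, re-implemented against the Go standard library as an added example (this is not go-spiffe's own code). It assumes a single trust domain whose bundle is a plain x509.CertPool, and builds a constructed root and leaf as test fixtures; the function and fixture names are mine.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// spiffeIDFromLeaf re-implements the documented IDFromCert rule (illustration, not go-spiffe code):
// exactly one URI SAN, and it must be a SPIFFE ID (scheme spiffe, trust-domain host, no port/user/query/fragment).
func spiffeIDFromLeaf(leaf *x509.Certificate) (string, error) {
	if len(leaf.URIs) != 1 {
		return "", fmt.Errorf("expected exactly one URI SAN, got %d", len(leaf.URIs))
	}
	u := leaf.URIs[0]
	if u.Scheme != "spiffe" || u.Hostname() == "" || u.Port() != "" || u.User != nil || u.RawQuery != "" || u.Fragment != "" {
		return "", fmt.Errorf("%q is not a well-formed SPIFFE ID", u.String())
	}
	return u.String(), nil
}

// verifySVID follows the shape of Verify/WithTime: extract the ID, then chain the leaf back to a root
// in the bundle as of `now`. A CertPool stands in for the trust domain's X.509 bundle here.
func verifySVID(leaf *x509.Certificate, bundle *x509.CertPool, now time.Time) (string, [][]*x509.Certificate, error) {
	id, err := spiffeIDFromLeaf(leaf)
	if err != nil {
		return "", nil, err
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: bundle, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return id, chains, err
}

// newFixture issues a constructed root CA and a leaf carrying the given URI SANs (test data only).
func newFixture(uris ...*url.URL) (leaf, root *x509.Certificate) {
	_, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	t0 := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "root"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: t0, NotAfter: t0.Add(time.Hour)}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, caKey.Public(), caKey)
	root, _ = x509.ParseCertificate(caDER)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: t0, NotAfter: t0.Add(time.Hour), URIs: uris}
	leafDER, _ := x509.CreateCertificate(rand.Reader, tmpl, root, leafPub, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	return leaf, root
}
```

A leaf with two URI SANs is rejected outright rather than picking one, and a root missing from the bundle or a time outside the validity period fails verification even though the ID itself is well-formed.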
