Documentation
¶
Index ¶
- Variables
- func CreateCertificateChain(authority *tls.Certificate, id *x509.Certificate, pub crypto.PublicKey, ...) (pem []byte, err error)
- func CreateSelfSignedCertificate(template *x509.Certificate, key PrivateKey, opts ...CSROption) (pem []byte, err error)
- func DecodePEMBlocks(pemBytes []byte, blockType string) [][]byte
- func EncodeCertificates(certs []*x509.Certificate) []byte
- func EncodePEMSequence(contents [][]byte, blockType string) (encoded []byte)
- func EncodePrivateKey(key crypto.PrivateKey) (pemBytes []byte, err error)
- func GenerateSerialNumber() (*big.Int, error)
- func LoadCertAndRootsWithKey(certPath, rootsPath string, key PrivateKey) (*tls.Certificate, []*x509.Certificate, error)
- func LoadX509Cert(certPath string, privateKey crypto.PrivateKey) (tls.Certificate, error)
- func ParseCertificatesPEM(pemBytes []byte) (certs []*x509.Certificate, errs error)
- func SaveCertificateChain(certFile string, derCerts [][]byte) (pemBytes []byte, err error)
- func SavePrivateKey(keyFile string, key crypto.PrivateKey) (pemBytes []byte, err error)
- func TLSClientConfig(source Source) *tls.Config
- func TLSLeaf(cert *tls.Certificate) (*x509.Certificate, error)
- func TLSServerConfig(source Source) *tls.Config
- func ValidKeyPair(public crypto.PublicKey, private crypto.PrivateKey) error
- type CSROption
- func WithAuthority(authority string) CSROption
- func WithExpireAfter(expireAfter time.Duration) CSROption
- func WithIfaces() CSROption
- func WithNonLoopbackIfaces() CSROption
- func WithNow(now func() time.Time) CSROption
- func WithRand(rand io.Reader) CSROption
- func WithValidSince(validSince time.Duration) CSROption
- type CacheSourceOpt
- type Expiry
- type PrivateKey
- type PublicKey
- type Source
- func AuthoritySource(authority Source, id *x509.Certificate, key PrivateKey, csrOpts ...CSROption) Source
- func AuthoritySourceFn(authority Source, keyPair func() (*x509.Certificate, PrivateKey, error), ...) Source
- func CacheSource(source Source, expiry Expiry, opts ...CacheSourceOpt) Source
- func DirectSource(cert *tls.Certificate, roots []*x509.Certificate) Source
- func FSKeySource(certFile string, key PrivateKey, rootsFile string) Source
- func FSSource(certFile, keyFile, rootsFile string) Source
- func FuncSource(f func() (cert *tls.Certificate, roots []*x509.Certificate, err error)) Source
- func LazySource(f func() (Source, error)) Source
- func SelfSignedSource(key PrivateKey, opts ...CSROption) Source
- func SelfSignedSourceT(key PrivateKey, template *x509.Certificate, opts ...CSROption) Source
- type SourceSet
Constants ¶
This section is empty.
Variables ¶
var ( ErrInvalidPEM = errors.New("invalid PEM data") ErrUnknownBlockType = errors.New("unknown PEM block type") )
var ErrNoCertOrErr = errors.New("pki: no cert from source")
ErrNoCertOrErr is returned when a Source returns neither a tls.Certificate nor an error when invoked.
Functions ¶
func CreateCertificateChain ¶
func CreateCertificateChain(authority *tls.Certificate, id *x509.Certificate, pub crypto.PublicKey, opts ...CSROption) (pem []byte, err error)
CreateCertificateChain creates a new x509.Certificate using id and pub signed by the leaf and private key of authority. The returned bytes contains this new certificate first followed by all intermediates found in authority in PEM encoded format. The authority parameter should represent a CA certificate followed any intermediate certificates.
func CreateSelfSignedCertificate ¶
func CreateSelfSignedCertificate(template *x509.Certificate, key PrivateKey, opts ...CSROption) (pem []byte, err error)
CreateSelfSignedCertificate creates a new certificate whose issuer is the certificate itself.
func DecodePEMBlocks ¶
DecodePEMBlocks returns all PEM blocks in pemBytes with blockType type.
func EncodeCertificates ¶
func EncodeCertificates(certs []*x509.Certificate) []byte
func EncodePEMSequence ¶
func EncodePrivateKey ¶
func EncodePrivateKey(key crypto.PrivateKey) (pemBytes []byte, err error)
func GenerateSerialNumber ¶
GenerateSerialNumber generates a random unsigned 128-bit integer using a cryptographically secure source of random numbers. The returned integer is suitable for use as an X.509 certificate serial number.
func LoadCertAndRootsWithKey ¶
func LoadCertAndRootsWithKey(certPath, rootsPath string, key PrivateKey) (*tls.Certificate, []*x509.Certificate, error)
LoadCertAndRootsWithKey reads and returns a certificate from certPath and validates it against key. It optionally reads a roots file from rootsPath, if rootsPath is empty or the file is not found then returns nil.
func LoadX509Cert ¶
func LoadX509Cert(certPath string, privateKey crypto.PrivateKey) (tls.Certificate, error)
LoadX509Cert reads an x509 certificate chain (leaf first) from certPath and combines it with privateKey to form a tls.Certificate. This is like tls.LoadX509KeyPair except the private key is already known. Leaf will be populated with the first certificate in certPath.
func ParseCertificatesPEM ¶
func ParseCertificatesPEM(pemBytes []byte) (certs []*x509.Certificate, errs error)
ParseCertificatesPEM parses and returns any CERTIFICATE blocks found in the pem encoded pemBytes.
func SaveCertificateChain ¶
SaveCertificateChain writes derCerts as pem encoded CERTIFICATE blocks to certFile. Returns the written bytes.
func SavePrivateKey ¶
func SavePrivateKey(keyFile string, key crypto.PrivateKey) (pemBytes []byte, err error)
func TLSClientConfig ¶
TLSClientConfig returns a *tls.Config for use by a client using sources roots to validate the server certificate. If the server requests a client certificate then sources cert will be used.
func TLSLeaf ¶
func TLSLeaf(cert *tls.Certificate) (*x509.Certificate, error)
TLSLeaf returns either cert.Leaf or parses the first of cert.Certificate. This does not set cert.Leaf.
func TLSServerConfig ¶
TLSServerConfig returns a *tls.Config for use by a server using source to provide the server cert. If the returned tls.Config requires validation of client certificates then sources roots will be used to validate the client certificates.
func ValidKeyPair ¶
func ValidKeyPair(public crypto.PublicKey, private crypto.PrivateKey) error
ValidKeyPair checks whether the given public and private keys are a valid pair, that is to say they use the same algorithm configured with the same parameters. If the keys are not a valid pair a non-nil error will be returned.
Types ¶
type CSROption ¶
type CSROption interface {
// contains filtered or unexported methods
}
CSROption allows customisation of the certificate creation process.
func WithAuthority ¶
WithAuthority adds the given host or IP to the created certificate. authority can have a port which will be stripped before use
func WithExpireAfter ¶
WithExpireAfter sets the created certificates NotAfter to now + expireAfter.
func WithIfaces ¶
func WithIfaces() CSROption
WithIfaces adds all net.Interfaces to the created certificate, including loopback and the DNS "localhost" interface.
func WithNonLoopbackIfaces ¶
func WithNonLoopbackIfaces() CSROption
WithNonLoopbackIfaces adds non-loopback net.Interfaces to the created certificate.
func WithValidSince ¶
WithValidSince sets the created certificates NotBefore to now - validSince.
type CacheSourceOpt ¶
type CacheSourceOpt func(cs *cachedSource)
func WithFSCache ¶
func WithFSCache(certPath, rootsPath string, key PrivateKey) CacheSourceOpt
WithFSCache instructs the source to cache certs and roots to disk when source is invoked. When CacheSource Certs is called for the first time, an attempt will be made to load these files before invoking the underlying source.
type Expiry ¶
type Expiry func(cert *tls.Certificate, roots []*x509.Certificate, err error) bool
Expiry is called to know if certificates need to be reloaded. Either cert is nil or err is nil but never both. roots may be empty.
Expiry will not be called from concurrent go routines.
type PrivateKey ¶
type PrivateKey interface {
crypto.PrivateKey
Public() crypto.PublicKey
Equal(key crypto.PrivateKey) bool
}
PrivateKey contains the method set that the standard library public key types (from crypto/*) all implement. See the docs for crypto.PrivateKey
func LoadOrGeneratePrivateKey ¶
func LoadOrGeneratePrivateKey(keyFile string, logger *zap.Logger) (key PrivateKey, pemBytes []byte, err error)
LoadOrGeneratePrivateKey will load a private key in PEM-encoded PKCS#8, PKCS#1 or EC format from a file. If the file does not exist, a new 4096-bit RSA key in PKCS#8 format is generated and saved to the file.
func LoadPrivateKey ¶
func LoadPrivateKey(keyFile string) (key PrivateKey, pemBytes []byte, err error)
LoadPrivateKey will load a private key from a PEM file, in PKCS#8, PKCS#1 or EC format. Both the loaded key and the raw PEM read from the file are returned.
type PublicKey ¶
PublicKey contains the method set that the standard library public key types (from crypto/*) all implement. See the docs for crypto.PublicKey
type Source ¶
type Source interface {
// Certs returns the currently active certificate and pool, loading it as needed.
Certs() (cert *tls.Certificate, roots []*x509.Certificate, err error)
}
Source defines a source of certificate information.
func AuthoritySource ¶
func AuthoritySource(authority Source, id *x509.Certificate, key PrivateKey, csrOpts ...CSROption) Source
AuthoritySource is like AuthoritySourceFn using a fixed id and key.
func AuthoritySourceFn ¶
func AuthoritySourceFn(authority Source, keyPair func() (*x509.Certificate, PrivateKey, error), csrOpts ...CSROption) Source
AuthoritySourceFn returns a Source that mints a new tls.Certificate based on the given signing authority using id and key funcs.
func CacheSource ¶
func CacheSource(source Source, expiry Expiry, opts ...CacheSourceOpt) Source
CacheSource wraps source such that it is only ever called when expiry returns true. See the package pki/expiry for a collection of bundled expiration functions.
func DirectSource ¶
func DirectSource(cert *tls.Certificate, roots []*x509.Certificate) Source
DirectSource adapts a tls.Certificate and some roots into a Source that always returns these values.
func FSKeySource ¶
func FSKeySource(certFile string, key PrivateKey, rootsFile string) Source
FSKeySource is like FSSource but the key is already loaded. See LoadCertAndRootsWithKey.
func FSSource ¶
FSSource returns a Source that reads the cert+private keypair and roots from files in PEM format on the filesystem. Each call to Certs will read the files. rootsFile can be empty in which case no roots will be read or returned from Source.Certs. certFile should contain the leaf as the first entry followed by any intermediate certificates linking leaf with roots.
func FuncSource ¶
func FuncSource(f func() (cert *tls.Certificate, roots []*x509.Certificate, err error)) Source
FuncSource adapts f to implement Source.
func LazySource ¶
LazySource returns certs from f().Certs(), only invoking f the first time the returns Source.Certs is called.
func SelfSignedSource ¶
func SelfSignedSource(key PrivateKey, opts ...CSROption) Source
SelfSignedSource returns a Source backed by CreateSelfSignedCertificate and a basic certificate template.
func SelfSignedSourceT ¶
func SelfSignedSourceT(key PrivateKey, template *x509.Certificate, opts ...CSROption) Source
SelfSignedSourceT is like SelfSignedSource but using the given template.
Source Files
Directories