Documentation ¶
Index ¶
- func AppendRootCerts(pemCert []byte, rootCertFile string) ([]byte, error)
- func BuildSANExtension(identites []Identity) (*pkix.Extension, error)
- func BuildSubjectAltNameExtension(hosts string) (*pkix.Extension, error)
- func DualUseCommonName(host string) (string, error)
- func ExtractIDs(exts []pkix.Extension) ([]string, error)
- func ExtractSANExtension(exts []pkix.Extension) *pkix.Extension
- func GenCSR(options CertOptions) ([]byte, []byte, error)
- func GenCSRTemplate(options CertOptions) (*x509.CertificateRequest, error)
- func GenCertFromCSR(csr *x509.CertificateRequest, signingCert *x509.Certificate, ...) (cert []byte, err error)
- func GenCertKeyFromOptions(options CertOptions) (pemCert []byte, pemKey []byte, err error)
- func GenRootCertFromExistingKey(options CertOptions) (pemCert []byte, pemKey []byte, err error)
- func GetRSAKeySize(privKey crypto.PrivateKey) (int, error)
- func IsSupportedECPrivateKey(privKey *crypto.PrivateKey) bool
- func LoadSignerCredsFromFiles(signerCertFile string, signerPrivFile string) (*x509.Certificate, crypto.PrivateKey, error)
- func ParsePemEncodedCSR(csrBytes []byte) (*x509.CertificateRequest, error)
- func ParsePemEncodedCertificate(certBytes []byte) (*x509.Certificate, error)
- func ParsePemEncodedKey(keyBytes []byte) (crypto.PrivateKey, error)
- func TimeBeforeCertExpires(certBytes []byte, now time.Time) (time.Duration, error)
- func Verify(certBytes, privKeyBytes, certChainBytes, rootCertBytes []byte) error
- func VerifyCertificate(privPem []byte, certChainPem []byte, rootCertPem []byte, ...) error
- type CertOptions
- type Identity
- type IdentityType
- type KeyCertBundle
- type KeyCertBundleImpl
- func NewKeyCertBundleWithRootCertFromFile(rootCertFile string) (*KeyCertBundleImpl, error)
- func NewVerifiedKeyCertBundleFromFile(certFile, privKeyFile, certChainFile, rootCertFile string) (*KeyCertBundleImpl, error)
- func NewVerifiedKeyCertBundleFromPem(certBytes, privKeyBytes, certChainBytes, rootCertBytes []byte) (*KeyCertBundleImpl, error)
- func (b *KeyCertBundleImpl) CertOptions() (*CertOptions, error)
- func (b *KeyCertBundleImpl) ExtractCACertExpiryTimestamp() (float64, error)
- func (b *KeyCertBundleImpl) ExtractRootCertExpiryTimestamp() (float64, error)
- func (b *KeyCertBundleImpl) GetAll() (cert *x509.Certificate, privKey *crypto.PrivateKey, ...)
- func (b *KeyCertBundleImpl) GetAllPem() (certBytes, privKeyBytes, certChainBytes, rootCertBytes []byte)
- func (b *KeyCertBundleImpl) GetCertChainPem() []byte
- func (b *KeyCertBundleImpl) GetRootCertPem() []byte
- func (b *KeyCertBundleImpl) VerifyAndSetAll(certBytes, privKeyBytes, certChainBytes, rootCertBytes []byte) error
- type SupportedECSignatureAlgorithms
- type VerifyFields
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AppendRootCerts ¶
AppendRootCerts appends root certificates in RootCertFile to the input certificate.
func BuildSANExtension ¶
BuildSANExtension builds a `pkix.Extension` of type "Subject Alternative Name" based on the given identities.
func BuildSubjectAltNameExtension ¶
BuildSubjectAltNameExtension builds the SAN extension for the certificate.
func DualUseCommonName ¶
DualUseCommonName extracts a valid CommonName from a comma-delimited host string for dual-use certificates.
func ExtractIDs ¶
ExtractIDs first finds the SAN extension from the given extension set, then extract identities from the SAN extension.
func ExtractSANExtension ¶
ExtractSANExtension extracts the "Subject Alternative Name" externsion from the given PKIX extension set.
func GenCSR ¶
func GenCSR(options CertOptions) ([]byte, []byte, error)
GenCSR generates a X.509 certificate sign request and private key with the given options.
func GenCSRTemplate ¶
func GenCSRTemplate(options CertOptions) (*x509.CertificateRequest, error)
GenCSRTemplate generates a certificateRequest template with the given options.
func GenCertFromCSR ¶
func GenCertFromCSR(csr *x509.CertificateRequest, signingCert *x509.Certificate, publicKey interface{}, signingKey crypto.PrivateKey, subjectIDs []string, ttl time.Duration, isCA bool) (cert []byte, err error)
GenCertFromCSR generates a X.509 certificate with the given CSR.
func GenCertKeyFromOptions ¶
func GenCertKeyFromOptions(options CertOptions) (pemCert []byte, pemKey []byte, err error)
GenCertKeyFromOptions generates a X.509 certificate and a private key with the given options.
func GenRootCertFromExistingKey ¶
func GenRootCertFromExistingKey(options CertOptions) (pemCert []byte, pemKey []byte, err error)
GenRootCertFromExistingKey generates a X.509 certificate using existing CA private key. Only called by a self-signed Citadel.
func GetRSAKeySize ¶
func GetRSAKeySize(privKey crypto.PrivateKey) (int, error)
GetRSAKeySize returns the size if it is RSA key, otherwise it returns an error.
func IsSupportedECPrivateKey ¶
func IsSupportedECPrivateKey(privKey *crypto.PrivateKey) bool
IsSupportedECPrivateKey is a predicate returning true if the private key is EC based
func LoadSignerCredsFromFiles ¶
func LoadSignerCredsFromFiles(signerCertFile string, signerPrivFile string) (*x509.Certificate, crypto.PrivateKey, error)
LoadSignerCredsFromFiles loads the signer cert&key from the given files.
signerCertFile: cert file name signerPrivFile: private key file name
func ParsePemEncodedCSR ¶
func ParsePemEncodedCSR(csrBytes []byte) (*x509.CertificateRequest, error)
ParsePemEncodedCSR constructs a `x509.CertificateRequest` object using the given PEM-encoded certificate signing request.
func ParsePemEncodedCertificate ¶
func ParsePemEncodedCertificate(certBytes []byte) (*x509.Certificate, error)
ParsePemEncodedCertificate constructs a `x509.Certificate` object using the given a PEM-encoded certificate.
func ParsePemEncodedKey ¶
func ParsePemEncodedKey(keyBytes []byte) (crypto.PrivateKey, error)
ParsePemEncodedKey takes a PEM-encoded key and parsed the bytes into a `crypto.PrivateKey`.
func TimeBeforeCertExpires ¶
TimeBeforeCertExpires returns the time duration before the cert gets expired. It returns an error if it failed to extract the cert expiration timestamp. The returned time duration could be a negative value indicating the cert has already been expired.
func VerifyCertificate ¶
func VerifyCertificate(privPem []byte, certChainPem []byte, rootCertPem []byte, expectedFields *VerifyFields) error
VerifyCertificate verifies a given PEM encoded certificate by - building one or more chains from the certificate to a root certificate; - checking fields are set as expected.
Types ¶
type CertOptions ¶
type CertOptions struct { // Comma-separated hostnames and IPs to generate a certificate for. // This can also be set to the identity running the workload, // like kubernetes service account. Host string // The NotBefore field of the issued certificate. NotBefore time.Time // TTL of the certificate. NotAfter - NotBefore. TTL time.Duration // Signer certificate. SignerCert *x509.Certificate // Signer private key. SignerPriv crypto.PrivateKey // Signer private key (PEM encoded). SignerPrivPem []byte // Organization for this certificate. Org string // The size of RSA private key to be generated. RSAKeySize int // Whether this certificate is used as signing cert for CA. IsCA bool // Whether this certificate is self-signed. IsSelfSigned bool // Whether this certificate is for a client. IsClient bool // Whether this certificate is for a server. IsServer bool // Whether this certificate is for dual-use clients (SAN+CN). IsDualUse bool // If true, the private key is encoded with PKCS#8. PKCS8Key bool // The type of Elliptical Signature algorithm to use // when generating private keys. Currently only ECDSA is supported. // If empty, RSA is used, otherwise ECC is used. ECSigAlg SupportedECSignatureAlgorithms }
CertOptions contains options for generating a new certificate.
func GetCertOptionsFromExistingCert ¶
func GetCertOptionsFromExistingCert(certBytes []byte) (opts CertOptions, err error)
GetCertOptionsFromExistingCert parses cert and generates a CertOptions that contains information about the cert. This is the reverse operation of genCertTemplateFromOptions(), and only called by a self-signed Citadel.
func MergeCertOptions ¶
func MergeCertOptions(defaultOpts, deltaOpts CertOptions) CertOptions
MergeCertOptions merges deltaOpts into defaultOpts and returns the merged CertOptions. Only called by a self-signed Citadel.
type Identity ¶
type Identity struct { Type IdentityType Value []byte }
Identity is an object holding both the encoded identifier bytes as well as the type of the identity.
func ExtractIDsFromSAN ¶
ExtractIDsFromSAN takes a SAN extension and extracts the identities. The logic is mostly borrowed from https://github.com/golang/go/blob/master/src/crypto/x509/x509.go, with the addition of supporting extracting URIs.
type IdentityType ¶
type IdentityType int
IdentityType represents type of an identity. This is used to properly encode an identity into a SAN extension.
const ( // TypeDNS represents a DNS name. TypeDNS IdentityType = iota // TypeIP represents an IP address. TypeIP // TypeURI represents a universal resource identifier. TypeURI )
type KeyCertBundle ¶
type KeyCertBundle interface { // GetAllPem returns all key/cert PEMs in KeyCertBundle together. Getting all values together avoids inconsistency. GetAllPem() (certBytes, privKeyBytes, certChainBytes, rootCertBytes []byte) // GetAll returns all key/cert in KeyCertBundle together. Getting all values together avoids inconsistency. GetAll() (cert *x509.Certificate, privKey *crypto.PrivateKey, certChainBytes, rootCertBytes []byte) // GetCertChainPem returns the certificate chain PEM. GetCertChainPem() []byte // GetRootCertPem returns the root certificate PEM. GetRootCertPem() []byte // VerifyAndSetAll verifies the key/certs, and sets all key/certs in KeyCertBundle together. // Setting all values together avoids inconsistency. VerifyAndSetAll(certBytes, privKeyBytes, certChainBytes, rootCertBytes []byte) error // CertOptions returns the CertOptions for rotating the current key cert. CertOptions() (*CertOptions, error) // ExtractRootCertExpiryTimestamp returns the unix timestamp when the root becomes expires. // An error indicates the certificate is expired. ExtractRootCertExpiryTimestamp() (float64, error) // ExtractCACertExpiryTimestamp returns the unix timestamp when the CA cert becomes expires. // An error indicates the certificate is expired. ExtractCACertExpiryTimestamp() (float64, error) }
KeyCertBundle stores the cert, private key, cert chain and root cert for an entity. It is thread safe. TODO(myidpt): Remove this interface.
type KeyCertBundleImpl ¶
type KeyCertBundleImpl struct {
// contains filtered or unexported fields
}
KeyCertBundleImpl implements the KeyCertBundle interface. The cert and privKey should be a public/private key pair. The cert should be verifiable from the rootCert through the certChain. cert and priveKey are pointers to the cert/key parsed from certBytes/privKeyBytes.
func NewKeyCertBundleWithRootCertFromFile ¶
func NewKeyCertBundleWithRootCertFromFile(rootCertFile string) (*KeyCertBundleImpl, error)
NewKeyCertBundleWithRootCertFromFile returns a new KeyCertBundle with the root cert without verification.
func NewVerifiedKeyCertBundleFromFile ¶
func NewVerifiedKeyCertBundleFromFile(certFile, privKeyFile, certChainFile, rootCertFile string) ( *KeyCertBundleImpl, error)
NewVerifiedKeyCertBundleFromFile returns a new KeyCertBundle, or error if the provided certs failed the verification.
func NewVerifiedKeyCertBundleFromPem ¶
func NewVerifiedKeyCertBundleFromPem(certBytes, privKeyBytes, certChainBytes, rootCertBytes []byte) ( *KeyCertBundleImpl, error)
NewVerifiedKeyCertBundleFromPem returns a new KeyCertBundle, or error if the provided certs failed the verification.
func (*KeyCertBundleImpl) CertOptions ¶
func (b *KeyCertBundleImpl) CertOptions() (*CertOptions, error)
CertOptions returns the certificate config based on currently stored cert.
func (*KeyCertBundleImpl) ExtractCACertExpiryTimestamp ¶
func (b *KeyCertBundleImpl) ExtractCACertExpiryTimestamp() (float64, error)
ExtractCACertExpiryTimestamp returns the unix timestamp when the cert chain becomes expires.
func (*KeyCertBundleImpl) ExtractRootCertExpiryTimestamp ¶
func (b *KeyCertBundleImpl) ExtractRootCertExpiryTimestamp() (float64, error)
ExtractRootCertExpiryTimestamp returns the unix timestamp when the root becomes expires.
func (*KeyCertBundleImpl) GetAll ¶
func (b *KeyCertBundleImpl) GetAll() (cert *x509.Certificate, privKey *crypto.PrivateKey, certChainBytes, rootCertBytes []byte)
GetAll returns all key/cert in KeyCertBundle together. Getting all values together avoids inconsistency. NOTE: Callers should not modify the content of cert and privKey.
func (*KeyCertBundleImpl) GetAllPem ¶
func (b *KeyCertBundleImpl) GetAllPem() (certBytes, privKeyBytes, certChainBytes, rootCertBytes []byte)
GetAllPem returns all key/cert PEMs in KeyCertBundle together. Getting all values together avoids inconsistency.
func (*KeyCertBundleImpl) GetCertChainPem ¶
func (b *KeyCertBundleImpl) GetCertChainPem() []byte
GetCertChainPem returns the certificate chain PEM.
func (*KeyCertBundleImpl) GetRootCertPem ¶
func (b *KeyCertBundleImpl) GetRootCertPem() []byte
GetRootCertPem returns the root certificate PEM.
func (*KeyCertBundleImpl) VerifyAndSetAll ¶
func (b *KeyCertBundleImpl) VerifyAndSetAll(certBytes, privKeyBytes, certChainBytes, rootCertBytes []byte) error
VerifyAndSetAll verifies the key/certs, and sets all key/certs in KeyCertBundle together. Setting all values together avoids inconsistency.
type SupportedECSignatureAlgorithms ¶
type SupportedECSignatureAlgorithms string
SupportedECSignatureAlgorithms are the types of EC Signature Algorithms to be used in key generation (e.g. ECDSA or ED2551)
const ( // only ECDSA using P256 is currently supported EcdsaSigAlg SupportedECSignatureAlgorithms = "ECDSA" )