GO-2022-0617: WITHDRAWN: Potential proxy IP restriction bypass in Kubernetes in k8s.io/kubernetes

pkiutil

package

v1.31.0-alpha.2 Latest Latest Go to latest Published: Jun 18, 2024 License: Apache-2.0 Imports: 26 Imported by: 97

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/kubernetes/kubernetes

Documentation ¶

Index ¶

Constants
Variables
func CSROrKeyExist(csrDir, name string) bool
func CertOrKeyExist(pkiPath, name string) bool
func CertificateRequestFromFile(file string) (*x509.CertificateRequest, error)
func EncodeCSRPEM(csr *x509.CertificateRequest) []byte
func EncodeCertBundlePEM(certs []*x509.Certificate) ([]byte, error)
func EncodeCertPEM(cert *x509.Certificate) []byte
func EncodePublicKeyPEM(key crypto.PublicKey) ([]byte, error)
func GeneratePrivateKey(keyType kubeadmapi.EncryptionAlgorithmType) (crypto.Signer, error)
func GetAPIServerAltNames(cfg *kubeadmapi.InitConfiguration) (*certutil.AltNames, error)
func GetEtcdAltNames(cfg *kubeadmapi.InitConfiguration) (*certutil.AltNames, error)
func GetEtcdPeerAltNames(cfg *kubeadmapi.InitConfiguration) (*certutil.AltNames, error)
func HasServerAuth(cert *x509.Certificate) bool
func NewCSR(cfg CertConfig, key crypto.Signer) (*x509.CertificateRequest, error)
func NewCSRAndKey(config *CertConfig) (*x509.CertificateRequest, crypto.Signer, error)
func NewCertAndKey(caCert *x509.Certificate, caKey crypto.Signer, config *CertConfig) (*x509.Certificate, crypto.Signer, error)
func NewCertificateAuthority(config *CertConfig) (*x509.Certificate, crypto.Signer, error)
func NewIntermediateCertificateAuthority(parentCert *x509.Certificate, parentKey crypto.Signer, config *CertConfig) (*x509.Certificate, crypto.Signer, error)
func NewSelfSignedCACert(cfg *CertConfig, key crypto.Signer) (*x509.Certificate, error)
func NewSignedCert(cfg *CertConfig, key crypto.Signer, caCert *x509.Certificate, ...) (*x509.Certificate, error)
func PathsForCertAndKey(pkiPath, name string) (string, string)
func RemoveDuplicateAltNames(altNames *certutil.AltNames)
func TryLoadCSRFromDisk(pkiPath, name string) (*x509.CertificateRequest, error)
func TryLoadCertAndKeyFromDisk(pkiPath, name string) (*x509.Certificate, crypto.Signer, error)
func TryLoadCertChainFromDisk(pkiPath, name string) (*x509.Certificate, []*x509.Certificate, error)
func TryLoadCertFromDisk(pkiPath, name string) (*x509.Certificate, error)
func TryLoadKeyFromDisk(pkiPath, name string) (crypto.Signer, error)
func TryLoadPrivatePublicKeyFromDisk(pkiPath, name string) (crypto.PrivateKey, crypto.PublicKey, error)
func ValidateCertPeriod(cert *x509.Certificate, offset time.Duration) error
func VerifyCertChain(cert *x509.Certificate, intermediates []*x509.Certificate, ...) error
func WriteCSR(csrDir, name string, csr *x509.CertificateRequest) error
func WriteCert(pkiPath, name string, cert *x509.Certificate) error
func WriteCertAndKey(pkiPath string, name string, cert *x509.Certificate, key crypto.Signer) error
func WriteCertBundle(pkiPath, name string, certs []*x509.Certificate) error
func WriteKey(pkiPath, name string, key crypto.Signer) error
func WritePublicKey(pkiPath, name string, key crypto.PublicKey) error
type CertConfig

Constants ¶

View Source

const (
	// PrivateKeyBlockType is a possible value for pem.Block.Type.
	PrivateKeyBlockType = "PRIVATE KEY"
	// PublicKeyBlockType is a possible value for pem.Block.Type.
	PublicKeyBlockType = "PUBLIC KEY"
	// CertificateBlockType is a possible value for pem.Block.Type.
	CertificateBlockType = "CERTIFICATE"
	// RSAPrivateKeyBlockType is a possible value for pem.Block.Type.
	RSAPrivateKeyBlockType = "RSA PRIVATE KEY"
)

Variables ¶

View Source

var NewPrivateKey = GeneratePrivateKey

NewPrivateKey returns a new private key.

Functions ¶

func CSROrKeyExist ¶

func CSROrKeyExist(csrDir, name string) bool

CSROrKeyExist returns true if one of the CSR or key exists

func CertOrKeyExist ¶

func CertOrKeyExist(pkiPath, name string) bool

CertOrKeyExist returns a boolean whether the cert or the key exists

func CertificateRequestFromFile ¶

func CertificateRequestFromFile(file string) (*x509.CertificateRequest, error)

CertificateRequestFromFile returns the CertificateRequest from a given PEM-encoded file. Returns an error if the file could not be read or if the CSR could not be parsed.

func EncodeCSRPEM ¶

func EncodeCSRPEM(csr *x509.CertificateRequest) []byte

EncodeCSRPEM returns PEM-encoded CSR data

func EncodeCertBundlePEM ¶ added in v1.21.0

func EncodeCertBundlePEM(certs []*x509.Certificate) ([]byte, error)

EncodeCertBundlePEM returns PEM-endcoded certificate bundle

func EncodeCertPEM ¶ added in v1.14.0

func EncodeCertPEM(cert *x509.Certificate) []byte

EncodeCertPEM returns PEM-endcoded certificate data

func EncodePublicKeyPEM ¶ added in v1.14.0

func EncodePublicKeyPEM(key crypto.PublicKey) ([]byte, error)

EncodePublicKeyPEM returns PEM-encoded public data

func GeneratePrivateKey ¶ added in v1.21.0

func GeneratePrivateKey(keyType kubeadmapi.EncryptionAlgorithmType) (crypto.Signer, error)

GeneratePrivateKey is the default function for generating private keys.

func GetAPIServerAltNames ¶

func GetAPIServerAltNames(cfg *kubeadmapi.InitConfiguration) (*certutil.AltNames, error)

GetAPIServerAltNames builds an AltNames object for to be used when generating apiserver certificate

func GetEtcdAltNames ¶

func GetEtcdAltNames(cfg *kubeadmapi.InitConfiguration) (*certutil.AltNames, error)

GetEtcdAltNames builds an AltNames object for generating the etcd server certificate. `advertise address` and localhost are included in the SAN since this is the interfaces the etcd static pod listens on. The user can override the listen address with `Etcd.ExtraArgs` and add SANs with `Etcd.ServerCertSANs`.

func GetEtcdPeerAltNames ¶

func GetEtcdPeerAltNames(cfg *kubeadmapi.InitConfiguration) (*certutil.AltNames, error)

GetEtcdPeerAltNames builds an AltNames object for generating the etcd peer certificate. Hostname and `API.AdvertiseAddress` are included if the user chooses to promote the single node etcd cluster into a multi-node one (stacked etcd). The user can override the listen address with `Etcd.ExtraArgs` and add SANs with `Etcd.PeerCertSANs`.

func HasServerAuth ¶

func HasServerAuth(cert *x509.Certificate) bool

HasServerAuth returns true if the given certificate is a ServerAuth

func NewCSR ¶

func NewCSR(cfg CertConfig, key crypto.Signer) (*x509.CertificateRequest, error)

NewCSR creates a new CSR

func NewCSRAndKey ¶

func NewCSRAndKey(config *CertConfig) (*x509.CertificateRequest, crypto.Signer, error)

NewCSRAndKey generates a new key and CSR and that could be signed to create the given certificate

func NewCertAndKey ¶

func NewCertAndKey(caCert *x509.Certificate, caKey crypto.Signer, config *CertConfig) (*x509.Certificate, crypto.Signer, error)

NewCertAndKey creates new certificate and key by passing the certificate authority certificate and key

func NewCertificateAuthority ¶

func NewCertificateAuthority(config *CertConfig) (*x509.Certificate, crypto.Signer, error)

NewCertificateAuthority creates new certificate and private key for the certificate authority

func NewIntermediateCertificateAuthority ¶ added in v1.21.0

func NewIntermediateCertificateAuthority(parentCert *x509.Certificate, parentKey crypto.Signer, config *CertConfig) (*x509.Certificate, crypto.Signer, error)

NewIntermediateCertificateAuthority creates new certificate and private key for an intermediate certificate authority

func NewSelfSignedCACert ¶ added in v1.31.0

func NewSelfSignedCACert(cfg *CertConfig, key crypto.Signer) (*x509.Certificate, error)

NewSelfSignedCACert creates a new self-signed CA certificate

func NewSignedCert ¶ added in v1.14.0

func NewSignedCert(cfg *CertConfig, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer, isCA bool) (*x509.Certificate, error)

NewSignedCert creates a signed certificate using the given CA certificate and key

func PathsForCertAndKey ¶

func PathsForCertAndKey(pkiPath, name string) (string, string)

PathsForCertAndKey returns the paths for the certificate and key given the path and basename.

func RemoveDuplicateAltNames ¶ added in v1.19.0

func RemoveDuplicateAltNames(altNames *certutil.AltNames)

RemoveDuplicateAltNames removes duplicate items in altNames.

func TryLoadCSRFromDisk ¶ added in v1.19.0

func TryLoadCSRFromDisk(pkiPath, name string) (*x509.CertificateRequest, error)

TryLoadCSRFromDisk tries to load the CSR from the disk

func TryLoadCertAndKeyFromDisk ¶

func TryLoadCertAndKeyFromDisk(pkiPath, name string) (*x509.Certificate, crypto.Signer, error)

TryLoadCertAndKeyFromDisk tries to load a cert and a key from the disk and validates that they are valid

func TryLoadCertChainFromDisk ¶ added in v1.21.0

func TryLoadCertChainFromDisk(pkiPath, name string) (*x509.Certificate, []*x509.Certificate, error)

TryLoadCertChainFromDisk tries to load the cert chain from the disk

func TryLoadCertFromDisk ¶

func TryLoadCertFromDisk(pkiPath, name string) (*x509.Certificate, error)

TryLoadCertFromDisk tries to load the cert from the disk

func TryLoadKeyFromDisk ¶

func TryLoadKeyFromDisk(pkiPath, name string) (crypto.Signer, error)

TryLoadKeyFromDisk tries to load the key from the disk and validates that it is valid

func TryLoadPrivatePublicKeyFromDisk ¶

func TryLoadPrivatePublicKeyFromDisk(pkiPath, name string) (crypto.PrivateKey, crypto.PublicKey, error)

TryLoadPrivatePublicKeyFromDisk tries to load the key from the disk and validates that it is valid

func ValidateCertPeriod ¶ added in v1.20.0

func ValidateCertPeriod(cert *x509.Certificate, offset time.Duration) error

ValidateCertPeriod checks if the certificate is valid relative to the current time (+/- offset)

func VerifyCertChain ¶ added in v1.21.0

func VerifyCertChain(cert *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate) error

VerifyCertChain verifies that a certificate has a valid chain of intermediate CAs back to the root CA

func WriteCSR ¶

func WriteCSR(csrDir, name string, csr *x509.CertificateRequest) error

WriteCSR writes the pem-encoded CSR data to csrPath. The CSR file will be created with file mode 0600. If the CSR file already exists, it will be overwritten. The parent directory of the csrPath will be created as needed with file mode 0700.

func WriteCert ¶

func WriteCert(pkiPath, name string, cert *x509.Certificate) error

WriteCert stores the given certificate at the given location

func WriteCertAndKey ¶

func WriteCertAndKey(pkiPath string, name string, cert *x509.Certificate, key crypto.Signer) error

WriteCertAndKey stores certificate and key at the specified location

func WriteCertBundle ¶ added in v1.21.0

func WriteCertBundle(pkiPath, name string, certs []*x509.Certificate) error

WriteCertBundle stores the given certificate bundle at the given location

func WriteKey ¶

func WriteKey(pkiPath, name string, key crypto.Signer) error

WriteKey stores the given key at the given location

func WritePublicKey ¶

func WritePublicKey(pkiPath, name string, key crypto.PublicKey) error

WritePublicKey stores the given public key at the given location

Types ¶

type CertConfig ¶ added in v1.18.0

type CertConfig struct {
	certutil.Config
	NotAfter            time.Time
	EncryptionAlgorithm kubeadmapi.EncryptionAlgorithmType
}

CertConfig is a wrapper around certutil.Config extending it with EncryptionAlgorithm.

Source Files ¶

View all Source files

pki_helpers.go

Directories ¶

Path	Synopsis
testing

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL