certgenerate

package

v3.1.1 Latest Latest Go to latest Published: Feb 20, 2024 License: Apache-2.0 Imports: 19 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/apache/dubbo-go

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
func AppendCertByte(pemCert []byte, rootCert []byte) []byte
func AppendRootCerts(pemCert []byte, rootCertFile string) ([]byte, error)
func BuildSANExtension(identites []Identity) (*pkix.Extension, error)
func BuildSubjectAltNameExtension(hosts string) (*pkix.Extension, error)
func DualUseCommonName(host string) (string, error)
func ExtractIDs(exts []pkix.Extension) ([]string, error)
func ExtractSANExtension(exts []pkix.Extension) *pkix.Extension
func GenCSR(options CertOptions) ([]byte, []byte, error)
func GenCSRTemplate(options CertOptions) (*x509.CertificateRequest, error)
func GenCertFromCSR(csr *x509.CertificateRequest, signingCert *x509.Certificate, ...) (cert []byte, err error)
func GenCertKeyFromOptions(options CertOptions) (pemCert []byte, pemKey []byte, err error)
func GenRootCertFromExistingKey(options CertOptions) (pemCert []byte, pemKey []byte, err error)
func GetRSAKeySize(privKey crypto.PrivateKey) (int, error)
func IsSupportedECPrivateKey(privKey *crypto.PrivateKey) bool
func LoadSignerCredsFromFiles(signerCertFile string, signerPrivFile string) (*x509.Certificate, crypto.PrivateKey, error)
func ParsePemEncodedCSR(csrBytes []byte) (*x509.CertificateRequest, error)
func ParsePemEncodedCertificate(certBytes []byte) (*x509.Certificate, error)
func ParsePemEncodedCertificateChain(certBytes []byte) ([]*x509.Certificate, error)
func ParsePemEncodedKey(keyBytes []byte) (crypto.PrivateKey, error)
func PemCertBytestoString(caCerts []byte) []string
type CertOptions
- func GetCertOptionsFromExistingCert(certBytes []byte) (opts CertOptions, err error)
- func MergeCertOptions(defaultOpts, deltaOpts CertOptions) CertOptions
type Identity
- func ExtractIDsFromSAN(sanExt *pkix.Extension) ([]Identity, error)
type IdentityType
type SupportedECSignatureAlgorithms

Constants ¶

View Source

const (
	// TypeDNS represents a DNS name.
	TypeDNS IdentityType = iota
	// TypeIP represents an IP address.
	TypeIP
	// TypeURI represents a universal resource identifier.
	TypeURI

	Scheme       = "spiffe"
	URIPrefix    = Scheme + "://"
	URIPrefixLen = len(URIPrefix)
)

View Source

const ClockSkewGracePeriod = time.Minute * 2

ClockSkewGracePeriod defines the period of time a certificate will be valid before its creation. This is meant to handle cases where we have clock skew between the CA and workloads.

Variables ¶

This section is empty.

Functions ¶

func AppendCertByte ¶

func AppendCertByte(pemCert []byte, rootCert []byte) []byte

AppendCertByte: Append x.509 rootCert in bytes to existing certificate chain (in bytes)

func AppendRootCerts ¶

func AppendRootCerts(pemCert []byte, rootCertFile string) ([]byte, error)

AppendRootCerts appends root certificates in RootCertFile to the input certificate.

func BuildSANExtension ¶

func BuildSANExtension(identites []Identity) (*pkix.Extension, error)

BuildSANExtension builds a `pkix.Extension` of type "Subject Alternative Name" based on the given identities.

func BuildSubjectAltNameExtension ¶

func BuildSubjectAltNameExtension(hosts string) (*pkix.Extension, error)

BuildSubjectAltNameExtension builds the SAN extension for the certificate.

func DualUseCommonName ¶

func DualUseCommonName(host string) (string, error)

DualUseCommonName extracts a valid CommonName from a comma-delimited host string for dual-use certificates.

func ExtractIDs ¶

func ExtractIDs(exts []pkix.Extension) ([]string, error)

ExtractIDs first finds the SAN extension from the given extension set, then extract identities from the SAN extension.

func ExtractSANExtension ¶

func ExtractSANExtension(exts []pkix.Extension) *pkix.Extension

ExtractSANExtension extracts the "Subject Alternative Name" externsion from the given PKIX extension set.

func GenCSR ¶

func GenCSR(options CertOptions) ([]byte, []byte, error)

GenCSR generates a X.509 certificate sign request and private key with the given options.

func GenCSRTemplate ¶

func GenCSRTemplate(options CertOptions) (*x509.CertificateRequest, error)

GenCSRTemplate generates a certificateRequest template with the given options.

func GenCertFromCSR ¶

func GenCertFromCSR(csr *x509.CertificateRequest, signingCert *x509.Certificate, publicKey interface{},
	signingKey crypto.PrivateKey, subjectIDs []string, ttl time.Duration, isCA bool,
) (cert []byte, err error)

GenCertFromCSR generates a X.509 certificate with the given CSR.

func GenCertKeyFromOptions ¶

func GenCertKeyFromOptions(options CertOptions) (pemCert []byte, pemKey []byte, err error)

GenCertKeyFromOptions generates a X.509 certificate and a private key with the given options.

func GenRootCertFromExistingKey ¶

func GenRootCertFromExistingKey(options CertOptions) (pemCert []byte, pemKey []byte, err error)

GenRootCertFromExistingKey generates a X.509 certificate using existing CA private key. Only called by a self-signed Citadel.

func GetRSAKeySize ¶

func GetRSAKeySize(privKey crypto.PrivateKey) (int, error)

GetRSAKeySize returns the size if it is RSA key, otherwise it returns an error.

func IsSupportedECPrivateKey ¶

func IsSupportedECPrivateKey(privKey *crypto.PrivateKey) bool

IsSupportedECPrivateKey is a predicate returning true if the private key is EC based

func LoadSignerCredsFromFiles ¶

func LoadSignerCredsFromFiles(signerCertFile string, signerPrivFile string) (*x509.Certificate, crypto.PrivateKey, error)

LoadSignerCredsFromFiles loads the signer cert&key from the given files.

signerCertFile: cert file name
signerPrivFile: private key file name

func ParsePemEncodedCSR ¶

func ParsePemEncodedCSR(csrBytes []byte) (*x509.CertificateRequest, error)

ParsePemEncodedCSR constructs a `x509.CertificateRequest` object using the given PEM-encoded certificate signing request.

func ParsePemEncodedCertificate ¶

func ParsePemEncodedCertificate(certBytes []byte) (*x509.Certificate, error)

ParsePemEncodedCertificate constructs a `x509.Certificate` object using the given a PEM-encoded certificate.

func ParsePemEncodedCertificateChain ¶

func ParsePemEncodedCertificateChain(certBytes []byte) ([]*x509.Certificate, error)

ParsePemEncodedCertificateChain constructs a slice of `x509.Certificate` objects using the given a PEM-encoded certificate chain.

func ParsePemEncodedKey ¶

func ParsePemEncodedKey(keyBytes []byte) (crypto.PrivateKey, error)

ParsePemEncodedKey takes a PEM-encoded key and parsed the bytes into a `crypto.PrivateKey`.

func PemCertBytestoString ¶

func PemCertBytestoString(caCerts []byte) []string

PemCertBytestoString: takes an array of PEM certs in bytes and returns a string array in the same order with trailing newline characters removed

Types ¶

type CertOptions ¶

type CertOptions struct {
	// Comma-separated hostnames and IPs to generate a certificate for.
	// This can also be set to the identity running the workload,
	// like kubernetes service account.
	Host string

	// The NotBefore field of the issued certificate.
	NotBefore time.Time

	// TTL of the certificate. NotAfter - NotBefore.
	TTL time.Duration

	// Signer certificate.
	SignerCert *x509.Certificate

	// Signer private key.
	SignerPriv crypto.PrivateKey

	// Signer private key (PEM encoded).
	SignerPrivPem []byte

	// Organization for this certificate.
	Org string

	// The size of RSA private key to be generated.
	RSAKeySize int

	// Whether this certificate is used as signing cert for CA.
	IsCA bool

	// Whether this certificate is self-signed.
	IsSelfSigned bool

	// Whether this certificate is for a client.
	IsClient bool

	// Whether this certificate is for a server.
	IsServer bool

	// Whether this certificate is for dual-use clients (SAN+CN).
	IsDualUse bool

	// If true, the private key is encoded with PKCS#8.
	PKCS8Key bool

	// The type of Elliptical Signature algorithm to use
	// when generating private keys. Currently only ECDSA is supported.
	// If empty, RSA is used, otherwise ECC is used.
	ECSigAlg SupportedECSignatureAlgorithms

	// Subjective Alternative Name values.
	DNSNames string
}

CertOptions contains options for generating a new certificate.

func GetCertOptionsFromExistingCert ¶

func GetCertOptionsFromExistingCert(certBytes []byte) (opts CertOptions, err error)

GetCertOptionsFromExistingCert parses cert and generates a CertOptions that contains information about the cert. This is the reverse operation of genCertTemplateFromOptions(), and only called by a self-signed Citadel.

func MergeCertOptions ¶

func MergeCertOptions(defaultOpts, deltaOpts CertOptions) CertOptions

MergeCertOptions merges deltaOpts into defaultOpts and returns the merged CertOptions. Only called by a self-signed Citadel.

type Identity ¶

type Identity struct {
	Type  IdentityType
	Value []byte
}

Identity is an object holding both the encoded identifier bytes as well as the type of the identity.

func ExtractIDsFromSAN ¶

func ExtractIDsFromSAN(sanExt *pkix.Extension) ([]Identity, error)

ExtractIDsFromSAN takes a SAN extension and extracts the identities. The logic is mostly borrowed from https://github.com/golang/go/blob/master/src/crypto/x509/x509.go, with the addition of supporting extracting URIs.

type IdentityType ¶

type IdentityType int

IdentityType represents type of an identity. This is used to properly encode an identity into a SAN extension.

type SupportedECSignatureAlgorithms ¶

type SupportedECSignatureAlgorithms string

SupportedECSignatureAlgorithms are the types of EC Signature Algorithms to be used in key generation (e.g. ECDSA or ED2551)

const (
	// only ECDSA using P256 is currently supported
	EcdsaSigAlg SupportedECSignatureAlgorithms = "ECDSA"
)

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL