tls

package
v0.6.16 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 13, 2021 License: Apache-2.0 Imports: 19 Imported by: 2

Documentation

Overview

Package tls contains functions for creating and managing x509 certificates and key pairs for the purposes of TLS

Index

Constants

View Source 
const (
	// Private key algorithms
	ECDSAAlgorithm = "ECDSA"
	RSAAlgorithm   = "RSA"

	// Elliptic curves
	P224Curve = "P224"
	P256Curve = "P256"
	P384Curve = "P384"
	P521Curve = "P521"

	// We force users to use at least 2048 bits for RSA, as anything less is cryptographically insecure (since they have
	// been cracked).
	// See https://en.wikipedia.org/wiki/Key_size for more commentary
	MinimumRSABits = 2048
)

Variables

View Source 
var (
	// Valid private key algorithms we support in this library
	PrivateKeyAlgorithms = []string{
		ECDSAAlgorithm,
		RSAAlgorithm,
	}

	// List of known curves we support for ECDSA private key algorithm
	KnownCurves = []string{
		P224Curve,
		P256Curve,
		P384Curve,
		P521Curve,
	}
)

Functions

func CreateCertificateFromKeys 

func CreateCertificateFromKeys(
	validityTimeSpan time.Duration,
	distinguishedName pkix.Name,
	signedBy *x509.Certificate,
	isCA bool,
	dnsNames []string,
	pubKey interface{},
	privKey interface{},
) ([]byte, error)

CreateCertificateFromKeys will take the provided key pair and generate the associated TLS certificate. You can customize the distinguished name on the certificate, the validity time span, whether or not it is a CA certificate, and sign the certificate with a given CA using the available parameters. Note: The passed in private key should be the private key of the SIGNER (certificate signing), while the public key should be the public key of the SIGNEE (certificate being signed). Code based on generate_cert command in crypto/tls: https://golang.org/src/crypto/tls/generate_cert.go

func CreateECDSAKeyPair 

func CreateECDSAKeyPair(ecdsaCurve string) (*ecdsa.PrivateKey, *ecdsa.PublicKey, error)

CreateECDSAKeyPair generates a new private public key pair using the ECDSA algorithm. The elliptic curve is configurable, and it must be one of P224, P256, P384, P521.

func CreateRSAKeyPair 

func CreateRSAKeyPair(rsaBits int) (*rsa.PrivateKey, *rsa.PublicKey, error)

CreateRSAKeyPair generates a new private public key pair using the RSA algorithm. The size of the RSA key in bits is configurable. We force users to use at least 2048 bits, as anything less is cryptographically insecure (since they have been cracked). See https://en.wikipedia.org/wiki/Key_size for more commentary

func EncodeCertificateToPEM 

func EncodeCertificateToPEM(certificate *x509.Certificate) pem.Block

EncodeCertificateToPEM will take the raw x509 Certificate and encode it to a pem Block struct.

func EncodeECDSAPrivateKeyToPEM 

func EncodeECDSAPrivateKeyToPEM(privateKey *ecdsa.PrivateKey, password string) (pem.Block, error)

EncodeECDSAPrivateKeyToPEM will take the provided ECDSA private key and encode it to a pem Block struct. You can optionally encrypt the private key by providing a password (passing in "" will keep it unencrypted).

func EncodePublicKeyToPEM 

func EncodePublicKeyToPEM(publicKey interface{}) (pem.Block, error)

EncodePublicKeyToPEM will take the provided public key and encode it to a pem Block struct.

func EncodeRSAPrivateKeyToPEM 

func EncodeRSAPrivateKeyToPEM(privateKey *rsa.PrivateKey, password string) (pem.Block, error)

EncodeRSAPrivateKeyToPEM will take the provided RSA private key and encode it to a pem Block struct. You can optionally encrypt the private key by providing a password (passing in "" will keep it unencrypted).

func GenerateAndStoreAsK8SSecret added in v0.3.3 

func GenerateAndStoreAsK8SSecret(
	kubectlOptions *kubectl.KubectlOptions,
	secretOptions KubernetesSecretOptions,
	caSecretOptions KubernetesSecretOptions,
	genCA bool,
	filenameBase string,
	tlsOptions TLSOptions,
	dnsNames []string,
) error

GenerateAndStoreAsK8SSecret will generate new TLS certificate key pairs and store them as Kubernetes Secret resources.

func LoadCertificate 

func LoadCertificate(path string) (*x509.Certificate, error)

LoadCertificate will load a Certificate object from the provided path, assuming it holds a certificate encoded in PEM.

func LoadECDSAPrivateKey 

func LoadECDSAPrivateKey(path string) (*ecdsa.PrivateKey, error)

LoadECDSAPrivateKey will load a private key object from the provided path, assuming it holds a certificate encoded in PEM.

func LoadRSAPrivateKey 

func LoadRSAPrivateKey(path string) (*rsa.PrivateKey, error)

LoadRSAPrivateKey will load a private key object from the provided path, assuming it holds a certificate encoded in PEM.

func NewPrivateKeyPEMBlock 

func NewPrivateKeyPEMBlock(pemType string, pemData []byte, password string) (pem.Block, error)

NewPrivateKeyPEMBlock will create the pem Block struct with the provided data. You can optionally encrypt the private key by providing a password (passing in "" will keep it unencrypted).

func StoreCertificate 

func StoreCertificate(certificate *x509.Certificate, path string) error

StoreCertificate will take the provided certificate, encode it to pem, and store it on disk at the specified path.

func StoreCertificateKeyPairAsKubernetesSecret added in v0.3.3 

func StoreCertificateKeyPairAsKubernetesSecret(
	kubectlOptions *kubectl.KubectlOptions,
	secretName string,
	secretNamespace string,
	labels map[string]string,
	annotations map[string]string,
	nameBase string,
	certificateKeyPairPath CertificateKeyPairPath,
	caCertPath string,
) error

StoreCertificateKeyPairAsKubernetesSecret will store the provided certificate key pair (which is available in the local file system) in the Kubernetes cluster as a secret.

func StoreECDSAPrivateKey 

func StoreECDSAPrivateKey(privateKey *ecdsa.PrivateKey, password string, path string) error

StoreECDSAPrivateKey takes the given ECDSA private key, encode it to pem, and store it on disk at the specified path. You can optionally provide a password to encrypt the key on disk (passing in "" will store it unencrypted).

func StoreECDSAPublicKey 

func StoreECDSAPublicKey(publicKey *ecdsa.PublicKey, path string) error

StoreECDSAPublicKey takes the given ECDSA public key, encode it to pem, and store it on disk at the specified path.

func StorePEM 

func StorePEM(pemBlock pem.Block, path string) error

StorePEM will take the pem block and store it to disk.

func StoreRSAPrivateKey 

func StoreRSAPrivateKey(privateKey *rsa.PrivateKey, password string, path string) error

StoreRSAPrivateKey takes the given RSA private key, encode it to pem, and store it on disk at the specified path. You can optionally provide a password to encrypt the key on disk (passing in "" will store it unencrypted).

func StoreRSAPublicKey 

func StoreRSAPublicKey(publicKey *rsa.PublicKey, path string) error

StoreRSAPublicKey takes the given RSA public key, encode it to pem, and store it on disk at the specified path. You

Types

type CertificateKeyPairPath 

type CertificateKeyPairPath struct {
	CertificatePath string
	PrivateKeyPath  string
	PublicKeyPath   string
}

CertificateKeyPairPath represents the path where the certificate key pair resides.

type KubernetesSecretOptions added in v0.3.3 

type KubernetesSecretOptions struct {
	Name        string
	Namespace   string
	Labels      map[string]string
	Annotations map[string]string
}

type RSABitsTooLow 

type RSABitsTooLow struct {
	RSABits int
}

RSABitsTooLow is returned when the requested RSA key length is too low.

func (RSABitsTooLow) Error 

func (err RSABitsTooLow) Error() string

type TLSECDSACertificateKeyPair 

type TLSECDSACertificateKeyPair struct {
	CertificateBytes []byte
	PrivateKey       *ecdsa.PrivateKey
	PublicKey        *ecdsa.PublicKey
}

TLSECDSACertificateKeyPair represents the certificate key pair generated using the ECDSA algorithm.

func CreateECDSACertificateKeyPair 

func CreateECDSACertificateKeyPair(
	validityTimeSpan time.Duration,
	distinguishedName pkix.Name,
	signedBy *x509.Certificate,
	signedByKey interface{},
	isCA bool,
	dnsNames []string,
	ecdsaCurve string,
) (TLSECDSACertificateKeyPair, error)

CreateECDSACertificateKeyPair will generate a new certificate key pair using the ECDSA algorithm. You can customize the distinguished name on the certificate, the validity time span, whether or not it is a CA certificate, and sign the certificate with a given CA using the available parameters. The elliptic curve is configurable, and it must be one of P224, P256, P384, P521.

func (*TLSECDSACertificateKeyPair) Certificate 

func (certificateKeyPair *TLSECDSACertificateKeyPair) Certificate() (*x509.Certificate, error)

Certificate will return the Certificate struct represented by the raw bytes stored on the key pair struct.

type TLSOptions 

type TLSOptions struct {
	DistinguishedName   pkix.Name
	ValidityTimeSpan    time.Duration
	PrivateKeyAlgorithm string
	RSABits             int
	ECDSACurve          string
}

TLSOptions is a convenient struct to capture all the options needed for generating a TLS certificate key pair.

func SampleTlsOptions added in v0.3.3 

func SampleTlsOptions(algorithm string) TLSOptions

func (*TLSOptions) GenerateAndStoreTLSCertificateKeyPair 

func (options *TLSOptions) GenerateAndStoreTLSCertificateKeyPair(
	name string,
	rootPath string,
	keyPassword string,
	isCA bool,
	dnsNames []string,
	signedBy *x509.Certificate,
	signedByKey interface{},
) (CertificateKeyPairPath, error)

GenerateAndStoreTLSCertificateKeyPair is a convenience method that will select the right underlying functions to use to generate the certificate key pairs and store them to disk at the provided root path. The following files will be created: - name.crt : The x509 certificate file in PEM format. - name.pem : The private key file in PEM format. - name.pub : The public key file in PEM format.

func (*TLSOptions) Validate 

func (options *TLSOptions) Validate() error

Validate will validate the provided TLSOptions struct is valid.

type TLSRSACertificateKeyPair 

type TLSRSACertificateKeyPair struct {
	CertificateBytes []byte
	PrivateKey       *rsa.PrivateKey
	PublicKey        *rsa.PublicKey
}

TLSRSACertificateKeyPair represents the certificate key pair generated using the RSA algorithm.

func CreateRSACertificateKeyPair 

func CreateRSACertificateKeyPair(
	validityTimeSpan time.Duration,
	distinguishedName pkix.Name,
	signedBy *x509.Certificate,
	signedByKey interface{},
	isCA bool,
	dnsNames []string,
	rsaBits int,
) (TLSRSACertificateKeyPair, error)

CreateRSACertificateKeyPair will generate a new certificate key pair using the RSA algorithm. You can customize the distinguished name on the certificate, the validity time span, whether or not it is a CA certificate, and sign the certificate with a given CA using the available parameters. The size of the RSA key in bits is configurable. Choosing at least 2048 bits is recommended.

func (*TLSRSACertificateKeyPair) Certificate 

func (certificateKeyPair *TLSRSACertificateKeyPair) Certificate() (*x509.Certificate, error)

Certificate will return the Certificate struct represented by the raw bytes stored on the key pair struct.

type UnknownECDSACurveError 

type UnknownECDSACurveError struct {
	Curve string
}

UnknownECDSACurveError is returned when an unknown ecdsa curve is requested.

func (UnknownECDSACurveError) Error 

func (err UnknownECDSACurveError) Error() string

type UnknownPrivateKeyAlgorithm 

type UnknownPrivateKeyAlgorithm struct {
	Algorithm string
}

UnknownPrivateKeyAlgorithm is returned when the provided algorithm is unknown or unsupported.

func (UnknownPrivateKeyAlgorithm) Error 

func (err UnknownPrivateKeyAlgorithm) Error() string

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.