Documentation
Index
- Constants
- func ExtractRootCertificate(certPEM []byte) ([]byte, error)
- func MakeBearerToken() ([]byte, error)
- func PEMEncodeBlock(blockType string, derBytes []byte) []byte
- func PEMEncodeCertificates(certs ...[]byte) []byte
- func PEMEncodePrivateKey(pkcs1Bytes []byte) []byte
- func ValidateCertificate(cert *x509.Certificate) (string, error)
- type ServerCertificateData
Constants
const BearerTokenLength = 32
Variables
This section is empty.
Functions
func ExtractRootCertificate (added in v0.22.10)
func ExtractRootCertificate(certPEM []byte) ([]byte, error)
ExtractRootCertificate extracts the trust anchor from PEM-encoded certificate data. It identifies the self-signed certificate (where Issuer equals Subject) regardless of PEM ordering. For a single self-signed cert it returns that cert. For a chain it returns the root CA after verifying that the leaf cert chains to it through any intermediates present. Returns an error if no self-signed certificate is found or if the chain is invalid.
func MakeBearerToken
func MakeBearerToken() ([]byte, error)
func PEMEncodeBlock (added in v0.22.10)
func PEMEncodeBlock(blockType string, derBytes []byte) []byte
PEMEncodeBlock PEM-encodes a single block with the given type and DER bytes.
func PEMEncodeCertificates
func PEMEncodeCertificates(certs ...[]byte) []byte
PEMEncodeCertificates PEM-encodes a set of raw DER certificates into a common buffer.
func PEMEncodePrivateKey
func PEMEncodePrivateKey(pkcs1Bytes []byte) []byte
PEMEncodePrivateKey PEM-encodes PKCS#1 RSA private key bytes.
func ValidateCertificate (added in v0.22.10)
func ValidateCertificate(cert *x509.Certificate) (string, error)
ValidateCertificate validates that the given certificate is currently valid, authorized for server authentication, and covers a localhost address. Returns the server address to use based on what the certificate covers and the system's IP version preference.
Types
type ServerCertificateData
type ServerCertificateData struct {
CACertPEM []byte // Root CA certificate, PEM-encoded (for client trust / kubeconfig)
CertChainPEM []byte // Server certificate chain (leaf + intermediates), PEM-encoded
ServerKeyPEM []byte // Server private key, PEM-encoded
}
func GenerateServerCertificate
func GenerateServerCertificate(ip net.IP) (ServerCertificateData, error)
Generates a self-signed certificate authority, server certificate, and a server private key for securing network connections. Returned certificates are raw (not PEM-encoded).
func LookupCertificate (added in v0.22.10)
func LookupCertificate(thumbprint string) (*ServerCertificateData, string, error)
LookupCertificate looks up a certificate by its SHA-1 thumbprint in the system certificate store (CurrentUser\My on Windows) and returns the certificate data including the private key, along with the validated server address the certificate covers. This is only supported on Windows; on other platforms it returns an error.