crypto

package
v0.0.0-...-ac3ba9e Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 16, 2025 License: Apache-2.0 Imports: 27 Imported by: 295

Documentation

Index

Constants

View Source 
const (
	DefaultCertificateLifetimeDuration   = time.Hour * 24 * 365 * 2 // 2 years
	DefaultCACertificateLifetimeDuration = time.Hour * 24 * 365 * 5 // 5 years

)

Variables

This section is empty.

Functions

func CertsFromPEM 

func CertsFromPEM(pemCerts []byte) ([]*x509.Certificate, error)

func CipherSuite 

func CipherSuite(cipherName string) (uint16, error)

func CipherSuiteToNameOrDie 

func CipherSuiteToNameOrDie(intVal uint16) string

CipherSuiteToNameOrDie given a cipher suite as an int, return its readable name

func CipherSuitesOrDie 

func CipherSuitesOrDie(cipherNames []string) []uint16

func CipherSuitesToNamesOrDie 

func CipherSuitesToNamesOrDie(intVals []uint16) []string

CipherSuitesToNamesOrDie given a list of cipher suites as ints, return their readable names

func DefaultCiphers 

func DefaultCiphers() []uint16

func DefaultTLSVersion 

func DefaultTLSVersion() uint16

func EncodeCertificates 

func EncodeCertificates(certs ...*x509.Certificate) ([]byte, error)

func EncodeKey 

func EncodeKey(key crypto.PrivateKey) ([]byte, error)

func FilterExpiredCerts 

func FilterExpiredCerts(certs ...*x509.Certificate) []*x509.Certificate

FilterExpiredCerts checks are all certificates in the bundle valid, i.e. they have not expired. The function returns new bundle with only valid certificates or error if no valid certificate is found.

func GolangTLSVersions 

func GolangTLSVersions() []string

TLS versions that are known to golang, but may not necessarily be enabled.

func IPAddressesDNSNames 

func IPAddressesDNSNames(hosts []string) ([]net.IP, []string)

func NewClientCertificateTemplate 

func NewClientCertificateTemplate(subject pkix.Name, lifetime time.Duration, currentTime func() time.Time) *x509.Certificate

Can be used as a certificate in http.Transport TLSClientConfig

func NewClientCertificateTemplateForDuration 

func NewClientCertificateTemplateForDuration(subject pkix.Name, lifetime time.Duration, currentTime func() time.Time) *x509.Certificate

Can be used as a certificate in http.Transport TLSClientConfig

func NewKeyPair 

func NewKeyPair() (crypto.PublicKey, crypto.PrivateKey, error)

func OpenSSLToIANACipherSuites 

func OpenSSLToIANACipherSuites(ciphers []string) []string

OpenSSLToIANACipherSuites maps input OpenSSL Cipher Suite names to their IANA counterparts. Unknown ciphers are left out.

func SecureTLSConfig 

func SecureTLSConfig(config *tls.Config) *tls.Config

SecureTLSConfig enforces the default minimum security settings for the cluster.

func TLSVersion 

func TLSVersion(versionName string) (uint16, error)

func TLSVersionOrDie 

func TLSVersionOrDie(versionName string) uint16

func TLSVersionToNameOrDie 

func TLSVersionToNameOrDie(intVal uint16) string

TLSVersionToNameOrDie given a tls version as an int, return its readable name

func UserToSubject 

func UserToSubject(u user.Info) pkix.Name

func ValidCipherSuites 

func ValidCipherSuites() []string

func ValidTLSVersions 

func ValidTLSVersions() []string

Returns the build enabled TLS versions.

Types

type CA 

type CA struct {
	Config *TLSCertificateConfig

	SerialGenerator SerialGenerator
}

func EnsureCA 

func EnsureCA(certFile, keyFile, serialFile, name string, lifetime time.Duration) (*CA, bool, error)

EnsureCA returns a CA, whether it was created (as opposed to pre-existing), and any error if serialFile is empty, a RandomSerialGenerator will be used

func GetCA 

func GetCA(certFile, keyFile, serialFile string) (*CA, error)

if serialFile is empty, a RandomSerialGenerator will be used

func GetCAFromBytes 

func GetCAFromBytes(certBytes, keyBytes []byte) (*CA, error)

func MakeSelfSignedCA 

func MakeSelfSignedCA(certFile, keyFile, serialFile, name string, lifetime time.Duration) (*CA, error)

if serialFile is empty, a RandomSerialGenerator will be used

func (*CA) EnsureClientCertificate 

func (ca *CA) EnsureClientCertificate(certFile, keyFile string, u user.Info, lifetime time.Duration) (*TLSCertificateConfig, bool, error)

func (*CA) EnsureServerCert 

func (ca *CA) EnsureServerCert(certFile, keyFile string, hostnames sets.Set[string], lifetime time.Duration) (*TLSCertificateConfig, bool, error)

func (*CA) EnsureSubCA 

func (ca *CA) EnsureSubCA(certFile, keyFile, serialFile, name string, lifetime time.Duration) (*CA, bool, error)

EnsureSubCA returns a subCA signed by the `ca`, whether it was created (as opposed to pre-existing), and any error that might occur during the subCA creation. If serialFile is an empty string, a RandomSerialGenerator will be used.

func (*CA) MakeAndWriteServerCert 

func (ca *CA) MakeAndWriteServerCert(certFile, keyFile string, hostnames sets.Set[string], lifetime time.Duration) (*TLSCertificateConfig, error)

func (*CA) MakeAndWriteSubCA 

func (ca *CA) MakeAndWriteSubCA(certFile, keyFile, serialFile, name string, lifetime time.Duration) (*CA, error)

MakeAndWriteSubCA returns a new sub-CA configuration. New cert/key pair is generated while using this function. If serialFile is an empty string, a RandomSerialGenerator will be used.

func (*CA) MakeClientCertificate 

func (ca *CA) MakeClientCertificate(certFile, keyFile string, u user.Info, lifetime time.Duration) (*TLSCertificateConfig, error)

func (*CA) MakeClientCertificateForDuration 

func (ca *CA) MakeClientCertificateForDuration(u user.Info, lifetime time.Duration) (*TLSCertificateConfig, error)

func (*CA) MakeServerCert 

func (ca *CA) MakeServerCert(hostnames sets.Set[string], lifetime time.Duration, fns ...CertificateExtensionFunc) (*TLSCertificateConfig, error)

func (*CA) MakeServerCertForDuration 

func (ca *CA) MakeServerCertForDuration(hostnames sets.Set[string], lifetime time.Duration, fns ...CertificateExtensionFunc) (*TLSCertificateConfig, error)

func (*CA) SignCertificate 

func (ca *CA) SignCertificate(template *x509.Certificate, requestKey crypto.PublicKey) (*x509.Certificate, error)

type CertificateExtensionFunc 

type CertificateExtensionFunc func(*x509.Certificate) error

CertificateExtensionFunc is passed a certificate that it may extend, or return an error if the extension attempt failed.

type RandomSerialGenerator 

type RandomSerialGenerator struct {
}

RandomSerialGenerator returns a serial based on time.Now and the subject

func (*RandomSerialGenerator) Next 

func (s *RandomSerialGenerator) Next(template *x509.Certificate) (int64, error)

type SerialFileGenerator 

type SerialFileGenerator struct {
	SerialFile string

	Serial int64
	// contains filtered or unexported fields
}

SerialFileGenerator returns a unique, monotonically increasing serial number and ensures the CA on disk records that value.

func NewSerialFileGenerator 

func NewSerialFileGenerator(serialFile string) (*SerialFileGenerator, error)

func (*SerialFileGenerator) Next 

func (s *SerialFileGenerator) Next(template *x509.Certificate) (int64, error)

Next returns a unique, monotonically increasing serial number and ensures the CA on disk records that value.

type SerialGenerator 

type SerialGenerator interface {
	Next(template *x509.Certificate) (int64, error)
}

SerialGenerator is an interface for getting a serial number for the cert. It MUST be thread-safe.

type TLSCARoots 

type TLSCARoots struct {
	Roots []*x509.Certificate
}

type TLSCertificateConfig 

type TLSCertificateConfig struct {
	Certs []*x509.Certificate
	Key   crypto.PrivateKey
}

func GetClientCertificate 

func GetClientCertificate(certFile, keyFile string, u user.Info) (*TLSCertificateConfig, error)

func GetServerCert 

func GetServerCert(certFile, keyFile string, hostnames sets.Set[string]) (*TLSCertificateConfig, error)

func GetTLSCertificateConfig 

func GetTLSCertificateConfig(certFile, keyFile string) (*TLSCertificateConfig, error)

func GetTLSCertificateConfigFromBytes 

func GetTLSCertificateConfigFromBytes(certBytes, keyBytes []byte) (*TLSCertificateConfig, error)

func MakeCAConfigForDuration 

func MakeCAConfigForDuration(name string, caLifetime time.Duration, issuer *CA) (*TLSCertificateConfig, error)

func MakeSelfSignedCAConfig 

func MakeSelfSignedCAConfig(name string, lifetime time.Duration) (*TLSCertificateConfig, error)

func MakeSelfSignedCAConfigForDuration 

func MakeSelfSignedCAConfigForDuration(name string, caLifetime time.Duration) (*TLSCertificateConfig, error)

func MakeSelfSignedCAConfigForSubject 

func MakeSelfSignedCAConfigForSubject(subject pkix.Name, lifetime time.Duration) (*TLSCertificateConfig, error)

func UnsafeMakeSelfSignedCAConfigForDurationAtTime 

func UnsafeMakeSelfSignedCAConfigForDurationAtTime(name string, currentTime func() time.Time, caLifetime time.Duration) (*TLSCertificateConfig, error)

func (*TLSCertificateConfig) GetPEMBytes 

func (c *TLSCertificateConfig) GetPEMBytes() ([]byte, []byte, error)

func (*TLSCertificateConfig) WriteCertConfig 

func (c *TLSCertificateConfig) WriteCertConfig(certFile, keyFile io.Writer) error

func (*TLSCertificateConfig) WriteCertConfigFile 

func (c *TLSCertificateConfig) WriteCertConfigFile(certFile, keyFile string) error

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.
JackTT - Gopher 🇻🇳