crypto

package
v0.3.1
Published: Feb 13, 2026 License: Apache-2.0 Imports: 16 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CheckCertificateAndPrivateKeyPairValidity

func CheckCertificateAndPrivateKeyPairValidity(certificate, privateKey []byte, threshold time.Duration) (bool, error)

CheckCertificateAndPrivateKeyPairValidity checks if the certificate and private key pair are valid.

func CheckCertificateNamesAndIPs

func CheckCertificateNamesAndIPs(certificateBytes []byte, entries []string) (bool, error)

CheckCertificateNamesAndIPs checks whether the Kubernetes API Server certificate matches the Control Plane Endpoint and the SANs stored in kubeadm: it must check both IPs and DNS names, and returns false if a required entry is missing. If entries have been removed, the function still returns true, to avoid reloading the Control Plane needlessly.

func CheckPublicAndPrivateKeyValidity

func CheckPublicAndPrivateKeyValidity(publicKey, privateKey []byte) (bool, error)

CheckPublicAndPrivateKeyValidity checks if the given bytes for the private and public keys are valid.

func GenerateAdminClientCert added in v0.3.1

func GenerateAdminClientCert(clusterName string, caCert *x509.Certificate, caKey ed25519.PrivateKey) (certPEM, keyPEM []byte, err error)

GenerateAdminClientCert generates an admin client certificate signed by the OS CA. This certificate can be used with talosctl to authenticate against trustd.

func GenerateCertificatePrivateKeyPair

func GenerateCertificatePrivateKeyPair(template *x509.Certificate, caCertificate []byte, caPrivateKey []byte) (*bytes.Buffer, *bytes.Buffer, error)

GenerateCertificatePrivateKeyPair generates, from the Certificate Authority bytes, a certificate using the provided template, returning the bytes of both the certificate and its key.

func IsValidCertificateKeyPairBytes

func IsValidCertificateKeyPairBytes(certificateBytes, privateKeyBytes []byte, expirationThreshold time.Duration) (bool, error)

IsValidCertificateKeyPairBytes checks if the certificate matches the private key bound to it.

func NewCertificateTemplate

func NewCertificateTemplate(commonName string) *x509.Certificate

NewCertificateTemplate returns the template that must be used to generate the certificate used to authenticate against the DataStore.

func NewCertificateTemplateWithSANs

func NewCertificateTemplateWithSANs(commonName string, dnsNames []string, ipAddresses []net.IP) *x509.Certificate

NewCertificateTemplateWithSANs returns a certificate template with DNS names and/or IP addresses in the Subject Alternative Names field. This is required for TLS server certificates where clients verify the hostname matches the certificate.
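As an added example (not code from this package), the SAN-coverage rule described for CheckCertificateNamesAndIPs above, every required IP and DNS name must appear among the SANs while surplus SANs are tolerated, implemented against a self-signed Ed25519 server certificate built with the same kind of SAN-bearing template NewCertificateTemplateWithSANs returns. IssueServerCert and CoversEntries are hypothetical names, and the certificate is constructed test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"net"
	"slices"
	"time"
)

// IssueServerCert self-signs an Ed25519 server certificate whose SANs are the given
// IPs and DNS names and returns it PEM-encoded (constructed test data, not a real CA).
func IssueServerCert(ips []net.IP, dns []string) ([]byte, error) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail in practice
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "trustd"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(1, 0, 0),
		IPAddresses: ips, DNSNames: dns, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tpl, tpl, pub, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// CoversEntries reports whether every required entry (IP literal or DNS name) is a SAN of
// the leaf certificate; SANs the certificate has but the list lacks are ignored.
func CoversEntries(certPEM []byte, required []string) (bool, error) {
	block, _ := pem.Decode(certPEM) // in a server chain the first block is the leaf
	if block == nil {
		return false, errors.New("no PEM certificate found")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, err
	}
	for _, e := range required {
		ip := net.ParseIP(e) // nil when e is a DNS name rather than an IP literal
		ipOK := ip != nil && slices.ContainsFunc(leaf.IPAddresses, ip.Equal)
		if !ipOK && !slices.Contains(leaf.DNSNames, e) {
			return false, nil // a required entry is missing from the SANs
		}
	}
	return true, nil
}
```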

func ParseCertificateBytes

func ParseCertificateBytes(content []byte) (*x509.Certificate, error)

ParseCertificateBytes parses the certificate bytes and returns an x509 certificate.

func ParsePrivateKeyBytes

func ParsePrivateKeyBytes(content []byte) (crypto.Signer, error)

ParsePrivateKeyBytes parses the private key bytes and returns the RSA private key.

func ParsePublicKeyBytes

func ParsePublicKeyBytes(content []byte) (*rsa.PublicKey, error)

ParsePublicKeyBytes parses the public key bytes and returns an RSA public key.

func ParseTrustdServerCertSANs added in v0.3.0

func ParseTrustdServerCertSANs(certPEM []byte) ([]net.IP, []string, error)

ParseTrustdServerCertSANs parses a PEM-encoded server certificate (possibly chained) and returns its IP addresses and DNS names.

func RegenerateAdminClientCert added in v0.3.1

func RegenerateAdminClientCert(clusterName string, caCertPEM, caKeyPEM []byte) (certPEM, keyPEM []byte, err error)

RegenerateAdminClientCert regenerates an admin client certificate from PEM-encoded CA cert and key.

func RegenerateTrustdServerCert added in v0.3.0

func RegenerateTrustdServerCert(caCertPEM, caKeyPEM []byte, ipAddresses []net.IP, dnsNames []string) (serverChain, serverKey []byte, err error)

RegenerateTrustdServerCert regenerates only the server certificate when SANs change. The CA and token are preserved. Returns the new server chain and key.

func VerifyCertificate

func VerifyCertificate(cert, ca []byte, usages ...x509.ExtKeyUsage) (bool, error)

Types

type TrustdCredentials added in v0.3.0

type TrustdCredentials struct {
	// OSCACert is the PEM-encoded Ed25519 CA certificate (10-year validity).
	OSCACert []byte
	// OSCAKey is the PEM-encoded Ed25519 CA private key.
	OSCAKey []byte
	// ServerChain is the PEM-encoded server cert + CA cert concatenated.
	// This chain is required for TLS handshakes — without it, workers get
	// "certificate signed by unknown authority".
	ServerChain []byte
	// ServerKey is the PEM-encoded server private key.
	ServerKey []byte
	// Token is the machine token in the format "butler.<32-hex-chars>".
	Token string
	// AdminCert is the PEM-encoded admin client certificate for CLI access.
	AdminCert []byte
	// AdminKey is the PEM-encoded admin client private key.
	AdminKey []byte
}

TrustdCredentials contains the OS-level credentials for steward-trustd.

func GenerateTrustdCredentials added in v0.3.0

func GenerateTrustdCredentials(clusterName string, ipAddresses []net.IP, dnsNames []string) (*TrustdCredentials, error)

GenerateTrustdCredentials generates a full set of OS credentials for steward-trustd: Ed25519 CA, server certificate with IP SANs and DNS SANs (chained with CA), and a token.
