Overview
Package pem provides utility functions for safely decoding PEM data, placing upper limits on the size of data that will be processed. It functions as an extension to the standard library "encoding/pem" functions.
Index
- Variables
- func SafeDecodeCSR(b []byte) (*stdpem.Block, []byte, error)
- func SafeDecodeCertificateBundle(b []byte) (*stdpem.Block, []byte, error)
- func SafeDecodeCertificateChain(b []byte) (*stdpem.Block, []byte, error)
- func SafeDecodePrivateKey(b []byte) (*stdpem.Block, []byte, error)
- func SafeDecodeSingleCertificate(b []byte) (*stdpem.Block, []byte, error)
- type ErrPEMDataTooLarge
Constants

This section is empty.

Variables

var (
	// ErrNoPEMData is returned when the given data contained no PEM
	ErrNoPEMData = errors.New("no PEM data was found in given input")
)
Functions

func SafeDecodeCSR

func SafeDecodeCSR(b []byte) (*stdpem.Block, []byte, error)

SafeDecodeCSR calls encoding/pem.Decode on the given input as long as it's within a sensible range for how large we expect a single PEM-encoded PKCS#10 CSR to be. We assume that a PKCS#10 CSR can be about as large as a leaf certificate, which grows with the size of its public key, its signature and the number of identities it contains.
func SafeDecodeCertificateBundle (added in v1.17.0)

func SafeDecodeCertificateBundle(b []byte) (*stdpem.Block, []byte, error)

SafeDecodeCertificateBundle calls encoding/pem.Decode on the given input as long as it's within a sensible range for how large we expect a reasonable-length PEM-encoded X.509 certificate bundle (such as a TLS trust store) to be. The baseline is a bundle of 4k-bit RSA certificates, all self-signed. This is smaller than the 16k-bit RSA keys used in the other functions, because keys that large would make the estimate several times too big for a realistic bundle that would be used in practice.
func SafeDecodeCertificateChain (added in v1.17.0)

func SafeDecodeCertificateChain(b []byte) (*stdpem.Block, []byte, error)

SafeDecodeCertificateChain calls encoding/pem.Decode on the given input as long as it's within a sensible range for how large we expect a reasonable-length PEM-encoded X.509 certificate chain to be. The baseline is many average-sized CA certificates, plus one potentially much larger leaf certificate.
func SafeDecodePrivateKey

func SafeDecodePrivateKey(b []byte) (*stdpem.Block, []byte, error)

SafeDecodePrivateKey calls encoding/pem.Decode on the given input as long as it's within a sensible range for how large we expect a private key to be. The baseline is a 16k-bit RSA private key, which is larger than the maximum supported by cert-manager for key generation.
func SafeDecodeSingleCertificate

func SafeDecodeSingleCertificate(b []byte) (*stdpem.Block, []byte, error)

SafeDecodeSingleCertificate calls encoding/pem.Decode on the given input as long as it's within a sensible range for how large we expect a single PEM-encoded X.509 _leaf_ certificate to be. The baseline is a 16k-bit RSA certificate signed by a different 16k-bit RSA CA, with a very large number of long DNS names. The maximum size allowed by this function is significantly larger than the size of most CA certificates, which usually do not carry a large number of DNS names or other identities.
Types

type ErrPEMDataTooLarge

type ErrPEMDataTooLarge int

ErrPEMDataTooLarge is returned when the given data is larger than the maximum allowed.

func (ErrPEMDataTooLarge) Error

func (e ErrPEMDataTooLarge) Error() string

Error returns the error message as a string.
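The pattern shared by every SafeDecode* function above (bound the input length first, then call encoding/pem.Decode, and report ErrNoPEMData or ErrPEMDataTooLarge on the two failure paths), together with how a caller consumes the returned rest to walk a multi-block chain, as an added stand-alone example. This is not cert-manager's pkg/util/pem code: the size ceilings, the Error() message text, the safeDecode helper and DecodeChain are assumptions chosen for illustration, and the sample key is constructed at run time.

```go
// Added example modelled on the SafeDecode* pattern; not the package's own code.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// Illustrative ceilings (assumptions for this example, not the package's constants).
const (
	maxPrivateKeyPEM = 64 * 1024  // comfortably above a 16k-bit RSA key in PEM form
	maxChainPEM      = 256 * 1024 // a handful of CA certs plus one large leaf
)

// ErrNoPEMData mirrors the package variable: no PEM block was found in the input.
var ErrNoPEMData = errors.New("no PEM data was found in given input")

// ErrPEMDataTooLarge carries the limit (in bytes) that the input exceeded.
type ErrPEMDataTooLarge int

// Error message text is an assumption for this example.
func (e ErrPEMDataTooLarge) Error() string {
	return fmt.Sprintf("provided PEM data is larger than the maximum of %d bytes", int(e))
}

// safeDecode is the shared pattern: check len(b) against the ceiling BEFORE
// pem.Decode touches the bytes, so untrusted input of arbitrary size never
// reaches the base64 decoder. Only the first block is decoded here.
func safeDecode(b []byte, limit int) (*pem.Block, []byte, error) {
	if len(b) > limit {
		return nil, nil, ErrPEMDataTooLarge(limit)
	}
	block, rest := pem.Decode(b)
	if block == nil {
		return nil, nil, ErrNoPEMData
	}
	return block, rest, nil
}

// SafeDecodePrivateKey applies the private-key ceiling.
func SafeDecodePrivateKey(b []byte) (*pem.Block, []byte, error) {
	return safeDecode(b, maxPrivateKeyPEM)
}

// DecodeChain shows how a caller uses rest: the size check runs once on the
// whole input, and later blocks come from plain pem.Decode on rest, which is
// already bounded because rest is a sub-slice of the checked input.
func DecodeChain(b []byte) ([]*pem.Block, error) {
	block, rest, err := safeDecode(b, maxChainPEM)
	if err != nil {
		return nil, err
	}
	blocks := []*pem.Block{block}
	for {
		block, rest = pem.Decode(rest)
		if block == nil {
			return blocks, nil
		}
		blocks = append(blocks, block)
	}
}

// NewKeyPEM builds a constructed sample input: a fresh P-256 key in PEM form.
func NewKeyPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der}), nil
}

func main() {
	keyPEM, err := NewKeyPEM()
	if err != nil {
		panic(err)
	}
	block, _, err := SafeDecodePrivateKey(keyPEM)
	fmt.Println("decoded:", block.Type, err)

	_, _, err = SafeDecodePrivateKey(make([]byte, maxPrivateKeyPEM+1))
	fmt.Println("oversized:", err)

	_, _, err = SafeDecodePrivateKey([]byte("not pem at all"))
	fmt.Println("garbage:", err)
}
```

Callers should match on the error with errors.As for ErrPEMDataTooLarge and errors.Is for ErrNoPEMData rather than comparing message strings; the oversized case is the one to surface in logs, since it indicates input far outside what the expected key or certificate could produce.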