Documentation
Index ¶
- Constants
- func BootstrapCNFromName(name string) string
- func CNFromDeviceFingerprint(fingerprint string) (string, error)
- func CanReadCertAndKey(certPath, keyPath string) (bool, error)
- func DecryptKeyBytes(pemKeyEncrypted []byte, pw []byte) ([]byte, error)
- func EnsureKey(keyFile string) (crypto.PublicKey, crypto.PrivateKey, bool, error)
- func GetCA(certFile, keyFile, serialFile string) (*internalCA, error)
- func GetPEMBlock(pemKey []byte) (*pem.Block, error)
- func HashPublicKey(key crypto.PublicKey) ([]byte, error)
- func IsEncryptedPEMKey(pemKey []byte) (bool, error)
- func LoadKey(keyFile string) (crypto.PrivateKey, error)
- func MakeCSR(privateKey crypto.Signer, subjectName string) ([]byte, error)
- func MakeSelfSignedCA(certFile, keyFile, serialFile, subjectName string, expiryDays int) (*internalCA, error)
- func NewKeyPair() (crypto.PublicKey, crypto.PrivateKey, error)
- func NewKeyPairWithHash() (crypto.PublicKey, crypto.PrivateKey, []byte, error)
- func PEMEncodeKey(key crypto.PrivateKey) ([]byte, error)
- func ParseCSR(csrPEM []byte) (*x509.CertificateRequest, error)
- func ParseKeyPEM(pemKey []byte) (crypto.PrivateKey, error)
- func TLSConfigForClient(caBundleX509 []*x509.Certificate, clientConfig *TLSCertificateConfig) (*tls.Config, error)
- func TLSConfigForServer(caBundlex509 []*x509.Certificate, serverConfig *TLSCertificateConfig) (*tls.Config, *tls.Config, error)
- func WriteKey(keyPath string, key crypto.PrivateKey) error
- func WritePasswordEncryptedKey(keyPath string, key crypto.PrivateKey, password []byte) error
- type CABackend
- type CAClient
- func (caClient *CAClient) EnsureClientCertificate(certFile, keyFile string, subjectName string, expireDays int) (*TLSCertificateConfig, bool, error)
- func (caClient *CAClient) EnsureServerCertificate(certFile, keyFile string, hostnames []string, expireDays int) (*TLSCertificateConfig, bool, error)
- func (caClient *CAClient) GetCABundle() ([]byte, error)
- func (caClient *CAClient) GetCABundleX509() []*x509.Certificate
- func (caClient *CAClient) IssueRequestedClientCertificate(csr *x509.CertificateRequest, expirySeconds int) ([]byte, error)
- func (caClient *CAClient) IssueRequestedClientCertificateAsX509(csr *x509.CertificateRequest, expirySeconds int) (*x509.Certificate, error)
- func (caClient *CAClient) IssueRequestedServerCertificate(csr *x509.CertificateRequest, expirySeconds int) ([]byte, error)
- func (caClient *CAClient) IssueRequestedServerCertificateAsX509(csr *x509.CertificateRequest, expirySeconds int) (*x509.Certificate, error)
- func (caClient *CAClient) MakeAndWriteServerCertificate(certFile, keyFile string, hostnames []string, expireDays int) (*TLSCertificateConfig, error)
- func (caClient *CAClient) MakeClientCertificate(certFile, keyFile string, subjectName string, expiryDays int) (*TLSCertificateConfig, error)
- func (caClient *CAClient) MakeServerCertificate(hostnames []string, expiryDays int) (*TLSCertificateConfig, error)
- type TLSCertificateConfig
Constants ¶
const AdminCommonName = "flightctl-admin"
const ClientBootstrapCommonName = "client-enrollment"
Wraps openshift/library-go/pkg/crypto to use ECDSA and simplify the interface
const ClientBootstrapCommonNamePrefix = "client-enrollment-"
const DeviceCommonNamePrefix = "device:"
Variables ¶
This section is empty.
Functions ¶
func BootstrapCNFromName ¶ added in v0.2.0
func CNFromDeviceFingerprint ¶
func CanReadCertAndKey ¶ added in v0.5.0
CanReadCertAndKey checks whether both the certificate and key files exist and are readable. It returns true if both files are accessible, false if neither exists, and an error if only one of them is missing.
func DecryptKeyBytes ¶ added in v0.3.0
func IsEncryptedPEMKey ¶ added in v0.3.0
func MakeSelfSignedCA ¶
func NewKeyPair ¶
func NewKeyPair() (crypto.PublicKey, crypto.PrivateKey, error)
func NewKeyPairWithHash ¶
func PEMEncodeKey ¶
func PEMEncodeKey(key crypto.PrivateKey) ([]byte, error)
func ParseKeyPEM ¶
func ParseKeyPEM(pemKey []byte) (crypto.PrivateKey, error)
func TLSConfigForClient ¶
func TLSConfigForClient(caBundleX509 []*x509.Certificate, clientConfig *TLSCertificateConfig) (*tls.Config, error)
func TLSConfigForServer ¶
func TLSConfigForServer(caBundlex509 []*x509.Certificate, serverConfig *TLSCertificateConfig) (*tls.Config, *tls.Config, error)
func WritePasswordEncryptedKey ¶ added in v0.3.0
func WritePasswordEncryptedKey(keyPath string, key crypto.PrivateKey, password []byte) error
This copies functionality from sigstore's cosign to encrypt the private key, using functionality from Secure Systems Lab that relies on Go's crypto secretbox and scrypt. See: https://github.com/sigstore/cosign/blob/77f71e0d7470e31ed4ed5653fe5a7c8e3b283606/pkg/cosign/keys.go#L158 https://github.com/secure-systems-lab/go-securesystemslib/blob/7dd9eabdaf9ea98ba33653cdfbdec7057bd662fd/encrypted/encrypted.go#L158
Types ¶
type CABackend ¶ added in v0.6.0
type CABackend interface {
IssueRequestedCertificateAsX509(csr *x509.CertificateRequest, expirySeconds int, usage []x509.ExtKeyUsage) (*x509.Certificate, error)
GetCABundleX509() []*x509.Certificate
}
type CAClient ¶ added in v0.6.0
type CAClient struct {
// contains filtered or unexported fields
}
func EnsureCA ¶
func EnsureCA(certFile, keyFile, serialFile, subjectName string, expireDays int) (*CAClient, bool, error)
EnsureCA tries to load or generate a CA and connect to it. If the CA is successfully loaded or generated, it returns a valid CA instance, a flag signifying whether it was loaded or generated, and a nil error. Otherwise a non-nil error is returned.
func (*CAClient) EnsureClientCertificate ¶ added in v0.6.0
func (*CAClient) EnsureServerCertificate ¶ added in v0.6.0
func (*CAClient) GetCABundle ¶ added in v0.6.0
func (*CAClient) GetCABundleX509 ¶ added in v0.6.0
func (caClient *CAClient) GetCABundleX509() []*x509.Certificate
func (*CAClient) IssueRequestedClientCertificate ¶ added in v0.6.0
func (*CAClient) IssueRequestedClientCertificateAsX509 ¶ added in v0.6.0
func (caClient *CAClient) IssueRequestedClientCertificateAsX509(csr *x509.CertificateRequest, expirySeconds int) (*x509.Certificate, error)
func (*CAClient) IssueRequestedServerCertificate ¶ added in v0.6.0
func (*CAClient) IssueRequestedServerCertificateAsX509 ¶ added in v0.6.0
func (caClient *CAClient) IssueRequestedServerCertificateAsX509(csr *x509.CertificateRequest, expirySeconds int) (*x509.Certificate, error)
func (*CAClient) MakeAndWriteServerCertificate ¶ added in v0.6.0
func (*CAClient) MakeClientCertificate ¶ added in v0.6.0
func (*CAClient) MakeServerCertificate ¶ added in v0.6.0
func (caClient *CAClient) MakeServerCertificate(hostnames []string, expiryDays int) (*TLSCertificateConfig, error)
type TLSCertificateConfig ¶
type TLSCertificateConfig oscrypto.TLSCertificateConfig
func GetClientCertificate ¶
func GetClientCertificate(certFile, keyFile string, subjectName string) (*TLSCertificateConfig, error)
func GetServerCertificate ¶ added in v0.6.0
func GetServerCertificate(certFile, keyFile string, hostnames []string) (*TLSCertificateConfig, error)
func GetTLSCertificateConfig ¶
func GetTLSCertificateConfig(certFile, keyFile string) (*TLSCertificateConfig, error)
func (*TLSCertificateConfig) GetPEMBytes ¶
func (c *TLSCertificateConfig) GetPEMBytes() ([]byte, []byte, error)
func (*TLSCertificateConfig) WriteCertConfigFile ¶
func (c *TLSCertificateConfig) WriteCertConfigFile(certFile, keyFile string) error