pki

Published: Apr 22, 2026 License: Apache-2.0 Imports: 22 Imported by: 0

Documentation

Overview

Package pki provides certificate and key generation for instance PKI.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func EnsureRegistrationNonceKey

func EnsureRegistrationNonceKey(ctx context.Context, secretsStore secrets.Store, isClusterLeader bool, logger *slog.Logger) ([]byte, error)

EnsureRegistrationNonceKey loads the registration nonce private key, or generates it if the server is the cluster leader.

func ExtractCertSerial

func ExtractCertSerial(certPEM []byte) (string, error)

ExtractCertSerial parses a PEM-encoded certificate and returns its serial number as a string.

func GenerateCA

func GenerateCA(ctx context.Context, storageClient storage.Storage, secretsStore secrets.Store, caCertConfig *config.CertConfig, vars map[string]string, logger *slog.Logger) ([]byte, []byte, error)

GenerateCA creates a new CA certificate and private key and stores them.

func GenerateClientCertificate

func GenerateClientCertificate(caCertPEM, caKeyPEM, clientPublicKeyPEM []byte, clientID, role, tenant string, ttlHours int) ([]byte, time.Time, error)

GenerateClientCertificate creates a client certificate signed by the CA with a specified TTL. The role parameter is encoded as a custom extension (OID: 1.3.6.1.4.1.999999.1) for authorization. The tenant parameter is stored in the Organization (O) field for multi-tenancy.

func GenerateClientCertificateWithConfig

func GenerateClientCertificateWithConfig(caCertPEM, caKeyPEM, clientPublicKeyPEM []byte, clientID string, config *CertificateConfig) ([]byte, time.Time, error)

GenerateClientCertificateWithConfig creates a client certificate with detailed configuration. It is used for batch certificate generation where advanced customization is needed.

func GenerateSerialNumber

func GenerateSerialNumber() (string, error)

GenerateSerialNumber generates a unique serial number for certificate logging.

func GenerateServerCertificate

func GenerateServerCertificate(caCertPEM, caKeyPEM []byte, bindAddress string, extraSANs ...string) ([]byte, []byte, error)

GenerateServerCertificate creates a server certificate signed by the CA. extraSANs are optional additional IP addresses or DNS names to include in the certificate.

func GenerateTestCA

func GenerateTestCA() (caCertPEM, caPrivateKeyPEM []byte, err error)

GenerateTestCA generates a CA certificate and private key for testing purposes.

func LoadCA

func LoadCA(ctx context.Context, storageClient storage.Storage, secretsStore secrets.Store, logger *slog.Logger) ([]byte, []byte, bool, error)

LoadCA attempts to load an existing CA certificate and private key.

func ProcessTemplateString

func ProcessTemplateString(templateStr string, data CertificateTemplateData) (string, error)

ProcessTemplateString processes a single template string with the given data; it is exposed for testing.

Types

type BatchCertificateGenerator

// BatchCertificateGenerator handles batch certificate generation.
// Construct it with NewBatchCertificateGenerator, which receives the CA
// certificate and CA private key PEM plus the SerialLogger used by
// GenerateBatch; the fields themselves are unexported.
type BatchCertificateGenerator struct {
	// contains filtered or unexported fields
}

BatchCertificateGenerator handles batch certificate generation.

func NewBatchCertificateGenerator

func NewBatchCertificateGenerator(caCertPEM, caKeyPEM []byte, serialLogger SerialLogger) *BatchCertificateGenerator

NewBatchCertificateGenerator creates a new batch certificate generator.

func (*BatchCertificateGenerator) GenerateBatch

func (s *BatchCertificateGenerator) GenerateBatch(ctx context.Context, requests []CertificateRequest) ([]CertificateResult, error)

GenerateBatch generates certificates in batch and logs their serials atomically.

type CertificateConfig

// CertificateConfig contains a certificate configuration with all
// templates already processed (see ProcessCertificateTemplate).
// See also the CertConfig struct in internal/server/config/types.go.
type CertificateConfig struct {
	// Kind identifies the certificate kind; the accepted values are not
	// visible in this listing — check the config package.
	Kind         string
	// CN is the subject common name. It is a pointer, so nil presumably
	// means "not set" — confirm against ProcessCertificateTemplate.
	CN           *string
	// Organization holds the subject O values. GenerateClientCertificate
	// stores the tenant in O; whether this config path does the same is
	// not shown here.
	Organization []string
	// DNS and IP are presumably the subject alternative names
	// (cf. extraSANs on GenerateServerCertificate) — confirm.
	DNS          []string
	IP           []string
	// Country through PostalCode are subject name components; they
	// presumably map onto the matching pkix.Name fields.
	Country      []string
	Province     []string
	Locality     []string
	Street       []string
	PostalCode   []string
	// TTL is the certificate lifetime. The unit is not shown in this
	// listing (GenerateClientCertificate takes ttlHours) — confirm.
	TTL          int
}

CertificateConfig contains a certificate configuration with all templates processed. See also the CertConfig struct in internal/server/config/types.go.

func ProcessCertificateTemplate

func ProcessCertificateTemplate(certConfig CertificateConfig, data CertificateTemplateData) (*CertificateConfig, error)

ProcessCertificateTemplate processes a certificate template with the given data.

type CertificateRequest

// CertificateRequest represents a single certificate generation request,
// as consumed by BatchCertificateGenerator.GenerateBatch.
//
// Only the requester's public key travels in the request; the CA private
// key is held by the generator (see NewBatchCertificateGenerator).
type CertificateRequest struct {
	// InstanceID and Tenant identify the requester; SerialLogger.WriteBatch
	// takes the same two values, so they presumably key the serial log.
	InstanceID        string
	Tenant            string
	// Filename is presumably echoed back in CertificateResult.Filename —
	// confirm in GenerateBatch.
	Filename          string
	// PublicKeyPEM is the PEM-encoded public key to certify.
	PublicKeyPEM      []byte
	// CertificateConfig is the processed configuration for this request;
	// nil handling is not shown in this listing.
	CertificateConfig *CertificateConfig
	// TemplateData is the data used for template processing
	// (see ProcessCertificateTemplate).
	TemplateData      CertificateTemplateData
}

CertificateRequest represents a single certificate generation request.

type CertificateResult

// CertificateResult represents the result of generating one certificate
// in a batch (returned by BatchCertificateGenerator.GenerateBatch).
type CertificateResult struct {
	// Filename is presumably the CertificateRequest.Filename the result
	// belongs to — confirm.
	Filename     string
	// CertPEM is the PEM-encoded issued certificate.
	CertPEM      []byte
	// ExpiresAt is the certificate expiry time.
	ExpiresAt    time.Time
	// SerialNumber is the issued serial, presumably the same value that is
	// recorded in SerialLogEntry.SerialNumber — confirm.
	SerialNumber string
}

CertificateResult represents the result of certificate generation.

type CertificateTemplateData

// CertificateTemplateData contains all data available for certificate
// template processing. Build it with CreateCertificateTemplateData.
type CertificateTemplateData struct {
	// Instance describes the instance the certificate is issued for.
	Instance  InstanceData
	// ClusterID is the cluster identifier passed to CreateCertificateTemplateData.
	ClusterID string
	// Vars holds free-form template variables; a nil map is presumably
	// acceptable — confirm against ProcessTemplateString.
	Vars      map[string]string
}

CertificateTemplateData contains all data available for certificate template processing.

func CreateCertificateTemplateData

func CreateCertificateTemplateData(instanceID, instanceType, hostname, fqdn, ip4, ip6, clusterID string, vars map[string]string) CertificateTemplateData

CreateCertificateTemplateData creates template data for certificates.

type InstanceData

// InstanceData contains all data available for instance template
// processing. Its fields correspond one-to-one to the instanceID,
// instanceType, hostname, fqdn, ip4 and ip6 parameters of
// CreateCertificateTemplateData.
type InstanceData struct {
	ID       string
	Type     string
	Hostname string
	FQDN     string
	// IP4 and IP6 are the instance addresses as strings; whether they are
	// validated before being used in templates is not shown here.
	IP4      string
	IP6      string
}

InstanceData contains all data available for instance template processing.

type S3SerialLogger

// S3SerialLogger implements SerialLogger using S3 storage. It is created
// by NewS3SerialLogger, which returns it behind the SerialLogger
// interface; its fields are unexported.
type S3SerialLogger struct {
	// contains filtered or unexported fields
}

S3SerialLogger implements SerialLogger using S3 storage.

func (*S3SerialLogger) WriteBatch

func (s *S3SerialLogger) WriteBatch(ctx context.Context, tenant, instanceID string, entries []SerialLogEntry) error

WriteBatch writes certificate serial log entries to S3 in a single batch file. S3 path format: certlog/{shard}/{tenant}.{timestamp}.{instanceID}.json

type SerialLogEntry

// SerialLogEntry represents a certificate issuance log entry. Entries are
// serialized as JSON (see the field tags) and written in batches by
// SerialLogger.WriteBatch.
type SerialLogEntry struct {
	// CertificateName names the issued certificate.
	CertificateName string    `json:"certificate_name"`
	// SerialNumber is the issued serial; it is the value an audit or
	// revocation process would look up, so it must be logged reliably.
	SerialNumber    string    `json:"serial_number"`
	// ExpiresAt is the certificate expiry time.
	ExpiresAt       time.Time `json:"expires_at"`
}

SerialLogEntry represents a certificate issuance log entry.

type SerialLogger

// SerialLogger is the interface for writing certificate serial logs.
// The S3-backed implementation is S3SerialLogger.
type SerialLogger interface {
	// WriteBatch records entries for the given tenant and instanceID in a
	// single batch; whether a failure leaves a partial log is up to the
	// implementation and is not shown here.
	WriteBatch(ctx context.Context, tenant, instanceID string, entries []SerialLogEntry) error
}

SerialLogger is the interface for writing certificate serial logs.

func NewS3SerialLogger

func NewS3SerialLogger(storage Storage, shard string) SerialLogger

NewS3SerialLogger creates a new S3-based serial logger.

type Storage

// Storage is the interface for S3 operations used by S3SerialLogger
// (it matches the existing storage abstraction).
type Storage interface {
	// Put stores data under key.
	Put(ctx context.Context, key string, data []byte) error
	// Get returns the data stored under key plus a second string value
	// whose meaning is not shown in this listing — check the storage package.
	Get(ctx context.Context, key string) ([]byte, string, error)
}

Storage is the interface for S3 operations (it matches the existing storage abstraction).
