crypto

package v0.0.0-...-12d8376 (Latest)

This package is not in the latest version of its module.

Published: Mar 26, 2026 License: Apache-2.0 Imports: 30 Imported by: 418


Index

Constants

const (
	DefaultCertificateLifetimeDuration   = time.Hour * 24 * 365 * 2 // 2 years
	DefaultCACertificateLifetimeDuration = time.Hour * 24 * 365 * 5 // 5 years
)
const DefaultTLSProfileType = configv1.TLSProfileIntermediateType

DefaultTLSProfileType is the intermediate profile type.

Variables

This section is empty.

Functions

func CertsFromPEM

func CertsFromPEM(pemCerts []byte) ([]*x509.Certificate, error)

func CipherSuite

func CipherSuite(cipherName string) (uint16, error)

func CipherSuiteToNameOrDie

func CipherSuiteToNameOrDie(intVal uint16) string

CipherSuiteToNameOrDie, given a cipher suite as an int, returns its readable name.

func CipherSuitesOrDie

func CipherSuitesOrDie(cipherNames []string) []uint16

func CipherSuitesToNamesOrDie

func CipherSuitesToNamesOrDie(intVals []uint16) []string

CipherSuitesToNamesOrDie, given a list of cipher suites as ints, returns their readable names.

func DefaultCiphers

func DefaultCiphers() []uint16

DefaultCiphers returns the default cipher suites for TLS connections.

RECOMMENDATION: Instead of relying on this function directly, consumers should respect TLSSecurityProfile settings from one of the OpenShift API configuration resources:

  • For API servers: Use apiserver.config.openshift.io/cluster Spec.TLSSecurityProfile
  • For ingress controllers: Use operator.openshift.io/v1 IngressController Spec.TLSSecurityProfile
  • For kubelet: Use machineconfiguration.openshift.io/v1 KubeletConfig Spec.TLSSecurityProfile

These API resources allow cluster administrators to choose between Old, Intermediate, Modern, or Custom TLS profiles. Components should observe these settings.

func DefaultTLSVersion

func DefaultTLSVersion() uint16

func EncodeCertificates

func EncodeCertificates(certs ...*x509.Certificate) ([]byte, error)

func EncodeKey

func EncodeKey(key crypto.PrivateKey) ([]byte, error)

func FilterExpiredCerts

func FilterExpiredCerts(certs ...*x509.Certificate) []*x509.Certificate

FilterExpiredCerts checks whether all certificates in the bundle are valid, i.e. have not expired. The function returns a new bundle containing only the valid certificates, or an error if no valid certificate is found.

func GolangTLSVersions

func GolangTLSVersions() []string

GolangTLSVersions returns the TLS versions that are known to Go, but which are not necessarily enabled.

func IPAddressesDNSNames

func IPAddressesDNSNames(hosts []string) ([]net.IP, []string)

func KeyUsageForPublicKey

func KeyUsageForPublicKey(pub crypto.PublicKey) x509.KeyUsage

KeyUsageForPublicKey returns the x509.KeyUsage flags appropriate for the given public key type. ECDSA keys use DigitalSignature only; RSA keys also include KeyEncipherment.

func NewClientCertificateTemplate

func NewClientCertificateTemplate(subject pkix.Name, lifetime time.Duration, currentTime func() time.Time) *x509.Certificate

The returned template can be used as a certificate in the http.Transport TLSClientConfig.

func NewClientCertificateTemplateForDuration

func NewClientCertificateTemplateForDuration(subject pkix.Name, lifetime time.Duration, currentTime func() time.Time) *x509.Certificate

The returned template can be used as a certificate in the http.Transport TLSClientConfig.

func NewKeyPair

func NewKeyPair() (crypto.PublicKey, crypto.PrivateKey, error)

func OpenSSLToIANACipherSuites

func OpenSSLToIANACipherSuites(ciphers []string) []string

OpenSSLToIANACipherSuites maps input OpenSSL Cipher Suite names to their IANA counterparts. Unknown ciphers are left out.

func SecureTLSConfig

func SecureTLSConfig(config *tls.Config) *tls.Config

SecureTLSConfig enforces the default minimum security settings for the cluster.

func ShouldHonorClusterTLSProfile

func ShouldHonorClusterTLSProfile(tlsAdherence configv1.TLSAdherencePolicy) bool

ShouldHonorClusterTLSProfile returns true if the component should honor the cluster-wide TLS security profile settings from apiserver.config.openshift.io/cluster.

When this returns true (StrictAllComponents mode), components must honor the cluster-wide TLS profile unless they have a component-specific TLS configuration that overrides it.

Unknown enum values are treated as StrictAllComponents for forward compatibility and to default to the more secure behavior.

func SubjectKeyIDFromPublicKey

func SubjectKeyIDFromPublicKey(pub crypto.PublicKey) ([]byte, error)

SubjectKeyIDFromPublicKey computes a truncated SHA-256 hash suitable for use as a certificate SubjectKeyId from any supported public key type. This uses the first 160 bits of the SHA-256 hash per RFC 7093, consistent with the Go standard library since Go 1.25 (go.dev/issue/71746) and Let's Encrypt. Prior Go versions used SHA-1 which is not FIPS-compatible.
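An added example, not code from library-go, showing with only the Go standard library the derivation this doc comment describes: RFC 7093 method 1 takes the leftmost 160 bits of SHA-256 over the subjectPublicKey BIT STRING. It also checks whether an existing certificate's SubjectKeyId was derived that way (a SHA-1 style ID, 20 bytes as well, fails the comparison). The names SubjectKeyIDSHA256 and SKIDMatchesKey are chosen here and are not part of the package.

```go
// Added example, not part of library-go: RFC 7093 method 1 SubjectKeyId.
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// subjectPublicKeyInfo mirrors the ASN.1 SubjectPublicKeyInfo structure so the
// raw subjectPublicKey BIT STRING can be pulled out of the DER encoding.
type subjectPublicKeyInfo struct {
	Algorithm pkix.AlgorithmIdentifier
	PublicKey asn1.BitString
}

// SubjectKeyIDSHA256 returns the first 20 bytes (160 bits) of SHA-256 over the
// subjectPublicKey bit string of pub, i.e. RFC 7093 method 1. It works for any
// key type that x509.MarshalPKIXPublicKey supports (RSA, ECDSA, Ed25519).
func SubjectKeyIDSHA256(pub crypto.PublicKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	var spki subjectPublicKeyInfo
	rest, err := asn1.Unmarshal(der, &spki)
	if err != nil {
		return nil, err
	}
	if len(rest) != 0 {
		return nil, fmt.Errorf("trailing bytes after SubjectPublicKeyInfo")
	}
	sum := sha256.Sum256(spki.PublicKey.Bytes)
	return sum[:20], nil
}

// SKIDMatchesKey reports whether cert.SubjectKeyId equals the RFC 7093
// derivation for the certificate's own public key.
func SKIDMatchesKey(cert *x509.Certificate) (bool, error) {
	want, err := SubjectKeyIDSHA256(cert.PublicKey)
	if err != nil {
		return false, err
	}
	return bytes.Equal(cert.SubjectKeyId, want), nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed sample key
	id, err := SubjectKeyIDSHA256(&key.PublicKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("SubjectKeyId (RFC 7093, %d bytes): %x\n", len(id), id)
}
```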

func TLSVersion

func TLSVersion(versionName string) (uint16, error)

func TLSVersionOrDie

func TLSVersionOrDie(versionName string) uint16

func TLSVersionToNameOrDie

func TLSVersionToNameOrDie(intVal uint16) string

TLSVersionToNameOrDie, given a TLS version as an int, returns its readable name.

func UserToSubject

func UserToSubject(u user.Info) pkix.Name

func ValidCipherSuites

func ValidCipherSuites() []string

func ValidTLSVersions

func ValidTLSVersions() []string

ValidTLSVersions returns the TLS versions enabled in this build.

Types

type CA

type CA struct {
	Config *TLSCertificateConfig

	SerialGenerator SerialGenerator
}

func EnsureCA

func EnsureCA(certFile, keyFile, serialFile, name string, lifetime time.Duration) (*CA, bool, error)

EnsureCA returns a CA, whether it was created (as opposed to pre-existing), and any error. If serialFile is empty, a RandomSerialGenerator will be used.

func GetCA

func GetCA(certFile, keyFile, serialFile string) (*CA, error)

If serialFile is empty, a RandomSerialGenerator will be used.

func GetCAFromBytes

func GetCAFromBytes(certBytes, keyBytes []byte) (*CA, error)

func MakeSelfSignedCA

func MakeSelfSignedCA(certFile, keyFile, serialFile, name string, lifetime time.Duration) (*CA, error)

If serialFile is empty, a RandomSerialGenerator will be used.

func (*CA) EnsureClientCertificate

func (ca *CA) EnsureClientCertificate(certFile, keyFile string, u user.Info, lifetime time.Duration) (*TLSCertificateConfig, bool, error)

func (*CA) EnsureServerCert

func (ca *CA) EnsureServerCert(certFile, keyFile string, hostnames sets.Set[string], lifetime time.Duration) (*TLSCertificateConfig, bool, error)

func (*CA) EnsureSubCA

func (ca *CA) EnsureSubCA(certFile, keyFile, serialFile, name string, lifetime time.Duration) (*CA, bool, error)

EnsureSubCA returns a subCA signed by the `ca`, whether it was created (as opposed to pre-existing), and any error that might occur during the subCA creation. If serialFile is an empty string, a RandomSerialGenerator will be used.

func (*CA) MakeAndWriteServerCert

func (ca *CA) MakeAndWriteServerCert(certFile, keyFile string, hostnames sets.Set[string], lifetime time.Duration) (*TLSCertificateConfig, error)

func (*CA) MakeAndWriteSubCA

func (ca *CA) MakeAndWriteSubCA(certFile, keyFile, serialFile, name string, lifetime time.Duration) (*CA, error)

MakeAndWriteSubCA returns a new sub-CA configuration. A new cert/key pair is generated by this function. If serialFile is an empty string, a RandomSerialGenerator will be used.

func (*CA) MakeClientCertificate

func (ca *CA) MakeClientCertificate(certFile, keyFile string, u user.Info, lifetime time.Duration) (*TLSCertificateConfig, error)

func (*CA) MakeClientCertificateForDuration

func (ca *CA) MakeClientCertificateForDuration(u user.Info, lifetime time.Duration) (*TLSCertificateConfig, error)

func (*CA) MakeServerCert

func (ca *CA) MakeServerCert(hostnames sets.Set[string], lifetime time.Duration, fns ...CertificateExtensionFunc) (*TLSCertificateConfig, error)

func (*CA) MakeServerCertForDuration

func (ca *CA) MakeServerCertForDuration(hostnames sets.Set[string], lifetime time.Duration, fns ...CertificateExtensionFunc) (*TLSCertificateConfig, error)

func (*CA) NewClientCertificate

func (ca *CA) NewClientCertificate(u user.Info, keyGen KeyPairGenerator, opts ...CertificateOption) (*TLSCertificateConfig, error)

NewClientCertificate creates a client certificate signed by this CA. Optional: WithLifetime (defaults to DefaultCertificateLifetimeDuration).

func (*CA) NewPeerCertificate

func (ca *CA) NewPeerCertificate(hostnames sets.Set[string], u user.Info, keyGen KeyPairGenerator, opts ...CertificateOption) (*TLSCertificateConfig, error)

NewPeerCertificate creates a peer certificate (both server and client auth) signed by this CA. Optional: WithLifetime (defaults to DefaultCertificateLifetimeDuration), WithExtensions.

func (*CA) NewServerCertificate

func (ca *CA) NewServerCertificate(hostnames sets.Set[string], keyGen KeyPairGenerator, opts ...CertificateOption) (*TLSCertificateConfig, error)

NewServerCertificate creates a server/serving certificate signed by this CA. Optional: WithLifetime (defaults to DefaultCertificateLifetimeDuration), WithExtensions.

func (*CA) SignCertificate

func (ca *CA) SignCertificate(template *x509.Certificate, requestKey crypto.PublicKey) (*x509.Certificate, error)

type CertificateExtensionFunc

type CertificateExtensionFunc func(*x509.Certificate) error

CertificateExtensionFunc is passed a certificate that it may extend, or return an error if the extension attempt failed.

type CertificateOption

type CertificateOption func(*CertificateOptions)

CertificateOption is a functional option for certificate creation.

func WithExtensions

func WithExtensions(fns ...CertificateExtensionFunc) CertificateOption

WithExtensions adds certificate extension functions that are called to modify the certificate template before signing.

func WithLifetime

func WithLifetime(d time.Duration) CertificateOption

WithLifetime sets the certificate lifetime duration.

func WithSigner

func WithSigner(ca *CA) CertificateOption

WithSigner specifies a CA to sign the certificate. When used with NewSigningCertificate, this creates an intermediate CA signed by the given CA instead of a self-signed root CA.

func WithSubject

func WithSubject(s pkix.Name) CertificateOption

WithSubject overrides the certificate subject. For signing certificates, this overrides the default subject derived from the name parameter.

type CertificateOptions

type CertificateOptions struct {
	// contains filtered or unexported fields
}

CertificateOptions holds optional configuration collected from functional options.

type ECDSACurve

type ECDSACurve string

ECDSACurve identifies a named ECDSA curve.

const (
	// P256 specifies the NIST P-256 curve (secp256r1), providing 128-bit security.
	P256 ECDSACurve = "P256"
	// P384 specifies the NIST P-384 curve (secp384r1), providing 192-bit security.
	P384 ECDSACurve = "P384"
	// P521 specifies the NIST P-521 curve (secp521r1), providing 256-bit security.
	P521 ECDSACurve = "P521"
)

type ECDSAKeyPairGenerator

type ECDSAKeyPairGenerator struct {
	// Curve is the named ECDSA curve.
	Curve ECDSACurve
}

ECDSAKeyPairGenerator generates ECDSA key pairs.

func (ECDSAKeyPairGenerator) GenerateKeyPair

func (g ECDSAKeyPairGenerator) GenerateKeyPair() (crypto.PublicKey, crypto.PrivateKey, error)

type KeyAlgorithm

type KeyAlgorithm string

KeyAlgorithm identifies the key generation algorithm.

const (
	// RSAKeyAlgorithm specifies RSA key generation.
	RSAKeyAlgorithm KeyAlgorithm = "RSA"
	// ECDSAKeyAlgorithm specifies ECDSA key generation.
	ECDSAKeyAlgorithm KeyAlgorithm = "ECDSA"
)

type KeyPairGenerator

type KeyPairGenerator interface {
	GenerateKeyPair() (crypto.PublicKey, crypto.PrivateKey, error)
}

KeyPairGenerator generates a cryptographic key pair.

type RSAKeyPairGenerator

type RSAKeyPairGenerator struct {
	// Bits is the RSA key size in bits. Must be >= 2048.
	Bits int
}

RSAKeyPairGenerator generates RSA key pairs.

func (RSAKeyPairGenerator) GenerateKeyPair

func (g RSAKeyPairGenerator) GenerateKeyPair() (crypto.PublicKey, crypto.PrivateKey, error)

type RandomSerialGenerator

type RandomSerialGenerator struct {
}

RandomSerialGenerator returns a serial based on time.Now and the subject.

func (*RandomSerialGenerator) Next

func (s *RandomSerialGenerator) Next(template *x509.Certificate) (int64, error)

type SerialFileGenerator

type SerialFileGenerator struct {
	SerialFile string

	Serial int64
	// contains filtered or unexported fields
}

SerialFileGenerator returns a unique, monotonically increasing serial number and ensures the CA on disk records that value.

func NewSerialFileGenerator

func NewSerialFileGenerator(serialFile string) (*SerialFileGenerator, error)

func (*SerialFileGenerator) Next

func (s *SerialFileGenerator) Next(template *x509.Certificate) (int64, error)

Next returns a unique, monotonically increasing serial number and ensures the CA on disk records that value.

type SerialGenerator

type SerialGenerator interface {
	Next(template *x509.Certificate) (int64, error)
}

SerialGenerator is an interface for getting a serial number for the cert. It MUST be thread-safe.

type TLSCARoots

type TLSCARoots struct {
	Roots []*x509.Certificate
}

type TLSCertificateConfig

type TLSCertificateConfig struct {
	Certs []*x509.Certificate
	Key   crypto.PrivateKey
}

func GetClientCertificate

func GetClientCertificate(certFile, keyFile string, u user.Info) (*TLSCertificateConfig, error)

func GetServerCert

func GetServerCert(certFile, keyFile string, hostnames sets.Set[string]) (*TLSCertificateConfig, error)

func GetTLSCertificateConfig

func GetTLSCertificateConfig(certFile, keyFile string) (*TLSCertificateConfig, error)

func GetTLSCertificateConfigFromBytes

func GetTLSCertificateConfigFromBytes(certBytes, keyBytes []byte) (*TLSCertificateConfig, error)

func MakeCAConfigForDuration

func MakeCAConfigForDuration(name string, caLifetime time.Duration, issuer *CA) (*TLSCertificateConfig, error)

func MakeSelfSignedCAConfig

func MakeSelfSignedCAConfig(name string, lifetime time.Duration) (*TLSCertificateConfig, error)

func MakeSelfSignedCAConfigForDuration

func MakeSelfSignedCAConfigForDuration(name string, caLifetime time.Duration) (*TLSCertificateConfig, error)

func MakeSelfSignedCAConfigForSubject

func MakeSelfSignedCAConfigForSubject(subject pkix.Name, lifetime time.Duration) (*TLSCertificateConfig, error)

func NewSigningCertificate

func NewSigningCertificate(name string, keyGen KeyPairGenerator, opts ...CertificateOption) (*TLSCertificateConfig, error)

NewSigningCertificate creates a CA certificate. By default it creates a self-signed root CA. Use WithSigner to create an intermediate CA signed by a parent CA. The name parameter is used as the CommonName unless overridden with WithSubject. Optional: WithSigner, WithSubject, WithLifetime (defaults to DefaultCACertificateLifetimeDuration).

func UnsafeMakeSelfSignedCAConfigForDurationAtTime

func UnsafeMakeSelfSignedCAConfigForDurationAtTime(name string, currentTime func() time.Time, caLifetime time.Duration) (*TLSCertificateConfig, error)

func (*TLSCertificateConfig) GetPEMBytes

func (c *TLSCertificateConfig) GetPEMBytes() ([]byte, []byte, error)

func (*TLSCertificateConfig) WriteCertConfig

func (c *TLSCertificateConfig) WriteCertConfig(certFile, keyFile io.Writer) error

func (*TLSCertificateConfig) WriteCertConfigFile

func (c *TLSCertificateConfig) WriteCertConfigFile(certFile, keyFile string) error
