certmaker

package

v1.8.5 Latest Latest Go to latest Published: Jan 12, 2026 License: Apache-2.0 Imports: 21 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/sigstore/fulcio

Links

Open Source Insights

Documentation ¶

Overview ¶

Package certmaker implements a certificate creation utility for Fulcio. It supports creating root, intermediate, and leaf certs using (AWS, GCP, Azure, HashiVault).

Package certmaker provides template parsing and certificate generation functionality for creating X.509 certificates from JSON templates per RFC3161 standards.

Index ¶

Variables
func CreateCertificates(config KMSConfig, rootTemplatePath, leafTemplatePath string, ...) error
func GetDefaultTemplate(certType string) (string, error)
func LoadCertificateFromFile(path string) (*x509.Certificate, error)
func ParseTemplate(input interface{}, parent *x509.Certificate, notAfter time.Time, ...) (*x509.Certificate, error)
func ValidateCertificateKeyMatch(cert *x509.Certificate, sv signature.SignerVerifier) error
func ValidateKMSConfig(config KMSConfig) error
func ValidateTemplate(filename string, _ *x509.Certificate, _ string) error
func ValidateTemplateRequirements() error
func WriteCertificateToFile(cert *x509.Certificate, filename string) error
type CryptoSignerVerifier
type KMSConfig

Constants ¶

This section is empty.

Variables ¶

View Source

var (
	// returned when certificate file is not found
	ErrCertificateNotFound = errors.New("certificate file not found")

	// returned when PEM decoding fails or wrong block type
	ErrInvalidPEM = errors.New("invalid PEM format")

	// returned when PEM block contains no certificate
	ErrNoCertificateData = errors.New("no certificate data in PEM block")

	// returned when certificate public key doesn't match KMS key
	ErrKeyMismatch = errors.New("certificate public key does not match KMS key")
)

View Source

var InitKMS = func(ctx context.Context, config KMSConfig) (signature.SignerVerifier, error) {
	if err := ValidateKMSConfig(config); err != nil {
		return nil, fmt.Errorf("invalid KMS configuration: %w", err)
	}

	var sv signature.SignerVerifier
	var err error

	switch config.Type {
	case "awskms":
		ref := fmt.Sprintf("awskms:///%s", config.KeyID)
		if awsRegion := config.Options["aws-region"]; awsRegion != "" {
			os.Setenv("AWS_REGION", awsRegion)
		}
		sv, err = kmsGet(ctx, ref, crypto.SHA256)
		if err != nil {
			return nil, fmt.Errorf("failed to initialize AWS KMS: %w", err)
		}

	case "gcpkms":
		ref := fmt.Sprintf("gcpkms://%s", config.KeyID)
		if gcpCredsFile := config.Options["gcp-credentials-file"]; gcpCredsFile != "" {
			os.Setenv("GCP_CREDENTIALS_FILE", gcpCredsFile)
		}
		sv, err = kmsGet(ctx, ref, crypto.SHA256)
		if err != nil {
			return nil, fmt.Errorf("failed to initialize GCP KMS: %w", err)
		}

	case "azurekms":
		keyURI := config.KeyID
		if strings.HasPrefix(config.KeyID, "azurekms:name=") {
			nameStart := strings.Index(config.KeyID, "name=") + 5
			vaultIndex := strings.Index(config.KeyID, ";vault=")
			if vaultIndex != -1 {
				keyName := strings.TrimSpace(config.KeyID[nameStart:vaultIndex])
				vaultName := strings.TrimSpace(config.KeyID[vaultIndex+7:])
				keyURI = fmt.Sprintf("azurekms://%s.vault.azure.net/%s", vaultName, keyName)
			}
		}
		if config.Options != nil && config.Options["azure-tenant-id"] != "" {
			azureTenantID := config.Options["azure-tenant-id"]
			os.Setenv("AZURE_TENANT_ID", azureTenantID)
			os.Setenv("AZURE_ADDITIONALLY_ALLOWED_TENANTS", "*")
		}
		os.Setenv("AZURE_AUTHORITY_HOST", "https://login.microsoftonline.com/")

		sv, err = kmsGet(ctx, keyURI, crypto.SHA256)
		if err != nil {
			return nil, fmt.Errorf("failed to initialize Azure KMS: %w", err)
		}

	case "hashivault":
		keyURI := fmt.Sprintf("hashivault://%s", config.KeyID)
		if config.Options != nil {
			if vaultToken := config.Options["vault-token"]; vaultToken != "" {
				os.Setenv("VAULT_TOKEN", vaultToken)
			}
			if vaultAddr := config.Options["vault-address"]; vaultAddr != "" {
				os.Setenv("VAULT_ADDR", vaultAddr)
			}
			if vaultNamespace := config.Options["vault-namespace"]; vaultNamespace != "" {
				os.Setenv("VAULT_NAMESPACE", vaultNamespace)
			}
		}

		sv, err = kmsGet(ctx, keyURI, crypto.SHA256)
		if err != nil {
			return nil, fmt.Errorf("failed to initialize HashiVault KMS: %w", err)
		}

	default:
		return nil, fmt.Errorf("unsupported KMS type: %s", config.Type)
	}

	if err != nil {
		return nil, fmt.Errorf("failed to get KMS signer: %w", err)
	}
	if sv == nil {
		return nil, fmt.Errorf("KMS returned nil signer")
	}

	return sv, nil
}

InitKMS initializes KMS provider based on the given config, KMSConfig.

Functions ¶

func CreateCertificates ¶

func CreateCertificates(config KMSConfig,
	rootTemplatePath, leafTemplatePath string,
	rootCertPath, leafCertPath string,
	intermediateKeyID, intermediateTemplatePath, intermediateCertPath string,
	leafKeyID string,
	rootLifetime, intermediateLifetime, leafLifetime time.Duration,
	existingRootCertPath, existingIntermediateCertPath string) error

CreateCertificates creates certificates using the provided KMS and templates. Root certificate is always required (either generated or loaded from existingRootCertPath). Intermediate and leaf certificates are optional based on provided key IDs and templates. if existingRootCertPath or existingIntermediateCertPath are provided, those certificates will be loaded and used instead of generating new ones.

func GetDefaultTemplate ¶

func GetDefaultTemplate(certType string) (string, error)

Returns a default JSON template string for the specified cert type

func LoadCertificateFromFile ¶ added in v1.8.0

func LoadCertificateFromFile(path string) (*x509.Certificate, error)

reads a PEM-encoded X.509 certificate from the specified file path and returns the parsed certificate.

func ParseTemplate ¶

func ParseTemplate(input interface{}, parent *x509.Certificate, notAfter time.Time, publicKey crypto.PublicKey, commonName string) (*x509.Certificate, error)

func ValidateCertificateKeyMatch ¶ added in v1.8.0

func ValidateCertificateKeyMatch(cert *x509.Certificate, sv signature.SignerVerifier) error

verifies that the public key in the given certificate matches the public key from the KMS SignerVerifier.

func ValidateKMSConfig ¶

func ValidateKMSConfig(config KMSConfig) error

Ensures all required KMS config params are present

func ValidateTemplate ¶

func ValidateTemplate(filename string, _ *x509.Certificate, _ string) error

Performs validation checks on the cert template

func ValidateTemplateRequirements ¶

func ValidateTemplateRequirements() error

Ensures that required templates are present

func WriteCertificateToFile ¶

func WriteCertificateToFile(cert *x509.Certificate, filename string) error

Writes cert to a PEM-encoded file

Types ¶

type CryptoSignerVerifier ¶

type CryptoSignerVerifier interface {
	signature.SignerVerifier
	CryptoSigner(context.Context, func(error)) (crypto.Signer, crypto.SignerOpts, error)
}

CryptoSignerVerifier extends SignerVerifier with CryptoSigner capability

type KMSConfig ¶

type KMSConfig struct {
	CommonName string
	Type       string
	KeyID      string
	Options    map[string]string
}

KMSConfig holds config for KMS providers.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL