pki

package
Published: Apr 15, 2025 License: MIT Imports: 16 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

var (
	// CACertKey is the key used to store the CA certificate in a secret.
	CACertKey = "ca.crt"
	// CAKeyKey is the key used to store the CA private key in a secret.
	// The value under this entry is private key material; never log it.
	CAKeyKey = "ca.key"
	// TLSCertKey is the key used to store the TLS certificate in a secret.
	// "tls.crt" and "tls.key" are the entry names Kubernetes uses for
	// Secrets of type kubernetes.io/tls.
	TLSCertKey = "tls.crt"
	// TLSKeyKey is the key used to store the TLS private key in a secret.
	// Like CAKeyKey, this entry holds private key material.
	TLSKeyKey = "tls.key"
)
var (
	// DefaultCALifetime is the default validity period for CA certificates:
	// 3 years. Presumably applied by CreateCA when WithNotAfter is not
	// given — confirm against the implementation.
	DefaultCALifetime   = 3 * 365 * 24 * time.Hour // 3 years
	// DefaultCertLifetime is the default validity period for leaf (TLS)
	// certificates: 90 days (3 x 30 days), i.e. roughly 3 months.
	DefaultCertLifetime = 3 * 30 * 24 * time.Hour  // 3 months

)
// DefaultRenewBeforePercentage is the default percentage of a certificate's
// validity period that should still remain when renewal is triggered.
var DefaultRenewBeforePercentage = int32(33) // 33%

DefaultRenewBeforePercentage is the default value for the renewBeforePercentage argument of RenewalDuration and RenewalTime: renewal is scheduled when this percentage (33%) of the validity period still remains before expiry.

// ErrSecretKeyNotFound is returned when the expected certificate or private
// key entry is missing from a Kubernetes Secret.
var ErrSecretKeyNotFound = errors.New("Secret key not found")

ErrSecretKeyNotFound is returned when the expected certificate or private-key entry (such as CACertKey, CAKeyKey, TLSCertKey or TLSKeyKey) is missing from a Kubernetes Secret. Compare with errors.Is.

Functions

func BundleCertificatePEMs added in v0.37.0

func BundleCertificatePEMs(pems [][]byte, bundleOpts ...BundleOption) ([]byte, error)

BundleCertificatePEMs bundles multiple PEM-encoded certificate slices into a single bundle.

func GeneratePrivateKey added in v0.37.0

func GeneratePrivateKey() (crypto.Signer, error)

GeneratePrivateKey generates a new ECDSA private key and returns it as a crypto.Signer.

func MarshalPrivateKey added in v0.37.0

func MarshalPrivateKey(signer crypto.Signer) ([]byte, error)

MarshalPrivateKey marshals the given ECDSA private key to bytes.

func ParseCertificate added in v0.37.0

func ParseCertificate(bytes []byte) (*x509.Certificate, error)

ParseCertificate parses a single certificate from the given bytes.

func ParseCertificates added in v0.37.0

func ParseCertificates(bytes []byte) ([]*x509.Certificate, error)

ParseCertificates parses multiple certificates from the given bytes.

func ParsePrivateKey added in v0.37.0

func ParsePrivateKey(bytes []byte, supportedKeys []PrivateKey) (crypto.Signer, error)

ParsePrivateKey parses a private key from the given bytes. supportedKeys restricts which key types (see PrivateKeyTypeECDSA and PrivateKeyTypeRSA) are accepted; callers should pass only the types they actually expect.

func RenewalDuration added in v0.37.0

func RenewalDuration(duration time.Duration, renewBeforePercentage int32) (*time.Duration, error)

RenewalDuration calculates the certificate renewal duration based on a given duration and a specified percentage. The percentage determines the fraction of the duration before the expiration when renewal should occur.

func RenewalTime added in v0.37.0

func RenewalTime(notBefore, notAfter time.Time, renewBeforePercentage int32) (*time.Time, error)

RenewalTime calculates the point in time at which a certificate should be renewed, given its validity window (notBefore to notAfter). renewBeforePercentage is the fraction of the validity period that should still remain before expiration when renewal occurs.

func ValidateCA added in v0.37.0

func ValidateCA(keyPair *KeyPair, dnsName string, at time.Time) (bool, error)

ValidateCA checks whether the given CA key pair is valid for dnsName at the specified time.

func ValidateCert added in v0.37.0

func ValidateCert(
	caCerts []*x509.Certificate,
	certKeyPair *KeyPair,
	dnsName string,
	at time.Time,
	validateCertOpts ...ValidateCertOpt,
) (bool, error)

ValidateCert checks whether the given certificate key pair chains to one of the provided CA certificates and is valid for dnsName at the specified time. Intermediate CAs needed to build the chain can be supplied with WithIntermediateCAs.

Types

type BundleOption added in v0.37.0

type BundleOption func(opts *BundleOptions)

BundleOption represents a function that applies a bundle configuration.

func WithLogger added in v0.37.0

func WithLogger(logger logr.Logger) BundleOption

WithLogger sets the logger option.

func WithSkipExpired added in v0.37.0

func WithSkipExpired(skipExpired bool) BundleOption

WithSkipExpired sets whether certificates that have already expired are omitted from the bundle.

type BundleOptions added in v0.37.0

type BundleOptions struct {
	// contains filtered or unexported fields
}

BundleOptions represents options for bundling certificates.

type KeyPair

type KeyPair struct {
	// CertPEM is the PEM-encoded certificate. It may hold a chain; see
	// Certificates and LeafCertificate.
	CertPEM []byte
	// KeyPEM is the PEM-encoded private key. This is secret key material:
	// never log it or include it in error messages.
	KeyPEM []byte
	// SupportedPrivateKeys is a list of supported private key types.
	// Presumably passed to ParsePrivateKey when KeyPEM is parsed — confirm.
	SupportedPrivateKeys []PrivateKey
}

KeyPair represents a TLS key pair: a PEM-encoded certificate (possibly a chain) and its PEM-encoded private key. KeyPEM holds secret key material and must be handled accordingly (never logged or exposed).

func CreateCA

func CreateCA(x509Opts ...X509Opt) (*KeyPair, error)

CreateCA creates a new self-signed CA certificate and its private key with the given options.

func CreateCert

func CreateCert(caKeyPair *KeyPair, x509Opts ...X509Opt) (*KeyPair, error)

CreateCert creates a new certificate signed by the given CA key pair with the given options.

func NewKeyPair added in v0.37.0

func NewKeyPair(certPEM, keyPEM []byte, opts ...KeyPairOpt) (*KeyPair, error)

NewKeyPair creates a new KeyPair with the given certificate and private key PEM data. Additional options can be provided to configure the KeyPair.

func NewKeyPairFromCASecret added in v0.37.0

func NewKeyPairFromCASecret(secret *corev1.Secret, opts ...KeyPairOpt) (*KeyPair, error)

NewKeyPairFromCASecret creates a new KeyPair from the given Kubernetes CA secret (presumably reading the CACertKey and CAKeyKey entries).

func NewKeyPairFromSecret added in v0.37.0

func NewKeyPairFromSecret(secret *corev1.Secret, certKey, privateKeyKey string, opts ...KeyPairOpt) (*KeyPair, error)

NewKeyPairFromSecret creates a new KeyPair from the given Kubernetes secret, reading the certificate from the certKey entry and the private key from the privateKeyKey entry.

func NewKeyPairFromTLSSecret added in v0.37.0

func NewKeyPairFromTLSSecret(secret *corev1.Secret, opts ...KeyPairOpt) (*KeyPair, error)

NewKeyPairFromTLSSecret creates a new KeyPair from the given Kubernetes TLS secret.

func NewKeyPairFromTemplate added in v0.37.0

func NewKeyPairFromTemplate(tpl *x509.Certificate, caKeyPair *KeyPair, opts ...KeyPairOpt) (*KeyPair, error)

NewKeyPairFromTemplate creates a new KeyPair from the given certificate template and CA KeyPair. Additional options can be provided to configure the KeyPair.

func (*KeyPair) Certificates added in v0.37.0

func (k *KeyPair) Certificates() ([]*x509.Certificate, error)

Certificates parses and returns the certificates from the CertPEM field.

func (*KeyPair) LeafCertificate added in v0.37.0

func (k *KeyPair) LeafCertificate() (*x509.Certificate, error)

LeafCertificate parses and returns the leaf certificate from the CertPEM field.

func (*KeyPair) PrivateKey added in v0.37.0

func (k *KeyPair) PrivateKey() (crypto.Signer, error)

PrivateKey parses and returns the private key from the KeyPEM field.

func (*KeyPair) UpdateCASecret added in v0.37.0

func (k *KeyPair) UpdateCASecret(secret *corev1.Secret)

UpdateCASecret updates the given Kubernetes CA secret with the certificate and private key from the KeyPair.

func (*KeyPair) UpdateSecret added in v0.37.0

func (k *KeyPair) UpdateSecret(secret *corev1.Secret, certKey, privateKeyKey string)

UpdateSecret updates the given Kubernetes secret, writing the certificate under certKey and the private key under privateKeyKey.

func (*KeyPair) UpdateTLSSecret added in v0.37.0

func (k *KeyPair) UpdateTLSSecret(secret *corev1.Secret)

UpdateTLSSecret updates the given Kubernetes TLS secret with the certificate and private key from the KeyPair.

func (*KeyPair) Validate added in v0.37.0

func (k *KeyPair) Validate() error

Validate checks that the KeyPair is well-formed: the certificate and private key are non-empty and parse correctly. By this description it does not check the validity period or trust chain; use ValidateCA or ValidateCert for that.

type KeyPairOpt added in v0.37.0

type KeyPairOpt func(*KeyPair)

KeyPairOpt is a function type used to configure a KeyPair.

func WithSupportedPrivateKeys added in v0.37.0

func WithSupportedPrivateKeys(pks ...PrivateKey) KeyPairOpt

WithSupportedPrivateKeys returns a KeyPairOpt that sets the supported private keys for a KeyPair.

type PrivateKey added in v0.37.0

type PrivateKey string

PrivateKey represents a type of private key.

const (
	// PrivateKeyTypeECDSA represents an ECDSA private key.
	PrivateKeyTypeECDSA PrivateKey = "ecdsa"
	// PrivateKeyTypeRSA represents an RSA private key.
	PrivateKeyTypeRSA PrivateKey = "rsa"
)

type ValidateCertOpt added in v0.37.0

type ValidateCertOpt func(*ValidateCertOpts)

ValidateCertOpt is a function type used to configure ValidateCertOpts.

func WithIntermediateCAs added in v0.37.0

func WithIntermediateCAs(intermediateCAs ...*x509.Certificate) ValidateCertOpt

WithIntermediateCAs sets the intermediate CAs for certificate validation.

type ValidateCertOpts added in v0.37.0

type ValidateCertOpts struct {
	// contains filtered or unexported fields
}

ValidateCertOpts represents options for validating certificates.

type X509Opt

type X509Opt func(*X509Opts)

X509Opt is a function type used to configure X509Opts.

func WithCommonName

func WithCommonName(name string) X509Opt

WithCommonName sets the common name for the certificate.

func WithDNSNames

func WithDNSNames(dnsNames ...string) X509Opt

WithDNSNames sets the DNS names the certificate is valid for. Hostname verification in Go and other modern TLS stacks matches against these names, not the common name, so set them for any certificate that will be verified against a host.

func WithExtKeyUsage added in v0.37.0

func WithExtKeyUsage(extKeyUsage ...x509.ExtKeyUsage) X509Opt

WithExtKeyUsage sets the extended key usages for the certificate.

func WithIsCA added in v0.37.0

func WithIsCA(isCA bool) X509Opt

WithIsCA sets whether the certificate is a CA certificate.

func WithKeyPairOpts added in v0.37.0

func WithKeyPairOpts(keyPairOpts ...KeyPairOpt) X509Opt

WithKeyPairOpts sets options to configure the keypair.

func WithKeyUsage added in v0.37.0

func WithKeyUsage(keyUsage x509.KeyUsage) X509Opt

WithKeyUsage sets the key usage for the certificate.

func WithNotAfter

func WithNotAfter(notAfter time.Time) X509Opt

WithNotAfter sets the end time for the certificate's validity period.

func WithNotBefore

func WithNotBefore(notBefore time.Time) X509Opt

WithNotBefore sets the start time for the certificate's validity period.

type X509Opts

type X509Opts struct {
	// CommonName is the common name for the certificate.
	CommonName string
	// DNSNames is a list of DNS names for the certificate. Hostname
	// verification matches against these, not CommonName.
	DNSNames []string
	// NotBefore is the start time for the certificate's validity period.
	NotBefore time.Time
	// NotAfter is the end time for the certificate's validity period.
	NotAfter time.Time
	// KeyUsage specifies the allowed uses of the key.
	KeyUsage x509.KeyUsage
	// ExtKeyUsage specifies the extended key usages of the certificate.
	ExtKeyUsage []x509.ExtKeyUsage
	// IsCA indicates whether the certificate is a CA certificate.
	IsCA bool
	// KeyPairOpts are options to configure the keypair.
	KeyPairOpts []KeyPairOpt
}

X509Opts represents options for creating X.509 certificates.
