package tls

import "github.com/banzaicloud/bank-vaults/pkg/sdk/tls"

Index ¶

• Variables
• func GetCertExpirationDate(certPEM []byte) (time.Time, error)
• type CertificateChain
• func GenerateTLS(hosts string, validity string) (*CertificateChain, error)
• type CertificateManager
• func NewCertificateManager(hosts string, validity string) (*CertificateManager, error)
• func (cm *CertificateManager) GenerateCA() error
• func (c *CertificateManager) GenerateClient() error
• func (c *CertificateManager) GeneratePeer() error
• func (cm *CertificateManager) GenerateServer() error
• func (cm *CertificateManager) LoadCA(caCertBytes []byte, caKeyBytes []byte, expirationThreshold time.Duration) error
• func (cc *CertificateManager) NewChain() error
• type ClientCertificate
• func GenerateClientCertificate(req ClientCertificateRequest, signerCert *x509.Certificate, signerKey crypto.Signer) (*ClientCertificate, error)
• type ClientCertificateRequest
• type PeerCertificate
• func GeneratePeerCertificate(req PeerCertificateRequest, signerCert *x509.Certificate, signerKey crypto.Signer) (*PeerCertificate, error)
• type PeerCertificateRequest
• type SeparatedCertHosts
• func NewSeparatedCertHosts(hosts string) *SeparatedCertHosts
• func (sh *SeparatedCertHosts) Validate() error
• type ServerCertificate
• func GenerateServerCertificate(req ServerCertificateRequest, signerCert *x509.Certificate, signerKey crypto.Signer) (*ServerCertificate, error)
• type ServerCertificateRequest

Package Files ¶

tls.go tls_client.go tls_peer.go tls_server.go

Variables ¶

var (
    // InvalidHostNameError is returned when you have a hostname that has already been covered by a wildcard hostname
    InvalidHostNameError = errors.New("invalid host name, this has been already covered by the wildcard")

    // InvalidCAError will be returned if the provided CA is invalid
    InvalidCAError = errors.New("the CA provided is not valid")

    // EmptyCAError will be returned if the CA provided was empty
    EmptyCAError = errors.New("an empty CA was provided")

    // ExpiredCAError will be returned if the CA does not meet the required threshold of validity
    ExpiredCAError = errors.New("the CA provided will expired before the provided threshold")
)

func GetCertExpirationDate ¶ Uses

func GetCertExpirationDate(certPEM []byte) (time.Time, error)

GetCertExpirationDate will return a PEM encoded certificate's expiration date

type CertificateChain ¶ Uses

type CertificateChain struct {
    CAKey      string `mapstructure:"caKey"`
    CACert     string `mapstructure:"caCert"`
    ServerKey  string `mapstructure:"serverKey"`
    ServerCert string `mapstructure:"serverCert"`
    ClientKey  string `mapstructure:"clientKey"`
    ClientCert string `mapstructure:"clientCert"`
    PeerKey    string `mapstructure:"peerKey"`
    PeerCert   string `mapstructure:"peerCert"`
}

CertificateChain represents a full certificate chain with a root CA, a server, client and peer certificate All values are in PEM format

func GenerateTLS ¶ Uses

func GenerateTLS(hosts string, validity string) (*CertificateChain, error)

GenerateTLS generates ca, server, client and peer TLS certificates. hosts: Comma-separated hostnames and IPs to generate a certificate for validity: Duration that certificate is valid for, in Go Duration format

type CertificateManager ¶ Uses

type CertificateManager struct {
    Chain *CertificateChain
    // contains filtered or unexported fields
}

CertificateManager contains a certificate chain and methods to generate certificates on that chain

func NewCertificateManager ¶ Uses

func NewCertificateManager(hosts string, validity string) (*CertificateManager, error)

NewCertificateManager will return a new instance of the CertificateManager

func (*CertificateManager) GenerateCA ¶ Uses

func (cm *CertificateManager) GenerateCA() error

GenerateCA will generate a new certificate authority

func (*CertificateManager) GenerateClient ¶ Uses

func (c *CertificateManager) GenerateClient() error

GenerateClient will generate a new client TLS certificate signed by the CA within the chain

func (*CertificateManager) GeneratePeer ¶ Uses

func (c *CertificateManager) GeneratePeer() error

GeneratePeer will generate a new peer TLS certificate signed by the CA within the chain

func (*CertificateManager) GenerateServer ¶ Uses

func (cm *CertificateManager) GenerateServer() error

GenerateServer will generate a new server TLS certificate signed by the CA within the chain

func (*CertificateManager) LoadCA ¶ Uses

func (cm *CertificateManager) LoadCA(caCertBytes []byte, caKeyBytes []byte, expirationThreshold time.Duration) error

LoadCA will load an existing certifiate authority into the CertificateManager and underlying chain

func (*CertificateManager) NewChain ¶ Uses

func (cc *CertificateManager) NewChain() error

NewChain generates ca, server, client and peer TLS certificates. hosts: Comma-separated hostnames and IPs to generate a certificate for validity: Duration that certificate is valid for, in Go Duration format

type ClientCertificate ¶ Uses

type ClientCertificate struct {
    Certificate []byte
    Key         []byte
}

ClientCertificate contains the generated certificate and key in PEM encoded format.

func GenerateClientCertificate ¶ Uses

func GenerateClientCertificate(req ClientCertificateRequest, signerCert *x509.Certificate, signerKey crypto.Signer) (*ClientCertificate, error)

GenerateClientCertificate generates client TLS certificate and key signed by a parent CA.

type ClientCertificateRequest ¶ Uses

type ClientCertificateRequest struct {
    Subject  pkix.Name
    Validity time.Duration
    // contains filtered or unexported fields
}

ClientCertificateRequest contains a set of options configurable for client certificate generation

type PeerCertificate ¶ Uses

type PeerCertificate struct {
    Certificate []byte
    Key         []byte
}

PeerCertificate contains the generated certificate and key in PEM encoded format.

func GeneratePeerCertificate ¶ Uses

func GeneratePeerCertificate(req PeerCertificateRequest, signerCert *x509.Certificate, signerKey crypto.Signer) (*PeerCertificate, error)

GeneratePeerCertificate generates peer TLS certificate and key signed by a parent CA.

type PeerCertificateRequest ¶ Uses

type PeerCertificateRequest struct {
    Subject     pkix.Name
    Validity    time.Duration
    DNSNames    []string
    IPAddresses []net.IP
    // contains filtered or unexported fields
}

PeerCertificateRequest contains a set of options configurable for peer certificate generation.

type SeparatedCertHosts ¶ Uses

type SeparatedCertHosts struct {
    WildCardHosts []string
    Hosts         []string
    IPs           []net.IP
}

func NewSeparatedCertHosts ¶ Uses

func NewSeparatedCertHosts(hosts string) *SeparatedCertHosts

NewSeparatedCertHosts creates a new seperatedCertsHosts struct by parsing and separating the comma-separated host names and IPs.

func (*SeparatedCertHosts) Validate ¶ Uses

func (sh *SeparatedCertHosts) Validate() error

Validate validates the hostnames in case of wildCard host is present eg.: *.foo.bar boo.foo.bar is not allowed, but coo.boo.foo.bar is valid

type ServerCertificate ¶ Uses

type ServerCertificate struct {
    Certificate []byte
    Key         []byte
}

ServerCertificate contains the generated certificate and key in PEM encoded format.

func GenerateServerCertificate ¶ Uses

func GenerateServerCertificate(req ServerCertificateRequest, signerCert *x509.Certificate, signerKey crypto.Signer) (*ServerCertificate, error)

GenerateServerCertificate generates server TLS certificate and key signed by a parent CA.

type ServerCertificateRequest ¶ Uses

type ServerCertificateRequest struct {
    Subject     pkix.Name
    Validity    time.Duration
    DNSNames    []string
    IPAddresses []net.IP
    // contains filtered or unexported fields
}

ServerCertificateRequest contains a set of options configurable for server certificate generation.