Documentation
Index
- Constants
- func DecodePEMCertPool(txt string) (pool *x509.CertPool, err error)
- func DecodePEMCertificates(txt string) (certs []*x509.Certificate, err error)
- func EncodeCertificatesPEM(crts ...*x509.Certificate) string
- func EncodePrivateKeyP8(k *ecdsa.PrivateKey) []byte
- func EncodePrivateKeyPEM(k *ecdsa.PrivateKey) ([]byte, error)
- func GenerateKey() (*ecdsa.PrivateKey, error)
- type CA
- type Cred
- type Crt
- type GenericPrivateKey
- type Issuer
- type Validity
Constants
const (
	// DefaultLifetime configures certificate validity.
	//
	// Initially all certificates will be valid for one year.
	//
	// TODO: Shorten the validity duration of CA and end-entity certificates downward.
	DefaultLifetime = (10 * 365 * 24) * time.Hour

	// DefaultClockSkewAllowance indicates the maximum allowed difference in clocks
	// in the network.
	//
	// TODO: make it tunable.
	//
	// TODO: Reconsider how this interacts with the similar logic in the webpki
	// verifier; since both are trying to account for clock skew, there is
	// somewhat of an over-correction.
	DefaultClockSkewAllowance = 10 * time.Second
)
Variables
This section is empty.
Functions
func DecodePEMCertPool
func DecodePEMCertPool(txt string) (pool *x509.CertPool, err error)
DecodePEMCertPool parses a string containing PEM-encoded certificates into a CertPool.
func DecodePEMCertificates
func DecodePEMCertificates(txt string) (certs []*x509.Certificate, err error)
DecodePEMCertificates parses a string containing PEM-encoded certificates.
func EncodeCertificatesPEM
func EncodeCertificatesPEM(crts ...*x509.Certificate) string
EncodeCertificatesPEM encodes the collection of provided certificates as a text blob of PEM-encoded certificates.
func EncodePrivateKeyP8
func EncodePrivateKeyP8(k *ecdsa.PrivateKey) []byte
EncodePrivateKeyP8 encodes the provided key to the PKCS#8 binary form.
func EncodePrivateKeyPEM
func EncodePrivateKeyPEM(k *ecdsa.PrivateKey) ([]byte, error)
EncodePrivateKeyPEM encodes the provided key as PEM-encoded text.
func GenerateKey
func GenerateKey() (*ecdsa.PrivateKey, error)
GenerateKey creates a new P-256 ECDSA private key from the default random source.
Types
type CA
type CA struct {
	// Cred contains the CA's credentials.
	Cred Cred

	// Validity configures the NotBefore and NotAfter parameters for certificates
	// issued by this CA.
	//
	// Currently this is used for the CA's validity too, but nothing should
	// assume that the CA's validity period is the same as issued certificates'
	// validity.
	Validity Validity
	// contains filtered or unexported fields
}
CA provides a certificate authority for TLS-enabled installs. Issuing certificates concurrently is not supported.
func CreateRootCA
CreateRootCA configures a new root CA with the given settings.
func GenerateRootCAWithDefaults
GenerateRootCAWithDefaults generates a new root CA with default settings.
func (*CA) GenerateCA
GenerateCA generates a new intermediary CA.
func (*CA) GenerateEndEntityCred
GenerateEndEntityCred creates a new certificate that is valid for the given DNS name, generating a new keypair for it.
func (*CA) IssueEndEntityCrt
func (ca *CA) IssueEndEntityCrt(csr *x509.CertificateRequest) (Crt, error)
IssueEndEntityCrt signs the given certificate signing request and returns the resulting end-entity certificate together with its trust chain. The key pair belongs to the requester; compare GenerateEndEntityCred, which generates one.
type Cred
type Cred struct {
	PrivateKey GenericPrivateKey
	Crt
}
Cred is a container for a certificate, trust chain, and private key.
func ReadPEMCreds
ReadPEMCreds reads PEM-encoded credentials from the named files.
func (*Cred) EncodePrivateKeyP8
EncodePrivateKeyP8 encodes the provided key to the PKCS#8 binary form.
func (*Cred) EncodePrivateKeyPEM
EncodePrivateKeyPEM emits the private key as PEM-encoded text.
type Crt
type Crt struct {
	Certificate *x509.Certificate
	TrustChain  []*x509.Certificate
}
Crt is a container for a certificate and trust chain.
The trust chain stores all issuer certificates from the root at the head to the direct issuer at the tail.
func DecodePEMCrt
DecodePEMCrt decodes PEM-encoded certificates from leaf to root.
func (*Crt) EncodeCertificatePEM
EncodeCertificatePEM emits the Crt's leaf certificate as PEM-encoded text.
func (*Crt) EncodePEM
EncodePEM emits a certificate and trust chain as a series of PEM-encoded certificates from leaf to root.
func (*Crt) ExtractRaw
ExtractRaw extracts the DER-encoded certificates in the Crt from leaf to root.
type GenericPrivateKey
type GenericPrivateKey interface {
	// contains filtered or unexported methods
}
GenericPrivateKey represents either an EC or an RSA private key.
func DecodePEMKey
func DecodePEMKey(txt string) (GenericPrivateKey, error)
DecodePEMKey parses a PEM-encoded private key from the given text.
type Issuer
type Issuer interface {
	IssueEndEntityCrt(*x509.CertificateRequest) (Crt, error)
}
Implementors of Issuer sign certificate signing requests; CA satisfies this interface through its IssueEndEntityCrt method.
type Validity
type Validity struct {
	// Validity is the duration for which issued certificates are valid. This
	// is approximately cert.NotAfter - cert.NotBefore with some additional
	// allowance for clock skew.
	//
	// Currently this is used for the CA's validity too, but nothing should
	// assume that the CA's validity period is the same as issued certificates'
	// validity.
	Lifetime time.Duration

	// ClockSkewAllowance is the maximum supported clock skew. Everything that
	// processes the certificates must have a system clock that is off by no
	// more than this allowance in either direction.
	ClockSkewAllowance time.Duration
}
Validity configures the expiry times of issued certificates.
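The Crt chain layout (root at the head of TrustChain, direct issuer at the tail) and the Validity window described above, as an added standard-library example that is not this package's code: it builds a root, an intermediate and a leaf, then verifies the leaf from its TrustChain at different clock offsets. The Validity and Crt types are local stand-ins with the documented shape, the serial numbers are constructed, and padding NotBefore/NotAfter by ClockSkewAllowance on both ends is an assumption about how the package applies the allowance.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

type Validity struct{ Lifetime, ClockSkewAllowance time.Duration } // local stand-in shaped like the documented type
type Crt struct { // local stand-in, not the package's own code
	Certificate *x509.Certificate
	TrustChain  []*x509.Certificate // root at head, direct issuer at tail
}
// VerifyAt checks the leaf against its TrustChain as of t: the head is the sole root, the rest are intermediates.
func (c Crt) VerifyAt(t time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.TrustChain[0])
	for _, ca := range c.TrustChain[1:] {
		inters.AddCert(ca)
	}
	_, err := c.Certificate.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: t})
	return err
}
// issue signs a certificate for cn (self-signed when parent is nil); CertSign usage marks it as a CA. Padding
// NotBefore/NotAfter by ClockSkewAllowance on both ends is an assumption about how the package applies it.
func issue(cn string, serial int64, ku x509.KeyUsage, v Validity, now time.Time, key, signer *ecdsa.PrivateKey, parent *x509.Certificate) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, KeyUsage: ku,
		NotBefore: now.Add(-v.ClockSkewAllowance), NotAfter: now.Add(v.Lifetime + v.ClockSkewAllowance)}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil { panic(err) } // constructed example; a real issuer returns the error
	c, _ := x509.ParseCertificate(der)
	return c
}
// BuildChain issues root -> intermediate -> leaf as of now (constructed serials 1..3) and returns the leaf's Crt.
func BuildChain(v Validity, now time.Time) Crt {
	gen := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	rk, ik, lk := gen(), gen(), gen()
	root := issue("root", 1, x509.KeyUsageCertSign, v, now, rk, nil, nil)
	inter := issue("intermediate", 2, x509.KeyUsageCertSign, v, now, ik, rk, root)
	leaf := issue("leaf", 3, x509.KeyUsageDigitalSignature, v, now, lk, ik, inter)
	return Crt{Certificate: leaf, TrustChain: []*x509.Certificate{root, inter}}
}
```

A verifier whose clock is within ClockSkewAllowance of the issuer accepts the leaf just before its nominal issue time and just after its nominal lifetime; beyond the allowance it fails in both directions.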