import "istio.io/istio/pkg/spiffe"
const (
	// Scheme is the URI scheme of a SPIFFE ID.
	Scheme = "spiffe"
	// URIPrefix is the scheme plus the "://" separator every SPIFFE ID starts with.
	URIPrefix = Scheme + "://"
	// URIPrefixLen is the byte length of URIPrefix.
	URIPrefixLen = len(URIPrefix)
	// ServiceAccountSegment is the path segment that precedes the service account
	// name, as in spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>.
	ServiceAccountSegment = "sa"
	// NamespaceSegment is the path segment that precedes the namespace name.
	NamespaceSegment = "ns"
)
ExpandWithTrustDomains expands the given SPIFFE identities across a list of trust domain aliases. The returned list contains no duplicates, and the original input is always retained. For example, ExpandWithTrustDomains({"spiffe://td1/ns/def/sa/def"}, {"td1", "td2"}) returns
{"spiffe://td1/ns/def/sa/def", "spiffe://td2/ns/def/sa/def"}.
ExpandWithTrustDomains({"spiffe://td1/ns/def/sa/a", "spiffe://td1/ns/def/sa/b"}, {"td2"}) returns
{"spiffe://td1/ns/def/sa/a", "spiffe://td2/ns/def/sa/a", "spiffe://td1/ns/def/sa/b", "spiffe://td2/ns/def/sa/b"}.
GenSpiffeURI returns the formatted URI (SPIFFE format for now) for the certificate.
GetTrustDomainFromURISAN extracts the trust domain part from the URI SAN in the X.509 certificate.
MustGenSpiffeURI returns the formatted URI (SPIFFE format for now) for the certificate and logs any error encountered.
func RetrieveSpiffeBundleRootCerts(config map[string]string, extraTrustedCerts []*x509.Certificate) ( map[string][]*x509.Certificate, error)
RetrieveSpiffeBundleRootCerts retrieves the trusted CA certificates from a list of SPIFFE bundle endpoints. The system cert pool and the extraTrustedCerts can both be used to validate the endpoints.
func RetrieveSpiffeBundleRootCertsFromStringInput(inputString string, extraTrustedCerts []*x509.Certificate) ( map[string][]*x509.Certificate, error)
RetrieveSpiffeBundleRootCertsFromStringInput retrieves the trusted CA certificates from a list of SPIFFE bundle endpoints. The system cert pool and the extraTrustedCerts can both be used to validate the endpoints. The inputString should be a list of name|URL tuples separated by "||", in the format: "foo|URL1||bar|URL2||baz|URL3..."
// PeerCertVerifier verifies peer certificates the SPIFFE way: a peer chain is
// checked against the root certificates registered for its trust domain (see
// VerifyPeerCert, which is meant to be installed as tls.Config.VerifyPeerCertificate).
// The trust-domain-to-cert-pool mapping is unexported; populate it through
// AddMapping, AddMappingFromPEM or AddMappings before verifying anything.
type PeerCertVerifier struct {
// contains filtered or unexported fields
}
PeerCertVerifier is an instance to verify the peer certificate in the SPIFFE way using the retrieved root certificates.
func NewPeerCertVerifier() *PeerCertVerifier
NewPeerCertVerifier returns a new PeerCertVerifier.
func (v *PeerCertVerifier) AddMapping(trustDomain string, certs []*x509.Certificate)
AddMapping adds a new trust-domain-to-certificates mapping to the certPools map.
func (v *PeerCertVerifier) AddMappingFromPEM(trustDomain string, rootCertBytes []byte) error
AddMappingFromPEM adds multiple root CAs (PEM-encoded in rootCertBytes) to the SPIFFE trust bundle for trustDomain.
func (v *PeerCertVerifier) AddMappings(certMap map[string][]*x509.Certificate)
AddMappings merges a trust-domain-to-certificates map into the certPools map.
func (v *PeerCertVerifier) GetGeneralCertPool() *x509.CertPool
GetGeneralCertPool returns generalCertPool, the pool containing all registered root certs.
func (v *PeerCertVerifier) VerifyPeerCert(rawCerts [][]byte, _ [][]*x509.Certificate) error
VerifyPeerCert implements tls.Config.VerifyPeerCertificate. It verifies the peer certificate against the root certificates associated with the peer's trust domain.