
package util

import "istio.io/istio/security/pkg/pki/util"


Package Files

crypto.go dual_use.go generate_cert.go generate_csr.go keycertbundle.go san.go verify_cert.go

func AppendRootCerts Uses

func AppendRootCerts(pemCert []byte, rootCertFile string) ([]byte, error)

AppendRootCerts appends the root certificates in rootCertFile to the input certificate.

func BuildSANExtension Uses

func BuildSANExtension(identites []Identity) (*pkix.Extension, error)

BuildSANExtension builds a `pkix.Extension` of type "Subject Alternative Name" based on the given identities.

func BuildSubjectAltNameExtension Uses

func BuildSubjectAltNameExtension(hosts string) (*pkix.Extension, error)

BuildSubjectAltNameExtension builds the SAN extension for the certificate.

func DualUseCommonName Uses

func DualUseCommonName(host string) (string, error)

DualUseCommonName extracts a valid CommonName from a comma-delimited host string for dual-use certificates.

func ExtractIDs Uses

func ExtractIDs(exts []pkix.Extension) ([]string, error)

ExtractIDs first finds the SAN extension in the given extension set, then extracts the identities from that SAN extension.

func ExtractSANExtension Uses

func ExtractSANExtension(exts []pkix.Extension) *pkix.Extension

ExtractSANExtension extracts the "Subject Alternative Name" extension from the given PKIX extension set.

func GenCSR Uses

func GenCSR(options CertOptions) ([]byte, []byte, error)

GenCSR generates an X.509 certificate signing request and a private key with the given options.

func GenCSRTemplate Uses

func GenCSRTemplate(options CertOptions) (*x509.CertificateRequest, error)

GenCSRTemplate generates a certificateRequest template with the given options.

func GenCertFromCSR Uses

func GenCertFromCSR(csr *x509.CertificateRequest, signingCert *x509.Certificate, publicKey interface{},
    signingKey crypto.PrivateKey, subjectIDs []string, ttl time.Duration, isCA bool) (cert []byte, err error)

GenCertFromCSR generates an X.509 certificate from the given CSR.

func GenCertKeyFromOptions Uses

func GenCertKeyFromOptions(options CertOptions) (pemCert []byte, pemKey []byte, err error)

GenCertKeyFromOptions generates an X.509 certificate and a private key with the given options.

func GenRootCertFromExistingKey Uses

func GenRootCertFromExistingKey(options CertOptions) (pemCert []byte, pemKey []byte, err error)

GenRootCertFromExistingKey generates an X.509 certificate using an existing CA private key. It is only called by a self-signed Citadel.

func GetRSAKeySize Uses

func GetRSAKeySize(privKey crypto.PrivateKey) (int, error)

GetRSAKeySize returns the key size if privKey is an RSA key; otherwise it returns an error.

func LoadSignerCredsFromFiles Uses

func LoadSignerCredsFromFiles(signerCertFile string, signerPrivFile string) (*x509.Certificate, crypto.PrivateKey, error)

LoadSignerCredsFromFiles loads the signer cert and key from the given files.

signerCertFile: cert file name
signerPrivFile: private key file name

func ParsePemEncodedCSR Uses

func ParsePemEncodedCSR(csrBytes []byte) (*x509.CertificateRequest, error)

ParsePemEncodedCSR constructs a `x509.CertificateRequest` object using the given PEM-encoded certificate signing request.

func ParsePemEncodedCertificate Uses

func ParsePemEncodedCertificate(certBytes []byte) (*x509.Certificate, error)

ParsePemEncodedCertificate constructs a `x509.Certificate` object from the given PEM-encoded certificate.

func ParsePemEncodedKey Uses

func ParsePemEncodedKey(keyBytes []byte) (crypto.PrivateKey, error)

ParsePemEncodedKey takes a PEM-encoded key and parses the bytes into a `crypto.PrivateKey`.

func Verify Uses

func Verify(certBytes, privKeyBytes, certChainBytes, rootCertBytes []byte) error

Verify checks that the cert chain, the root cert, and the key/cert pair match.

func VerifyCertificate Uses

func VerifyCertificate(privPem []byte, certChainPem []byte, rootCertPem []byte, expectedFields *VerifyFields) error

VerifyCertificate verifies a given PEM-encoded certificate by building one or more chains from the certificate to a root certificate, and by checking that its fields are set as expected.

type CertOptions Uses

// CertOptions contains options for generating a new certificate.
type CertOptions struct {
    // Comma-separated hostnames and IPs to generate a certificate for.
    // This can also be set to the identity running the workload,
    // like kubernetes service account.
    Host string

    // The NotBefore field of the issued certificate.
    NotBefore time.Time

    // TTL of the certificate. NotAfter - NotBefore.
    TTL time.Duration

    // Signer certificate.
    SignerCert *x509.Certificate

    // Signer private key.
    // NOTE(review): this is key material; keep it out of logs and error
    // messages when handling a CertOptions value.
    SignerPriv crypto.PrivateKey

    // Signer private key (PEM encoded).
    // NOTE(review): which of SignerPriv and SignerPrivPem takes precedence
    // when both are set is not visible here — confirm in
    // GenCertKeyFromOptions before relying on either.
    SignerPrivPem []byte

    // Organization for this certificate.
    Org string

    // The size of RSA private key to be generated.
    // NOTE(review): whether a minimum size is enforced is not visible here —
    // check the generator that consumes this field before relying on it.
    RSAKeySize int

    // Whether this certificate is used as signing cert for CA.
    IsCA bool

    // Whether this certificate is self-signed.
    IsSelfSigned bool

    // Whether this certificate is for a client.
    IsClient bool

    // Whether this certificate is for a server.
    IsServer bool

    // Whether this certificate is for dual-use clients (SAN+CN).
    IsDualUse bool

    // If true, the private key is encoded with PKCS#8.
    PKCS8Key bool
}

CertOptions contains options for generating a new certificate.

type Identity Uses

// Identity is an object holding both the encoded identifier bytes as well
// as the type of the identity.
type Identity struct {
    // Type selects how Value is encoded into a SAN extension (see IdentityType).
    Type  IdentityType
    // Value holds the encoded identifier bytes.
    Value []byte
}

Identity is an object holding both the encoded identifier bytes as well as the type of the identity.

func ExtractIDsFromSAN Uses

func ExtractIDsFromSAN(sanExt *pkix.Extension) ([]Identity, error)

ExtractIDsFromSAN takes a SAN extension and extracts the identities. The logic is mostly borrowed from https://github.com/golang/go/blob/master/src/crypto/x509/x509.go, with the addition of supporting extracting URIs.

type IdentityType Uses

// IdentityType represents the type of an identity. It is used to properly
// encode an identity into a SAN extension.
type IdentityType int

IdentityType represents type of an identity. This is used to properly encode an identity into a SAN extension.

// IdentityType values carried in Identity.Type.
const (
    // TypeDNS represents a DNS name.
    TypeDNS IdentityType = iota
    // TypeIP represents an IP address.
    TypeIP
    // TypeURI represents a universal resource identifier.
    TypeURI
)

type KeyCertBundle Uses

// KeyCertBundle stores the cert, private key, cert chain and root cert for
// an entity. The package documentation describes it as thread safe.
// TODO(myidpt): Remove this interface.
type KeyCertBundle interface {
    // GetAllPem returns all key/cert PEMs in KeyCertBundle together. Getting all values together avoids inconsistency.
    GetAllPem() (certBytes, privKeyBytes, certChainBytes, rootCertBytes []byte)

    // GetAll returns all key/cert in KeyCertBundle together. Getting all values together avoids inconsistency.
    // NOTE: the KeyCertBundleImpl documentation says callers should not modify
    // the content of the returned cert and privKey.
    GetAll() (cert *x509.Certificate, privKey *crypto.PrivateKey, certChainBytes, rootCertBytes []byte)

    // GetCertChainPem returns the certificate chain PEM.
    GetCertChainPem() []byte

    // GetRootCertPem returns the root certificate PEM.
    GetRootCertPem() []byte

    // VerifyAndSetAll verifies the key/certs, and sets all key/certs in KeyCertBundle together.
    // Setting all values together avoids inconsistency.
    VerifyAndSetAll(certBytes, privKeyBytes, certChainBytes, rootCertBytes []byte) error

    // CertOptions returns the CertOptions for rotating the current key cert.
    CertOptions() (*CertOptions, error)
}

KeyCertBundle stores the cert, private key, cert chain and root cert for an entity. It is thread safe. TODO(myidpt): Remove this interface.

type KeyCertBundleImpl Uses

// KeyCertBundleImpl implements the KeyCertBundle interface. The cert and
// privKey should be a public/private key pair, and the cert should be
// verifiable from the rootCert through the certChain.
type KeyCertBundleImpl struct {
    // contains filtered or unexported fields
}

KeyCertBundleImpl implements the KeyCertBundle interface. The cert and privKey should be a public/private key pair, and the cert should be verifiable from the rootCert through the certChain. cert and privKey are pointers to the cert/key parsed from certBytes/privKeyBytes.

func NewKeyCertBundleWithRootCertFromFile Uses

func NewKeyCertBundleWithRootCertFromFile(rootCertFile string) (*KeyCertBundleImpl, error)

NewKeyCertBundleWithRootCertFromFile returns a new KeyCertBundle containing the root cert read from rootCertFile; no verification is performed.

func NewVerifiedKeyCertBundleFromFile Uses

func NewVerifiedKeyCertBundleFromFile(certFile, privKeyFile, certChainFile, rootCertFile string) (
    *KeyCertBundleImpl, error)

NewVerifiedKeyCertBundleFromFile returns a new KeyCertBundle, or error if the provided certs failed the verification.

func NewVerifiedKeyCertBundleFromPem Uses

func NewVerifiedKeyCertBundleFromPem(certBytes, privKeyBytes, certChainBytes, rootCertBytes []byte) (
    *KeyCertBundleImpl, error)

NewVerifiedKeyCertBundleFromPem returns a new KeyCertBundle, or error if the provided certs failed the verification.

func (*KeyCertBundleImpl) CertOptions Uses

func (b *KeyCertBundleImpl) CertOptions() (*CertOptions, error)

CertOptions returns the certificate config based on currently stored cert.

func (*KeyCertBundleImpl) GetAll Uses

func (b *KeyCertBundleImpl) GetAll() (cert *x509.Certificate, privKey *crypto.PrivateKey, certChainBytes,
    rootCertBytes []byte)

GetAll returns all key/cert in KeyCertBundle together. Getting all values together avoids inconsistency. NOTE: Callers should not modify the content of cert and privKey.

func (*KeyCertBundleImpl) GetAllPem Uses

func (b *KeyCertBundleImpl) GetAllPem() (certBytes, privKeyBytes, certChainBytes, rootCertBytes []byte)

GetAllPem returns all key/cert PEMs in KeyCertBundle together. Getting all values together avoids inconsistency.

func (*KeyCertBundleImpl) GetCertChainPem Uses

func (b *KeyCertBundleImpl) GetCertChainPem() []byte

GetCertChainPem returns the certificate chain PEM.

func (*KeyCertBundleImpl) GetRootCertPem Uses

func (b *KeyCertBundleImpl) GetRootCertPem() []byte

GetRootCertPem returns the root certificate PEM.

func (*KeyCertBundleImpl) VerifyAndSetAll Uses

func (b *KeyCertBundleImpl) VerifyAndSetAll(certBytes, privKeyBytes, certChainBytes, rootCertBytes []byte) error

VerifyAndSetAll verifies the key/certs, and sets all key/certs in KeyCertBundle together. Setting all values together avoids inconsistency.

type VerifyFields Uses

// VerifyFields contains the certificate fields to verify in the test.
// Each field holds the value the certificate under test is expected to carry.
type VerifyFields struct {
    NotBefore   time.Time
    TTL         time.Duration // NotAfter - NotBefore
    ExtKeyUsage []x509.ExtKeyUsage
    KeyUsage    x509.KeyUsage
    IsCA        bool
    Org         string
    CommonName  string
    Host        string
}

VerifyFields contains the certificate fields to verify in the test.
