Documentation
Index ¶
- Constants
- func Base64(data []byte) string
- func CertInCAFile(cert, caFile string) (bool, error)
- func CertInConfigMap(cm *corev1.ConfigMap, cert string) (bool, error)
- func CertToPem(cert *x509.Certificate) []byte
- func CheckCACertInBundle(caCertFile, caBundleFile string) (bool, error)
- func CheckCert(cert string, certs string) (bool, error)
- func GenerateCA() (*rsa.PrivateKey, *x509.Certificate, error)
- func GenerateCAToFiles(opts *CAOptions) error
- func GenerateCAWith(subject, dnsName string) (*rsa.PrivateKey, *x509.Certificate, error)
- func GenerateSelfSignedCertificate(cfg *CertCfg) (*rsa.PrivateKey, *x509.Certificate, error)
- func GenerateSignedCertificate(caKey *rsa.PrivateKey, caCert *x509.Certificate, cfg *CertCfg) (*rsa.PrivateKey, *x509.Certificate, error)
- func GenerateTLSKeyCertPair(subject, dnsName, caKeyFile, caCertFile string) (*rsa.PrivateKey, *x509.Certificate, error)
- func GenerateTLSKeyCertPairToFiles(opts *PKIOptions) error
- func HasCAHash(secret *corev1.Secret, ca *corev1.Secret, opts *CAOpts) bool
- func ParseSubject(subject string) pkix.Name
- func PemToCertificate(data []byte) (*x509.Certificate, error)
- func PemToPrivateKey(data []byte) (*rsa.PrivateKey, error)
- func PrivateKey(size int) (*rsa.PrivateKey, error)
- func PrivateKeyToPem(key *rsa.PrivateKey) []byte
- func PublicKeyToPem(key *rsa.PublicKey) ([]byte, error)
- func Reader() io.Reader
- func SelfSignedCertificate(cfg *CertCfg, key *rsa.PrivateKey) (*x509.Certificate, error)
- func UnsafeSeed(seed int64)
- func ValidateKeyPair(pemKey, pemCertificate []byte, cfg *CertCfg, ...) error
- type CAOptions
- type CAOpts
- type CertCfg
- type PKIOptions
Constants ¶
const (
	// DefaultKeySize is the RSA modulus size, in bits, used when no explicit size is given.
	DefaultKeySize   = 2048
	ValidityOneDay   = 24 * time.Hour
	ValidityOneYear  = 365 * ValidityOneDay
	ValidityTenYears = 10 * ValidityOneYear

	// CAHashAnnotation is the annotation key used to record a CA hash (see HasCAHash).
	CAHashAnnotation = "hypershiftlite.openshift.io/ca-hash"

	// CASignerCertMapKey is the key value in a CA cert utilized by the control plane operator.
	CASignerCertMapKey = "ca.crt"
	// CASignerKeyMapKey is the key for the private key field in a CA cert utilized by the control plane operator.
	CASignerKeyMapKey = "ca.key"
	// TLSSignerCertMapKey is the key value the default k8s cert-manager looks for in a TLS certificate in a TLS secret.
	// TLSSignerCertMapKey is programmatically enforced to have the same data as CASignerCertMapKey.
	TLSSignerCertMapKey = "tls.crt"
	// TLSSignerKeyMapKey is the key the default k8s cert-manager looks for in a private key field in a TLS secret.
	// TLSSignerKeyMapKey is programmatically enforced to have the same data as CASignerKeyMapKey.
	// NOTE(review): because tls.key mirrors ca.key, a Secret carrying these keys holds the CA signing key
	// itself, not just a leaf key; RBAC on such Secrets should be as tight as on the CA Secret.
	TLSSignerKeyMapKey = "tls.key"
	// UserCABundleMapKey is the key value in a user-provided CA ConfigMap.
	UserCABundleMapKey = "ca-bundle.crt"
)
Comes from https://github.com/openshift/hypershift/blob/main/support/certs/tls.go
Variables ¶
This section is empty.
Functions ¶
func CertInCAFile ¶
CertInCAFile reports whether the PEM-encoded certificate cert is already present in the CA bundle file caFile. It is typically used to test the system CA bundle at /etc/pki/tls/certs/ca-bundle.crt.
func CertInConfigMap ¶
CertInConfigMap reports whether the PEM-encoded certificate cert is already present in the CA bundle held by the ConfigMap cm (presumably read from its UserCABundleMapKey, "ca-bundle.crt", entry — confirm against the implementation).
func CertToPem ¶
func CertToPem(cert *x509.Certificate) []byte
CertToPem encodes an x509.Certificate as a PEM block and returns the resulting bytes.
func CheckCACertInBundle ¶
CheckCACertInBundle reports whether the CA certificate stored in caCertFile is included in the CA bundle file caBundleFile.
func CheckCert ¶
CheckCert reports whether the PEM-encoded certificate cert appears among the PEM-encoded certificates in certs.
func GenerateCA ¶
func GenerateCA() (*rsa.PrivateKey, *x509.Certificate, error)
GenerateCA generates a new CA private key and its CA certificate using the package defaults.
func GenerateCAToFiles ¶
GenerateCAToFiles generates a CA key/cert pair and saves them into separate files as configured by opts. The key file contains unencrypted private key material; restrict its permissions and location accordingly.
func GenerateCAWith ¶
func GenerateCAWith(subject, dnsName string) (*rsa.PrivateKey, *x509.Certificate, error)
GenerateCAWith generates a CA private key and certificate using the given subject and dnsName.
func GenerateSelfSignedCertificate ¶
func GenerateSelfSignedCertificate(cfg *CertCfg) (*rsa.PrivateKey, *x509.Certificate, error)
GenerateSelfSignedCertificate generates a key/cert pair defined by CertCfg.
func GenerateSignedCertificate ¶
func GenerateSignedCertificate(caKey *rsa.PrivateKey, caCert *x509.Certificate, cfg *CertCfg) (*rsa.PrivateKey, *x509.Certificate, error)
GenerateSignedCertificate generates a key and a certificate defined by CertCfg, signed by the CA identified by caKey and caCert.
func GenerateTLSKeyCertPair ¶
func GenerateTLSKeyCertPair(subject, dnsName, caKeyFile, caCertFile string) (*rsa.PrivateKey, *x509.Certificate, error)
func GenerateTLSKeyCertPairToFiles ¶
func GenerateTLSKeyCertPairToFiles(opts *PKIOptions) error
func ParseSubject ¶
ParseSubject parses an OpenSSL-style subject string (the form accepted by openssl's -subj option) into the pkix.Name type used by Go's crypto/x509.
func PemToCertificate ¶
func PemToCertificate(data []byte) (*x509.Certificate, error)
PemToCertificate parses a PEM-encoded data block into an x509.Certificate.
func PemToPrivateKey ¶
func PemToPrivateKey(data []byte) (*rsa.PrivateKey, error)
PemToPrivateKey parses a PEM-encoded data block into an rsa.PrivateKey. Given the return type, only RSA keys can be returned; expect an error for other key types (confirm against the implementation).
func PrivateKey ¶
func PrivateKey(size int) (*rsa.PrivateKey, error)
PrivateKey generates an RSA private key with a modulus of size bits and returns it. Use DefaultKeySize (2048) or larger; smaller RSA moduli are considered weak and should not be used for production keys.
func PrivateKeyToPem ¶
func PrivateKeyToPem(key *rsa.PrivateKey) []byte
PrivateKeyToPem encodes an rsa.PrivateKey as a PEM block and returns the resulting bytes. The output carries the private key without passphrase protection and must be handled as a secret.
func PublicKeyToPem ¶
PublicKeyToPem encodes an rsa.PublicKey as a PEM block and returns the resulting bytes.
func SelfSignedCertificate ¶
func SelfSignedCertificate(cfg *CertCfg, key *rsa.PrivateKey) (*x509.Certificate, error)
SelfSignedCertificate creates a self-signed certificate described by cfg, using key as both the subject key and the signing key.
func UnsafeSeed ¶
func UnsafeSeed(seed int64)
UnsafeSeed seeds the package RNG with the provided seed. This is not safe to do in production code and should only be used to make tests that interact with this package deterministic: once seeded, randomness drawn from the package (presumably via Reader(), and therefore the private keys it generates) is predictable to anyone who knows the seed, so such keys must never leave a test environment.
Types ¶
type CAOptions ¶
func DefaultCAOptions ¶
func DefaultCAOptions() *CAOptions
type CertCfg ¶
type CertCfg struct {
	// KeySize is the RSA modulus size in bits for the generated key (see DefaultKeySize).
	KeySize int
	// DNSNames are the DNS subject alternative names to place in the certificate.
	DNSNames []string
	// ExtKeyUsages lists the extended key usages (e.g. server/client auth) to set on the certificate.
	ExtKeyUsages []x509.ExtKeyUsage
	// IPAddresses are the IP subject alternative names to place in the certificate.
	IPAddresses []net.IP
	// KeyUsages is the key usage bit set for the certificate.
	KeyUsages x509.KeyUsage
	// Subject is the certificate subject (see ParseSubject for building one from an OpenSSL-style string).
	Subject pkix.Name
	// Validity is the certificate lifetime; presumably NotAfter = now + Validity — confirm in the generator.
	Validity time.Duration
	// IsCA marks the certificate as a CA; presumably sets basic constraints cA=true — confirm in the generator.
	IsCA bool
}
CertCfg contains all the fields needed to configure a new certificate generated by this package.
type PKIOptions ¶
type PKIOptions struct {
	// CaGenOpt configures the CA used to sign the pair; see CAOptions and DefaultCAOptions.
	CaGenOpt *CAOptions
	// Subject is the OpenSSL-style subject string for the leaf certificate (presumably parsed by ParseSubject — confirm).
	Subject string
	// DNSName is the DNS name for the leaf certificate.
	DNSName string
	// CertFile is presumably the path the certificate is written to by GenerateTLSKeyCertPairToFiles — confirm.
	CertFile string
	// KeyFile is presumably the path the private key is written to — confirm. It holds secret material;
	// restrict its permissions.
	KeyFile string
}
func DefaultPKIOptions ¶
func DefaultPKIOptions() *PKIOptions