const (
	// Default root directory for certificate material. It deliberately does not include
	// the env (dev/prod) path segment; when the user customizes the cert dir there is
	// likewise no env segment in that path (for example /etc/certs).
	// NOTE(review): "./configs/certs" is relative to the process working directory — confirm
	// that callers resolve it against the intended base.
	DefCertRootDir   string = "./configs/certs"
	DefServerCertDir string = "server" // directory name only, not a full path; relative to DefCertRootDir
	DefClientCertDir string = "client" // directory name only, not a full path; relative to DefCertRootDir

	// Default certificate usage strings for the client and server profiles.
	DefClientCertUsage string = "client auth"
	DefServerCertUsage string = "server auth"

	// Profile names for the client and server certificate profiles.
	PROF_NAME_CLIENT string = "client"
	PROF_NAME_SERVER string = "server"

	DefRootCaFileName   string        = "ca"              // base name of the root CA files: ca.pem, ca.key
	DefCaCN             string        = "SDP Inc"         // default common name of the root CA
	// Default validity periods: 43800h = 5 years (5 * 365 * 24).
	// NOTE(review): a 5-year default for the CA, server and client certificates is long;
	// confirm whether a shorter leaf-certificate lifetime with rotation is wanted for the deployment.
	DefCaExpiry         time.Duration = 43800 * time.Hour // 5 years
	DefServerCertExpiry time.Duration = 43800 * time.Hour // 5 years
	DefCertExpiry       time.Duration = 43800 * time.Hour // 5 years
	DefClientCertExpiry time.Duration = DefCertExpiry     // 5 years, same as DefCertExpiry
)
const (
	// Certificate status values in string form.
	CERT_STATUS_GOOD    string = "good"    // certificate is valid / not revoked
	CERT_STATUS_REVOKED string = "revoked" // certificate has been revoked
)
const (
	// CertPemPathPrefix is the prefix that marks a value as a file path rather than inline content.
	// Presumably it distinguishes a PEM file path from PEM bytes in the certPathOrPem arguments of
	// GetCertPemPathWithPrefix, IsCertPemPathWithPrefix and ReadCertFile — confirm against those bodies.
	CertPemPathPrefix string = "path:"
)


Functions

func GenerateCertKey

func GenerateCertKey(parentCertPem []byte, parentKeyPem []byte, subject *pkix.Name, serial *string) (cert *pem.Block, key *pem.Block)

func GenerateCertKeyBytes

func GenerateCertKeyBytes(parentCertPem []byte, parentKeyPem []byte, subject *pkix.Name, serial *string) (cert []byte, key []byte)

func GenerateCertKeyFiles

func GenerateCertKeyFiles(parentCertPem []byte, parentKeyPem []byte, subject *pkix.Name, serial *string)

func GetCertDir

func GetCertDir(certRootDir string) string

customized: if no cert root dir is configured, the result is the default root plus env; if one is configured, env is not appended.

func GetCertPemPathWithPrefix

func GetCertPemPathWithPrefix(certPathOrPem string) string

func GetClientCertDir

func GetClientCertDir(certRootDir string) string

may be customized

func GetDefCertDir

func GetDefCertDir() string

func GetDefCertDirByEnv

func GetDefCertDirByEnv(envStr string) string

func GetServerCertDir

func GetServerCertDir(certRootDir string) string

may be customized

func IsCertPemPathWithPrefix

func IsCertPemPathWithPrefix(certPathOrPem string) bool

func JoinPath

func JoinPath(dir string, file string) string

func LoadTLSCertFromFile

func LoadTLSCertFromFile(serverPemPath string, serverCertKeyPath string) (*tls.Certificate, error)

Loads the server's private key and certificate.

func LoadTLSCfg

func LoadTLSCfg(caPath string, clientCertPath string, clientCertKeyPath string) (*tls.Config, error)

func LoadTLSCfgFromBytes

func LoadTLSCfgFromBytes(caCert []byte, clientCertPem []byte, clientCertKey []byte) (*tls.Config, error)

func PemToCertificate

func PemToCertificate(pemBytes []byte) (cert *x509.Certificate)

func PemToPrivKey

func PemToPrivKey(pemBytes []byte) (key *rsa.PrivateKey)

func ReadCertFile

func ReadCertFile(certPathOrPem string) ([]byte, error)

func RequiresClientCertValid

func RequiresClientCertValid(tlsCfg *tls.Config) bool

func Sign

func Sign(privateKey []byte, payload string) string

func Verify

func Verify(certificate []byte, payload, sig string) error

Types

type CaCertOpts

// CaCertOpts holds the configuration of the root CA certificate (yaml section "ca" in GlobalCertOpts).
type CaCertOpts struct {
	CaExpiry   string `yaml:"expiry"`   // validity period, such as 365d, for the server root CA
	CaCN       string `yaml:"cn"`       // common name; default is "SDP Inc" (DefCaCN)
	CaFileName string `yaml:"fileName"` // base file name; default is ca (ca.pem/ca.key)
}

func (*CaCertOpts) GetCaCN

func (c *CaCertOpts) GetCaCN() string

func (*CaCertOpts) GetCaExpiry

func (c *CaCertOpts) GetCaExpiry() time.Duration

func (*CaCertOpts) GetRootCaFilename

func (c *CaCertOpts) GetRootCaFilename() string

type CertOpts

// CertOpts holds the configuration of a leaf certificate (yaml section "server" in GlobalCertOpts).
// The AUTH_TYPE_* and CERT_TYPE_* names below are given for reference only; they are not exported
// constants of this package as listed above.
type CertOpts struct {
	// Trust the client anyway; the agent sends its info together with its id.
	// NOTE(review): this accepts the client's self-reported id without verification —
	// not suitable where the client cannot be trusted.
	// AUTH_TYPE_NONE uint8 = 0
	// Send (agentId + apiKey) to identify the agent; agentId can be taken from the agent's config.yaml.
	// Usable when not doing mTLS; the server still has to verify the client.
	// AUTH_TYPE_API_KEY uint8 = 1
	// The cn identifies the agent; passing cn verification is enough.
	// AUTH_TYPE_CN uint8 = 2
	// Verify both: even if the cn is unique to one agent, the api-key check must also be done (two-factor).
	// AUTH_TYPE_CN_API_KEY uint8 = 3
	AuthType uint8 `yaml:"authType"` // how the client (agent) is authenticated; see the values above
	// KNOWN cert type, such as "test.com", "abc".
	// !!!! cn is NOT unique in the database table.
	// CERT_TYPE_NONE uint8 = 0
	// Such as "pop.test.com".
	// !!!! cn is NOT unique in the database table.
	// CERT_TYPE_CN_ONLY_TYPE uint8 = 1
	// Domain format, such as "agentId.test.com", "agentId.xxx".
	// test.com can be any format, as long as it can be recognized as the fixed format;
	// the part before the first dot is the id, so no database lookup is needed, but the type is unknown.
	// !!!! cn is unique in the database table.
	// CERT_TYPE_CN uint8 = 2
	// Such as "agentId.typeX.test.com", "agentId.typeX.xxx".
	// Both id and type can be taken from this cn without a database lookup, e.g. 123.pop.test.com.
	// !!!! cn is unique in the database table.
	// CERT_TYPE_CN_WITH_TYPE uint8 = 3
	// The cn is the agentId itself, such as "12345" (a cn may be a plain string or in domain form).
	// The type is unknown here, but the server side can get the cert detail from the database.
	// !!!! cn is unique in the database table.
	// CERT_TYPE_CN_IS_ID uint8 = 4
	// NOTE(review): for the types marked NOT unique, the cn alone presumably cannot identify a
	// single agent; confirm that those types are paired with an AuthType that checks the api key.
	CertType   uint8  `yaml:"certType"`   // how the cn encodes the agent identity; see the values above
	CertSuffix string `yaml:"certSuffix"` // cn suffix, such as sdp.com
	CertExpiry string `yaml:"certExpiry"` // validity period, such as 365d
	CertHosts  string `yaml:"certHosts"`  // for server cert, used for SANs, comma-separated, such as: a.com,1.1.1.1
}

func (*CertOpts) GetAuthType

func (c *CertOpts) GetAuthType() uint8

func (*CertOpts) GetCertExpiry

func (c *CertOpts) GetCertExpiry(def *time.Duration) time.Duration

func (*CertOpts) GetCertHosts

func (c *CertOpts) GetCertHosts() []string

type GlobalCertOpts

// GlobalCertOpts is the top-level certificate configuration: root CA options under the yaml
// key "ca" and server certificate options under "server".
type GlobalCertOpts struct {
	CaOpts     CaCertOpts `yaml:"ca"`     // root CA settings
	ServerOpts CertOpts   `yaml:"server"` // server certificate settings
}

Directories

Path Synopsis
cfssl
ca
