package
25.1.0+incompatible
Repository: https://github.com/cockroachdb/cockroach.git
Documentation: pkg.go.dev
# Packages
Package certnames contains the predefined locations for the various TLS certificates and keys used by CockroachDB.
Package clientsecopts defines the rules to attach TLS authentication options to a client connection URL.
Package pprompt provides a facility to prompt a user for a password securely (i.e.
Package securitytest embeds the TLS test certificates.
# Functions
AppendCertificatesToBlob adds the passed PEM encoded certificates to the existing byte slice containing PEM encoded certificates, ensuring that there is a newline separating the original byte slice and each subsequent certificate byte slices.
CertificateUserScopeContainsFunc returns true if the given function returns true for any of the scopes in the client certificate.
CertInfoFromFilename takes a filename and attempts to determine the certificate usage (ca, node, etc.).
CheckCertDNMatchesRootDNorNodeDN returns `rootOrNodeDNSet`, which reports whether rootDN or nodeDN is currently set via its respective *-cert-distinguished-name CLI flag.
ClusterTLSSettings creates a TLSSettings backed by the given cluster settings.
Contains returns true if the specified string is present in the given slice.
CreateCAPair creates a general CA certificate and associated key.
CreateClientCAPair creates a client CA certificate and associated key.
CreateClientPair creates a client key and certificate.
CreateNodePair creates a node key and certificate.
CreateTenantCAPair creates a tenant client CA pair.
CreateTenantPair creates a key and certificate for use as client certs when communicating with the KV layer.
CreateTenantSigningPair creates a tenant signing pair.
CreateUICAPair creates a UI CA certificate and associated key.
CreateUIPair creates a UI certificate and key using the UI CA.
ExtKeyUsageToString converts a x509.ExtKeyUsage to a string, returning "unknown" if the list is not up-to-date.
FormatUserScopes formats a list of scopes in a human-readable way, suitable for e.g.
ForTenant is an option to NewCertificateManager which ties the manager to the provided tenant.
GenerateCA generates a CA certificate and signs it using the signer (a private key).
GenerateClientCert generates a client certificate and returns the cert bytes.
GenerateJoinToken generates a new join token, and signs it with the CA cert in the certificate manager.
GenerateServerCert generates a server certificate and returns the cert bytes.
GenerateTenantCert generates a tenant client certificate and returns the cert bytes.
GenerateTenantSigningCert generates a signing certificate and returns the cert bytes.
GenerateUIServerCert generates a server certificate for the Admin UI and returns the cert bytes.
GetCertificateUserScope extracts the certificate scopes from a client certificate.
GetConfiguredPasswordCost returns the configured hashing cost for the given method.
GetConfiguredPasswordHashMethod returns the configured hash method to use before storing passwords provided in cleartext from clients.
GetExpensiveHashComputeSem retrieves the hashing semaphore.
GetExpensiveHashComputeSemWithGauge retrieves the hashing semaphore and will make the callback update a gauge to track the number of goroutines waiting for the semaphore.
IsTenantCertificate returns true if the passed certificate indicates an inbound Tenant connection.
KeyUsageToString returns the list of key usages described by the bitmask.
MakeTenantNameURISANs constructs the tenant name SAN URI for the client certificate.
MakeTenantURISANs constructs the tenant SAN URI for the client certificate.
NewCertificateLoader creates a new instance of the certificate loader.
NewCertificateManager creates a new certificate manager.
NewCertificateManagerFirstRun creates a new certificate manager.
NewClientCertExpirationCache creates a new client cert expiration cache.
NewErrPasswordUserAuthFailed constructs an error that represents failed password authentication for a user.
OldCipherSuites returns a list of "old" cipher suites for TLS v1.2, which adds back all ciphers from v22.1.
PEMContentsToX509 takes raw pem-encoded contents and attempts to parse into x509.Certificate objects.
PEMToCertificates parses multiple certificate PEM blocks and returns them.
PEMToPrivateKey parses a PEM block and returns the private key.
PrivateKeyToPEM generates a PEM block from a private key.
PrivateKeyToPKCS8 encodes a private key into PKCS#8.
RecommendedCipherSuites returns a list of enabled TLS 1.2 cipher suites.
SafeWriteToFile writes the passed-in bytes to a file.
SetCertPrincipalMap sets the global principal map.
UserAuthCertHook builds an authentication hook based on the security mode and client certificate.
UserAuthPasswordHook builds an authentication hook based on the security mode, password, and its potentially matching hash.
ValidateUserScope returns true if the user is a valid user for the tenant based on the certificate user scope.
WithTimeSource allows the caller to pass a time source to be used by the Metrics struct (mostly for testing).
WritePEMToFile writes an arbitrary number of PEM blocks to a file.
WriteTenantPair writes a TenantPair into certsDir.
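The newline rule behind AppendCertificatesToBlob and the multi-block parsing behind PEMContentsToX509 (listed above), shown as an added example in standard-library Go. This is not the CockroachDB package's code: the function names mirror the index entries, but the bodies, the self-signed throwaway certificates and the commonNames helper are this example's own. It also shows the failure mode the newline rule prevents: when a bundle saved without a trailing newline is concatenated naively, the END line of one block and the BEGIN line of the next share a line and encoding/pem decodes nothing.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// appendCertificatesToBlob appends PEM-encoded certificates to an existing PEM
// blob, inserting a newline before each appended certificate whenever the
// accumulated bytes do not already end with one.
func appendCertificatesToBlob(blob []byte, certs ...[]byte) []byte {
	out := append([]byte(nil), blob...)
	for _, c := range certs {
		if len(out) > 0 && out[len(out)-1] != '\n' {
			out = append(out, '\n')
		}
		out = append(out, c...)
	}
	return out
}

// pemContentsToX509 decodes every PEM block in contents and parses each as an
// X.509 certificate. A non-CERTIFICATE block is an error, and so is an input
// that yields no certificates at all.
func pemContentsToX509(contents []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	rest := contents
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("unexpected PEM block type %q", block.Type)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, cert)
	}
	if len(certs) == 0 {
		return nil, errors.New("no certificates found in PEM contents")
	}
	return certs, nil
}

// selfSignedCertPEM generates a throwaway self-signed certificate with the
// given common name. Constructed test input for this example, not a real CA.
func selfSignedCertPEM(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// commonNames parses a PEM bundle and returns the subject common names it
// contains, in order.
func commonNames(bundle []byte) ([]string, error) {
	certs, err := pemContentsToX509(bundle)
	if err != nil {
		return nil, err
	}
	names := make([]string, 0, len(certs))
	for _, c := range certs {
		names = append(names, c.Subject.CommonName)
	}
	return names, nil
}

func main() {
	ca, _ := selfSignedCertPEM("example-ca")
	extra, _ := selfSignedCertPEM("example-node")
	// Simulate a ca.crt that was saved without a trailing newline.
	truncated := bytes.TrimRight(ca, "\n")

	naive := append(append([]byte(nil), truncated...), extra...)
	fmt.Println(commonNames(naive)) // error: END and BEGIN share a line, nothing decodes

	fixed := appendCertificatesToBlob(truncated, extra)
	fmt.Println(commonNames(fixed)) // [example-ca example-node] <nil>
}
```

The same newline check is worth applying before writing any bundle to disk, since a cert file missing its final newline is exactly what an operator produces by hand-editing it.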
# Constants
BcryptCostSettingName is the name of the cluster setting BcryptCost.
CacheCapacityMax is set arbitrarily high; configurable later if needed.
CAPem describes the main CA certificate.
ClientCAPem describes the CA certificate used to verify client certificates.
All cluster settings necessary for TLS client certificate authentication.
ClientPem describes a client certificate.
JoinTokenExpiration is the default expiration time of newly created join tokens.
NodePem describes the server certificate for the node, possibly a combined server/client certificate for user Node if a separate 'client.node.crt' is not present.
OldCipherSuitesEnabledEnv is the environment variable used to reenable use of old cipher suites for backwards compatibility with applications that do not support any of the recommended cipher suites.
SCRAMCostSettingName is the name of the cluster setting SCRAMCost.
TenantCAPem describes the CA certificate used to broker authN/Z for SQL tenants wishing to access the KV layer.
TenantPem describes a SQL tenant client certificate.
TenantSigningPem describes a SQL tenant signing certificate.
TenantsOU is the OrganizationalUnit that determines a client certificate should be treated as a tenant client certificate (as opposed to a KV node client certificate).
UICAPem describes the CA certificate used to verify the Admin UI server certificate.
UIPem describes the server certificate for the admin UI.
# Variables
AutoDetectPasswordHashes is the cluster setting that configures whether the server recognizes pre-hashed passwords.
AutoDowngradePasswordHashes is the cluster setting that configures whether stored passwords encoded with scram-sha-256 are automatically re-encoded with crdb-bcrypt.
AutoRehashOnSCRAMCostChange is the cluster setting that configures whether stored passwords encoded with scram-sha-256 are automatically re-encoded when the default SCRAM cost changes.
AutoUpgradePasswordHashes is the cluster setting that configures whether stored passwords encoded with crdb-bcrypt are automatically re-encoded with scram-sha-256.
BcryptCost is the cost to use when hashing passwords.
ClientCertExpirationCacheCapacity is the cluster setting that controls the maximum number of client cert expirations in the cache.
ClientCertSubjectRequired is the cluster setting that requires a role subject to be set, either through the subject role option or through the root-cert-distinguished-name and node-cert-distinguished-name flags.
ErrCertManagement is a marker error for errors produced in this package that can be identified with errors.Is().
ErrEmptyPassword indicates that an empty password was attempted to be set.
ErrPasswordTooShort indicates that a client provided a password that was too short according to policy.
ErrUnknownHashMethod is returned by LoadPasswordHash if the hash encoding method is not supported.
MinPasswordLength is the cluster setting that configures the minimum SQL password length.
PasswordHashMethod is the cluster setting that configures which hash method to use when clients request to store a cleartext password.
SCRAMCost is the cost to use in SCRAM exchanges.
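An added example, in standard-library Go, of the re-encoding policy these settings describe: the hash method for newly stored passwords, the SCRAM cost, and the automatic upgrade, downgrade and rehash switches. This is an illustration, not the package's own code: the hashPolicy type, the reencodeAction helper and the stored-credential prefixes it recognizes are assumptions made for the example. The one caveat the settings alone do not spell out is that re-encoding is only possible on a login where the server actually holds the cleartext password; a SCRAM exchange never exposes it, so the function does nothing in that case regardless of the switches.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Names of the two password hash methods the settings above switch between.
const (
	MethodBcrypt = "crdb-bcrypt"
	MethodSCRAM  = "scram-sha-256"
)

// hashPolicy bundles the settings this example consults. The field names are
// this example's own, not the cluster setting names.
type hashPolicy struct {
	Method           string // PasswordHashMethod: method for newly stored cleartext passwords
	SCRAMCost        int    // SCRAMCost: iteration count for new SCRAM credentials
	AutoUpgrade      bool   // AutoUpgradePasswordHashes: crdb-bcrypt -> scram-sha-256
	AutoDowngrade    bool   // AutoDowngradePasswordHashes: scram-sha-256 -> crdb-bcrypt
	AutoRehashOnCost bool   // AutoRehashOnSCRAMCostChange
}

// errUnknownHashMethod plays the role of ErrUnknownHashMethod for encodings
// this example does not recognize.
var errUnknownHashMethod = errors.New("unknown password hash method")

// storedHash is the result of inspecting a stored credential: its method and,
// for SCRAM, the iteration count baked into it.
type storedHash struct {
	Method string
	Cost   int
}

// parseStoredHash classifies a stored hash by its prefix. ASSUMPTION: bcrypt
// hashes carry a "CRDB-BCRYPT" prefix and SCRAM credentials look like
// "SCRAM-SHA-256$<iterations>:<salt>$<storedkey>:<serverkey>". These are the
// encodings this example uses, not a statement about the project's format.
func parseStoredHash(s string) (storedHash, error) {
	switch {
	case strings.HasPrefix(s, "CRDB-BCRYPT"):
		return storedHash{Method: MethodBcrypt}, nil
	case strings.HasPrefix(s, "SCRAM-SHA-256$"):
		iters, _, ok := strings.Cut(strings.TrimPrefix(s, "SCRAM-SHA-256$"), ":")
		if !ok {
			return storedHash{}, errors.New("malformed scram-sha-256 credential")
		}
		n, err := strconv.Atoi(iters)
		if err != nil || n <= 0 {
			return storedHash{}, fmt.Errorf("bad scram-sha-256 iteration count %q", iters)
		}
		return storedHash{Method: MethodSCRAM, Cost: n}, nil
	}
	return storedHash{}, errUnknownHashMethod
}

// reencodeAction decides what to do with a user's stored hash after a
// successful login. haveCleartext is true only when the client sent the
// password in cleartext (over TLS); a SCRAM exchange never reveals it, so no
// re-encoding is possible then, whatever the settings say.
func reencodeAction(p hashPolicy, stored string, haveCleartext bool) (string, error) {
	h, err := parseStoredHash(stored)
	if err != nil {
		return "", err
	}
	if !haveCleartext {
		return "keep", nil
	}
	switch {
	case h.Method == MethodBcrypt && p.Method == MethodSCRAM && p.AutoUpgrade:
		return "upgrade to scram-sha-256", nil
	case h.Method == MethodSCRAM && p.Method == MethodBcrypt && p.AutoDowngrade:
		return "downgrade to crdb-bcrypt", nil
	case h.Method == MethodSCRAM && p.Method == MethodSCRAM && p.AutoRehashOnCost && h.Cost != p.SCRAMCost:
		return fmt.Sprintf("rehash scram-sha-256 at cost %d", p.SCRAMCost), nil
	}
	return "keep", nil
}

func main() {
	p := hashPolicy{Method: MethodSCRAM, SCRAMCost: 10610, AutoUpgrade: true, AutoRehashOnCost: true}
	// Constructed sample credentials; salts and keys are placeholders.
	for _, stored := range []string{
		"CRDB-BCRYPT$2a$10$placeholderbcryptdigest",
		"SCRAM-SHA-256$4096:c2FsdA==$c3RvcmVk:c2VydmVy",
		"SCRAM-SHA-256$10610:c2FsdA==$c3RvcmVk:c2VydmVy",
		"md5notsupported",
	} {
		action, err := reencodeAction(p, stored, true)
		fmt.Printf("%-48s -> %s %v\n", stored, action, err)
	}
}
```

Whatever the decision, the actual rehash is the expensive step that the hashing semaphore listed under GetExpensiveHashComputeSem exists to bound; the policy function itself is cheap and can be evaluated on every login.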
# Structs
CertificateLoader searches for certificates and keys in the certs directory.
CertificateManager lives for the duration of the process and manages certificates and keys.
CertificateUserScope indicates the scope of a user certificate i.e.
CertInfo describe a certificate file and optional key file.
ClientCertExpirationCache contains a cache of gauge objects keyed by SQL username strings.
CommandTLSSettings defines the TLS settings for command-line tools.
JoinToken is a container for a TokenID and associated SharedSecret for use in certificate-free add/join operations.
Metrics is a metric.Struct for certificates.
PasswordUserAuthError indicates that an error was encountered during the initial set-up of a SQL connection.
TenantPair are client certs for use with multi-tenancy.
# Interfaces
TLSSettings allows for customization of TLS behavior.
# Type aliases
Option is an option to NewCertificateManager.
PemUsage indicates the purpose of a given certificate.
UserAuthHook authenticates a user based on their username and whether their connection originates from a client or another node in the cluster.