Skip to main content
Version: 1.11

Cryptographic capabilities

Because of Wasm constraints at the time of writing, some cryptographic libraries cannot be compiled to Wasm. In the meantime, Kubewarden policies needing those libraries can perform callbacks to evaluate the cryptographic functions on the host side. They receive the result, and continue with their tasks.

WaPC protocol contract​

If you are implementing your own language SDK, these are the functions performing cryptographic checks exposed by the host:

waPC function name Input payload Output payload

v1/is_certificate_trusted

# Certificate:
{
  # **mandatory**: Which encoding is used by the certificate
  # Either the string "Pem" or "Der".
  "encoding": string,
  # Actual certificate
  # The certificate is UTF-8 encoded.
  # It's an array of bytes of the unicode code pointers of a PEM/DER encoded
  # certificate string.
  "data": [byte(int), ..., byte(int)]
}

{
  # **mandatory**: PEM-encoded certificate to verify
  "cert": Certificate,
  # optional:
  "cert_chain": [
      # list of certs, ordered by trust
      # usage (intermediates first, root last)
      # If empty or missing, certificate is assumed
      # trusted
      Certificate,
      ...
      Certificate,
    ],
  # RFC 3339 time format string, to check expiration
  # against.
  # If missing, certificate is assumed never expired
  "not_after": string
}
{
   # true if certificate verified:
   "trusted": boolean,
   # empty if trusted == true:
   "reason": string
}