ca

package
v0.0.1-rc.2

This package is not in the latest version of its module.
Published: Nov 3, 2018 License: Apache-2.0 Imports: 37 Imported by: 3

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Certificate

func Certificate(sign *api.SignResponse) (*x509.Certificate, error)

Certificate returns the server or client certificate from the sign response.

func CreateSignRequest

func CreateSignRequest(ott string) (*api.SignRequest, crypto.PrivateKey, error)

CreateSignRequest is a helper function that, given an x509 OTT (one-time token), returns a simple but secure sign request along with the private key used to build it.

func IntermediateCertificate

func IntermediateCertificate(sign *api.SignResponse) (*x509.Certificate, error)

IntermediateCertificate returns the CA intermediate certificate from the sign response.

func RootCertificate

func RootCertificate(sign *api.SignResponse) (*x509.Certificate, error)

RootCertificate returns the root certificate from the sign response.

func StopReloaderHandler

func StopReloaderHandler(servers ...StopReloader)

StopReloaderHandler watches for SIGINT, SIGTERM and SIGHUP on behalf of a list of servers implementing the StopReloader interface; when one of those signals is caught it runs Stop (SIGINT, SIGTERM) or Reload (SIGHUP) on all of them.

func TLSCertificate

func TLSCertificate(sign *api.SignResponse, pk crypto.PrivateKey) (*tls.Certificate, error)

TLSCertificate creates a new TLS certificate from the sign response and the private key used.

func WithRenewBefore

func WithRenewBefore(b time.Duration) func(r *TLSRenewer) error

WithRenewBefore modifies a TLSRenewer by setting the renewBefore attribute, the lead time before expiry at which renewal is triggered.

func WithRenewJitter

func WithRenewJitter(j time.Duration) func(r *TLSRenewer) error

WithRenewJitter modifies a TLSRenewer by setting the renewJitter attribute, a random spread applied to the renewal time.

Types

type CA

type CA struct {
	// contains filtered or unexported fields
}

CA is the type used to build the complete certificate authority. It builds the HTTP server and sets up the middleware and the HTTP handlers.

func New

func New(config *authority.Config, opts ...Option) (*CA, error)

New creates and initializes the CA with the given configuration and options.

func (*CA) Init

func (ca *CA) Init(config *authority.Config) (*CA, error)

Init initializes the CA with the given configuration.

func (*CA) Reload

func (ca *CA) Reload() error

Reload reloads the configuration of the CA and calls the server's Reload method.

func (*CA) Run

func (ca *CA) Run() error

Run starts the CA by calling the server's ListenAndServe method.

func (*CA) Stop

func (ca *CA) Stop() error

Stop stops the CA by calling the server's Shutdown method.

type Client

type Client struct {
	// contains filtered or unexported fields
}

Client implements an HTTP client for the CA server.

func NewClient

func NewClient(endpoint string, opts ...ClientOption) (*Client, error)

NewClient creates a new Client with the given endpoint and options.

func (*Client) GetClientTLSConfig

func (c *Client) GetClientTLSConfig(ctx context.Context, sign *api.SignResponse, pk crypto.PrivateKey) (*tls.Config, error)

GetClientTLSConfig returns a tls.Config for client use configured with the certificate from the sign response, and a new certificate pool containing the root certificate from the sign response. The certificate is rotated automatically before it expires.

func (*Client) GetServerTLSConfig

func (c *Client) GetServerTLSConfig(ctx context.Context, sign *api.SignResponse, pk crypto.PrivateKey) (*tls.Config, error)

GetServerTLSConfig returns a tls.Config for server use configured with the certificate from the sign response, and a new certificate pool containing the root certificate from the sign response. The certificate is rotated automatically before it expires.

func (*Client) Health

func (c *Client) Health() (*api.HealthResponse, error)

Health performs the health request to the CA and returns the api.HealthResponse struct.

func (*Client) ProvisionerKey

func (c *Client) ProvisionerKey(kid string) (*api.ProvisionerKeyResponse, error)

ProvisionerKey performs the request to the CA to get the encrypted key for the provisioner with the given key ID (kid) and returns the api.ProvisionerKeyResponse struct containing the encrypted key.

func (*Client) Provisioners

func (c *Client) Provisioners(opts ...ProvisionerOption) (*api.ProvisionersResponse, error)

Provisioners performs the provisioners request to the CA and returns the api.ProvisionersResponse struct with a map of provisioners.

The ProvisionerOptions WithProvisionerCursor and WithProvisionerLimit can be used to paginate the provisioners.

func (*Client) Renew

func (c *Client) Renew(tr http.RoundTripper) (*api.SignResponse, error)

Renew performs the renew request to the CA and returns the api.SignResponse struct.

func (*Client) Root

func (c *Client) Root(sha256Sum string) (*api.RootResponse, error)

Root performs the root request to the CA with the given SHA256 sum and returns the api.RootResponse struct. It uses an insecure client (the TLS connection is not verified against any trust store), but it checks the SHA256 fingerprint of the resulting root certificate against the given sum, returning an error if they do not match.

func (*Client) Sign

func (c *Client) Sign(req *api.SignRequest) (*api.SignResponse, error)

Sign performs the sign request to the CA and returns the api.SignResponse struct.

func (*Client) Transport

func (c *Client) Transport(ctx context.Context, sign *api.SignResponse, pk crypto.PrivateKey) (*http.Transport, error)

Transport returns an http.Transport configured to use the client certificate from the sign response.

type ClientOption

type ClientOption func(o *clientOptions) error

ClientOption is the type of options passed to the Client constructor.

func WithRootFile

func WithRootFile(filename string) ClientOption

WithRootFile will create the transport using the given root certificate file. If a root file is given it takes precedence over WithRootSHA256, but not over WithTransport.

func WithRootSHA256

func WithRootSHA256(sum string) ClientOption

WithRootSHA256 will create the transport using an insecure client to retrieve the root certificate, which is then checked against the given SHA256 sum. It has lower precedence than WithTransport and WithRootFile.
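The fingerprint check that Root and WithRootSHA256 rely on, shown as an added stand-alone example (this is illustrative code, not the ca package's implementation): a root certificate fetched over an unverified connection is accepted only if the SHA256 of its DER bytes equals a value obtained out of band. The function names VerifyRootFingerprint and NewTestRoot are assumptions, and NewTestRoot builds a constructed self-signed root solely to exercise the check.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// VerifyRootFingerprint parses a DER-encoded root certificate retrieved over an
// unverified connection and accepts it only if the SHA256 of its DER bytes matches
// the expected fingerprint (hex, case-insensitive, colons optional). Trust is thus
// bound to an out-of-band value rather than to the transport that delivered it.
func VerifyRootFingerprint(der []byte, expectedHex string) (*x509.Certificate, error) {
	want, err := hex.DecodeString(strings.ReplaceAll(strings.ToLower(expectedHex), ":", ""))
	if err != nil || len(want) != sha256.Size {
		return nil, fmt.Errorf("expected fingerprint is not a valid SHA256 hex string")
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, fmt.Errorf("parsing root certificate: %w", err)
	}
	// cert.Raw is the exact DER that was parsed, so the digest covers what was received.
	if got := sha256.Sum256(cert.Raw); !bytes.Equal(got[:], want) {
		return nil, fmt.Errorf("root fingerprint mismatch: got %x", got[:])
	}
	return cert, nil
}

// NewTestRoot returns the DER of a constructed self-signed root (test data only).
func NewTestRoot() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}
```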

func WithTransport

func WithTransport(tr http.RoundTripper) ClientOption

WithTransport adds a custom transport to the Client. If a transport is given it takes precedence over WithRootFile and WithRootSHA256.

type Option

type Option func(o *options)

Option is the type of options passed to the CA constructor.

func WithConfigFile

func WithConfigFile(name string) Option

WithConfigFile sets the given name as the configuration file name in the CA options.

func WithPassword

func WithPassword(password []byte) Option

WithPassword sets the given password as the configured password in the CA options.

type ProvisionerOption

type ProvisionerOption func(o *provisionerOptions) error

ProvisionerOption is the type of options passed to the Provisioners method.

func WithProvisionerCursor

func WithProvisionerCursor(cursor string) ProvisionerOption

WithProvisionerCursor will request the provisioners starting with the given cursor.

func WithProvisionerLimit

func WithProvisionerLimit(limit int) ProvisionerOption

WithProvisionerLimit will request the given number of provisioners.

type RenewFunc

type RenewFunc func() (*tls.Certificate, error)

RenewFunc defines the type of the functions used to get a new TLS certificate.

type StopReloader

type StopReloader interface {
	Stop() error
	Reload() error
}

StopReloader is the interface that external commands can implement so that the server can be stopped and its configuration reloaded while running.

type TLSRenewer

type TLSRenewer struct {
	sync.RWMutex
	RenewCertificate RenewFunc
	// contains filtered or unexported fields
}

TLSRenewer automatically renews a TLS certificate using a given function.

func NewTLSRenewer

func NewTLSRenewer(cert *tls.Certificate, fn RenewFunc, opts ...tlsRenewerOptions) (*TLSRenewer, error)

NewTLSRenewer creates a TLSRenewer for the given cert. It will use the given function to get a new certificate when required.

func (*TLSRenewer) GetCertificate

func (r *TLSRenewer) GetCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error)

GetCertificate returns the current server certificate.

This method is intended to be set as the tls.Config GetCertificate callback.

func (*TLSRenewer) GetClientCertificate

func (r *TLSRenewer) GetClientCertificate(*tls.CertificateRequestInfo) (*tls.Certificate, error)

GetClientCertificate returns the current client certificate.

This method is intended to be set as the tls.Config GetClientCertificate callback.

func (*TLSRenewer) Run

func (r *TLSRenewer) Run()

Run starts the certificate renewer for the given certificate.

func (*TLSRenewer) RunContext

func (r *TLSRenewer) RunContext(ctx context.Context)

RunContext starts the certificate renewer for the given certificate.

func (*TLSRenewer) Stop

func (r *TLSRenewer) Stop() bool

Stop prevents the renew timer from firing.
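The two ideas behind TLSRenewer, WithRenewBefore and WithRenewJitter, sketched as an added stand-alone example that is not the ca package's code: a renewal is scheduled renewBefore ahead of expiry and pulled earlier by a random jitter, and the current certificate is handed to tls.Config callbacks under a read lock while a renewal swaps it under the write lock. RenewDelay, Renewer and the injected rnd function are assumptions made here so the schedule is deterministic and testable.

```go
package main

import (
	"crypto/tls"
	"sync"
	"time"
)

// RenewDelay computes how long to wait before renewing a certificate expiring at
// notAfter: renewBefore ahead of expiry, minus a random amount in [0, jitter) so a
// fleet issued at the same instant does not hit the CA at once. A certificate
// already inside the window (or expired) is renewed immediately.
func RenewDelay(notAfter, now time.Time, renewBefore, jitter time.Duration,
	rnd func(time.Duration) time.Duration) time.Duration {
	d := notAfter.Sub(now) - renewBefore
	if jitter > 0 && rnd != nil {
		d -= rnd(jitter)
	}
	if d < 0 {
		return 0
	}
	return d
}

// Renewer models the serving side of a TLSRenewer (illustrative sketch): the current
// certificate sits behind an RWMutex; handshakes read it, renewals replace it.
type Renewer struct {
	mu               sync.RWMutex
	cert             *tls.Certificate
	RenewCertificate func() (*tls.Certificate, error) // plays the role of RenewFunc
}

// Renew swaps in a fresh certificate; on error the old one keeps being served.
func (r *Renewer) Renew() error {
	c, err := r.RenewCertificate()
	if err != nil {
		return err
	}
	r.mu.Lock()
	r.cert = c
	r.mu.Unlock()
	return nil
}

// GetCertificate is the tls.Config.GetCertificate callback.
func (r *Renewer) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	r.mu.RLock()
	defer r.mu.RUnlock()
	return r.cert, nil
}
```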
