Documentation
¶
Overview ¶
Package bifrost provides simple Public Key Infrastructure (PKI) services.
Bifrost identifies clients by their private keys. Keys are deterministically mapped to UUIDs by hashing them with the namespace UUID. The same key maps to different UUIDs in different namespaces. Clients can request certificates for their UUIDs. The certificates are signed by a root CA.
Index ¶
- Constants
- Variables
- func HTTPClient(clientCert tls.Certificate, roots *x509.CertPool, ssllog io.Writer) *http.Client
- func MarshalECPrivateKey(p *PrivateKey) ([]byte, error)
- func MarshalPKCS8PrivateKey(p *PrivateKey) ([]byte, error)
- func MarshalPKIXPublicKey(p *PublicKey) ([]byte, error)
- func Template(ns uuid.UUID, key *PublicKey) *x509.CertificateRequest
- func UUID(ns uuid.UUID, pubkey *PublicKey) uuid.UUID
- func X509ToTLSCertificate(cert *x509.Certificate, key *ecdsa.PrivateKey) *tls.Certificate
- type Certificate
- type CertificateRequest
- type PrivateKey
- func (p PrivateKey) MarshalDynamoDBAttributeValue() (types.AttributeValue, error)
- func (p PrivateKey) MarshalJSON() ([]byte, error)
- func (p PrivateKey) PublicKey() *PublicKey
- func (p PrivateKey) UUID(ns uuid.UUID) uuid.UUID
- func (p *PrivateKey) UnmarshalDynamoDBAttributeValue(av types.AttributeValue) error
- func (p *PrivateKey) UnmarshalJSON(data []byte) error
- func (p *PrivateKey) WithJSONMarshalPrivateKey() *PrivateKey
- type PublicKey
- func (p *PublicKey) Equal(other *PublicKey) bool
- func (p PublicKey) MarshalDynamoDBAttributeValue() (types.AttributeValue, error)
- func (p PublicKey) MarshalJSON() ([]byte, error)
- func (p PublicKey) UUID(ns uuid.UUID) uuid.UUID
- func (p *PublicKey) UnmarshalDynamoDBAttributeValue(av types.AttributeValue) error
- func (p *PublicKey) UnmarshalJSON(data []byte) error
Examples ¶
Constants ¶
const ( SignatureAlgorithm = x509.ECDSAWithSHA256 PublicKeyAlgorithm = x509.ECDSA )
Signature and Public Key Algorithms
Variables ¶
var ( ErrCertificateInvalid = errors.New("bifrost: certificate invalid") ErrCertificateRequestInvalid = errors.New("bifrost: certificate request invalid") ErrNamespaceMismatch = errors.New("bifrost: namespace mismatch") )
Certificate related errors.
var StatsForNerds = metrics.NewSet()
StatsForNerds captures metrics from various bifrost processes.
Functions ¶
func HTTPClient ¶ added in v0.0.6
HTTPClient returns a http.Client set up for TLS Client Authentication (mTLS). If roots is not nil, then only those Root CAs are used to authenticate server certs. If ssllog is not nil, the client will log TLS key material to it.
func MarshalECPrivateKey ¶ added in v1.16.0
func MarshalECPrivateKey(p *PrivateKey) ([]byte, error)
MarshalECPrivateKey converts an EC Private Key to SEC 1, ASN.1 DER form.
func MarshalPKCS8PrivateKey ¶ added in v1.16.0
func MarshalPKCS8PrivateKey(p *PrivateKey) ([]byte, error)
MarshalPKCS8PrivateKey converts a private key to PKCS #8, ASN.1 DER form.
func MarshalPKIXPublicKey ¶ added in v1.16.0
MarshalPKIXPublicKey marshals a public key to PKIX, ASN.1 DER form.
func Template ¶ added in v1.16.0
func Template(ns uuid.UUID, key *PublicKey) *x509.CertificateRequest
Template returns a bifrost certificate template for the given namespace and public key.
func UUID ¶
UUID returns a unique identifier derived from the namespace and the client's public key identity. The UUID is generated by SHA-1 hashing the namesapce UUID with the big endian bytes of the X and Y curve points from the public key.
func X509ToTLSCertificate ¶
func X509ToTLSCertificate(cert *x509.Certificate, key *ecdsa.PrivateKey) *tls.Certificate
X509ToTLSCertificate puts an x509.Certificate inside a tls.Certificate.
Types ¶
type Certificate ¶ added in v1.11.0
Certificate is a bifrost certificate. It embeds the x509 certificate and adds the bifrost ID, namespace, and public key.
func NewCertificate ¶ added in v1.16.0
func NewCertificate(cert *x509.Certificate) (*Certificate, error)
NewCertificate creates a bifrost certificate from an x509 certificate. It checks for the correct signature algorithm, identity namespace, and identity. On success, it sets the ID, Namespace, and PublicKey fields.
func ParseCertificate ¶
func ParseCertificate(asn1Data []byte) (*Certificate, error)
ParseCertificate parses a DER encoded certificate and validates it. On success, it returns the bifrost certificate.
func RequestCertificate ¶
func RequestCertificate( ctx context.Context, url string, ns uuid.UUID, key *PrivateKey, ) (*Certificate, error)
RequestCertificate sends a certificate request to url and returns the signed certificate.
Example ¶
exampleNS := uuid.MustParse("228b9676-998e-489a-8468-92d46a94a32d") ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second) defer cancel() // TODO: handle errors key, _ := NewPrivateKey() cert, _ := RequestCertificate(ctx, "https://bifrost-ca", exampleNS, key) fmt.Println(cert.Subject)
Output:
func (*Certificate) IssuedTo ¶ added in v1.16.0
func (c *Certificate) IssuedTo(key *PublicKey) bool
IssuedTo returns true if the certificate was issued to the given public key.
func (Certificate) ToTLSCertificate ¶ added in v1.11.0
func (c Certificate) ToTLSCertificate(key PrivateKey) (*tls.Certificate, error)
ToTLSCertificate returns a tls.Certificate from a bifrost certificate and private key.
type CertificateRequest ¶ added in v1.11.0
type CertificateRequest struct { *x509.CertificateRequest ID uuid.UUID Namespace uuid.UUID PublicKey *PublicKey }
CertificateRequest is a bifrost certificate request. It embeds the x509 certificate request and adds the bifrost ID, namespace, and public key.
func NewCertificateRequest ¶ added in v1.16.0
func NewCertificateRequest(cert *x509.CertificateRequest) (*CertificateRequest, error)
NewCertificateRequest creates a bifrost certificate request from an x509 certificate request. It checks for the correct signature algorithm, identity namespace, and identity. On success, it sets the ID, Namespace, and PublicKey fields.
func ParseCertificateRequest ¶ added in v1.5.2
func ParseCertificateRequest(asn1Data []byte) (*CertificateRequest, error)
ParseCertificateRequest parses a DER encoded certificate request and validates it. On success, it returns the bifrost namespace, certificate request, and certificate public key.
type PrivateKey ¶ added in v1.15.3
type PrivateKey struct { *ecdsa.PrivateKey // contains filtered or unexported fields }
PrivateKey is a wrapper around an ECDSA private key. PrivateKey implements the Marshaler and Unmarshaler interfaces for JSON and DynamoDB. By default, PrivateKey's MarshalJSON method marshals the corresponding public key. This is equivalent to calling the PublicKey method and marshaling the result. Use WithJSONMarshalPrivateKey to marshal the private key instead.
func NewPrivateKey ¶ added in v1.15.0
func NewPrivateKey() (*PrivateKey, error)
NewPrivateKey generates a new bifrost private key.
func ParseECPrivateKey ¶ added in v1.16.0
func ParseECPrivateKey(asn1Data []byte) (*PrivateKey, error)
ParseECPrivateKey parses an EC Private Key in SEC 1, ASN.1 DER form.
func ParsePKCS8PrivateKey ¶ added in v1.16.0
func ParsePKCS8PrivateKey(asn1Data []byte) (*PrivateKey, error)
ParsePKCS8PrivateKey parses an unencrypted private key in PKCS #8, ASN.1 DER form.
func (PrivateKey) MarshalDynamoDBAttributeValue ¶ added in v1.15.3
func (p PrivateKey) MarshalDynamoDBAttributeValue() (types.AttributeValue, error)
MarshalDynamoDBAttributeValue marshals the private key to PKCS #8, ASN.1 DER form.
func (PrivateKey) MarshalJSON ¶ added in v1.15.3
func (p PrivateKey) MarshalJSON() ([]byte, error)
MarshalJSON marshals the private key to PEM encoded PKCS #8, ASN.1 DER form.
func (PrivateKey) PublicKey ¶ added in v1.15.3
func (p PrivateKey) PublicKey() *PublicKey
PublicKey returns the public key corresponding to p.
func (PrivateKey) UUID ¶ added in v1.15.3
func (p PrivateKey) UUID(ns uuid.UUID) uuid.UUID
UUID returns the bifrost identifier for p in the given namespace.
func (*PrivateKey) UnmarshalDynamoDBAttributeValue ¶ added in v1.15.3
func (p *PrivateKey) UnmarshalDynamoDBAttributeValue(av types.AttributeValue) error
UnmarshalDynamoDBAttributeValue unmarshals the private key from PKCS #8, ASN.1 DER form.
func (*PrivateKey) UnmarshalJSON ¶ added in v1.15.3
func (p *PrivateKey) UnmarshalJSON(data []byte) error
UnmarshalJSON unmarshals the private key from PEM encoded PKCS #8, ASN.1 DER form.
func (*PrivateKey) WithJSONMarshalPrivateKey ¶ added in v1.15.3
func (p *PrivateKey) WithJSONMarshalPrivateKey() *PrivateKey
WithJSONMarshalPrivateKey configures the private key to be marshaled as a JSON object.
type PublicKey ¶ added in v1.15.0
PublicKey is a wrapper around an ECDSA public key. It implements the Marshaler and Unmarshaler interfaces for JSON and DynamoDB.
func ParsePKIXPublicKey ¶ added in v1.16.0
ParsePKIXPublicKey parses a public key in PKIX, ASN.1 DER form.
func (PublicKey) MarshalDynamoDBAttributeValue ¶ added in v1.15.0
func (p PublicKey) MarshalDynamoDBAttributeValue() (types.AttributeValue, error)
MarshalDynamoDBAttributeValue marshals the public key to PKIX, ASN.1 DER form.
func (PublicKey) MarshalJSON ¶ added in v1.15.0
MarshalJSON marshals the public key to PEM encoded PKIX, ASN.1 DER form.
func (PublicKey) UUID ¶ added in v1.15.0
UUID returns a unique identifier derived from the namespace and the client's public key.
func (*PublicKey) UnmarshalDynamoDBAttributeValue ¶ added in v1.15.0
func (p *PublicKey) UnmarshalDynamoDBAttributeValue(av types.AttributeValue) error
UnmarshalDynamoDBAttributeValue unmarshals the public key from PKIX, ASN.1 DER form.
func (*PublicKey) UnmarshalJSON ¶ added in v1.15.0
UnmarshalJSON unmarshals the public key from PEM encoded PKIX, ASN.1 DER form.
Directories
¶
Path | Synopsis |
---|---|
Package asgard provides middleware for use in HTTP API servers.
|
Package asgard provides middleware for use in HTTP API servers. |
cafiles can fetch CA certificate and private key PEM files from many storage backends.
|
cafiles can fetch CA certificate and private key PEM files from many storage backends. |
cmd
|
|
internal
|
|
Package tinyca implements a Certificate Authority that issues certificates for client authentication.
|
Package tinyca implements a Certificate Authority that issues certificates for client authentication. |
Package web embeds static website files that webservers can serve up to clients.
|
Package web embeds static website files that webservers can serve up to clients. |