Constants
const SDKName = "Venafi VCert-Go"
Variables
var LocalIP string
Functions
This section is empty.
Types

type AllowedKeyConfiguration

type AllowedKeyConfiguration struct {
	KeyType   certificate.KeyType
	KeySizes  []int
	KeyCurves []certificate.EllipticCurve
}

AllowedKeyConfiguration contains an allowed key type with its sizes or curves.
type Authentication

type Authentication struct {
	// TPP Auth methods
	// user and password
	User     string `yaml:"user,omitempty"`     // **DEPRECATED** Use access/refresh token or client certificate instead
	Password string `yaml:"password,omitempty"` // **DEPRECATED** Use access/refresh token or client certificate instead
	// tokens
	AccessToken  string `yaml:"accessToken,omitempty"`
	RefreshToken string `yaml:"refreshToken,omitempty"`
	// client certificate
	ClientPKCS12 bool `yaml:"-"`

	// VCP Auth methods
	// API key
	APIKey string `yaml:"apiKey,omitempty"`
	// Service account
	TokenURL    string `yaml:"tokenURL,omitempty"`
	ExternalJWT string `yaml:"externalJWT,omitempty"`

	// OIDC Auth methods
	ClientId     string `yaml:"clientId,omitempty"`
	ClientSecret string `yaml:"clientSecret,omitempty"`
	Scope        string `yaml:"scope,omitempty"`
	// IdentityProvider specifies the OAuth 2.0 provider that VCert will use for authorization purposes
	IdentityProvider *OAuthProvider `yaml:"idP,omitempty"`
}

Authentication provides a struct for authentication data. Either specify User and Password for Trust Protection Platform or Firefly, ClientId and ClientSecret for Firefly, or an APIKey for TLS Protect Cloud.
type Connector

type Connector interface {
	// GetType returns a connector type (cloud/TPP/fake). Can be useful because some features are not supported by a Cloud connection.
	GetType() ConnectorType
	// SetZone sets a zone (by name) for requests with this connector.
	SetZone(z string)
	// SetHTTPClient allows setting a custom http.Client on this Connector.
	SetHTTPClient(client *http.Client)
	Ping() (err error)
	// Authenticate is usually called by NewClient and it is not required that you manually call it.
	Authenticate(auth *Authentication) (err error)
	// ReadPolicyConfiguration returns information about zone policies. It can be used for checking request compatibility with policies.
	ReadPolicyConfiguration() (policy *Policy, err error)
	// ReadZoneConfiguration returns the zone configuration. A zone configuration includes zone policy and additional zone information.
	ReadZoneConfiguration() (config *ZoneConfiguration, err error)
	// GetZonesByParent returns a list of valid zones specified by parent
	GetZonesByParent(parent string) ([]string, error)
	// GenerateRequest updates certificate.Request with data from zone configuration.
	GenerateRequest(config *ZoneConfiguration, req *certificate.Request) (err error)
	// ResetCertificate resets the state of a certificate.
	// This function is idempotent, i.e., it won't fail if there is nothing to be reset.
	ResetCertificate(req *certificate.Request, restart bool) (err error)
	// RequestCertificate makes a request to the server with data for enrolling the certificate.
	RequestCertificate(req *certificate.Request) (requestID string, err error)
	// RetrieveCertificate immediately returns an enrolled certificate. Otherwise, RetrieveCertificate waits and retries during req.Timeout.
	RetrieveCertificate(req *certificate.Request) (certificates *certificate.PEMCollection, err error)
	IsCSRServiceGenerated(req *certificate.Request) (bool, error)
	RevokeCertificate(req *certificate.RevocationRequest) error
	RenewCertificate(req *certificate.RenewalRequest) (requestID string, err error)
	RetireCertificate(req *certificate.RetireRequest) error
	// ImportCertificate adds an existing certificate to Venafi Platform even if the certificate was not issued by Venafi Cloud or Venafi Platform. For information purposes.
	ImportCertificate(req *certificate.ImportRequest) (*certificate.ImportResponse, error)
	// ListCertificates returns a list of certificates from inventory that matches the filter
	ListCertificates(filter Filter) ([]certificate.CertificateInfo, error)
	SearchCertificates(req *certificate.SearchRequest) (*certificate.CertSearchResponse, error)
	// SearchCertificate returns a valid certificate
	//
	// If it returns no error, the certificate returned should be the latest [1]
	// exact matching zone [2], CN and sans.DNS [3] provided, with a minimum
	// validity of `certMinTimeLeft`
	//
	// [1] the one with the longest validity; field named ValidTo for TPP and
	// validityEnd for VaaS
	// [2] application name for VaaS
	// [3] an array of strings representing the DNS names
	SearchCertificate(zone string, cn string, sans *certificate.Sans, certMinTimeLeft time.Duration) (*certificate.CertificateInfo, error)
	RetrieveCertificateMetaData(dn string) (*certificate.CertificateMetaData, error)
	SetPolicy(name string, ps *policy.PolicySpecification) (string, error)
	GetPolicy(name string) (*policy.PolicySpecification, error)
	RequestSSHCertificate(req *certificate.SshCertRequest) (response *certificate.SshCertificateObject, err error)
	RetrieveSSHCertificate(req *certificate.SshCertRequest) (response *certificate.SshCertificateObject, err error)
	RetrieveSshConfig(ca *certificate.SshCaTemplateRequest) (*certificate.SshConfig, error)
	RetrieveAvailableSSHTemplates() ([]certificate.SshAvaliableTemplate, error)
	// SynchronousRequestCertificate makes a request to the server with data for enrolling the certificate and returns the enrolled certificate.
	SynchronousRequestCertificate(req *certificate.Request) (certificates *certificate.PEMCollection, err error)
	// SupportSynchronousRequestCertificate reports whether the connector supports synchronous calls to request a certificate.
	SupportSynchronousRequestCertificate() bool
	RetrieveSystemVersion() (string, error)
	WriteLog(req *LogRequest) error
	// SetUserAgent sets the value of the UserAgent header in HTTP requests to
	// Venafi API endpoints by this connector.
	// The default is `vcert/v5`.
	// Further reading: https://www.rfc-editor.org/rfc/rfc9110#field.user-agent
	SetUserAgent(userAgent string)
}

Connector provides a common interface for external communications with TPP or Venafi Cloud.
type ConnectorType

type ConnectorType int

ConnectorType represents the available connectors.

const (
	ConnectorTypeUndefined ConnectorType = iota
	// ConnectorTypeFake is a fake connector for tests
	ConnectorTypeFake
	// ConnectorTypeCloud represents the Cloud connector type
	ConnectorTypeCloud
	// ConnectorTypeTPP represents the TPP connector type
	ConnectorTypeTPP
	// ConnectorTypeFirefly represents the Firefly connector type
	ConnectorTypeFirefly
)

func (ConnectorType) String

func (t ConnectorType) String() string
type ErrCertificatePending

todo: replace with verror
ErrCertificatePending provides a common error structure for a timeout while retrieving a certificate.

func (ErrCertificatePending) Error

func (err ErrCertificatePending) Error() string

type ErrCertificateRejected

func (ErrCertificateRejected) Error

func (err ErrCertificateRejected) Error() string

type ErrRetrieveCertificateTimeout
type ErrRetrieveCertificateTimeout struct {
CertificateID string
}
todo: replace with verror
ErrRetrieveCertificateTimeout provides a common error structure for a timeout while retrieving a certificate.

func (ErrRetrieveCertificateTimeout) Error

func (err ErrRetrieveCertificateTimeout) Error() string

type LogRequest

type LogRequest struct {
	LogID     string `json:"ID,omitempty"`
	Component string `json:",omitempty"`
	Text1     string `json:",omitempty"`
	Text2     string `json:",omitempty"`
	Value1    string `json:",omitempty"`
	Value2    string `json:",omitempty"`
	SourceIp  string `json:",omitempty"`
	Severity  string `json:",omitempty"`
}

type OAuthProvider (added in v5.1.0)

type OAuthProvider struct {
	// OIDC Auth methods
	DeviceURL string `yaml:"-"`
	TokenURL  string `yaml:"tokenURL,omitempty"`
	Audience  string `yaml:"audience,omitempty"`
}
OAuthProvider holds the OAuth 2.0 provider information.
type Policy

type Policy struct {
	SubjectCNRegexes []string
	SubjectORegexes  []string
	SubjectOURegexes []string
	SubjectSTRegexes []string
	SubjectLRegexes  []string
	SubjectCRegexes  []string
	// AllowedKeyConfigurations lists all allowed key configurations. The certificate's key configuration has to appear in this list.
	// For example: for an RSA key of 2048 bits to satisfy the policy, the list must contain AT LEAST ONE configuration with type RSA and the value 2048 in its KeySizes list.
	AllowedKeyConfigurations []AllowedKeyConfiguration
	// DnsSanRegExs is a list of regular expressions that define the allowable DNS names in SANs.
	DnsSanRegExs []string
	// IpSanRegExs is a list of regular expressions that define the allowable IP addresses in SANs.
	IpSanRegExs    []string
	EmailSanRegExs []string
	UriSanRegExs   []string
	UpnSanRegExs   []string
	AllowWildcards bool
	AllowKeyReuse  bool
}

Policy is a struct that contains restrictions for certificates. Most of the fields contain a list of regular expressions. To satisfy the policy, every value in a certificate field must match AT LEAST ONE regular expression in the corresponding policy field.
func (*Policy) SimpleValidateCertificateRequest

func (p *Policy) SimpleValidateCertificateRequest(request certificate.Request) error

SimpleValidateCertificateRequest only checks that the Common Name and SANs match the policy.
func (*Policy) ValidateCertificateRequest

func (p *Policy) ValidateCertificateRequest(request *certificate.Request) error

ValidateCertificateRequest validates the request against the Policy.
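The matching rules stated for Policy above (every certificate value must match AT LEAST ONE regular expression in the corresponding policy list; the key type and size must appear in at least one AllowedKeyConfiguration) and the shape of the two validation methods, written out as a standalone re-implementation. This is an added example, not vcert's own code: KeyType, Request and the Policy subset are local stand-ins for certificate.KeyType, certificate.Request and endpoint.Policy, elliptic curves are left out, treating an empty pattern list as unrestricted is an assumption, and the ExamplePolicy patterns and request values are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// KeyType stands in for certificate.KeyType (assumption: a string is enough here).
type KeyType string

const KeyTypeRSA KeyType = "RSA"

// AllowedKeyConfiguration mirrors the endpoint type; curves are omitted here,
// only RSA key sizes are checked.
type AllowedKeyConfiguration struct {
	KeyType  KeyType
	KeySizes []int
}
// Policy carries the subset of endpoint.Policy fields exercised here.
type Policy struct {
	SubjectCNRegexes         []string
	DnsSanRegExs             []string
	AllowedKeyConfigurations []AllowedKeyConfiguration
	AllowWildcards           bool
}
// Request is a minimal stand-in for certificate.Request (assumption).
type Request struct {
	CommonName string
	DNSNames   []string
	KeyType    KeyType
	KeyLength  int
}

// checkField enforces "must match AT LEAST ONE regex"; an empty list is treated as
// unrestricted (assumption). Patterns are used as written, so they must be anchored
// (^...$): an unanchored `\.example\.com` also accepts "x.example.com.other.test".
func checkField(label, value string, patterns []string) error {
	if len(patterns) == 0 {
		return nil
	}
	for _, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return fmt.Errorf("invalid policy regex %q: %w", p, err)
		}
		if re.MatchString(value) {
			return nil
		}
	}
	return fmt.Errorf("%s %q is not allowed by policy", label, value)
}

// keyAllowed implements the Policy doc rule: at least one configuration with the
// request's key type must list the requested size.
func keyAllowed(req Request, allowed []AllowedKeyConfiguration) bool {
	for _, cfg := range allowed {
		if cfg.KeyType != req.KeyType {
			continue
		}
		for _, size := range cfg.KeySizes {
			if size == req.KeyLength {
				return true
			}
		}
	}
	return false
}

// ValidateRequest checks the CN and DNS SANs against the regex lists, wildcards
// against AllowWildcards, and the key against AllowedKeyConfigurations.
func (p *Policy) ValidateRequest(req Request) error {
	if err := checkField("common name", req.CommonName, p.SubjectCNRegexes); err != nil {
		return err
	}
	for _, name := range req.DNSNames {
		if strings.HasPrefix(name, "*.") && !p.AllowWildcards {
			return fmt.Errorf("wildcard SAN %q is not allowed by policy", name)
		}
		if err := checkField("DNS SAN", name, p.DnsSanRegExs); err != nil {
			return err
		}
	}
	if len(p.AllowedKeyConfigurations) > 0 && !keyAllowed(req, p.AllowedKeyConfigurations) {
		return fmt.Errorf("%s-%d key is not allowed by policy", req.KeyType, req.KeyLength)
	}
	return nil
}

// ExamplePolicy is a constructed policy: anchored names in one zone, RSA 2048 or larger, no wildcards.
func ExamplePolicy() *Policy {
	return &Policy{
		SubjectCNRegexes:         []string{`^[a-z0-9-]+\.example\.com$`},
		DnsSanRegExs:             []string{`^[a-z0-9-]+\.example\.com$`},
		AllowedKeyConfigurations: []AllowedKeyConfiguration{{KeyType: KeyTypeRSA, KeySizes: []int{2048, 3072, 4096}}},
	}
}

func main() {
	p := ExamplePolicy()
	fmt.Println(p.ValidateRequest(Request{CommonName: "api.example.com", KeyType: KeyTypeRSA, KeyLength: 2048}))
	fmt.Println(p.ValidateRequest(Request{CommonName: "api.example.com", KeyType: KeyTypeRSA, KeyLength: 1024}))
}
```

The comment on checkField carries the one caveat worth remembering when authoring policy regexes: Go's regexp matches anywhere in the input, so a pattern without ^ and $ accepts any name that merely contains the permitted suffix, and a policy meant to confine a zone to one domain silently stops doing so.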
type ZoneConfiguration

type ZoneConfiguration struct {
	Organization         string
	OrganizationalUnit   []string
	Country              string
	Province             string
	Locality             string
	Policy
	HashAlgorithm        x509.SignatureAlgorithm
	CustomAttributeValues map[string]string
	KeyConfiguration     *AllowedKeyConfiguration
}

ZoneConfiguration provides a common structure for certificate request data provided by the remote endpoint.
func NewZoneConfiguration

func NewZoneConfiguration() *ZoneConfiguration

NewZoneConfiguration creates a new zone configuration and initializes the map it uses (CustomAttributeValues).
func (*ZoneConfiguration) UpdateCertificateRequest

func (z *ZoneConfiguration) UpdateCertificateRequest(request *certificate.Request)

UpdateCertificateRequest updates a certificate request based on the zone configuration retrieved from the remote endpoint.