Documentation ¶
Overview ¶
Package tlsca provides an internal TLS certificate authority used for mutual TLS authentication with the auth server, internal Teleport components, and external clients.
Index ¶
- Variables
- func CalculatePins(certsBytes []byte) ([]string, error)
- func ClusterName(subject pkix.Name) (string, error)
- func GenerateCertificateRequestPEM(subject pkix.Name, priv crypto.Signer) ([]byte, error)
- func GenerateSelfSignedCA(entity pkix.Name, dnsNames []string, ttl time.Duration) ([]byte, []byte, error)
- func GenerateSelfSignedCAWithConfig(config GenerateCAConfig) (certPEM []byte, err error)
- func GenerateSelfSignedCAWithSigner(signer crypto.Signer, entity pkix.Name, dnsNames []string, ttl time.Duration) ([]byte, error)
- func MarshalCertificatePEM(cert *x509.Certificate) ([]byte, error)
- func MarshalPrivateKeyPEM(privateKey *rsa.PrivateKey) []byte
- func MarshalPublicKeyFromPrivateKeyPEM(privateKey crypto.PrivateKey) ([]byte, error)
- func ParseCertificatePEM(bytes []byte) (*x509.Certificate, error)
- func ParseCertificatePEMs(bytes []byte) ([]*x509.Certificate, error)
- func ParseCertificateRequestPEM(bytes []byte) (*x509.CertificateRequest, error)
- func ParsePrivateKeyDER(der []byte) (crypto.Signer, error)
- func ParsePrivateKeyPEM(bytes []byte) (crypto.Signer, error)
- func ParsePublicKeyDER(der []byte) (crypto.PublicKey, error)
- func ParsePublicKeyPEM(bytes []byte) (interface{}, error)
- type CertAuthority
- type CertificateRequest
- type DeviceExtensions
- type GenerateCAConfig
- type Identity
- func (id *Identity) CheckAndSetDefaults() error
- func (id *Identity) GetEventIdentity() events.Identity
- func (id *Identity) GetRouteToApp() (RouteToApp, error)
- func (id Identity) GetSessionMetadata(sid string) events.SessionMetadata
- func (id Identity) GetUserMetadata() events.UserMetadata
- func (id *Identity) IsMFAVerified() bool
- func (id *Identity) Subject() (pkix.Name, error)
- type RouteToApp
- type RouteToDatabase
Constants ¶
This section is empty.
Variables ¶
var (
	// NOTE(review): every OID below lives under the 1.3.9999 arc, which the
	// package docs describe as a custom range taken from a serverfault
	// article rather than a registered enterprise arc; treat collisions with
	// other software using the same arc as possible and rely on the issuing
	// CA, not the OID alone, for trust — confirm.

	// KubeUsersASN1ExtensionOID is an extension ID used when encoding/decoding
	// the allowed Kubernetes users into certificates (see Identity.KubernetesUsers).
	KubeUsersASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 1}
	// KubeGroupsASN1ExtensionOID is an extension ID used when encoding/decoding
	// the allowed Kubernetes groups into certificates (see Identity.KubernetesGroups).
	KubeGroupsASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 2}
	// KubeClusterASN1ExtensionOID is an extension ID used when encoding/decoding
	// the target Kubernetes cluster name into certificates.
	KubeClusterASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 3}
	// AppSessionIDASN1ExtensionOID is an extension ID used to encode the application
	// session ID into a certificate.
	AppSessionIDASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 4}
	// AppClusterNameASN1ExtensionOID is an extension ID used to encode the application
	// cluster name into a certificate.
	AppClusterNameASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 5}
	// AppPublicAddrASN1ExtensionOID is an extension ID used to encode the application
	// public address into a certificate.
	AppPublicAddrASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 6}
	// TeleportClusterASN1ExtensionOID is an extension ID used when encoding/decoding
	// the origin Teleport cluster name into certificates.
	TeleportClusterASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 7}
	// MFAVerifiedASN1ExtensionOID is an extension ID used when encoding/decoding
	// the MFAVerified flag into certificates.
	MFAVerifiedASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 8}
	// LoginIPASN1ExtensionOID is an extension ID used when encoding/decoding
	// the client's login IP into certificates.
	LoginIPASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 9}
	// AppNameASN1ExtensionOID is an extension ID used when encoding/decoding
	// the application name into a certificate.
	AppNameASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 10}
	// AppAWSRoleARNASN1ExtensionOID is an extension ID used when encoding/decoding
	// the AWS role ARN into a certificate.
	AppAWSRoleARNASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 11}
	// AWSRoleARNsASN1ExtensionOID is an extension ID used when encoding/decoding
	// the allowed AWS role ARNs into a certificate.
	AWSRoleARNsASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 12}
	// RenewableCertificateASN1ExtensionOID is an extension ID used to indicate
	// that a certificate may be renewed by a certificate renewal bot.
	RenewableCertificateASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 13}
	// GenerationASN1ExtensionOID is an extension OID used to count the number
	// of times this certificate has been renewed.
	GenerationASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 14}
	// PrivateKeyPolicyASN1ExtensionOID is an extension ID used to determine the
	// private key policy supported by the certificate.
	PrivateKeyPolicyASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 15}
	// AppAzureIdentityASN1ExtensionOID is an extension ID used when encoding/decoding
	// the Azure identity into a certificate.
	AppAzureIdentityASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 16}
	// AzureIdentityASN1ExtensionOID is an extension ID used when encoding/decoding
	// the allowed Azure identities into a certificate.
	AzureIdentityASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 17}
	// AppGCPServiceAccountASN1ExtensionOID is an extension ID used when encoding/decoding
	// the chosen GCP service account into a certificate.
	AppGCPServiceAccountASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 18}
	// GCPServiceAccountsASN1ExtensionOID is an extension ID used when encoding/decoding
	// the list of allowed GCP service accounts into a certificate.
	GCPServiceAccountsASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 19}
	// DatabaseServiceNameASN1ExtensionOID is an extension ID used when encoding/decoding
	// the database service name into certificates.
	DatabaseServiceNameASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 1}
	// DatabaseProtocolASN1ExtensionOID is an extension ID used when encoding/decoding
	// the database protocol into certificates.
	DatabaseProtocolASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 2}
	// DatabaseUsernameASN1ExtensionOID is an extension ID used when encoding/decoding
	// the database username into certificates.
	DatabaseUsernameASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 3}
	// DatabaseNameASN1ExtensionOID is an extension ID used when encoding/decoding
	// the database name into certificates.
	DatabaseNameASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 4}
	// DatabaseNamesASN1ExtensionOID is an extension OID used when encoding/decoding
	// the allowed database names into certificates.
	DatabaseNamesASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 5}
	// DatabaseUsersASN1ExtensionOID is an extension OID used when encoding/decoding
	// the allowed database users into certificates.
	DatabaseUsersASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 6}
	// ImpersonatorASN1ExtensionOID is an extension OID used when encoding/decoding
	// the impersonating user into certificates.
	ImpersonatorASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 7}
	// ActiveRequestsASN1ExtensionOID is an extension OID used when encoding/decoding
	// active access requests into certificates.
	ActiveRequestsASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 8}
	// DisallowReissueASN1ExtensionOID is an extension OID used to flag that
	// requests to generate new certificates using this certificate should be
	// denied.
	DisallowReissueASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 9}
	// AllowedResourcesASN1ExtensionOID is an extension OID used to list the
	// resources which the certificate should be able to grant access to.
	AllowedResourcesASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 10}
	// SystemRolesASN1ExtensionOID is an extension OID used to indicate system roles
	// (auth, proxy, node, etc). Note that some certs correspond to a single specific
	// system role, and use `pkix.Name.Organization` to encode this value. This extension
	// is specifically used for "multi-role" certs.
	SystemRolesASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 11}
	// PreviousIdentityExpiresASN1ExtensionOID is the RFC3339 timestamp representing the hard
	// deadline of the session on certificates issued after an MFA check.
	// See https://github.com/gravitational/teleport/issues/18544.
	PreviousIdentityExpiresASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 12}
	// ConnectionDiagnosticIDASN1ExtensionOID is an extension OID used to indicate the Connection Diagnostic ID.
	// When using the Test Connection feature, the ConnectionDiagnosticID is propagated.
	// Each service (ex DB Agent) uses it to add checkpoints describing whether it was a success or a failure.
	ConnectionDiagnosticIDASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 13}
	// LicenseOID is an extension OID signaling the license type of the Teleport build.
	// It should take the values "oss" or "ent" (the values returned by modules.GetModules().BuildType()).
	LicenseOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 14}
	// PinnedIPASN1ExtensionOID is an extension ID used when encoding/decoding
	// the IP the certificate is pinned to.
	PinnedIPASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 15}
	// CreateWindowsUserOID is an extension OID used to indicate that the user should be created.
	CreateWindowsUserOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 16}
	// DesktopsLimitExceededOID is an extension OID used to indicate whether the number of
	// non-AD desktops exceeds the limit for the OSS distribution.
	DesktopsLimitExceededOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 17}
)
Custom ranges are taken from this article
https://serverfault.com/questions/551477/is-there-reserved-oid-space-for-internal-enterprise-cas
http://oid-info.com/get/1.3.9999
var (
	// DeviceIDExtensionOID is a string extension that identifies the trusted
	// device (carried in Identity.DeviceExtensions.DeviceID).
	DeviceIDExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 3, 1}
	// DeviceAssetTagExtensionOID is a string extension containing the device
	// inventory identifier (carried in Identity.DeviceExtensions.AssetTag).
	DeviceAssetTagExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 3, 2}
	// DeviceCredentialIDExtensionOID is a string extension that identifies the
	// credential used to authenticate the device
	// (carried in Identity.DeviceExtensions.CredentialID).
	DeviceCredentialIDExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 3, 3}
)
Device Trust OIDs. Namespace 1.3.9999.3.x.
Functions ¶
func CalculatePins ¶
CalculatePins returns the SPKI pins for the given set of concatenated PEM-encoded certificates.
func ClusterName ¶
ClusterName returns the cluster name from the subject's Organization field.
func GenerateCertificateRequestPEM ¶
GenerateCertificateRequestPEM returns PEM-encoded certificate signing request from the provided subject and private key.
func GenerateSelfSignedCA ¶
func GenerateSelfSignedCA(entity pkix.Name, dnsNames []string, ttl time.Duration) ([]byte, []byte, error)
GenerateSelfSignedCA generates a self-signed certificate authority used for internal inter-node communications.
func GenerateSelfSignedCAWithConfig ¶
func GenerateSelfSignedCAWithConfig(config GenerateCAConfig) (certPEM []byte, err error)
GenerateSelfSignedCAWithConfig generates a new CA certificate from the specified configuration and returns the PEM-encoded certificate upon success.
func GenerateSelfSignedCAWithSigner ¶
func GenerateSelfSignedCAWithSigner(signer crypto.Signer, entity pkix.Name, dnsNames []string, ttl time.Duration) ([]byte, error)
GenerateSelfSignedCAWithSigner generates a self-signed certificate authority, signed with the provided signer, used for internal inter-node communications.
func MarshalCertificatePEM ¶
func MarshalCertificatePEM(cert *x509.Certificate) ([]byte, error)
MarshalCertificatePEM takes a *x509.Certificate and returns the PEM-encoded bytes.
func MarshalPrivateKeyPEM ¶
func MarshalPrivateKeyPEM(privateKey *rsa.PrivateKey) []byte
MarshalPrivateKeyPEM marshals the provided rsa.PrivateKey into PEM format.
func MarshalPublicKeyFromPrivateKeyPEM ¶
func MarshalPublicKeyFromPrivateKeyPEM(privateKey crypto.PrivateKey) ([]byte, error)
MarshalPublicKeyFromPrivateKeyPEM extracts the public key from the private key and returns it PEM-encoded.
func ParseCertificatePEM ¶
func ParseCertificatePEM(bytes []byte) (*x509.Certificate, error)
ParseCertificatePEM parses a single PEM-encoded certificate.
func ParseCertificatePEMs ¶
func ParseCertificatePEMs(bytes []byte) ([]*x509.Certificate, error)
ParseCertificatePEMs parses multiple concatenated PEM-encoded certificates.
func ParseCertificateRequestPEM ¶
func ParseCertificateRequestPEM(bytes []byte) (*x509.CertificateRequest, error)
ParseCertificateRequestPEM parses a PEM-encoded certificate signing request.
func ParsePrivateKeyDER ¶
ParsePrivateKeyDER parses an unencrypted DER-encoded private key.
func ParsePrivateKeyPEM ¶
ParsePrivateKeyPEM parses a PEM-encoded private key.
func ParsePublicKeyDER ¶
ParsePublicKeyDER parses a DER-encoded public key.
func ParsePublicKeyPEM ¶
ParsePublicKeyPEM parses a PEM-encoded public key.
Types ¶
type CertAuthority ¶
// CertAuthority is an X.509 certificate authority: a CA certificate plus an
// optional signer for its private key.
type CertAuthority struct {
	// Cert is the CA certificate.
	Cert *x509.Certificate
	// Signer is a private-key-based signer for Cert. It may be absent when the
	// CA was constructed from a certificate only (see FromKeys, where the
	// private key is optional); such a CA can verify certificates but cannot
	// issue new ones.
	Signer crypto.Signer
}
CertAuthority is an X.509 certificate authority.
func FromCertAndSigner ¶
func FromCertAndSigner(certPEM []byte, signer crypto.Signer) (*CertAuthority, error)
FromCertAndSigner returns a CertAuthority with the given raw certificate and signer.
func FromKeys ¶
func FromKeys(certPEM, keyPEM []byte) (*CertAuthority, error)
FromKeys returns a new CA from a PEM-encoded certificate and private key. The private key is optional; if it is omitted, the CA can only verify certificates and cannot issue new ones.
func FromTLSCertificate ¶
func FromTLSCertificate(ca tls.Certificate) (*CertAuthority, error)
FromTLSCertificate returns a CertAuthority with the given TLS certificate.
func (*CertAuthority) GenerateCertificate ¶
func (ca *CertAuthority) GenerateCertificate(req CertificateRequest) ([]byte, error)
GenerateCertificate generates a certificate from the request.
type CertificateRequest ¶
// CertificateRequest is an X.509 certificate signing request consumed by
// CertAuthority.GenerateCertificate.
type CertificateRequest struct {
	// Clock is a clock used to get the current time (or a fixed test time).
	Clock clockwork.Clock
	// PublicKey is the public key to sign into the certificate.
	PublicKey crypto.PublicKey
	// Subject is the subject name to include in the certificate.
	Subject pkix.Name
	// NotAfter is the time after which the issued certificate
	// will no longer be valid.
	NotAfter time.Time
	// DNSNames is a list of DNS names to add to the certificate.
	DNSNames []string
	// Optional. ExtraExtensions to populate.
	// Note: ExtraExtensions can override ExtKeyUsage and SANs (like DNSNames),
	// i.e. they can widen what the issued certificate is valid for. They should
	// therefore be built by trusted issuing code rather than taken from a
	// requester-controlled input.
	ExtraExtensions []pkix.Extension
	// Optional. KeyUsage for the certificate.
	// NOTE(review): the value applied when this is left zero is not visible
	// here (see CheckAndSetDefaults) — confirm.
	KeyUsage x509.KeyUsage
	// Optional. CRL endpoints to place in the CRL Distribution Points extension.
	CRLDistributionPoints []string
}
CertificateRequest is an X.509 certificate signing request.
func (*CertificateRequest) CheckAndSetDefaults ¶
func (c *CertificateRequest) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets default values
type DeviceExtensions ¶
// DeviceExtensions holds device-aware (Device Trust) extensions for the
// identity. Each field maps to an OID in the 1.3.9999.3.x namespace.
type DeviceExtensions struct {
	// DeviceID is the trusted device identifier (DeviceIDExtensionOID).
	DeviceID string
	// AssetTag is the device inventory identifier (DeviceAssetTagExtensionOID).
	AssetTag string
	// CredentialID is the identifier for the credential used by the device to
	// authenticate itself (DeviceCredentialIDExtensionOID).
	CredentialID string
}
DeviceExtensions holds device-aware extensions for the identity.
type GenerateCAConfig ¶
// GenerateCAConfig defines the configuration for generating self-signed CA
// certificates with GenerateSelfSignedCAWithConfig.
type GenerateCAConfig struct {
	// Signer is the key the CA certificate is signed with. Because the
	// certificate is self-signed, this is the CA's own key.
	Signer crypto.Signer
	// Entity is the subject name of the CA certificate.
	Entity pkix.Name
	// DNSNames are DNS names to include in the CA certificate
	// (presumably as subject alternative names — confirm).
	DNSNames []string
	// IPAddresses are IP addresses to include in the CA certificate
	// (presumably as IP subject alternative names — confirm).
	IPAddresses []net.IP
	// TTL is the validity period of the CA certificate.
	TTL time.Duration
	// Clock supplies the current time (or a fixed test time).
	// NOTE(review): whether a nil Clock is defaulted is not visible here — confirm.
	Clock clockwork.Clock
}
GenerateCAConfig defines the configuration for generating self-signed CA certificates.
type Identity ¶
// Identity is the identity of a user or service (e.g. Proxy or Node). It is
// the decoded form of a certificate's subject and the tlsca extension OIDs;
// see FromSubject and Subject for the two directions.
type Identity struct {
	// Username is a username or name of the node connection.
	Username string
	// Impersonator is the username of a user impersonating this user
	// (ImpersonatorASN1ExtensionOID).
	Impersonator string
	// Groups is a list of groups (Teleport roles) encoded in the identity.
	Groups []string
	// SystemRoles is a list of system roles (e.g. auth, proxy, node, etc) used
	// in "multi-role" certificates. Single-role certificates encode the system role
	// in `Groups` for back-compat reasons.
	SystemRoles []string
	// Usage is a list of usage restrictions encoded in the identity.
	Usage []string
	// Principals is a list of Unix logins allowed.
	Principals []string
	// KubernetesGroups is a list of Kubernetes groups allowed.
	KubernetesGroups []string
	// KubernetesUsers is a list of Kubernetes users allowed.
	KubernetesUsers []string
	// Expires specifies when the session will expire.
	Expires time.Time
	// RouteToCluster specifies the target cluster
	// if present in the session.
	RouteToCluster string
	// KubernetesCluster specifies the target kubernetes cluster for TLS
	// identities. This can be empty on older Teleport clients.
	KubernetesCluster string
	// Traits hold claim data used to populate a role at runtime.
	Traits wrappers.Traits
	// RouteToApp holds routing information for applications. Routing metadata
	// allows Teleport web proxy to route HTTP requests to the appropriate
	// cluster and Teleport application proxy within the cluster.
	RouteToApp RouteToApp
	// TeleportCluster is the name of the teleport cluster that this identity
	// originated from. For TLS certs this may not be the same as cert issuer,
	// in case of multi-hop requests that originate from a remote cluster.
	TeleportCluster string
	// RouteToDatabase contains routing information for databases.
	RouteToDatabase RouteToDatabase
	// DatabaseNames is a list of allowed database names.
	DatabaseNames []string
	// DatabaseUsers is a list of allowed database users.
	DatabaseUsers []string
	// MFAVerified is the UUID of an MFA device when this Identity was
	// confirmed immediately after an MFA check (MFAVerifiedASN1ExtensionOID).
	// See IsMFAVerified.
	MFAVerified string
	// PreviousIdentityExpires is the expiry time of the identity/cert that this
	// identity/cert was derived from. It is used to determine a session's hard
	// deadline in cases where both require_session_mfa and disconnect_expired_cert
	// are enabled. See https://github.com/gravitational/teleport/issues/18544.
	PreviousIdentityExpires time.Time
	// LoginIP is an observed IP of the client that this Identity represents.
	LoginIP string
	// PinnedIP is an IP the certificate is pinned to (PinnedIPASN1ExtensionOID).
	PinnedIP string
	// AWSRoleARNs is a list of allowed AWS role ARNs the user can assume.
	AWSRoleARNs []string
	// AzureIdentities is a list of allowed Azure identities the user can assume.
	AzureIdentities []string
	// GCPServiceAccounts is a list of allowed GCP service accounts that the user can assume.
	GCPServiceAccounts []string
	// ActiveRequests is a list of UUIDs of active access requests for this Identity.
	ActiveRequests []string
	// DisallowReissue is a flag that, if set, instructs the auth server to
	// deny any attempts to reissue new certificates while authenticated with
	// this certificate (DisallowReissueASN1ExtensionOID).
	DisallowReissue bool
	// Renewable indicates that this identity is allowed to renew its
	// own credentials. This is only enabled for certificate renewal bots
	// (RenewableCertificateASN1ExtensionOID).
	Renewable bool
	// Generation counts the number of times this certificate has been renewed
	// (GenerationASN1ExtensionOID).
	Generation uint64
	// AllowedResourceIDs lists the resources the identity should be allowed to
	// access.
	AllowedResourceIDs []types.ResourceID
	// PrivateKeyPolicy is the private key policy supported by this identity.
	PrivateKeyPolicy keys.PrivateKeyPolicy
	// ConnectionDiagnosticID is used to add connection diagnostic messages when Testing a Connection.
	ConnectionDiagnosticID string
	// DeviceExtensions holds device-aware extensions for the identity.
	DeviceExtensions DeviceExtensions
	// UserType indicates if the User was created by an SSO Provider or locally.
	UserType types.UserType
}
Identity is the identity of a user or service, e.g. Proxy or Node.
func FromSubject ¶
FromSubject returns an Identity decoded from the certificate subject name.
func (*Identity) CheckAndSetDefaults ¶
CheckAndSetDefaults checks and sets default values
func (*Identity) GetEventIdentity ¶
func (*Identity) GetRouteToApp ¶
func (id *Identity) GetRouteToApp() (RouteToApp, error)
GetRouteToApp returns application routing data. If missing, returns an error.
func (Identity) GetSessionMetadata ¶
func (id Identity) GetSessionMetadata(sid string) events.SessionMetadata
func (Identity) GetUserMetadata ¶
func (id Identity) GetUserMetadata() events.UserMetadata
func (*Identity) IsMFAVerified ¶
IsMFAVerified returns whether this identity is MFA verified.
type RouteToApp ¶
// RouteToApp holds routing information for applications; the fields are
// carried in the certificate via the App*ASN1ExtensionOID extensions.
type RouteToApp struct {
	// SessionID is a UUIDv4 used to identify application sessions created by
	// this certificate. The reason a UUID was used instead of a hash of the
	// SubjectPublicKeyInfo like the CA pin is for UX consistency. For example,
	// the SessionID is emitted in the audit log, using a UUID matches how SSH
	// sessions are identified.
	SessionID string
	// PublicAddr (and ClusterName) are used to route requests issued with this
	// certificate to the appropriate application proxy/cluster.
	PublicAddr string
	// ClusterName (and PublicAddr) are used to route requests issued with this
	// certificate to the appropriate application proxy/cluster.
	ClusterName string
	// Name is the app name.
	Name string
	// AWSRoleARN is the AWS role to assume when accessing the AWS console.
	AWSRoleARN string
	// AzureIdentity is the Azure identity to assume when accessing the Azure API.
	AzureIdentity string
	// GCPServiceAccount is the GCP service account to assume when accessing the GCP API.
	GCPServiceAccount string
}
RouteToApp holds routing information for applications.
type RouteToDatabase ¶
// RouteToDatabase contains routing information for databases; the fields are
// carried in the certificate via the Database*ASN1ExtensionOID extensions.
type RouteToDatabase struct {
	// ServiceName is the name of the Teleport database proxy service
	// to route requests to.
	ServiceName string
	// Protocol is the database protocol.
	//
	// It is embedded in the identity so clients can understand what type
	// of database this is without contacting the server.
	Protocol string
	// Username is an optional database username to serve as a default
	// username to connect as.
	Username string
	// Database is an optional database name to serve as a default
	// database to connect to.
	Database string
}
RouteToDatabase contains routing information for databases.
func (RouteToDatabase) String ¶
func (r RouteToDatabase) String() string
String returns the string representation of the database routing struct.