tlsca


Documentation

Overview

Package tlsca provides the internal TLS certificate authority used for mutual TLS authentication between the auth server, internal Teleport components, and external clients. The certificates it issues carry Teleport identity and authorization data in the subject name and in custom X.509 extensions (see the OID variables and the Identity type below); a relying party must validate a certificate against the cluster CA before acting on any of that data.

Index

Constants

This section is empty.

Variables

// Teleport-specific X.509 extension OIDs. All of them live under the private
// 1.3.9999 arc (see the references that follow this block), so they carry
// meaning only between Teleport components. Most of them encode authorization
// data (allowed users, groups, roles, resources, IP pinning, MFA state): a
// verifier must only act on their values after the certificate has been
// validated against the Teleport CA, since an extension read from an
// unverified peer certificate is attacker-controlled.
// NOTE(review): the decoding/enforcement side is not in this package view;
// confirm against the verifying code paths.
var (
	// KubeUsersASN1ExtensionOID is an extension ID used when encoding/decoding
	// the list of allowed Kubernetes users into certificates.
	KubeUsersASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 1}

	// KubeGroupsASN1ExtensionOID is an extension ID used when encoding/decoding
	// the list of allowed Kubernetes groups into certificates.
	KubeGroupsASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 2}

	// KubeClusterASN1ExtensionOID is an extension ID used when encoding/decoding
	// target kubernetes cluster name into certificates.
	KubeClusterASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 3}

	// AppSessionIDASN1ExtensionOID is an extension ID used to encode the application
	// session ID into a certificate.
	AppSessionIDASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 4}

	// AppClusterNameASN1ExtensionOID is an extension ID used to encode the application
	// cluster name into a certificate.
	AppClusterNameASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 5}

	// AppPublicAddrASN1ExtensionOID is an extension ID used to encode the application
	// public address into a certificate.
	AppPublicAddrASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 6}

	// TeleportClusterASN1ExtensionOID is an extension ID used when encoding/decoding
	// origin teleport cluster name into certificates.
	TeleportClusterASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 7}

	// MFAVerifiedASN1ExtensionOID is an extension ID used when encoding/decoding
	// the MFAVerified flag into certificates.
	MFAVerifiedASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 8}

	// LoginIPASN1ExtensionOID is an extension ID used when encoding/decoding
	// the client's login IP into certificates.
	LoginIPASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 9}

	// AppNameASN1ExtensionOID is an extension ID used when encoding/decoding
	// application name into a certificate.
	AppNameASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 10}

	// AppAWSRoleARNASN1ExtensionOID is an extension ID used when encoding/decoding
	// AWS role ARN into a certificate.
	AppAWSRoleARNASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 11}

	// AWSRoleARNsASN1ExtensionOID is an extension ID used when encoding/decoding
	// allowed AWS role ARNs into a certificate.
	AWSRoleARNsASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 12}

	// RenewableCertificateASN1ExtensionOID is an extension ID used to indicate
	// that a certificate may be renewed by a certificate renewal bot.
	RenewableCertificateASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 13}

	// GenerationASN1ExtensionOID is an extension OID used to count the number
	// of times this certificate has been renewed.
	GenerationASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 14}

	// PrivateKeyPolicyASN1ExtensionOID is an extension ID used to determine the
	// private key policy supported by the certificate.
	PrivateKeyPolicyASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 15}

	// AppAzureIdentityASN1ExtensionOID is an extension ID used when encoding/decoding
	// Azure identity into a certificate.
	AppAzureIdentityASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 16}

	// AzureIdentityASN1ExtensionOID is an extension ID used when encoding/decoding
	// allowed Azure identity into a certificate.
	AzureIdentityASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 17}

	// AppGCPServiceAccountASN1ExtensionOID is an extension ID used when encoding/decoding
	// the chosen GCP service account into a certificate.
	AppGCPServiceAccountASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 18}

	// GCPServiceAccountsASN1ExtensionOID is an extension ID used when encoding/decoding
	// the list of allowed GCP service accounts into a certificate.
	GCPServiceAccountsASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 19}

	// DatabaseServiceNameASN1ExtensionOID is an extension ID used when encoding/decoding
	// database service name into certificates.
	DatabaseServiceNameASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 1}

	// DatabaseProtocolASN1ExtensionOID is an extension ID used when encoding/decoding
	// database protocol into certificates.
	DatabaseProtocolASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 2}

	// DatabaseUsernameASN1ExtensionOID is an extension ID used when encoding/decoding
	// database username into certificates.
	DatabaseUsernameASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 3}

	// DatabaseNameASN1ExtensionOID is an extension ID used when encoding/decoding
	// database name into certificates.
	DatabaseNameASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 4}

	// DatabaseNamesASN1ExtensionOID is an extension OID used when encoding/decoding
	// allowed database names into certificates.
	DatabaseNamesASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 5}

	// DatabaseUsersASN1ExtensionOID is an extension OID used when encoding/decoding
	// allowed database users into certificates.
	DatabaseUsersASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 6}

	// ImpersonatorASN1ExtensionOID is an extension OID used when encoding/decoding
	// the impersonator user (the user who requested a certificate on behalf of
	// the certificate's subject).
	ImpersonatorASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 7}

	// ActiveRequestsASN1ExtensionOID is an extension OID used when encoding/decoding
	// active access requests into certificates.
	ActiveRequestsASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 8}

	// DisallowReissueASN1ExtensionOID is an extension OID used to flag that
	// requests to generate new certificates using this certificate should be
	// denied.
	DisallowReissueASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 9}

	// AllowedResourcesASN1ExtensionOID is an extension OID used to list the
	// resources which the certificate should be able to grant access to.
	AllowedResourcesASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 10}

	// SystemRolesASN1ExtensionOID is an extension OID used to indicate system roles
	// (auth, proxy, node, etc). Note that some certs correspond to a single specific
	// system role, and use `pkix.Name.Organization` to encode this value. This extension
	// is specifically used for "multi-role" certs.
	SystemRolesASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 11}

	// PreviousIdentityExpiresASN1ExtensionOID is the RFC3339 timestamp representing the hard
	// deadline of the session on a certificates issued after an MFA check.
	// See https://github.com/gravitational/teleport/issues/18544.
	PreviousIdentityExpiresASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 12}

	// ConnectionDiagnosticIDASN1ExtensionOID is an extension OID used to indicate the Connection Diagnostic ID.
	// When using the Test Connection feature, there's propagation of the ConnectionDiagnosticID.
	// Each service (ex DB Agent) uses that to add checkpoints describing if it was a success or a failure.
	ConnectionDiagnosticIDASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 13}

	// LicenseOID is an extension OID signaling the license type of Teleport build.
	// It should take values "oss" or "ent" (the values returned by modules.GetModules().BuildType())
	LicenseOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 14}

	// PinnedIPASN1ExtensionOID is an extension ID used when encoding/decoding
	// the IP the certificate is pinned to.
	PinnedIPASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 15}

	// CreateWindowsUserOID is an extension OID used to indicate that the user should be created.
	CreateWindowsUserOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 16}

	// DesktopsLimitExceededOID is an extension OID used to indicate if the number of non-AD desktops exceeds the limit for the OSS distribution.
	DesktopsLimitExceededOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 17}
)

The custom OID ranges used above are taken from this article:

https://serverfault.com/questions/551477/is-there-reserved-oid-space-for-internal-enterprise-cas

http://oid-info.com/get/1.3.9999

// Device Trust extension OIDs (namespace 1.3.9999.3.x). These extensions tie a
// user certificate to a trusted device; like the other custom extensions they
// are only meaningful after the certificate has been validated against the
// Teleport CA. Absence of all three presumably means the certificate was not
// issued through a device-trust flow — NOTE(review): confirm against the
// issuing code, which is outside this package view.
var (
	// DeviceIDExtensionOID is a string extension that identifies the trusted
	// device.
	DeviceIDExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 3, 1}

	// DeviceAssetTagExtensionOID is a string extension containing the device
	// inventory identifier.
	DeviceAssetTagExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 3, 2}

	// DeviceCredentialIDExtensionOID is a string extension that identifies the
	// credential used to authenticate the device.
	DeviceCredentialIDExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 3, 3}
)

Device Trust OIDs. Namespace 1.3.9999.3.x.

Functions

func CalculatePins

func CalculatePins(certsBytes []byte) ([]string, error)

CalculatePins returns the SPKI pins for the given set of concatenated PEM-encoded certificates. Pins identify a CA by a hash of its public key rather than by the whole certificate, so they remain valid across certificate re-issuance with the same key and change whenever the key is rotated.

func ClusterName

func ClusterName(subject pkix.Name) (string, error)

ClusterName returns the cluster name encoded in the subject's Organization field.

func GenerateCertificateRequestPEM

func GenerateCertificateRequestPEM(subject pkix.Name, priv crypto.Signer) ([]byte, error)

GenerateCertificateRequestPEM returns PEM-encoded certificate signing request from the provided subject and private key.

func GenerateSelfSignedCA

func GenerateSelfSignedCA(entity pkix.Name, dnsNames []string, ttl time.Duration) ([]byte, []byte, error)

GenerateSelfSignedCA generates a self-signed certificate authority used for internal inter-node communications. It returns two PEM-encoded payloads — the CA's private key material and its certificate (confirm the return order against the implementation before relying on it) — and any error.

func GenerateSelfSignedCAWithConfig

func GenerateSelfSignedCAWithConfig(config GenerateCAConfig) (certPEM []byte, err error)

GenerateSelfSignedCAWithConfig generates a new CA certificate from the specified configuration and returns it PEM-encoded. Unlike GenerateSelfSignedCA it does not return a private key: the signing key is supplied by the caller through config.Signer.

func GenerateSelfSignedCAWithSigner

func GenerateSelfSignedCAWithSigner(signer crypto.Signer, entity pkix.Name, dnsNames []string, ttl time.Duration) ([]byte, error)

GenerateSelfSignedCAWithSigner generates a self-signed certificate authority used for internal inter-node communications, signed with the caller-supplied signer, and returns the PEM-encoded certificate.

func MarshalCertificatePEM

func MarshalCertificatePEM(cert *x509.Certificate) ([]byte, error)

MarshalCertificatePEM takes a *x509.Certificate and returns the PEM encoded bytes.

func MarshalPrivateKeyPEM

func MarshalPrivateKeyPEM(privateKey *rsa.PrivateKey) []byte

MarshalPrivateKeyPEM marshals the provided rsa.PrivateKey into PEM format. Note that, unlike ParsePrivateKeyPEM/ParsePrivateKeyDER, which return a generic crypto.Signer, this helper accepts RSA keys only.

func MarshalPublicKeyFromPrivateKeyPEM

func MarshalPublicKeyFromPrivateKeyPEM(privateKey crypto.PrivateKey) ([]byte, error)

MarshalPublicKeyFromPrivateKeyPEM extracts the public key from the given private key and returns it PEM-marshaled.

func ParseCertificatePEM

func ParseCertificatePEM(bytes []byte) (*x509.Certificate, error)

ParseCertificatePEM parses PEM-encoded certificate

func ParseCertificatePEMs

func ParseCertificatePEMs(bytes []byte) ([]*x509.Certificate, error)

ParseCertificatePEMs parses multiple concatenated PEM-encoded certificates.

func ParseCertificateRequestPEM

func ParseCertificateRequestPEM(bytes []byte) (*x509.CertificateRequest, error)

ParseCertificateRequestPEM parses PEM-encoded certificate signing request

func ParsePrivateKeyDER

func ParsePrivateKeyDER(der []byte) (crypto.Signer, error)

ParsePrivateKeyDER parses an unencrypted DER-encoded private key.

func ParsePrivateKeyPEM

func ParsePrivateKeyPEM(bytes []byte) (crypto.Signer, error)

ParsePrivateKeyPEM parses a PEM-encoded private key.

func ParsePublicKeyDER

func ParsePublicKeyDER(der []byte) (crypto.PublicKey, error)

ParsePublicKeyDER parses a DER-encoded public key.

func ParsePublicKeyPEM

func ParsePublicKeyPEM(bytes []byte) (interface{}, error)

ParsePublicKeyPEM parses a PEM-encoded public key.

Types

type CertAuthority

type CertAuthority struct {
	// Cert is the CA certificate. It is all that is needed to verify
	// certificates issued by this authority.
	Cert *x509.Certificate
	// Signer is a private-key-based signer used to issue certificates.
	// It may be nil when the authority was loaded without a key (see
	// FromKeys); such a CA can verify but not issue.
	Signer crypto.Signer
}

CertAuthority is an X.509 certificate authority: a CA certificate plus, optionally, the signer holding its private key.

func FromCertAndSigner

func FromCertAndSigner(certPEM []byte, signer crypto.Signer) (*CertAuthority, error)

FromCertAndSigner returns a CertAuthority with the given raw certificate and signer.

func FromKeys

func FromKeys(certPEM, keyPEM []byte) (*CertAuthority, error)

FromKeys returns a new CA from a PEM-encoded certificate and private key. The private key is optional; if it is omitted the CA will be able to verify certificates but not issue new ones.

func FromTLSCertificate

func FromTLSCertificate(ca tls.Certificate) (*CertAuthority, error)

FromTLSCertificate returns a CertAuthority with the given TLS certificate.

func (*CertAuthority) GenerateCertificate

func (ca *CertAuthority) GenerateCertificate(req CertificateRequest) ([]byte, error)

GenerateCertificate generates a certificate from the request, signed by this CA. It requires the CA to have a Signer (see FromKeys); a verify-only CA cannot issue.

type CertificateRequest

type CertificateRequest struct {
	// Clock is a clock used to get current or test time
	Clock clockwork.Clock
	// PublicKey is a public key to sign
	PublicKey crypto.PublicKey
	// Subject is a subject to include in certificate. Teleport encodes the
	// Identity into it (see Identity.Subject), so it carries authorization
	// data and must come from the issuing code, never from the requester
	// unchecked.
	Subject pkix.Name
	// NotAfter is a time after which the issued certificate
	// will be no longer valid
	NotAfter time.Time
	// DNSNames is a list of DNS names to add to certificate
	DNSNames []string
	// Optional. ExtraExtensions to populate.
	// Note: ExtraExtensions can override ExtKeyUsage and SANs (like DNSNames).
	// Because of that, never pass extensions supplied by an untrusted
	// requester here: a caller-controlled extension could widen the key
	// usage or add names the CA did not intend to certify.
	ExtraExtensions []pkix.Extension
	// Optional. KeyUsage for the certificate.
	KeyUsage x509.KeyUsage
	// Optional. CRL endpoints.
	// NOTE(review): Go's crypto/x509 verifier does not fetch or consult CRLs
	// on its own, so listing endpoints here only advertises them; revocation
	// checking, if required, must happen elsewhere.
	CRLDistributionPoints []string
}

CertificateRequest is an X.509 certificate signing request consumed by CertAuthority.GenerateCertificate.

func (*CertificateRequest) CheckAndSetDefaults

func (c *CertificateRequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default values

type DeviceExtensions

type DeviceExtensions struct {
	// DeviceID is the trusted device identifier.
	// Carried in the certificate under DeviceIDExtensionOID.
	DeviceID string
	// AssetTag is the device inventory identifier.
	// Carried in the certificate under DeviceAssetTagExtensionOID.
	AssetTag string
	// CredentialID is the identifier for the credential used by the device to
	// authenticate itself.
	// Carried in the certificate under DeviceCredentialIDExtensionOID.
	CredentialID string
}

DeviceExtensions holds the device-trust extensions for an identity. Like the rest of the Identity they are only as trustworthy as the certificate that carries them.

type GenerateCAConfig

type GenerateCAConfig struct {
	// Signer holds the CA private key; the certificate is self-signed with it.
	// The caller is responsible for protecting this key.
	Signer crypto.Signer
	// Entity is the subject (and, being self-signed, the issuer) name.
	Entity pkix.Name
	// DNSNames are DNS names to include in the certificate, presumably as
	// subject alternative names.
	DNSNames []string
	// IPAddresses are IP addresses to include in the certificate, presumably
	// as subject alternative names.
	IPAddresses []net.IP
	// TTL is how long the CA certificate stays valid from the time of issue.
	TTL time.Duration
	// Clock is the clock used to derive the validity period; it allows
	// tests to control time.
	Clock clockwork.Clock
}

GenerateCAConfig defines the configuration for generating self-signed CA certificates

type Identity

// Identity is carried entirely inside the signed certificate (subject name
// and custom extensions), so its fields are trustworthy only to the extent
// that the certificate has been validated against the Teleport CA. This
// package encodes and decodes these fields; it does not enforce them.
type Identity struct {
	// Username is a username or name of the node connection
	Username string
	// Impersonator is a username of a user impersonating this user.
	// Empty unless the certificate was issued through impersonation.
	Impersonator string
	// Groups is a list of groups (Teleport roles) encoded in the identity
	Groups []string
	// SystemRoles is a list of system roles (e.g. auth, proxy, node, etc) used
	// in "multi-role" certificates. Single-role certificates encode the system role
	// in `Groups` for back-compat reasons.
	SystemRoles []string
	// Usage is a list of usage restrictions encoded in the identity
	Usage []string
	// Principals is a list of Unix logins allowed.
	Principals []string
	// KubernetesGroups is a list of Kubernetes groups allowed
	KubernetesGroups []string
	// KubernetesUsers is a list of Kubernetes users allowed
	KubernetesUsers []string
	// Expires specifies when the session will expire
	Expires time.Time
	// RouteToCluster specifies the target cluster
	// if present in the session
	RouteToCluster string
	// KubernetesCluster specifies the target kubernetes cluster for TLS
	// identities. This can be empty on older Teleport clients.
	KubernetesCluster string
	// Traits hold claim data used to populate a role at runtime.
	Traits wrappers.Traits
	// RouteToApp holds routing information for applications. Routing metadata
	// allows Teleport web proxy to route HTTP requests to the appropriate
	// cluster and Teleport application proxy within the cluster.
	RouteToApp RouteToApp
	// TeleportCluster is the name of the teleport cluster that this identity
	// originated from. For TLS certs this may not be the same as cert issuer,
	// in case of multi-hop requests that originate from a remote cluster.
	TeleportCluster string
	// RouteToDatabase contains routing information for databases.
	RouteToDatabase RouteToDatabase
	// DatabaseNames is a list of allowed database names.
	DatabaseNames []string
	// DatabaseUsers is a list of allowed database users.
	DatabaseUsers []string
	// MFAVerified is the UUID of an MFA device when this Identity was
	// confirmed immediately after an MFA check. Use IsMFAVerified rather
	// than comparing this field directly.
	MFAVerified string
	// PreviousIdentityExpires is the expiry time of the identity/cert that this
	// identity/cert was derived from. It is used to determine a session's hard
	// deadline in cases where both require_session_mfa and disconnect_expired_cert
	// are enabled. See https://github.com/gravitational/teleport/issues/18544.
	PreviousIdentityExpires time.Time
	// LoginIP is an observed IP of the client that this Identity represents.
	// Informational: it records where the login came from, it does not by
	// itself restrict where the certificate may be used (see PinnedIP).
	LoginIP string
	// PinnedIP is an IP the certificate is pinned to. When set, the services
	// that verify the certificate are expected to reject connections from
	// other source addresses — NOTE(review): enforcement lives outside this
	// package; confirm in the verifying services.
	PinnedIP string
	// AWSRoleARNs is a list of allowed AWS role ARNs user can assume.
	AWSRoleARNs []string
	// AzureIdentities is a list of allowed Azure identities user can assume.
	AzureIdentities []string
	// GCPServiceAccounts is a list of allowed GCP service accounts that the user can assume.
	GCPServiceAccounts []string
	// ActiveRequests is a list of UUIDs of active requests for this Identity.
	ActiveRequests []string
	// DisallowReissue is a flag that, if set, instructs the auth server to
	// deny any attempts to reissue new certificates while authenticated with
	// this certificate.
	DisallowReissue bool
	// Renewable indicates that this identity is allowed to renew its
	// own credentials. This is only enabled for certificate renewal bots.
	Renewable bool
	// Generation counts the number of times this certificate has been renewed.
	Generation uint64
	// AllowedResourceIDs lists the resources the identity should be allowed to
	// access. When non-empty it narrows access to exactly these resources
	// (resource-scoped access); an empty list imposes no such narrowing.
	AllowedResourceIDs []types.ResourceID
	// PrivateKeyPolicy is the private key policy supported by this identity.
	PrivateKeyPolicy keys.PrivateKeyPolicy

	// ConnectionDiagnosticID is used to add connection diagnostic messages when Testing a Connection.
	ConnectionDiagnosticID string

	// DeviceExtensions holds device-aware extensions for the identity.
	DeviceExtensions DeviceExtensions

	// UserType indicates if the User was created by an SSO Provider or locally.
	UserType types.UserType
}

Identity is the identity of a user or service (e.g. Proxy or Node), as encoded in and decoded from a Teleport-issued X.509 certificate.

func FromSubject

func FromSubject(subject pkix.Name, expires time.Time) (*Identity, error)

FromSubject returns the Identity decoded from an X.509 subject name; expires becomes the identity's Expires. Only call this with the subject of a certificate that has already been validated against the Teleport CA.

func (*Identity) CheckAndSetDefaults

func (id *Identity) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default values

func (*Identity) GetEventIdentity

func (id *Identity) GetEventIdentity() events.Identity

func (*Identity) GetRouteToApp

func (id *Identity) GetRouteToApp() (RouteToApp, error)

GetRouteToApp returns application routing data. If missing, returns an error.

func (Identity) GetSessionMetadata

func (id Identity) GetSessionMetadata(sid string) events.SessionMetadata

func (Identity) GetUserMetadata

func (id Identity) GetUserMetadata() events.UserMetadata

func (*Identity) IsMFAVerified

func (id *Identity) IsMFAVerified() bool

IsMFAVerified returns whether this identity is MFA verified; prefer it over inspecting the MFAVerified field directly.

func (*Identity) Subject

func (id *Identity) Subject() (pkix.Name, error)

Subject converts the identity to an X.509 subject name, the inverse of FromSubject.

type RouteToApp

type RouteToApp struct {
	// SessionID is a UUIDv4 used to identify application sessions created by
	// this certificate. The reason a UUID was used instead of a hash of the
	// SubjectPublicKeyInfo like the CA pin is for UX consistency. For example,
	// the SessionID is emitted in the audit log, using a UUID matches how SSH
	// sessions are identified.
	SessionID string

	// PublicAddr (and ClusterName) are used to route requests issued with this
	// certificate to the appropriate application proxy/cluster.
	PublicAddr string

	// ClusterName (and PublicAddr) are used to route requests issued with this
	// certificate to the appropriate application proxy/cluster.
	ClusterName string

	// Name is the app name.
	Name string

	// AWSRoleARN is the AWS role to assume when accessing AWS console.
	// It is the role chosen for this session; the set of roles the user may
	// choose from is Identity.AWSRoleARNs.
	AWSRoleARN string

	// AzureIdentity is the Azure identity to assume when accessing Azure API.
	// The allowed set is Identity.AzureIdentities.
	AzureIdentity string

	// GCPServiceAccount is the GCP service account to assume when accessing GCP API.
	// The allowed set is Identity.GCPServiceAccounts.
	GCPServiceAccount string
}

RouteToApp holds routing information for applications, encoded in the certificate under the App*ASN1ExtensionOID extensions.

type RouteToDatabase

type RouteToDatabase struct {
	// ServiceName is the name of the Teleport database proxy service
	// to route requests to.
	ServiceName string
	// Protocol is the database protocol.
	//
	// It is embedded in identity so clients can understand what type
	// of database this is without contacting server.
	Protocol string
	// Username is an optional database username to serve as a default
	// username to connect as. It is a default, not a restriction; the
	// allowed set is Identity.DatabaseUsers.
	Username string
	// Database is an optional database name to serve as a default
	// database to connect to. It is a default, not a restriction; the
	// allowed set is Identity.DatabaseNames.
	Database string
}

RouteToDatabase contains routing information for databases, encoded in the certificate under the Database*ASN1ExtensionOID extensions.

func (RouteToDatabase) String

func (r RouteToDatabase) String() string

String returns string representation of the database routing struct.
