Documentation
Index
Constants
const (
	DefaultUpstreamCABackdate = time.Second * 10
	DefaultUpstreamCATTL      = time.Hour
)
Variables
This section is empty.
Functions
func ParseAndValidateCSR
func ParseAndValidateCSR(csrDER []byte, td spiffeid.TrustDomain) (csr *x509.CertificateRequest, err error)
func UniqueIDAttribute
func UniqueIDAttribute(id spiffeid.ID) pkix.AttributeTypeAndValue
UniqueIDAttribute returns an X.500 Unique ID attribute (OID 2.5.4.45) for the given SPIFFE ID, for inclusion in an X509-SVID, to satisfy the RFC 5280 requirement that the subject "DN MUST be unique for each subject entity certified by the one CA as defined by the issuer field" (see issue #3110 for the discussion).
The unique ID is composed of the SHA-256 hash of the SPIFFE ID, truncated to 128 bits (16 bytes) and then hex encoded. This *SHOULD* be large enough to provide collision resistance on the input domain (i.e. the SPIFFE IDs of the registration entries registered with this server), which ranges from very to somewhat restricted depending on the registration scheme and how much influence an attacker can have on workload registration.
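The following is an added illustration of the scheme described above (SHA-256 over the SPIFFE ID, first 16 bytes, hex encoded, placed under OID 2.5.4.45); it is not the package's own UniqueIDAttribute implementation. It takes the SPIFFE ID as a plain string rather than a spiffeid.ID so it runs with only the standard library, and the small checkSPIFFEID validator is a hypothetical stand-in for the go-spiffe parser, added so that a malformed ID is rejected before it is hashed. All sample IDs are constructed.

```go
package main

import (
	"crypto/sha256"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// OIDUniqueIdentifier is the X.500 uniqueIdentifier attribute type (OID 2.5.4.45)
// named in the package documentation.
var OIDUniqueIdentifier = asn1.ObjectIdentifier{2, 5, 4, 45}

// uniqueIDTruncation keeps the first 128 bits (16 bytes) of the SHA-256 digest.
const uniqueIDTruncation = 16

// UniqueIDValue computes the documented value: SHA-256 over the SPIFFE ID
// string, truncated to 16 bytes, hex encoded (32 lowercase hex characters).
// Assumption: the hash input is the canonical "spiffe://..." string form.
func UniqueIDValue(spiffeID string) string {
	sum := sha256.Sum256([]byte(spiffeID))
	return hex.EncodeToString(sum[:uniqueIDTruncation])
}

// UniqueIDAttributeFor builds the pkix attribute that would be placed in the
// X509-SVID subject. A malformed ID is rejected rather than silently hashed.
func UniqueIDAttributeFor(spiffeID string) (pkix.AttributeTypeAndValue, error) {
	if err := checkSPIFFEID(spiffeID); err != nil {
		return pkix.AttributeTypeAndValue{}, err
	}
	return pkix.AttributeTypeAndValue{
		Type:  OIDUniqueIdentifier,
		Value: UniqueIDValue(spiffeID),
	}, nil
}

// checkSPIFFEID is a hypothetical, deliberately minimal validator (not the
// go-spiffe parser): scheme must be "spiffe", the trust domain (host) must be
// non-empty and port-less, and userinfo, query and fragment are not allowed.
func checkSPIFFEID(s string) error {
	u, err := url.Parse(s)
	if err != nil {
		return err
	}
	switch {
	case u.Scheme != "spiffe":
		return errors.New("scheme must be spiffe")
	case u.Host == "":
		return errors.New("missing trust domain")
	case u.User != nil || u.RawQuery != "" || u.Fragment != "":
		return errors.New("userinfo, query and fragment are not allowed")
	case strings.Contains(u.Host, ":"):
		return errors.New("trust domain must not contain a port")
	}
	return nil
}

// SubjectWithUniqueID shows where the attribute goes: appended to the subject's
// ExtraNames, so it is serialized alongside the CN when the subject is encoded.
func SubjectWithUniqueID(commonName, spiffeID string) (pkix.Name, error) {
	attr, err := UniqueIDAttributeFor(spiffeID)
	if err != nil {
		return pkix.Name{}, err
	}
	name := pkix.Name{CommonName: commonName}
	name.ExtraNames = append(name.ExtraNames, attr)
	return name, nil
}

func main() {
	// Constructed sample IDs, not taken from any real deployment.
	for _, id := range []string{
		"spiffe://example.org/workload/a",
		"spiffe://example.org/workload/b",
		"https://example.org/not-spiffe",
	} {
		attr, err := UniqueIDAttributeFor(id)
		if err != nil {
			fmt.Printf("%-36s rejected: %v\n", id, err)
			continue
		}
		fmt.Printf("%-36s %v=%s\n", id, attr.Type, attr.Value)
	}
}
```

Two SPIFFE IDs that differ only after the trust domain still yield unrelated 128-bit values, which is what makes the attribute usable as a per-subject discriminator; the truncation length is the parameter that bounds the collision resistance the documentation discusses.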
func ValidateCSR
func ValidateCSR(csr *x509.CertificateRequest, td spiffeid.TrustDomain) error
Types
type UpstreamCA
type UpstreamCA struct {
// contains filtered or unexported fields
}
func NewUpstreamCA
func NewUpstreamCA(keypair x509util.Keypair, trustDomain spiffeid.TrustDomain, options UpstreamCAOptions) *UpstreamCA