Versions in this module

v1
v1.0.2 — May 18, 2023

Changes in this version
+ const DefaultCATTL
+ const DefaultJWTSVIDTTL
+ const DefaultX509SVIDTTL
+ func CreateServerCATemplate(spiffeID spiffeid.ID, publicKey crypto.PublicKey, ...) (*x509.Certificate, error)
+ func CreateX509SVIDTemplate(spiffeID spiffeid.ID, publicKey crypto.PublicKey, ...) (*x509.Certificate, error)
+ func GenerateServerCACSR(signer crypto.Signer, trustDomain spiffeid.TrustDomain, subject pkix.Name) ([]byte, error)
+ func MaxSVIDTTL() time.Duration
+ func MaxSVIDTTLForCATTL(caTTL time.Duration) time.Duration
+ func MinCATTLForSVIDTTL(svidTTL time.Duration) time.Duration
+ type BundleUpdater interface
    + AppendJWTKeys func(ctx context.Context, keys []*common.PublicKey) ([]*common.PublicKey, error)
    + AppendX509Roots func(ctx context.Context, roots []*x509.Certificate) error
    + LogError func(err error, msg string)
+ type CA struct
    + func NewCA(config Config) *CA
    + func (ca *CA) JWTKey() *JWTKey
    + func (ca *CA) SetJWTKey(jwtKey *JWTKey)
    + func (ca *CA) SetX509CA(x509CA *X509CA)
    + func (ca *CA) SignJWTSVID(ctx context.Context, params JWTSVIDParams) (string, error)
    + func (ca *CA) SignX509CASVID(ctx context.Context, params X509CASVIDParams) ([]*x509.Certificate, error)
    + func (ca *CA) SignX509SVID(ctx context.Context, params X509SVIDParams) ([]*x509.Certificate, error)
    + func (ca *CA) X509CA() *X509CA
+ type Config struct
    + CASubject pkix.Name
    + Clock clock.Clock
    + HealthChecker health.Checker
    + JWTIssuer string
    + JWTSVIDTTL time.Duration
    + Log logrus.FieldLogger
    + Metrics telemetry.Metrics
    + TrustDomain spiffeid.TrustDomain
    + X509SVIDTTL time.Duration
+ type JWTKey struct
    + Kid string
    + NotAfter time.Time
    + Signer crypto.Signer
+ type JWTKeyEntry = journal.JWTKeyEntry
+ type JWTSVIDParams struct
    + Audience []string
    + SpiffeID spiffeid.ID
    + TTL time.Duration
+ type Journal struct
    + func LoadJournal(path string) (*Journal, error)
    + func (j *Journal) AppendJWTKey(slotID string, issuedAt time.Time, jwtKey *JWTKey) error
    + func (j *Journal) AppendX509CA(slotID string, issuedAt time.Time, x509CA *X509CA) error
    + func (j *Journal) Entries() *JournalEntries
+ type JournalEntries = journal.Entries
+ type ManagedCA interface
    + SetJWTKey func(*JWTKey)
    + SetX509CA func(*X509CA)
+ type Manager struct
    + func NewManager(c ManagerConfig) *Manager
    + func (m *Manager) Initialize(ctx context.Context) error
    + func (m *Manager) PublishJWTKey(ctx context.Context, jwtKey *common.PublicKey) ([]*common.PublicKey, error)
    + func (m *Manager) Run(ctx context.Context) error
+ type ManagerConfig struct
    + CA ManagedCA
    + CASubject pkix.Name
    + CATTL time.Duration
    + Catalog catalog.Catalog
    + Clock clock.Clock
    + Dir string
    + HealthChecker health.Checker
    + JWTKeyType keymanager.KeyType
    + Log logrus.FieldLogger
    + Metrics telemetry.Metrics
    + TrustDomain spiffeid.TrustDomain
    + X509CAKeyType keymanager.KeyType
+ type ServerCA interface
    + SignJWTSVID func(ctx context.Context, params JWTSVIDParams) (string, error)
    + SignX509CASVID func(ctx context.Context, params X509CASVIDParams) ([]*x509.Certificate, error)
    + SignX509SVID func(ctx context.Context, params X509SVIDParams) ([]*x509.Certificate, error)
+ type UpstreamClient struct
    + func NewUpstreamClient(config UpstreamClientConfig) *UpstreamClient
    + func (u *UpstreamClient) Close() error
    + func (u *UpstreamClient) MintX509CA(ctx context.Context, csr []byte, ttl time.Duration, ...) (_ []*x509.Certificate, err error)
    + func (u *UpstreamClient) PublishJWTKey(ctx context.Context, jwtKey *common.PublicKey) (_ []*common.PublicKey, err error)
    + func (u *UpstreamClient) WaitUntilMintX509CAStreamDone(ctx context.Context) error
    + func (u *UpstreamClient) WaitUntilPublishJWTKeyStreamDone(ctx context.Context) error
+ type UpstreamClientConfig struct
    + BundleUpdater BundleUpdater
    + UpstreamAuthority upstreamauthority.UpstreamAuthority
+ type ValidateX509CAFunc = func(x509CA, x509Roots []*x509.Certificate) error
+ type X509CA struct
    + Certificate *x509.Certificate
    + Signer crypto.Signer
    + UpstreamChain []*x509.Certificate
    + func SelfSignX509CA(ctx context.Context, signer crypto.Signer, trustDomain spiffeid.TrustDomain, ...) (*X509CA, []*x509.Certificate, error)
    + func UpstreamSignX509CA(ctx context.Context, signer crypto.Signer, trustDomain spiffeid.TrustDomain, ...) (*X509CA, error)
+ type X509CAEntry = journal.X509CAEntry
+ type X509CASVIDParams struct
    + PublicKey crypto.PublicKey
    + SpiffeID spiffeid.ID
    + TTL time.Duration
+ type X509CAValidator struct
    + Signer crypto.Signer
    + TrustDomain spiffeid.TrustDomain
    + func (v X509CAValidator) ValidateSelfSignedX509CA(x509CA *x509.Certificate) error
    + func (v X509CAValidator) ValidateUpstreamX509CA(x509CA, upstreamRoots []*x509.Certificate) error
+ type X509SVIDParams struct
    + DNSList []string
    + PublicKey crypto.PublicKey
    + SpiffeID spiffeid.ID
    + Subject pkix.Name
    + TTL time.Duration