credtemplate

Published: May 18, 2023 License: Apache-2.0 Imports: 17 Imported by: 0


Constants

const (
	// DefaultX509CATTL is the lifetime given to X509 CAs when the server
	// config does not override it.
	DefaultX509CATTL = 24 * time.Hour

	// DefaultX509SVIDTTL is the lifetime given to X509 SVIDs when the server
	// config does not override it.
	DefaultX509SVIDTTL = time.Hour

	// DefaultJWTSVIDTTL is the lifetime given to JWT SVIDs when the signing
	// request does not carry its own TTL.
	DefaultJWTSVIDTTL = 5 * time.Minute

	// NotBeforeCushion is subtracted from the current time when computing a
	// certificate's notBefore, so that a verifier whose clock lags slightly
	// does not reject a freshly issued certificate. Because it also widens
	// the window in which the certificate is accepted ahead of its real
	// issuance, it is kept small.
	NotBeforeCushion = 10 * time.Second
)

Variables

This section is empty.

Functions

func DefaultX509CASubject

func DefaultX509CASubject() pkix.Name

DefaultX509CASubject is the default subject set on workload X509SVIDs. TODO: This is a historic, but poor, default; we should revisit it (see issue #3841).

func DefaultX509SVIDSubject

func DefaultX509SVIDSubject() pkix.Name

DefaultX509SVIDSubject is the default subject set on workload X509SVIDs. TODO: This is a historic, but poor, default; we should revisit it (see issue #3841).

Types

type AgentX509SVIDParams

// AgentX509SVIDParams are the inputs to Builder.BuildAgentX509SVIDTemplate.
type AgentX509SVIDParams struct {
	// ParentChain is the chain of the CA that will sign the SVID; how the
	// template uses it (issuer fields, chain embedding) is not visible here.
	ParentChain []*x509.Certificate
	// PublicKey is the agent key the template binds. Only the public half is
	// needed to build a template; no private key type appears in this API.
	PublicKey   crypto.PublicKey
	// SPIFFEID is the identity the SVID asserts; presumably checked against
	// Config.TrustDomain by the builder — confirm in BuildAgentX509SVIDTemplate.
	SPIFFEID    spiffeid.ID
}

type Builder

// Builder shapes certificate templates, CSRs and JWT-SVID claim sets from a
// Config, and exposes Validate* checks for the credentials it produces. Its
// fields are unexported; obtain one through NewBuilder.
type Builder struct {
	// contains filtered or unexported fields
}

func NewBuilder

func NewBuilder(config Config) (*Builder, error)

func (*Builder) BuildAgentX509SVIDTemplate

func (b *Builder) BuildAgentX509SVIDTemplate(ctx context.Context, params AgentX509SVIDParams) (*x509.Certificate, error)

func (*Builder) BuildDownstreamX509CATemplate

func (b *Builder) BuildDownstreamX509CATemplate(ctx context.Context, params DownstreamX509CAParams) (*x509.Certificate, error)

func (*Builder) BuildSelfSignedX509CATemplate

func (b *Builder) BuildSelfSignedX509CATemplate(ctx context.Context, params SelfSignedX509CAParams) (*x509.Certificate, error)

func (*Builder) BuildServerX509SVIDTemplate

func (b *Builder) BuildServerX509SVIDTemplate(ctx context.Context, params ServerX509SVIDParams) (*x509.Certificate, error)

func (*Builder) BuildUpstreamSignedX509CACSR

func (b *Builder) BuildUpstreamSignedX509CACSR(ctx context.Context, params UpstreamSignedX509CAParams) (*x509.CertificateRequest, error)

func (*Builder) BuildWorkloadJWTSVIDClaims

func (b *Builder) BuildWorkloadJWTSVIDClaims(ctx context.Context, params WorkloadJWTSVIDParams) (map[string]interface{}, error)

func (*Builder) BuildWorkloadX509SVIDTemplate

func (b *Builder) BuildWorkloadX509SVIDTemplate(ctx context.Context, params WorkloadX509SVIDParams) (*x509.Certificate, error)

func (*Builder) Config

func (b *Builder) Config() Config

func (*Builder) ValidateWorkloadJWTSVID

func (b *Builder) ValidateWorkloadJWTSVID(rawToken string, id spiffeid.ID) error

func (*Builder) ValidateX509CA

func (b *Builder) ValidateX509CA(ca *x509.Certificate) error

func (*Builder) ValidateX509SVID

func (b *Builder) ValidateX509SVID(svid *x509.Certificate, id spiffeid.ID) error

type Config

// Config holds the settings a Builder is constructed from via NewBuilder.
// Which fields may be left zero, and what they fall back to, is decided in
// NewBuilder and is not visible here.
type Config struct {
	// TrustDomain is the SPIFFE trust domain credentials are issued for;
	// presumably the SPIFFEID params are checked against it — confirm.
	TrustDomain         spiffeid.TrustDomain
	// Clock is the time source. Injecting one lets tests pin "now"; it is
	// presumably what notBefore/notAfter and JWT time claims derive from.
	Clock               clock.Clock
	// X509CASubject is the subject placed on X509 CA templates. The package
	// exports DefaultX509CASubject, but whether an empty value falls back to
	// it is not visible here — confirm in NewBuilder.
	X509CASubject       pkix.Name
	// X509CATTL presumably overrides DefaultX509CATTL for X509 CAs (that
	// constant's comment says it applies "if not overridden by the server
	// config") — confirm.
	X509CATTL           time.Duration
	// X509SVIDSubject is the subject placed on X509 SVID templates; see
	// DefaultX509SVIDSubject and the same fallback caveat as X509CASubject.
	X509SVIDSubject     pkix.Name
	// X509SVIDTTL presumably overrides DefaultX509SVIDTTL — confirm.
	X509SVIDTTL         time.Duration
	// JWTSVIDTTL presumably overrides DefaultJWTSVIDTTL — confirm.
	JWTSVIDTTL          time.Duration
	// JWTIssuer is presumably emitted as the JWT "iss" claim — confirm in
	// BuildWorkloadJWTSVIDClaims.
	JWTIssuer           string
	// AgentSVIDTTL is the TTL for agent X509 SVIDs. No package-level default
	// is listed for it, so check how NewBuilder treats a zero value.
	AgentSVIDTTL        time.Duration
	// CredentialComposers are hooks applied to the credentials the builder
	// shapes; their order and contract come from the credentialcomposer
	// package, not from here.
	CredentialComposers []credentialcomposer.CredentialComposer
	// NewSerialNumber supplies the serial for each certificate template.
	// Serials must be unique per issuer (RFC 5280) and should come from a
	// cryptographically secure source so they cannot be guessed.
	NewSerialNumber     func() (*big.Int, error)
}

type DownstreamX509CAParams

// DownstreamX509CAParams are the inputs to Builder.BuildDownstreamX509CATemplate.
type DownstreamX509CAParams struct {
	// ParentChain is the chain of the CA that will sign the downstream CA.
	ParentChain []*x509.Certificate
	// PublicKey is the downstream CA key the template binds.
	PublicKey   crypto.PublicKey
	// TTL is the requested lifetime. Whether it is capped (e.g. to the
	// parent's notAfter or to Config.X509CATTL) is decided in the builder
	// and not visible here — confirm.
	TTL         time.Duration
}

type SelfSignedX509CAParams

// SelfSignedX509CAParams are the inputs to Builder.BuildSelfSignedX509CATemplate.
type SelfSignedX509CAParams struct {
	// PublicKey is the root CA key the self-signed template binds; there is
	// no parent chain because the certificate is its own issuer.
	PublicKey crypto.PublicKey
}

type ServerX509SVIDParams

// ServerX509SVIDParams are the inputs to Builder.BuildServerX509SVIDTemplate.
type ServerX509SVIDParams struct {
	// ParentChain is the chain of the CA that will sign the server SVID.
	ParentChain []*x509.Certificate
	// PublicKey is the server key the template binds. No SPIFFE ID is
	// passed here, so the server's identity is presumably derived from
	// Config.TrustDomain — confirm.
	PublicKey   crypto.PublicKey
}

type UpstreamSignedX509CAParams

// UpstreamSignedX509CAParams are the inputs to Builder.BuildUpstreamSignedX509CACSR,
// which produces an *x509.CertificateRequest for an upstream authority to sign.
type UpstreamSignedX509CAParams struct {
	// PublicKey is the CA key the CSR is built for; the CSR itself is signed
	// by the caller, since this package never sees a private key.
	PublicKey crypto.PublicKey
}

type WorkloadJWTSVIDParams

// WorkloadJWTSVIDParams are the inputs to Builder.BuildWorkloadJWTSVIDClaims.
type WorkloadJWTSVIDParams struct {
	// SPIFFEID is the identity the token asserts (presumably the "sub" claim).
	SPIFFEID      spiffeid.ID
	// Audience is the intended recipients (presumably the "aud" claim). The
	// SPIFFE JWT-SVID profile requires a non-empty audience so a token cannot
	// be replayed to an unrelated service; whether this package enforces
	// that is not visible here — confirm in BuildWorkloadJWTSVIDClaims.
	Audience      []string
	// TTL is the requested lifetime; DefaultJWTSVIDTTL's comment says it is
	// used when the request supplies no TTL.
	TTL           time.Duration
	// ExpirationCap is presumably an absolute upper bound on the resulting
	// expiration regardless of TTL — confirm.
	ExpirationCap time.Time
}

type WorkloadX509SVIDParams

// WorkloadX509SVIDParams are the inputs to Builder.BuildWorkloadX509SVIDTemplate.
type WorkloadX509SVIDParams struct {
	// ParentChain is the chain of the CA that will sign the workload SVID.
	ParentChain []*x509.Certificate
	// PublicKey is the workload key the template binds.
	PublicKey   crypto.PublicKey
	// SPIFFEID is the identity the SVID asserts; presumably checked against
	// Config.TrustDomain — confirm.
	SPIFFEID    spiffeid.ID
	// DNSNames are caller-supplied names for the certificate's SAN. Whether
	// the caller is entitled to them is a decision this package cannot make,
	// so authorization of these names has to happen upstream of the builder.
	DNSNames    []string
	// TTL is the requested lifetime; presumably overrides Config.X509SVIDTTL
	// when non-zero — confirm.
	TTL         time.Duration
	// Subject is a per-request subject; presumably overrides
	// Config.X509SVIDSubject when non-empty — confirm.
	Subject     pkix.Name
}
