Documentation ¶
Overview ¶
Package signer implements certificate signature functionality for CFSSL.
Index ¶
- Variables
- func ComputeSKI(template *x509.Certificate) ([]byte, error)
- func DefaultSigAlgo(priv crypto.Signer) x509.SignatureAlgorithm
- func FillTemplate(template *x509.Certificate, defaultProfile, profile *config.SigningProfile) error
- func ParseCertificateRequest(s Signer, csrBytes []byte) (template *x509.Certificate, err error)
- func Profile(s Signer, profile string) (*config.SigningProfile, error)
- func SplitHosts(hostList string) []string
- type Extension
- type SignRequest
- type Signer
- type Subject
Constants ¶
This section is empty.
Variables ¶
var ( // CTPoisonOID is the object ID of the critical poison extension for precertificates // https://tools.ietf.org/html/rfc6962#page-9 CTPoisonOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3} // SCTListOID is the object ID for the Signed Certificate Timestamp certificate extension // https://tools.ietf.org/html/rfc6962#page-14 SCTListOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2} )
var MaxPathLen = 2
MaxPathLen is the default path length for a new CA certificate.
Functions ¶
func ComputeSKI ¶
func ComputeSKI(template *x509.Certificate) ([]byte, error)
ComputeSKI derives an SKI from the certificate's public key in a standard manner. This is done by computing the SHA-1 digest of the SubjectPublicKeyInfo component of the certificate.
func DefaultSigAlgo ¶
func DefaultSigAlgo(priv crypto.Signer) x509.SignatureAlgorithm
DefaultSigAlgo returns an appropriate X.509 signature algorithm given the CA's private key.
func FillTemplate ¶
func FillTemplate(template *x509.Certificate, defaultProfile, profile *config.SigningProfile) error
FillTemplate is a utility function that tries to load as much of the certificate template as possible from the profiles and current template. It fills in the key uses, expiration, revocation URLs and SKI.
func ParseCertificateRequest ¶
func ParseCertificateRequest(s Signer, csrBytes []byte) (template *x509.Certificate, err error)
ParseCertificateRequest takes an incoming certificate request and builds a certificate template from it.
func Profile ¶
func Profile(s Signer, profile string) (*config.SigningProfile, error)
Profile gets the specific profile from the signer
func SplitHosts ¶
SplitHosts takes a comma-spearated list of hosts and returns a slice with the hosts split
Types ¶
type Extension ¶
type Extension struct { ID config.OID `json:"id"` Critical bool `json:"critical"` Value string `json:"value"` }
Extension represents a raw extension to be included in the certificate. The "value" field must be hex encoded.
type SignRequest ¶
type SignRequest struct { Hosts []string `json:"hosts"` Request string `json:"certificate_request"` Subject *Subject `json:"subject,omitempty"` Profile string `json:"profile"` Label string `json:"label"` Serial *big.Int `json:"serial,omitempty"` Extensions []Extension `json:"extensions,omitempty"` }
SignRequest stores a signature request, which contains the hostname, the CSR, optional subject information, and the signature profile.
Extensions provided in the signRequest are copied into the certificate, as long as they are in the ExtensionWhitelist for the signer's policy. Extensions requested in the CSR are ignored, except for those processed by ParseCertificateRequest (mainly subjectAltName).
type Signer ¶
type Signer interface { Info(info.Req) (*info.Resp, error) Policy() *config.Signing SetDB(*sql.DB) SetPolicy(*config.Signing) SigAlgo() x509.SignatureAlgorithm Sign(req SignRequest) (cert []byte, err error) }
A Signer contains a CA's certificate and private key for signing certificates, a Signing policy to refer to and a SignatureAlgorithm.
Directories ¶
Path | Synopsis |
---|---|
Package local implements certificate signature functionality for CFSSL.
|
Package local implements certificate signature functionality for CFSSL. |
Package pkcs11 implements support for PKCS #11 signers.
|
Package pkcs11 implements support for PKCS #11 signers. |
Package universal implements a signer that can do remote or local
|
Package universal implements a signer that can do remote or local |