authority

package v0.0.0-...-c397b60

Warning: This package is not in the latest version of its module.

Published: May 17, 2024 License: Apache-2.0 Imports: 65 Imported by: 0

Documentation

Constants

const (
	AdminLockOut policyErrorType = iota + 1
	StoreFailure
	ReloadFailure
	ConfigurationFailure
	EvaluationFailure
	InternalFailure
)

const (
	// SSHAddUserPrincipal is the principal that will run the add user command.
	// Defaults to "provisioner" but it can be changed in the configuration.
	SSHAddUserPrincipal = "provisioner"

	// SSHAddUserCommand is the default command to run to add a new user.
	// Defaults to "sudo useradd -m <principal>; nc -q0 localhost 22" but it can be changed in the
	// configuration. The string "<principal>" will be replaced by the new
	// principal to add.
	SSHAddUserCommand = "sudo useradd -m <principal>; nc -q0 localhost 22"
)
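The command template above is rendered by substituting "<principal>", and the rendered string is executed on the host, so code that renders the same template should accept only well-formed login names before substituting. The following is an added example and not code from the smallstep project: renderAddUserCommand, principalPattern and errInvalidPrincipal are names chosen here, and the username pattern is an assumption to be adapted to the platform's own rules.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// sshAddUserCommand repeats the default template from the page; "<principal>" is the
// substitution point.
const sshAddUserCommand = "sudo useradd -m <principal>; nc -q0 localhost 22"

// principalPattern is an assumed, deliberately conservative login-name shape (lowercase POSIX
// portable username, at most 32 characters). Adjust it to the target platform's rules.
var principalPattern = regexp.MustCompile(`^[a-z_][a-z0-9_-]{0,31}$`)

var errInvalidPrincipal = errors.New("principal is not a valid login name")

// renderAddUserCommand substitutes the principal into the template only after checking that it
// is a plain login name, because the rendered string is run as a command on the host.
func renderAddUserCommand(template, principal string) (string, error) {
	if !principalPattern.MatchString(principal) {
		return "", fmt.Errorf("%w: %q", errInvalidPrincipal, principal)
	}
	return strings.ReplaceAll(template, "<principal>", principal), nil
}

func main() {
	// Constructed inputs: two acceptable names, then names the pattern rejects.
	for _, p := range []string{"alice", "svc_backup-01", "Alice", "alice smith", ""} {
		cmd, err := renderAddUserCommand(sshAddUserCommand, p)
		fmt.Printf("%q -> cmd=%q err=%v\n", p, cmd, err)
	}
}
```

The check is an allowlist rather than a denylist: anything that is not a plain login name is refused, which is the property a host-side useradd wrapper needs regardless of how the template is later changed in the configuration.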

Variables

var DefaultTLSOptions = config.DefaultTLSOptions

DefaultTLSOptions is an alias to support older APIs.

var GlobalVersion = Version{
	Version: "0.0.0",
}

GlobalVersion stores the version information of the server.

var LoadConfiguration = config.LoadConfiguration

LoadConfiguration is an alias to support older APIs.

Functions

func CreateFirstProvisioner

func CreateFirstProvisioner(ctx context.Context, adminDB admin.DB, password string) (*linkedca.Provisioner, error)

CreateFirstProvisioner creates and stores the first provisioner when using admin database provisioner storage.

func IsValidForAddUser

func IsValidForAddUser(cert *ssh.Certificate) error

IsValidForAddUser checks whether an add-user provisioner certificate can be issued for the given user certificate.

func NewContext

func NewContext(ctx context.Context, a *Authority) context.Context

NewContext adds the given authority to the context.

func NewContextWithSkipTokenReuse

func NewContextWithSkipTokenReuse(ctx context.Context) context.Context

NewContextWithSkipTokenReuse creates a new context from ctx and attaches a value to skip the token reuse.

func NewTokenContext

func NewTokenContext(ctx context.Context, token string) context.Context

NewTokenContext adds the given token to the context.

func ProvisionerToCertificates

func ProvisionerToCertificates(p *linkedca.Provisioner) (provisioner.Interface, error)

ProvisionerToCertificates converts the linkedca provisioner type to the certificates provisioner interface.

func ProvisionerToLinkedca

func ProvisionerToLinkedca(p provisioner.Interface) (*linkedca.Provisioner, error)

ProvisionerToLinkedca converts a provisioner.Interface to a linkedca.Provisioner type.

func SkipTokenReuseFromContext

func SkipTokenReuseFromContext(ctx context.Context) bool

SkipTokenReuseFromContext reports whether the token reuse check should be skipped for the given context.

func TokenFromContext

func TokenFromContext(ctx context.Context) (token string, ok bool)

TokenFromContext returns the token from the given context.

func ValidateClaims

func ValidateClaims(c *linkedca.Claims) error

ValidateClaims validates the Claims type.

func ValidateDurations

func ValidateDurations(d *linkedca.Durations) error

ValidateDurations validates the Durations type.

Types

type ASN1DN

type ASN1DN = config.ASN1DN

ASN1DN is an alias to support older APIs.

type AuthConfig

type AuthConfig = config.AuthConfig

AuthConfig is an alias to support older APIs.

type Authority

type Authority struct {
	// contains filtered or unexported fields
}

Authority implements the Certificate Authority internal interface.

func FromContext

func FromContext(ctx context.Context) (a *Authority, ok bool)

FromContext returns the current authority from the given context.

func MustFromContext

func MustFromContext(ctx context.Context) *Authority

MustFromContext returns the current authority from the given context. It will panic if the authority is not in the context.

func New

func New(cfg *config.Config, opts ...Option) (*Authority, error)

New creates and initializes a new Authority.

func NewEmbedded

func NewEmbedded(opts ...Option) (*Authority, error)

NewEmbedded initializes an authority that can be embedded in a different project without the limitations of the config.

func (*Authority) AreSANsAllowed

func (a *Authority) AreSANsAllowed(_ context.Context, sans []string) error

AreSANsAllowed evaluates the provided sans against the authority X.509 policy.

func (*Authority) Authorize

func (a *Authority) Authorize(ctx context.Context, token string) ([]provisioner.SignOption, error)

Authorize grabs the method from the context and authorizes the request by validating the one-time-token.

func (*Authority) AuthorizeAdminToken

func (a *Authority) AuthorizeAdminToken(r *http.Request, token string) (*linkedca.Admin, error)

AuthorizeAdminToken authorizes an Admin token.

func (*Authority) AuthorizeRenewToken

func (a *Authority) AuthorizeRenewToken(_ context.Context, ott string) (*x509.Certificate, error)

AuthorizeRenewToken validates the renew token and returns the leaf certificate in the x5cInsecure header.

func (*Authority) AuthorizeSign deprecated

func (a *Authority) AuthorizeSign(token string) ([]provisioner.SignOption, error)

AuthorizeSign authorizes a signature request by validating and authenticating a token that must be sent with the request.

Deprecated: Use Authorize(context.Context, string) ([]provisioner.SignOption, error).

func (*Authority) CheckSSHHost

func (a *Authority) CheckSSHHost(ctx context.Context, principal, token string) (bool, error)

CheckSSHHost checks whether the given principal has been registered before.

func (*Authority) CloseForReload

func (a *Authority) CloseForReload()

CloseForReload closes internal services, to allow a safe reload.

func (*Authority) CreateAuthorityPolicy

func (a *Authority) CreateAuthorityPolicy(ctx context.Context, adm *linkedca.Admin, p *linkedca.Policy) (*linkedca.Policy, error)

func (*Authority) Export

func (a *Authority) Export() (c *linkedca.Configuration, err error)

Export creates a linkedca configuration from the current ca.json and loaded authorities.

Note that Export exports neither the PKI password nor the certificate issuer password.

func (*Authority) GenerateCertificateRevocationList

func (a *Authority) GenerateCertificateRevocationList() error

GenerateCertificateRevocationList generates a DER representation of a signed CRL and stores it in the database. It returns nil if CRL generation has been disabled in the config.

func (*Authority) GetAdminDatabase

func (a *Authority) GetAdminDatabase() admin.DB

GetAdminDatabase returns the admin database, if one exists.

func (*Authority) GetAdmins

func (a *Authority) GetAdmins(cursor string, limit int) ([]*linkedca.Admin, string, error)

GetAdmins returns a page of up to limit admins starting at the given cursor, together with the cursor for the next page.

func (*Authority) GetAuthorityPolicy

func (a *Authority) GetAuthorityPolicy(ctx context.Context) (*linkedca.Policy, error)

func (*Authority) GetCertificateRevocationList

func (a *Authority) GetCertificateRevocationList() (*CertificateRevocationListInfo, error)

GetCertificateRevocationList returns the currently generated CRL from the DB, or a not implemented error if the underlying AuthDB does not support CRLs.

func (*Authority) GetConfig

func (a *Authority) GetConfig() *config.Config

GetConfig returns the config.

func (*Authority) GetDatabase

func (a *Authority) GetDatabase() db.AuthDB

GetDatabase returns the authority database. If the configuration does not define a database, GetDatabase will return a db.SimpleDB instance.

func (*Authority) GetEncryptedKey

func (a *Authority) GetEncryptedKey(kid string) (string, error)

GetEncryptedKey returns the JWE key corresponding to the given kid argument.

func (*Authority) GetFederation

func (a *Authority) GetFederation() (federation []*x509.Certificate, err error)

GetFederation returns all the root certificates in the federation. This method implements the Authority interface.

func (*Authority) GetID

func (a *Authority) GetID() string

GetID returns the defined authority ID or a zero UUID.

func (*Authority) GetInfo

func (a *Authority) GetInfo() Info

GetInfo returns information about the authority.

func (*Authority) GetProvisioners

func (a *Authority) GetProvisioners(cursor string, limit int) (provisioner.List, string, error)

GetProvisioners returns a map listing each provisioner and the JWK Key Set with their public keys.

func (*Authority) GetRootCertificate

func (a *Authority) GetRootCertificate() *x509.Certificate

GetRootCertificate returns the server root certificate.

func (*Authority) GetRootCertificates

func (a *Authority) GetRootCertificates() []*x509.Certificate

GetRootCertificates returns the server root certificates.

The Authority interface also has a similar method, GetRoots. At the moment the two methods are almost identical, but GetRootCertificates is intended to be used internally by the CA HTTP server to load the roots set in the tls.Config, while GetRoots is used through the Authority interface and might gain extra checks in the future.

func (*Authority) GetRoots

func (a *Authority) GetRoots() ([]*x509.Certificate, error)

GetRoots returns all the root certificates for this CA. This method implements the Authority interface.

func (*Authority) GetSCEP

func (a *Authority) GetSCEP() *scep.Authority

GetSCEP returns the configured SCEP Authority.

func (*Authority) GetSSHBastion

func (a *Authority) GetSSHBastion(ctx context.Context, user, hostname string) (*config.Bastion, error)

GetSSHBastion returns the bastion configuration for the given user and hostname pair.

func (*Authority) GetSSHConfig

func (a *Authority) GetSSHConfig(_ context.Context, typ string, data map[string]string) ([]templates.Output, error)

GetSSHConfig returns rendered templates for clients (user) or servers (host).

func (*Authority) GetSSHFederation

func (a *Authority) GetSSHFederation(context.Context) (*config.SSHKeys, error)

GetSSHFederation returns the public keys for federated SSH signers.

func (*Authority) GetSSHHosts

func (a *Authority) GetSSHHosts(ctx context.Context, cert *x509.Certificate) ([]config.Host, error)

GetSSHHosts returns a list of valid host principals.

func (*Authority) GetSSHRoots

func (a *Authority) GetSSHRoots(context.Context) (*config.SSHKeys, error)

GetSSHRoots returns the SSH User and Host public keys.

func (*Authority) GetTLSCertificate

func (a *Authority) GetTLSCertificate() (*tls.Certificate, error)

GetTLSCertificate creates a new leaf certificate to be used by the CA HTTPS server.

func (*Authority) GetTLSOptions

func (a *Authority) GetTLSOptions() *config.TLSOptions

GetTLSOptions returns the tls options configured.

func (*Authority) IsAdminAPIEnabled

func (a *Authority) IsAdminAPIEnabled() bool

IsAdminAPIEnabled returns a boolean indicating whether the Admin API has been enabled.

func (*Authority) IsRevoked

func (a *Authority) IsRevoked(sn string) (bool, error)

IsRevoked returns whether or not a certificate has been revoked before.

func (*Authority) LoadAdminByID

func (a *Authority) LoadAdminByID(id string) (*linkedca.Admin, bool)

LoadAdminByID returns a *linkedca.Admin with the given ID.

func (*Authority) LoadAdminBySubProv

func (a *Authority) LoadAdminBySubProv(subject, prov string) (*linkedca.Admin, bool)

LoadAdminBySubProv returns a *linkedca.Admin with the given subject and provisioner.

func (*Authority) LoadProvisionerByCertificate

func (a *Authority) LoadProvisionerByCertificate(crt *x509.Certificate) (provisioner.Interface, error)

LoadProvisionerByCertificate returns an interface to the provisioner that provisioned the certificate.

func (*Authority) LoadProvisionerByID

func (a *Authority) LoadProvisionerByID(id string) (provisioner.Interface, error)

LoadProvisionerByID returns an interface to the provisioner with the given ID.

func (*Authority) LoadProvisionerByName

func (a *Authority) LoadProvisionerByName(name string) (provisioner.Interface, error)

LoadProvisionerByName returns an interface to the provisioner with the given Name.

func (*Authority) LoadProvisionerByToken

func (a *Authority) LoadProvisionerByToken(token *jose.JSONWebToken, claims *jose.Claims) (provisioner.Interface, error)

LoadProvisionerByToken returns an interface to the provisioner that provisioned the token.

func (*Authority) Rekey

func (a *Authority) Rekey(oldCert *x509.Certificate, pk crypto.PublicKey) ([]*x509.Certificate, error)

Rekey is used for rekeying and renewing based on the public key. If the public key is 'nil' then it's assumed that the cert should be renewed using the existing public key. If the public key is not 'nil' then it's assumed that the cert should be rekeyed.

For both Rekey and Renew all other attributes of the new certificate should match the old certificate. The exceptions are 'AuthorityKeyId' (which may have changed), 'SubjectKeyId' (different in case of rekey), and 'NotBefore/NotAfter' (the validity duration of the new certificate should be equal to the old one, but starting 'now').

func (*Authority) RekeySSH

func (a *Authority) RekeySSH(ctx context.Context, oldCert *ssh.Certificate, pub ssh.PublicKey, signOpts ...provisioner.SignOption) (*ssh.Certificate, error)

RekeySSH creates a signed SSH certificate using the old SSH certificate as a template.

func (*Authority) ReloadAdminResources

func (a *Authority) ReloadAdminResources(ctx context.Context) error

ReloadAdminResources reloads admins and provisioners from the DB.

func (*Authority) RemoveAdmin

func (a *Authority) RemoveAdmin(ctx context.Context, id string) error

RemoveAdmin removes a *linkedca.Admin from the authority.

func (*Authority) RemoveAuthorityPolicy

func (a *Authority) RemoveAuthorityPolicy(ctx context.Context) error

func (*Authority) RemoveProvisioner

func (a *Authority) RemoveProvisioner(ctx context.Context, id string) error

RemoveProvisioner removes a provisioner.Interface from the authority.

func (*Authority) Renew

func (a *Authority) Renew(oldCert *x509.Certificate) ([]*x509.Certificate, error)

Renew creates a new Certificate identical to the old certificate, except with a validity window that begins 'now'.

func (*Authority) RenewContext

func (a *Authority) RenewContext(ctx context.Context, oldCert *x509.Certificate, pk crypto.PublicKey) ([]*x509.Certificate, error)

RenewContext creates a new certificate identical to the old one, but it can optionally replace the public key with the given one. When running in RA mode, it can only renew a certificate using a renew token instead.

For both rekey and renew operations, all other attributes of the new certificate should match the old certificate. The exceptions are 'AuthorityKeyId' (which may have changed), 'SubjectKeyId' (different in case of rekey), and 'NotBefore/NotAfter' (the validity duration of the new certificate should be equal to the old one, but starting 'now').
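The rule stated for Rekey and RenewContext (same attributes, same validity duration starting now, SubjectKeyId kept on a renewal and changed on a rekey, AuthorityKeyId supplied by the issuer) can be exercised with Go's standard crypto/x509 package alone. The following is an added example and not code from the smallstep project: renewOrRekey, sign, subjectKeyID, Demo and the comparison helpers are names chosen here, the root CA and leaf are constructed in-process, and the SubjectKeyId derivation is simplified as the comment on subjectKeyID explains. It covers both cases the doc describes: a nil public key renews with the existing key, a non-nil one rekeys.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// subjectKeyID derives a stable key identifier from pub. Simplification: it hashes the whole DER
// SubjectPublicKeyInfo, while RFC 5280 4.2.1.2 method 1 hashes only the subjectPublicKey BIT STRING.
func subjectKeyID(pub crypto.PublicKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	sum := sha1.Sum(der)
	return sum[:], nil
}

// sign issues tpl under parent (parent == tpl for a self-signed root) and parses the result back.
func sign(tpl, parent *x509.Certificate, pub crypto.PublicKey, key crypto.Signer) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// renewOrRekey applies the rule from the Rekey/RenewContext docs: keep every attribute of old, keep the
// validity duration but start it at now, keep SubjectKeyId on a renewal (pk == nil) and re-derive it on
// a rekey, and let the issuer supply AuthorityKeyId.
func renewOrRekey(old *x509.Certificate, pk crypto.PublicKey, issuer *x509.Certificate, issuerKey crypto.Signer, now time.Time) (*x509.Certificate, error) {
	tpl := *old // shallow copy: Subject, SANs, KeyUsage, ExtKeyUsage carry over; extensions Go does not model do not
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tpl.SerialNumber = serial // the renewed certificate is a distinct certificate: fresh serial
	tpl.NotBefore = now
	tpl.NotAfter = now.Add(old.NotAfter.Sub(old.NotBefore))
	tpl.AuthorityKeyId = nil                                // CreateCertificate fills it from issuer.SubjectKeyId
	tpl.SignatureAlgorithm = x509.UnknownSignatureAlgorithm // chosen from the issuer key, not copied from old
	pub := old.PublicKey
	if pk != nil { // rekey: new key, new SubjectKeyId
		pub = pk
		if tpl.SubjectKeyId, err = subjectKeyID(pk); err != nil {
			return nil, err
		}
	}
	return sign(&tpl, issuer, pub, issuerKey)
}

// RenewalDemo holds the constructed certificates so callers can compare them.
type RenewalDemo struct{ CA, Old, Renewed, Rekeyed *x509.Certificate }

func validity(c *x509.Certificate) time.Duration   { return c.NotAfter.Sub(c.NotBefore) }
func sameSubjectKeyID(a, b *x509.Certificate) bool { return bytes.Equal(a.SubjectKeyId, b.SubjectKeyId) }
func samePublicKey(a, b *x509.Certificate) bool    { return bytes.Equal(a.RawSubjectPublicKeyInfo, b.RawSubjectPublicKeyInfo) }
func issuedBy(c, ca *x509.Certificate) bool {
	return bytes.Equal(c.AuthorityKeyId, ca.SubjectKeyId) && c.CheckSignatureFrom(ca) == nil
}

// must keeps the constructed setup short; a failure there is a programming error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Demo builds a constructed root CA and a 24h leaf, then renews and rekeys that leaf 12h later.
func Demo() *RenewalDemo {
	now := time.Now().UTC().Truncate(time.Second) // certificate times have one-second resolution
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour), IsCA: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, BasicConstraintsValid: true}
	ca := must(sign(caTpl, caTpl, &caKey.PublicKey, caKey)) // Go derives a CA's SubjectKeyId itself
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	old := must(sign(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "constructed.example"},
		DNSNames: []string{"constructed.example"}, SubjectKeyId: must(subjectKeyID(&leafKey.PublicKey)),
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(23 * time.Hour), BasicConstraintsValid: true, // 24h validity
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, &leafKey.PublicKey, caKey))
	later := now.Add(12 * time.Hour)
	renewed := must(renewOrRekey(old, nil, ca, caKey, later)) // renew: same key, same SubjectKeyId
	newKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rekeyed := must(renewOrRekey(old, &newKey.PublicKey, ca, caKey, later)) // rekey: new key, new SubjectKeyId
	return &RenewalDemo{CA: ca, Old: old, Renewed: renewed, Rekeyed: rekeyed}
}

func main() {
	d := Demo()
	fmt.Println("renew: same key", samePublicKey(d.Renewed, d.Old), "same SKI", sameSubjectKeyID(d.Renewed, d.Old), "validity", validity(d.Renewed), "chains", issuedBy(d.Renewed, d.CA))
	fmt.Println("rekey: same key", samePublicKey(d.Rekeyed, d.Old), "same SKI", sameSubjectKeyID(d.Rekeyed, d.Old), "validity", validity(d.Rekeyed), "chains", issuedBy(d.Rekeyed, d.CA))
}
```

Two details matter for revocation and chain building: the renewed certificate gets a fresh serial (it is a distinct certificate even though every other attribute matches), and AuthorityKeyId is left for the issuer to fill, so a renewal signed by a rotated intermediate still carries the right link.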

func (*Authority) RenewSSH

func (a *Authority) RenewSSH(ctx context.Context, oldCert *ssh.Certificate) (*ssh.Certificate, error)

RenewSSH creates a signed SSH certificate using the old SSH certificate as a template.

func (*Authority) Revoke

func (a *Authority) Revoke(ctx context.Context, revokeOpts *RevokeOptions) error

Revoke revokes a certificate.

NOTE: Only passive revocation is supported: a revoked certificate is prevented from being renewed.

TODO: Add OCSP and CRL support.

func (*Authority) Root

func (a *Authority) Root(sum string) (*x509.Certificate, error)

Root returns the certificate corresponding to the given SHA sum argument.

func (*Authority) Shutdown

func (a *Authority) Shutdown() error

Shutdown safely shuts down any clients, databases, etc. held by the Authority.

func (*Authority) Sign deprecated

Sign creates a signed certificate from a certificate signing request. It creates a new context.Context, and calls into SignWithContext.

Deprecated: Use authority.SignWithContext with an actual context.Context.

func (*Authority) SignSSH

SignSSH creates a signed SSH certificate with the given public key and options.

func (*Authority) SignSSHAddUser

func (a *Authority) SignSSHAddUser(ctx context.Context, key ssh.PublicKey, subject *ssh.Certificate) (*ssh.Certificate, error)

SignSSHAddUser signs a certificate that provisions a new user in a server.

func (*Authority) SignWithContext

func (a *Authority) SignWithContext(ctx context.Context, csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error)

SignWithContext creates a signed certificate from a certificate signing request, taking the provided context.Context.

func (*Authority) StoreAdmin

func (a *Authority) StoreAdmin(ctx context.Context, adm *linkedca.Admin, prov provisioner.Interface) error

StoreAdmin stores a *linkedca.Admin in the authority.

func (*Authority) StoreProvisioner

func (a *Authority) StoreProvisioner(ctx context.Context, prov *linkedca.Provisioner) error

StoreProvisioner stores a provisioner to the authority.

func (*Authority) UpdateAdmin

func (a *Authority) UpdateAdmin(ctx context.Context, id string, nu *linkedca.Admin) (*linkedca.Admin, error)

UpdateAdmin updates the *linkedca.Admin with the given ID in the authority.

func (*Authority) UpdateAuthorityPolicy

func (a *Authority) UpdateAuthorityPolicy(ctx context.Context, adm *linkedca.Admin, p *linkedca.Policy) (*linkedca.Policy, error)

func (*Authority) UpdateProvisioner

func (a *Authority) UpdateProvisioner(ctx context.Context, nu *linkedca.Provisioner) error

UpdateProvisioner updates the given *linkedca.Provisioner in the authority.

func (*Authority) UseToken

func (a *Authority) UseToken(token string, prov provisioner.Interface) error

UseToken stores the token to protect against reuse.

This method currently ignores any error returned by GetTokenID, but it should specifically ignore provisioner.ErrAllowTokenReuse.
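The behaviour described for UseToken, together with the skip flag carried by NewContextWithSkipTokenReuse and SkipTokenReuseFromContext, amounts to a replay guard keyed by token ID: a one-time token is recorded on first use and refused afterwards, unless the provisioner signals that its tokens may be reused or the caller opted out through the context. The following is an added example and not the project's code: replayGuard, tokenIDFunc, withSkipTokenReuse and skipTokenReuse are local stand-ins for the page's functions, errAllowTokenReuse stands in for provisioner.ErrAllowTokenReuse, and the token strings and clock are constructed.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Sentinel errors. errAllowTokenReuse is a constructed stand-in for provisioner.ErrAllowTokenReuse,
// which the page names but which lives in the provisioner package.
var (
	errAllowTokenReuse = errors.New("token reuse allowed by provisioner")
	errTokenReused     = errors.New("token has already been used")
)

type skipReuseKey struct{}

// withSkipTokenReuse and skipTokenReuse mirror the pattern of NewContextWithSkipTokenReuse and
// SkipTokenReuseFromContext; the names here are ours.
func withSkipTokenReuse(ctx context.Context) context.Context {
	return context.WithValue(ctx, skipReuseKey{}, true)
}

func skipTokenReuse(ctx context.Context) bool {
	v, _ := ctx.Value(skipReuseKey{}).(bool)
	return v
}

// tokenIDFunc stands in for the provisioner's GetTokenID: it returns the token's unique ID and
// expiry, or errAllowTokenReuse for provisioners whose tokens may legitimately be presented again.
type tokenIDFunc func(token string) (id string, expiresAt time.Time, err error)

// replayGuard remembers the IDs of used tokens until those tokens expire.
type replayGuard struct {
	mu   sync.Mutex
	used map[string]time.Time // token ID -> token expiry
	now  func() time.Time
}

func newReplayGuard(now func() time.Time) *replayGuard {
	return &replayGuard{used: map[string]time.Time{}, now: now}
}

// UseToken records the token as used, or returns errTokenReused if it was seen before. Only
// errAllowTokenReuse is swallowed; any other error from getID is returned to the caller, which is
// the behaviour the page's note on UseToken asks for.
func (g *replayGuard) UseToken(ctx context.Context, token string, getID tokenIDFunc) error {
	if skipTokenReuse(ctx) {
		return nil // the caller explicitly asked for the reuse check to be skipped
	}
	id, exp, err := getID(token)
	switch {
	case errors.Is(err, errAllowTokenReuse):
		return nil
	case err != nil:
		return err
	}
	g.mu.Lock()
	defer g.mu.Unlock()
	now := g.now()
	for k, e := range g.used { // forget expired tokens: claim validation rejects them anyway
		if !e.After(now) {
			delete(g.used, k)
		}
	}
	if _, seen := g.used[id]; seen {
		return errTokenReused
	}
	g.used[id] = exp
	return nil
}

// Demo runs a constructed sequence of token uses against one guard and returns each outcome.
func Demo() []error {
	clock := time.Date(2024, 5, 17, 12, 0, 0, 0, time.UTC) // constructed, controllable clock
	exp := clock.Add(5 * time.Minute)                      // expiry of the constructed one-time token
	g := newReplayGuard(func() time.Time { return clock })
	getID := func(token string) (string, time.Time, error) {
		switch token {
		case "constructed-reusable":
			return "", time.Time{}, errAllowTokenReuse
		case "constructed-malformed":
			return "", time.Time{}, errors.New("cannot parse token")
		}
		return token, exp, nil // in this constructed sample the token string doubles as its ID
	}
	ctx := context.Background()
	out := []error{
		g.UseToken(ctx, "constructed-ott-1", getID),                     // 0: first use: nil
		g.UseToken(ctx, "constructed-ott-1", getID),                     // 1: replay: errTokenReused
		g.UseToken(withSkipTokenReuse(ctx), "constructed-ott-1", getID), // 2: check skipped: nil
		g.UseToken(ctx, "constructed-reusable", getID),                  // 3: nil, not recorded
		g.UseToken(ctx, "constructed-reusable", getID),                  // 4: nil again
		g.UseToken(ctx, "constructed-malformed", getID),                 // 5: parse error passed through
	}
	clock = clock.Add(10 * time.Minute) // past exp: the entry is purged (the token itself is expired now)
	return append(out, g.UseToken(ctx, "constructed-ott-1", getID)) // 6: nil
}

func main() {
	for i, err := range Demo() {
		fmt.Printf("step %d: %v\n", i, err)
	}
}
```

Retaining an entry only until the token's own expiry keeps the store bounded by the number of live tokens, and it is safe because an expired token fails claim validation before it reaches the guard; a persistent deployment would back the map with the authority database so the check survives restarts and is shared across replicas.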

func (*Authority) Version

func (a *Authority) Version() Version

Version returns the version information of the server.

type Bastion

type Bastion = config.Bastion

Bastion is an alias to support older APIs.

type CertificateRevocationListInfo

type CertificateRevocationListInfo struct {
	Number    int64
	ExpiresAt time.Time
	Duration  time.Duration
	Data      []byte
}

CertificateRevocationListInfo contains a CRL in DER format and associated metadata.

type CipherSuites

type CipherSuites = config.CipherSuites

CipherSuites is an alias to support older APIs.

type Claims

type Claims struct {
	jose.Claims
	SANs  []string `json:"sans,omitempty"`
	Email string   `json:"email,omitempty"`
	Nonce string   `json:"nonce,omitempty"`
}

Claims extends jose.Claims with step attributes.

type Config

type Config = config.Config

Config is an alias to support older APIs.

type Host

type Host = config.Host

Host is an alias to support older APIs.

type HostTag

type HostTag = config.HostTag

HostTag is an alias to support older APIs.

type Info

type Info struct {
	StartTime          time.Time
	RootX509Certs      []*x509.Certificate
	SSHCAUserPublicKey []byte
	SSHCAHostPublicKey []byte
	DNSNames           []string
}

Info contains information about the authority.

type Meter

type Meter interface {
	// X509Signed is called whenever an X509 certificate is signed.
	X509Signed(provisioner.Interface, error)

	// X509Renewed is called whenever an X509 certificate is renewed.
	X509Renewed(provisioner.Interface, error)

	// X509Rekeyed is called whenever an X509 certificate is rekeyed.
	X509Rekeyed(provisioner.Interface, error)

	// X509WebhookAuthorized is called whenever an X509 authorizing webhook is called.
	X509WebhookAuthorized(provisioner.Interface, error)

	// X509WebhookEnriched is called whenever an X509 enriching webhook is called.
	X509WebhookEnriched(provisioner.Interface, error)

	// SSHSigned is called whenever an SSH certificate is signed.
	SSHSigned(provisioner.Interface, error)

	// SSHRenewed is called whenever an SSH certificate is renewed.
	SSHRenewed(provisioner.Interface, error)

	// SSHRekeyed is called whenever an SSH certificate is rekeyed.
	SSHRekeyed(provisioner.Interface, error)

	// SSHWebhookAuthorized is called whenever an SSH authorizing webhook is called.
	SSHWebhookAuthorized(provisioner.Interface, error)

	// SSHWebhookEnriched is called whenever an SSH enriching webhook is called.
	SSHWebhookEnriched(provisioner.Interface, error)

	// KMSSigned is called per KMS signer signature.
	KMSSigned(error)
}

Meter wraps the set of defined callbacks for metrics gatherers.

type Option

type Option func(*Authority) error

Option configures an Authority.

func WithAdminDB

func WithAdminDB(d admin.DB) Option

WithAdminDB is an option to set the database backing the admin APIs.

func WithAuthorizeRenewFunc

func WithAuthorizeRenewFunc(fn func(ctx context.Context, p *provisioner.Controller, cert *x509.Certificate) error) Option

WithAuthorizeRenewFunc sets a custom function that authorizes the renewal of an X.509 certificate.

func WithAuthorizeSSHRenewFunc

func WithAuthorizeSSHRenewFunc(fn func(ctx context.Context, p *provisioner.Controller, cert *ssh.Certificate) error) Option

WithAuthorizeSSHRenewFunc sets a custom function that authorizes the renewal of an SSH certificate.

func WithConfig

func WithConfig(cfg *config.Config) Option

WithConfig replaces the current config with the given one. No validation is performed on the given value.

func WithConfigFile

func WithConfigFile(filename string) Option

WithConfigFile reads the given filename as a configuration file and replaces the current one. No validation is performed on the given configuration.

func WithDatabase

func WithDatabase(d db.AuthDB) Option

WithDatabase sets an already initialized authority database on a new authority. This option is intended to be used on graceful reloads.

func WithFullSCEPOptions

func WithFullSCEPOptions(options *scep.Options) Option

WithFullSCEPOptions defines the options used for SCEP support.

This feature is EXPERIMENTAL and might change at any time.

func WithGetIdentityFunc

func WithGetIdentityFunc(fn func(ctx context.Context, p provisioner.Interface, email string) (*provisioner.Identity, error)) Option

WithGetIdentityFunc sets a custom function to retrieve the identity from an external resource.

func WithIssuerPassword

func WithIssuerPassword(password []byte) Option

WithIssuerPassword sets the password to decrypt the certificate issuer private key used in RA mode.

func WithKeyManager

func WithKeyManager(k kms.KeyManager) Option

WithKeyManager defines the key manager used to get and create keys, and sign certificates.

func WithLinkedCAToken

func WithLinkedCAToken(token string) Option

WithLinkedCAToken is an option to set the authentication token used to enable linked ca.

func WithMeter

func WithMeter(m Meter) Option

WithMeter is an option that sets the authority's Meter to the provided one.

func WithPassword

func WithPassword(password []byte) Option

WithPassword sets the password to decrypt the intermediate key as well as the SSH host and user keys if they are not overridden by other options.

func WithProvisioners deprecated

func WithProvisioners(ps *provisioner.Collection) Option

WithProvisioners is an option to set the provisioner collection.

Deprecated: provisioner collections will likely change.

func WithQuietInit

func WithQuietInit() Option

WithQuietInit disables log output when the authority is initialized.

func WithSCEPKeyManager

func WithSCEPKeyManager(skm provisioner.SCEPKeyManager) Option

WithSCEPKeyManager defines the key manager used on SCEP provisioners.

This feature is EXPERIMENTAL and might change at any time.

func WithSSHBastionFunc

func WithSSHBastionFunc(fn func(ctx context.Context, user, host string) (*config.Bastion, error)) Option

WithSSHBastionFunc sets a custom function to get the bastion for a given user-host pair.

func WithSSHCheckHost

func WithSSHCheckHost(fn func(ctx context.Context, principal string, tok string, roots []*x509.Certificate) (bool, error)) Option

WithSSHCheckHost sets a custom function to check whether a given host is step ssh enabled. The token is used to validate the request, while the roots are used to validate the token.

func WithSSHGetHosts

func WithSSHGetHosts(fn func(ctx context.Context, cert *x509.Certificate) ([]config.Host, error)) Option

WithSSHGetHosts sets a custom function to return a list of step ssh enabled hosts.

func WithSSHHostPassword

func WithSSHHostPassword(password []byte) Option

WithSSHHostPassword sets the password to decrypt the key used to sign SSH host certificates.

func WithSSHHostSigner

func WithSSHHostSigner(s crypto.Signer) Option

WithSSHHostSigner defines the signer used to sign SSH host certificates.

func WithSSHUserPassword

func WithSSHUserPassword(password []byte) Option

WithSSHUserPassword sets the password to decrypt the key used to sign SSH user certificates.

func WithSSHUserSigner

func WithSSHUserSigner(s crypto.Signer) Option

WithSSHUserSigner defines the signer used to sign SSH user certificates.

func WithSkipInit

func WithSkipInit() Option

WithSkipInit is an option that allows the constructor to skip initialization of the authority.

func WithWebhookClient

func WithWebhookClient(c *http.Client) Option

WithWebhookClient sets the http.Client to be used for outbound requests.

func WithX509CAService

func WithX509CAService(svc casapi.CertificateAuthorityService) Option

WithX509CAService allows the consumer to provide an externally implemented apiv1.CertificateAuthorityService.

func WithX509Enforcers

func WithX509Enforcers(ces ...provisioner.CertificateEnforcer) Option

WithX509Enforcers is an option that allows defining custom certificate modifiers that will be processed just before the signing of the certificate.

func WithX509FederatedBundle

func WithX509FederatedBundle(pemCerts []byte) Option

WithX509FederatedBundle is an option that allows defining the list of federated certificates. This option will replace any federated certificate defined before.

func WithX509FederatedCerts

func WithX509FederatedCerts(certs ...*x509.Certificate) Option

WithX509FederatedCerts is an option that allows defining the list of federated certificates. This option will replace any federated certificate defined before.

func WithX509IntermediateCerts

func WithX509IntermediateCerts(intermediateCerts ...*x509.Certificate) Option

WithX509IntermediateCerts is an option that allows defining the list of intermediate certificates that the CA will be using. This option will replace any intermediate certificate defined before.

Note that these certificates will not be bundled with the certificates signed by the CA, because the CAS service will take care of that. They should match, but that's not guaranteed. These certificates will be mainly used for name constraint validation before a certificate is issued.

This option should only be used on specific configurations, for example when WithX509SignerFunc is used, as we don't know the list of intermediates in advance.

func WithX509RootBundle

func WithX509RootBundle(pemCerts []byte) Option

WithX509RootBundle is an option that allows defining the list of root certificates. This option will replace any root certificate defined before.

func WithX509RootCerts

func WithX509RootCerts(rootCerts ...*x509.Certificate) Option

WithX509RootCerts is an option that allows defining the list of root certificates to use. This option will replace any root certificate defined before.

func WithX509Signer

func WithX509Signer(crt *x509.Certificate, s crypto.Signer) Option

WithX509Signer defines the signer used to sign X509 certificates.

func WithX509SignerChain

func WithX509SignerChain(issuerChain []*x509.Certificate, s crypto.Signer) Option

WithX509SignerChain defines the signer used to sign X509 certificates. This option is similar to WithX509Signer but it supports a chain of intermediates.

func WithX509SignerFunc

func WithX509SignerFunc(fn func() ([]*x509.Certificate, crypto.Signer, error)) Option

WithX509SignerFunc defines the function used to get the chain of certificates and signer used when we sign X.509 certificates.

type PolicyError

type PolicyError struct {
	Typ policyErrorType
	Err error
}

func (*PolicyError) Error

func (p *PolicyError) Error() string

type RevokeOptions

type RevokeOptions struct {
	Serial      string
	Reason      string
	ReasonCode  int
	PassiveOnly bool
	MTLS        bool
	ACME        bool
	Crt         *x509.Certificate
	OTT         string
}

RevokeOptions are the options for the Revoke API.

type SSHConfig

type SSHConfig = config.SSHConfig

SSHConfig is an alias to support older APIs.

type SSHKeys

type SSHKeys = config.SSHKeys

SSHKeys is an alias to support older APIs.

type SSHPublicKey

type SSHPublicKey = config.SSHPublicKey

SSHPublicKey is an alias to support older APIs.

type TLSOptions

type TLSOptions = config.TLSOptions

TLSOptions is an alias to support older APIs.

type Version

type Version struct {
	Version                     string
	RequireClientAuthentication bool
}

Version defines the

Directories

Path Synopsis
api
internal
