Documentation
Index
- Constants
- Variables
- func WriteDefaultIdentity(certChain []api.Certificate, key crypto.PrivateKey) error
- func WriteIdentityCertificate(certChain []api.Certificate) error
- type Client
- type Identity
- func (i *Identity) GetCertPool() (*x509.CertPool, error)
- func (i *Identity) GetClientCertificateFunc() func(*tls.CertificateRequestInfo) (*tls.Certificate, error)
- func (i *Identity) Kind() Type
- func (i *Identity) Renew(client Renewer) error
- func (i *Identity) TLSCertificate() (tls.Certificate, error)
- func (i *Identity) Validate() error
- type Renewer
- type Type
Constants
const DefaultLeeway = 1 * time.Minute
DefaultLeeway is the leeway allowed when matching NotBefore claims.
Variables
var (
	// IdentityFile contains a pointer to a function that outputs the location of
	// the identity file.
	IdentityFile = step.IdentityFile
	// DefaultsFile contains a pointer to a function that outputs the location of the
	// defaults configuration file.
	DefaultsFile = step.DefaultsFile
)
Functions
func WriteDefaultIdentity
func WriteDefaultIdentity(certChain []api.Certificate, key crypto.PrivateKey) error
WriteDefaultIdentity writes the given certificates and key and the identity.json pointing to the new files.
func WriteIdentityCertificate
func WriteIdentityCertificate(certChain []api.Certificate) error
WriteIdentityCertificate writes the identity certificate to disk.
Types
type Client
Client wraps http.Client with a transport using the step root and identity.
func LoadClient
LoadClient configures an http.Client with the root in $STEPPATH/config/defaults.json and the identity defined in $STEPPATH/config/identity.json.
type Identity
type Identity struct {
	Type        string `json:"type"`
	Certificate string `json:"crt"`
	Key         string `json:"key"`
	// Host is the tunnel host for a TunnelTLS (tTLS) identity.
	Host string `json:"host,omitempty"`
	// Root is the CA bundle of root CAs used in TunnelTLS to trust the
	// certificate of the host.
	Root string `json:"root,omitempty"`
}
Identity represents the identity file that can be used to authenticate with the CA.
func LoadDefaultIdentity
LoadDefaultIdentity loads the default identity.
func LoadIdentity
LoadIdentity loads an identity present in the given filename.
func (*Identity) GetCertPool
func (i *Identity) GetCertPool() (*x509.CertPool, error)
GetCertPool returns an x509.CertPool if the identity defines a custom root.
func (*Identity) GetClientCertificateFunc
func (i *Identity) GetClientCertificateFunc() func(*tls.CertificateRequestInfo) (*tls.Certificate, error)
GetClientCertificateFunc returns a method that can be used as the GetClientCertificate property in a tls.Config.
func (*Identity) Renew
func (i *Identity) Renew(client Renewer) error
Renew renews the current identity certificate using a client that implements the Renewer interface.
func (*Identity) TLSCertificate
func (i *Identity) TLSCertificate() (tls.Certificate, error)
TLSCertificate returns a tls.Certificate for the identity.
type Renewer
type Renewer interface {
	GetRootCAs() *x509.CertPool
	Renew(tr http.RoundTripper) (*api.SignResponse, error)
}
Renewer is the interface that a renew client must implement.
type Type
type Type string
Type represents the different types of identity files.
const Disabled Type = ""
Disabled represents a disabled identity type.
const MutualTLS Type = "mTLS"
MutualTLS represents the identity using mTLS.
const TunnelTLS Type = "tTLS"
TunnelTLS represents an identity using a (m)TLS tunnel.
TunnelTLS can be optionally configured with client certificates and a root file with the CAs to trust. By default it will use the system truststore instead of the CA truststore.
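As an added example (not the package's own code), the following re-creates the identity.json layout and the Type constants documented above, with a Validate method that applies the per-type requirements this page implies: crt and key for mTLS; a host for tTLS, where crt/key are optional but only meaningful as a pair and root is optional. The validation rules, the ParseIdentity helper and any sample paths are assumptions made for this example, not taken from the package.

```go
package main
import "encoding/json"
import "fmt"

// Type and its constants mirror the identity kinds on this page (re-created for this example).
type Type string
const (
	Disabled  Type = ""     // no identity configured
	MutualTLS Type = "mTLS" // client certificate presented directly to the CA
	TunnelTLS Type = "tTLS" // (m)TLS tunnel; client certificate and root are optional
)

// Identity mirrors the identity.json layout documented above.
type Identity struct {
	Type        string `json:"type"`
	Certificate string `json:"crt"`
	Key         string `json:"key"`
	Host        string `json:"host,omitempty"` // tTLS tunnel host
	Root        string `json:"root,omitempty"` // tTLS root CA bundle
}

// Validate applies rules assumed here: mTLS needs crt and key; tTLS needs a host and
// takes crt/key only as a pair, root optional; any other type is rejected.
func (i *Identity) Validate() error {
	switch Type(i.Type) {
	case Disabled: // nothing to check
	case MutualTLS:
		if i.Certificate == "" || i.Key == "" {
			return fmt.Errorf("mTLS identity requires both crt and key")
		}
	case TunnelTLS:
		if i.Host == "" {
			return fmt.Errorf("tTLS identity requires a tunnel host")
		}
		if (i.Certificate == "") != (i.Key == "") {
			return fmt.Errorf("tTLS client certificate requires both crt and key")
		}
	default:
		return fmt.Errorf("unsupported identity type %q", i.Type)
	}
	return nil
}

// ParseIdentity decodes identity.json contents and returns the identity with any validation error.
func ParseIdentity(data []byte) (*Identity, error) {
	id := new(Identity)
	if err := json.Unmarshal(data, id); err != nil {
		return nil, err
	}
	return id, id.Validate()
}
```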