Documentation ¶
Overview ¶
Package pki implements a simple Public Key Infrastructure (PKI) manager that can issue and revoke X.509 certificates.
Index ¶
- Constants
- type Options
- type PKIManager
- func (m *PKIManager) CACert() (*x509.Certificate, error)
- func (m *PKIManager) IsRevoked(serialNumber *big.Int) bool
- func (m *PKIManager) IssueCertificate(cr *x509.CertificateRequest) (cert []byte, retErr error)
- func (m *PKIManager) OCSPResponse(req *ocsp.Request) ([]byte, error)
- func (m *PKIManager) RevocationList() (cert, crl []byte, retErr error)
- func (m *PKIManager) RevocationListPEM() ([]byte, error)
- func (m *PKIManager) RevokeCertificate(serialNumber *big.Int, reasonCode int) (retErr error)
- func (m *PKIManager) ServeCACert(w http.ResponseWriter, req *http.Request)
- func (m *PKIManager) ServeCRL(w http.ResponseWriter, req *http.Request)
- func (m *PKIManager) ServeCertificateManagement(w http.ResponseWriter, req *http.Request)
- func (m *PKIManager) ServeOCSP(w http.ResponseWriter, req *http.Request)
- func (m *PKIManager) ValidateCertificateRequest(csr []byte) (*x509.CertificateRequest, error)
Constants ¶
const (
	// https://www.rfc-editor.org/rfc/rfc5280.html#section-5.3.1
	RevokeReasonUnspecified          = 0
	RevokeReasonKeyCompromise        = 1
	RevokeReasonCACompromise         = 2
	RevokeReasonAffiliationChanged   = 3
	RevokeReasonSuperseded           = 4
	RevokeReasonCessationOfOperation = 5
	RevokeReasonCertificateHold      = 6
	// value 7 is not used
	RevokeReasonRemoveFromCRL        = 8
	RevokeReasonPriviliegeWithDrawn  = 9
	RevokeReasonAACompromise         = 10
)
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Options ¶
type Options struct {
	// Name is the name of the PKI manager.
	Name string
	// KeyType is one of ed25519, rsa-2048, rsa-4096, ecdsa-p256, etc.
	// Defaults to ecdsa-p256.
	KeyType string
	// Endpoint is the URL that serves the PKI web pages.
	Endpoint string
	// IssuingCertificateURL is a list of URLs that serve the CA certificate.
	IssuingCertificateURL []string
	// CRLDistributionPoints is a list of URLs that serve this CA's
	// Certificate Revocation List.
	CRLDistributionPoints []string
	// OCSPServer is a list of URLs that serve the Online Certificate Status
	// Protocol (OCSP) for this CA.
	// https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol
	OCSPServer []string
	// Admins is the list of users who are allowed to perform administrative
	// tasks.
	Admins []string
	// TPM is used for hardware-backed keys.
	TPM *tpm.TPM
	// Store is used to store the PKI manager's data.
	Store *storage.Storage
	// EventRecorder is used to record events.
	EventRecorder interface {
		Record(string)
	}
	// Logger is used to log errors.
	Logger interface {
		Errorf(format string, args ...any)
	}
	// ClaimsFromCtx returns jwt claims for the current user.
	ClaimsFromCtx func(context.Context) jwt.MapClaims
}
Options are used to configure the PKI manager.
type PKIManager ¶
type PKIManager struct {
// contains filtered or unexported fields
}
PKIManager implements a simple Public Key Infrastructure (PKI) manager that can issue and revoke X.509 certificates.
func New ¶
func New(opts Options) (*PKIManager, error)
New returns a new initialized PKI manager. The Certificate Authority's key and certificate are created the first time New is called for a given name.
func (*PKIManager) CACert ¶
func (m *PKIManager) CACert() (*x509.Certificate, error)
CACert returns the CA's certificate.
func (*PKIManager) IsRevoked ¶
func (m *PKIManager) IsRevoked(serialNumber *big.Int) bool
IsRevoked returns whether the certificate with this serial number is revoked.
func (*PKIManager) IssueCertificate ¶
func (m *PKIManager) IssueCertificate(cr *x509.CertificateRequest) (cert []byte, retErr error)
IssueCertificate issues a new certificate.
func (*PKIManager) OCSPResponse ¶
func (m *PKIManager) OCSPResponse(req *ocsp.Request) ([]byte, error)
OCSPResponse creates an OCSP Response from the given request.
func (*PKIManager) RevocationList ¶
func (m *PKIManager) RevocationList() (cert, crl []byte, retErr error)
RevocationList returns the current revocation list.
func (*PKIManager) RevocationListPEM ¶
func (m *PKIManager) RevocationListPEM() ([]byte, error)
RevocationListPEM returns the current revocation list, PEM encoded.
func (*PKIManager) RevokeCertificate ¶
func (m *PKIManager) RevokeCertificate(serialNumber *big.Int, reasonCode int) (retErr error)
RevokeCertificate revokes the certificate with this serial number and sets the reason code.
func (*PKIManager) ServeCACert ¶
func (m *PKIManager) ServeCACert(w http.ResponseWriter, req *http.Request)
ServeCACert sends the CA's certificate.
func (*PKIManager) ServeCRL ¶
func (m *PKIManager) ServeCRL(w http.ResponseWriter, req *http.Request)
ServeCRL sends the revocation list.
func (*PKIManager) ServeCertificateManagement ¶
func (m *PKIManager) ServeCertificateManagement(w http.ResponseWriter, req *http.Request)
func (*PKIManager) ServeOCSP ¶
func (m *PKIManager) ServeOCSP(w http.ResponseWriter, req *http.Request)
ServeOCSP implements the OCSP protocol for this CA. https://www.rfc-editor.org/rfc/rfc6960.html
func (*PKIManager) ValidateCertificateRequest ¶
func (m *PKIManager) ValidateCertificateRequest(csr []byte) (*x509.CertificateRequest, error)
ValidateCertificateRequest parses and validates a certificate signing request.
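The doc comment says the request is "parsed and validated" but not what validation covers. The following added example is not the package's own code and does not call it: it shows, with only the Go standard library, the checks a CA-side validator should make on a DER-encoded CSR, fed by a constructed requester-side request. The names MakeCSR and ValidateCSR, the key policy (ECDSA or Ed25519, RSA of at least 2048 bits, matching the key types Options lists) and the subject rule are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// MakeCSR is the requester side (constructed input): the private key is generated here
// and only the signed request is handed to the CA.
func MakeCSR(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// ValidateCSR parses a DER request and applies the checks a CA should make before issuing:
// the self-signature proves the requester holds the private key, the key meets policy, and
// the request names something. Extensions requested in the CSR are deliberately ignored;
// the CA's own template decides extensions such as key usage, never the requester.
func ValidateCSR(der []byte) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, fmt.Errorf("parse csr: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("csr signature: %w", err)
	}
	switch k := csr.PublicKey.(type) {
	case *ecdsa.PublicKey, ed25519.PublicKey:
	case *rsa.PublicKey:
		if k.N.BitLen() < 2048 {
			return nil, errors.New("rsa key below 2048 bits")
		}
	default:
		return nil, fmt.Errorf("unsupported key type %T", k)
	}
	if csr.Subject.CommonName == "" && len(csr.DNSNames) == 0 {
		return nil, errors.New("csr names no subject")
	}
	return csr, nil
}
```

CheckSignature is the step that matters most: without it a CSR whose subject or public key was altered in transit, or one built around a key the requester never held, would still be issued.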
Directories ¶
Path | Synopsis
---|---
clientwasm | clientwasm implements TLS key generation and PKCS12 packaging in a browser so that the private key is never copied over the network.