pki

package
v0.13.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 30, 2024 License: MIT Imports: 35 Imported by: 0

Documentation

Overview

Package pki implements a simple Public Key Infrastructure (PKI) manager that can issue and revoke X.509 certificates.

Index

Constants

View Source
const (
	// https://www.rfc-editor.org/rfc/rfc5280.html#section-5.3.1
	RevokeReasonUnspecified          = 0
	RevokeReasonKeyCompromise        = 1
	RevokeReasonCACompromise         = 2
	RevokeReasonAffiliationChanged   = 3
	RevokeReasonSuperseded           = 4
	RevokeReasonCessationOfOperation = 5
	RevokeReasonCertificateHold      = 6
	// value 7 is not used
	RevokeReasonRemoveFromCRL       = 8
	RevokeReasonPriviliegeWithDrawn = 9
	RevokeReasonAACompromise        = 10
)

Variables

This section is empty.

Functions

This section is empty.

Types

type Options

type Options struct {
	// Name is the names of the PKI manager.
	Name string
	// KeyType is one of ed25519, rsa-2048, rsa-4096, ecdsa-p256, etc.
	// Defaults to ecdsa-p256.
	KeyType string
	// Endpoint is the URL that serves the PKI web pages.
	Endpoint string
	// IssuingCertificateURL is a list of URLs that serve the CA certificate.
	IssuingCertificateURL []string
	// CRLDistributionPoints is a list of URLs that server this CA's
	// Certificate Revocation List.
	CRLDistributionPoints []string
	// OCSPServer is a list of URLs that serve the Online Certificate Status
	// Protocol (OCSP) for this CA.
	// https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol
	OCSPServer []string
	// Admins is the of users who are allowed to perform administrative
	// tasks.
	Admins []string
	// TPM is used for hardware-backed keys.
	TPM *tpm.TPM
	// Store is used to store the PKI manager's data.
	Store *storage.Storage
	// EventRecorder is used to record events.
	EventRecorder interface {
		Record(string)
	}
	Logger interface {
		Errorf(format string, args ...any)
	}
	// ClaimsFromCtx returns jwt claims for the current user.
	ClaimsFromCtx func(context.Context) jwt.MapClaims
}

Options are used to configure the PKI manager.

type PKIManager

type PKIManager struct {
	// contains filtered or unexported fields
}

PKIManager implements a simple Public Key Infrastructure (PKI) manager that can issue and revoke X.509 certificates.

func New

func New(opts Options) (*PKIManager, error)

New returns a new initialized PKI manager. The Certificate Authority's key and certificate are created the first time New is called for a given name.

func (*PKIManager) CACert

func (m *PKIManager) CACert() (*x509.Certificate, error)

CACert returns the CA's certificate.

func (*PKIManager) IsRevoked

func (m *PKIManager) IsRevoked(serialNumber *big.Int) bool

IsRevoked returns whether the certificate with this serial number of revoked.

func (*PKIManager) IssueCertificate

func (m *PKIManager) IssueCertificate(cr *x509.CertificateRequest) (cert []byte, retErr error)

IssueCertificate issues a new certificate.

func (*PKIManager) OCSPResponse

func (m *PKIManager) OCSPResponse(req *ocsp.Request) ([]byte, error)

OCSPResponse creates an OCSP Response from the given request.

func (*PKIManager) RevocationList

func (m *PKIManager) RevocationList() (cert, crl []byte, retErr error)

RevocationList returns the current revocation list.

func (*PKIManager) RevocationListPEM

func (m *PKIManager) RevocationListPEM() ([]byte, error)

RevocationListPEM returns the current revocation list, PEM encoded.

func (*PKIManager) RevokeCertificate

func (m *PKIManager) RevokeCertificate(serialNumber *big.Int, reasonCode int) (retErr error)

RevokeCertificate revokes the certificate with this serial number and set the reason code.

func (*PKIManager) ServeCACert

func (m *PKIManager) ServeCACert(w http.ResponseWriter, req *http.Request)

ServeCACert sends the CA's certificate.

func (*PKIManager) ServeCRL

func (m *PKIManager) ServeCRL(w http.ResponseWriter, req *http.Request)

ServeCRL sends the revocation list.

func (*PKIManager) ServeCertificateManagement

func (m *PKIManager) ServeCertificateManagement(w http.ResponseWriter, req *http.Request)

func (*PKIManager) ServeOCSP

func (m *PKIManager) ServeOCSP(w http.ResponseWriter, req *http.Request)

ServeOCSP implements the OCSP protocol for this CA. https://www.rfc-editor.org/rfc/rfc6960.html

func (*PKIManager) ValidateCertificateRequest

func (m *PKIManager) ValidateCertificateRequest(csr []byte) (*x509.CertificateRequest, error)

ValidateCertificateRequest parses and validates a certificate signing request.

Directories

Path Synopsis
clientwasm implements TLS key generation and PKCS12 packaging in a browser so that the private key is never copied over the network.
clientwasm implements TLS key generation and PKCS12 packaging in a browser so that the private key is never copied over the network.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL