pki

package

v0.9.0 Latest Latest Go to latest Published: Jun 21, 2024 License: MIT Imports: 35 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/c2FmZQ/tlsproxy

Links

Open Source Insights

Documentation ¶

Overview ¶

Package pki implements a simple Public Key Infrastructure (PKI) manager that can issue and revoke X.509 certificates.

Index ¶

Constants
type Options
type PKIManager
- func New(opts Options) (*PKIManager, error)

Constants ¶

View Source

const (
	// https://www.rfc-editor.org/rfc/rfc5280.html#section-5.3.1
	RevokeReasonUnspecified          = 0
	RevokeReasonKeyCompromise        = 1
	RevokeReasonCACompromise         = 2
	RevokeReasonAffiliationChanged   = 3
	RevokeReasonSuperseded           = 4
	RevokeReasonCessationOfOperation = 5
	RevokeReasonCertificateHold      = 6
	// value 7 is not used
	RevokeReasonRemoveFromCRL       = 8
	RevokeReasonPriviliegeWithDrawn = 9
	RevokeReasonAACompromise        = 10
)

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type Options ¶

type Options struct {
	// Name is the names of the PKI manager.
	Name string
	// KeyType is one of ed25519, rsa-2048, rsa-4096, ecdsa-p256, etc.
	// Defaults to ecdsa-p256.
	KeyType string
	// Endpoint is the URL that serves the PKI web pages.
	Endpoint string
	// IssuingCertificateURL is a list of URLs that serve the CA certificate.
	IssuingCertificateURL []string
	// CRLDistributionPoints is a list of URLs that server this CA's
	// Certificate Revocation List.
	CRLDistributionPoints []string
	// OCSPServer is a list of URLs that serve the Online Certificate Status
	// Protocol (OCSP) for this CA.
	// https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol
	OCSPServer []string
	// Admins is the of users who are allowed to perform administrative
	// tasks.
	Admins []string
	// TPM is used for hardware-backed keys.
	TPM *tpm.TPM
	// Store is used to store the PKI manager's data.
	Store *storage.Storage
	// EventRecorder is used to record events.
	EventRecorder interface {
		Record(string)
	}
	// ClaimsFromCtx returns jwt claims for the current user.
	ClaimsFromCtx func(context.Context) jwt.MapClaims
}

Options are used to configure the PKI manager.

type PKIManager ¶

type PKIManager struct {
	// contains filtered or unexported fields
}

PKIManager implements a simple Public Key Infrastructure (PKI) manager that can issue and revoke X.509 certificates.

func New ¶

func New(opts Options) (*PKIManager, error)

New returns a new initialized PKI manager. The Certificate Authority's key and certificate are created the first time New is called for a given name.

func (*PKIManager) CACert ¶

func (m *PKIManager) CACert() (*x509.Certificate, error)

CACert returns the CA's certificate.

func (*PKIManager) IsRevoked ¶

func (m *PKIManager) IsRevoked(serialNumber *big.Int) bool

IsRevoked returns whether the certificate with this serial number of revoked.

func (*PKIManager) IssueCertificate ¶

func (m *PKIManager) IssueCertificate(cr *x509.CertificateRequest) (cert []byte, retErr error)

IssueCertificate issues a new certificate.

func (*PKIManager) OCSPResponse ¶

func (m *PKIManager) OCSPResponse(req *ocsp.Request) ([]byte, error)

OCSPResponse creates an OCSP Response from the given request.

func (*PKIManager) RevocationList ¶

func (m *PKIManager) RevocationList() (cert, crl []byte, retErr error)

RevocationList returns the current revocation list.

func (*PKIManager) RevocationListPEM ¶

func (m *PKIManager) RevocationListPEM() ([]byte, error)

RevocationListPEM returns the current revocation list, PEM encoded.

func (*PKIManager) RevokeCertificate ¶

func (m *PKIManager) RevokeCertificate(serialNumber *big.Int, reasonCode int) (retErr error)

RevokeCertificate revokes the certificate with this serial number and set the reason code.

func (*PKIManager) ServeCACert ¶

func (m *PKIManager) ServeCACert(w http.ResponseWriter, req *http.Request)

ServeCACert sends the CA's certificate.

func (*PKIManager) ServeCRL ¶

func (m *PKIManager) ServeCRL(w http.ResponseWriter, req *http.Request)

ServeCRL sends the revocation list.

func (*PKIManager) ServeCertificateManagement ¶

func (m *PKIManager) ServeCertificateManagement(w http.ResponseWriter, req *http.Request)

func (*PKIManager) ServeOCSP ¶

func (m *PKIManager) ServeOCSP(w http.ResponseWriter, req *http.Request)

ServeOCSP implements the OCSP protocol for this CA. https://www.rfc-editor.org/rfc/rfc6960.html

func (*PKIManager) ValidateCertificateRequest ¶

func (m *PKIManager) ValidateCertificateRequest(csr []byte) (*x509.CertificateRequest, error)

ValidateCertificateRequest parses and validates a certificate signing request.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
clientwasm clientwasm implements TLS key generation and PKCS12 packaging in a browser so that the private key is never copied over the network.	clientwasm implements TLS key generation and PKCS12 packaging in a browser so that the private key is never copied over the network.
impl
keys

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL