Documentation ¶
Overview ¶
Package certauthority generates and manages x509 certificates for use in cross-service authentication.
Index ¶
- Variables
- func BytesToCert(bytes []byte) (*x509.Certificate, error)
- func CertForLog(cert *x509.Certificate) string
- func PEMToCert(cert string) (*x509.Certificate, error)
- type CertAuthority
- func (a *CertAuthority) CertDataForService(request CertRequest) (*ServiceCertData, error)
- func (a *CertAuthority) InitAuthority() error
- func (a *CertAuthority) IsInitialized() (bool, error)
- func (a *CertAuthority) IsSignedBy(cert *x509.Certificate) bool
- func (a *CertAuthority) RegenerateRoot() error
- func (a *CertAuthority) RootCert() string
- func (a *CertAuthority) ValidateCA() error
- func (a *CertAuthority) ValidateCertificateForRequest(cert *x509.Certificate, certRequest CertRequest) error
- type CertBackend
- type CertExpired
- type CertNotYetValid
- type CertRequest
- type CertstrapBackend
- func (b *CertstrapBackend) CertForService(request CertRequest) (*ServiceCertData, error)
- func (b *CertstrapBackend) Init() (string, error)
- func (b *CertstrapBackend) IsInitialized() (bool, error)
- func (b *CertstrapBackend) ReInit() (string, error)
- func (b *CertstrapBackend) SetCmdExecutor(e command.Executor)
- func (b *CertstrapBackend) SetFileStore(f FileStore)
- type CommonNameMismatchError
- type DiskStore
- type FileStore
- type SANHostnameMismatch
- type SANIPAddrMismatchError
- type ServiceCertData
Constants ¶
This section is empty.
Variables ¶
var ErrNotSignedByCA = errors.New("Certificate is not signed by Certificate Authority")
ErrNotSignedByCA is returned by validation functions when the certificate being validated is not signed by the CA doing the validation.
Functions ¶
func BytesToCert ¶
func BytesToCert(bytes []byte) (*x509.Certificate, error)
BytesToCert takes an array of bytes and tries to parse it as an x509 Certificate.
func CertForLog ¶
func CertForLog(cert *x509.Certificate) string
Types ¶
type CertAuthority ¶
type CertAuthority struct {
// contains filtered or unexported fields
}
A CertAuthority represents a CA certificate and key that can be used to generate per-service certificates. The certBackend is responsible for certificate generation and maintaining the CA across restarts. This type is responsible for maintaining a copy of our root cert for easy access and enforcing our naming conventions for services' common names.
func NewCertAuthority ¶
func NewCertAuthority(backend CertBackend, id string) *CertAuthority
NewCertAuthority creates a new CertAuthority with a name generated from id, storing certificate data in `directory`.
`id` should be unique enough to facilitate identifying certificates from the same deployment.
func NewCertstrapCertAuthority ¶
func NewCertstrapCertAuthority(dataDir string, id string) *CertAuthority
NewCertstrapCertAuthority is a convenience constructor for the common, non-test use case.
func (*CertAuthority) CertDataForService ¶
func (a *CertAuthority) CertDataForService(request CertRequest) (*ServiceCertData, error)
CertDataForService returns certificate data for the named service. The certificate is signed by our certificate authority and is appropriate for authenticating gRPC traffic between Chef Automate services.
func (*CertAuthority) InitAuthority ¶
func (a *CertAuthority) InitAuthority() error
InitAuthority generates the CA certificate for the given CertAuthority.
func (*CertAuthority) IsInitialized ¶
func (a *CertAuthority) IsInitialized() (bool, error)
IsInitialized returns true if InitAuthority() has been called in the past. Delegates to backend.
func (*CertAuthority) IsSignedBy ¶
func (a *CertAuthority) IsSignedBy(cert *x509.Certificate) bool
IsSignedBy returns true if the given x509 certificate was signed by the given CertAuthorities root certificate. For convenience we take a string since we tend to pass pem-encoded string versions of the certs around.
func (*CertAuthority) RegenerateRoot ¶
func (a *CertAuthority) RegenerateRoot() error
RegenerateRoot regenerates the root certificate for this certificate authority. As a result, all certificates issues by the previous root certificate will be invalid.
func (*CertAuthority) RootCert ¶
func (a *CertAuthority) RootCert() string
RootCert returns the root certificate for use
func (*CertAuthority) ValidateCA ¶
func (a *CertAuthority) ValidateCA() error
ValidateCA checks the CA certificate for the certificate authority against local validity rules.
func (*CertAuthority) ValidateCertificateForRequest ¶
func (a *CertAuthority) ValidateCertificateForRequest(cert *x509.Certificate, certRequest CertRequest) error
ValidateCertificateForRequest checks the existing certificate for common problems and whether or not it matches the passed CertRequest. If a non-nil error is returned if the certificate is not valid.
type CertBackend ¶
type CertBackend interface { // Generates the new CA, returning the root CA cert. This // should be safe-to-recall across reboots of the service. Init() (string, error) // Returns true if Init() has been called in the past and // CertForService is expected to succeed. This should work // across reboots of the process. IsInitialized() (bool, error) // Generate a cert for a given service, signed by the CA CertForService(CertRequest) (*ServiceCertData, error) // ReInit re-initializes the certificate authority ReInit() (string, error) }
A CertBackend is used by CertAuthority to generate the CA and per-service certificates. By default, the deployment service will use the CertstrapBackend implementation of this interface found in certstrap.go
type CertExpired ¶
type CertExpired struct {
// contains filtered or unexported fields
}
CertExpired is an error returned by validation functions when the certificate is expired or within our expiry window.
func NewCertExpired ¶
func NewCertExpired(notAfter time.Time, window time.Duration) *CertExpired
func (*CertExpired) Error ¶
func (c *CertExpired) Error() string
type CertNotYetValid ¶
type CertNotYetValid struct {
// contains filtered or unexported fields
}
func NewCertNotYetValid ¶
func NewCertNotYetValid(notBefore time.Time) *CertNotYetValid
func (*CertNotYetValid) Error ¶
func (c *CertNotYetValid) Error() string
type CertRequest ¶
type CertRequest struct {
// contains filtered or unexported fields
}
func NewCertRequest ¶
func NewCertRequest(name string, ips []net.IP, dnsNames []string) CertRequest
func (CertRequest) String ¶
func (r CertRequest) String() string
type CertstrapBackend ¶
type CertstrapBackend struct {
// contains filtered or unexported fields
}
The CertstrapBackend is a CertAuthorityBackend (see certauthority.go) that uses the certstrap command line tool to produce certificates.
func NewCertstrapBackend ¶
func NewCertstrapBackend(dataDir string, authorityName string) *CertstrapBackend
NewCertstrapBackend returns a CertstrapBackend for the given authority name which will store its data in the given dataDir. It uses the default implementations of cmdExecutor and fileStore.
func (*CertstrapBackend) CertForService ¶
func (b *CertstrapBackend) CertForService(request CertRequest) (*ServiceCertData, error)
CertForService creates an x509 certificate and RSA key for the given name.
Certstrap will create these on disk, so we read them in and then try to clean them up off the disk.
func (*CertstrapBackend) Init ¶
func (b *CertstrapBackend) Init() (string, error)
Init initializes a new Certificate Authority using certstrap and returns the root CA certificate.
func (*CertstrapBackend) IsInitialized ¶
func (b *CertstrapBackend) IsInitialized() (bool, error)
IsInitialized returns a bool indicating whether the CA has been initialized. This check should succeed if we believe calls to CertForService will succeed.
func (*CertstrapBackend) ReInit ¶
func (b *CertstrapBackend) ReInit() (string, error)
ReInit re-initializes a new Certificate Authority using certstrap and returns the root CA certificate.
func (*CertstrapBackend) SetCmdExecutor ¶
func (b *CertstrapBackend) SetCmdExecutor(e command.Executor)
SetCmdExecutor sets the file store to use. Used in testing.
func (*CertstrapBackend) SetFileStore ¶
func (b *CertstrapBackend) SetFileStore(f FileStore)
SetFileStore sets the file store to use. Used in testing.
type CommonNameMismatchError ¶
type CommonNameMismatchError struct {
// contains filtered or unexported fields
}
CommonNameMismatchError is an error returned by validation functions when the common name of the certificate subject does not match the name of the given CertRequest.
func NewCommonNameMismatchError ¶
func NewCommonNameMismatchError(want, have string) *CommonNameMismatchError
func (*CommonNameMismatchError) Error ¶
func (c *CommonNameMismatchError) Error() string
type DiskStore ¶
type DiskStore struct{}
A DiskStore is a FileStore that uses the local filesystem. It assumes filenames are paths on disk. This is the implementation of FileStore used by default.
func (*DiskStore) DeleteFile ¶
DeleteFile deletes the file at the named path.
type FileStore ¶
type FileStore interface { // ReadFile returns the contents of the file as a string ReadFile(string) (string, error) // DeleteFile removes the file from the store DeleteFile(string) error // Exist returns true if the file exists in the store Exist(string) (bool, error) }
A FileStore manages files identified by string names.
type SANHostnameMismatch ¶
type SANHostnameMismatch struct {
// contains filtered or unexported fields
}
SANHostnameMismatch is an error returned by validation functions when the Subject Alternative Name extension in the certificate does not have DNSName values for every hostname in the given CertRequest.
func NewSANHostnameMismatch ¶
func NewSANHostnameMismatch(want, have []string) *SANHostnameMismatch
func (*SANHostnameMismatch) Error ¶
func (c *SANHostnameMismatch) Error() string
type SANIPAddrMismatchError ¶
type SANIPAddrMismatchError struct {
// contains filtered or unexported fields
}
SANIPAddrMismatchError is an error returned by validation functions when the Subject Alternative Name extension in the certificate does not have IP values for every IP in the given CertRequest.
func NewSANIPAddrMismatchError ¶
func NewSANIPAddrMismatchError(want, have []net.IP) *SANIPAddrMismatchError
func (*SANIPAddrMismatchError) Error ¶
func (c *SANIPAddrMismatchError) Error() string
type ServiceCertData ¶
type ServiceCertData struct { // The PEM-formated RSA key Key string // The PEM-formated x509 certificate Cert string // The root cert for our CA. Services should trust this. RootCert *string }
A ServiceCertData is returned to callers of CertForService and contains all of the key data required for the service to configure mutual TLS