certauthority

package
v0.0.0-...-0c4aab6
Published: Jan 9, 2025 License: Apache-2.0 Imports: 11 Imported by: 4

Documentation

Overview

Package certauthority generates and manages x509 certificates for use in cross-service authentication.

Index

Constants

This section is empty.

Variables

var ErrNotSignedByCA = errors.New("Certificate is not signed by Certificate Authority")

ErrNotSignedByCA is returned by validation functions when the certificate being validated is not signed by the CA doing the validation.

Functions

func BytesToCert

func BytesToCert(bytes []byte) (*x509.Certificate, error)

BytesToCert takes an array of bytes and tries to parse it as an x509 Certificate.

func CertForLog

func CertForLog(cert *x509.Certificate) string

func PEMToCert

func PEMToCert(cert string) (*x509.Certificate, error)

PEMToCert converts a PEM-encoded string into an x509.Certificate

Types

type CertAuthority

type CertAuthority struct {
	// contains filtered or unexported fields
}

A CertAuthority represents a CA certificate and key that can be used to generate per-service certificates. The certBackend is responsible for certificate generation and maintaining the CA across restarts. This type is responsible for maintaining a copy of our root cert for easy access and enforcing our naming conventions for services' common names.

func NewCertAuthority

func NewCertAuthority(backend CertBackend, id string) *CertAuthority

NewCertAuthority creates a new CertAuthority with a name generated from id, delegating certificate generation and persistence to backend.

`id` should be unique enough to facilitate identifying certificates from the same deployment.

func NewCertstrapCertAuthority

func NewCertstrapCertAuthority(dataDir string, id string) *CertAuthority

NewCertstrapCertAuthority is a convenience constructor for the common, non-test use case: a CertAuthority backed by a CertstrapBackend that stores its data in dataDir.

func (*CertAuthority) CertDataForService

func (a *CertAuthority) CertDataForService(request CertRequest) (*ServiceCertData, error)

CertDataForService returns certificate data for the named service. The certificate is signed by our certificate authority and is appropriate for authenticating gRPC traffic between Chef Automate services.

func (*CertAuthority) InitAuthority

func (a *CertAuthority) InitAuthority() error

InitAuthority generates the CA certificate for the given CertAuthority.

func (*CertAuthority) IsInitialized

func (a *CertAuthority) IsInitialized() (bool, error)

IsInitialized returns true if InitAuthority() has been called in the past. Delegates to backend.

func (*CertAuthority) IsSignedBy

func (a *CertAuthority) IsSignedBy(cert *x509.Certificate) bool

IsSignedBy returns true if the given x509 certificate was signed by this CertAuthority's root certificate. It checks the signature only; validity dates and names are left to ValidateCertificateForRequest.

func (*CertAuthority) RegenerateRoot

func (a *CertAuthority) RegenerateRoot() error

RegenerateRoot regenerates the root certificate for this certificate authority. As a result, every certificate issued under the previous root will fail IsSignedBy and must be regenerated.

func (*CertAuthority) RootCert

func (a *CertAuthority) RootCert() string

RootCert returns the CA's root certificate as a PEM-encoded string, for callers that need to trust it.

func (*CertAuthority) ValidateCA

func (a *CertAuthority) ValidateCA() error

ValidateCA checks the CA certificate for the certificate authority against local validity rules.

func (*CertAuthority) ValidateCertificateForRequest

func (a *CertAuthority) ValidateCertificateForRequest(cert *x509.Certificate, certRequest CertRequest) error

ValidateCertificateForRequest checks the existing certificate for common problems and whether or not it matches the passed CertRequest. A non-nil error is returned if the certificate is not valid.
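As an added illustration (example code, not part of certauthority or Chef Automate), the stdlib-only program below reproduces the checks described for IsSignedBy, RegenerateRoot and ValidateCertificateForRequest without certstrap: NewRoot mints a self-signed CA in memory, CertForService signs a leaf for a request, and ValidateCertificateForRequest returns a distinct error for a certificate not signed by the root, one inside the expiry window, a common-name mismatch, and a missing SAN hostname or IP. The names NewRoot, CertForService, ValidateCertificateForRequest and the Err* sentinels are this example's own, chosen to mirror the package API; the sentinel errors stand in for the package's error structs, P-256 keys replace certstrap's RSA keys, and the CertNotYetValid check is omitted for brevity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// CertRequest mirrors the package's request shape: a service name (the subject CN) plus SAN entries.
type CertRequest struct {
	Name     string
	IPs      []net.IP
	DNSNames []string
}

// Sentinel errors standing in for the package's error types; callers match them with errors.Is.
var (
	ErrNotSignedByCA       = errors.New("Certificate is not signed by Certificate Authority")
	ErrCertExpired         = errors.New("certificate is expired or inside the renewal window")
	ErrCommonNameMismatch  = errors.New("subject common name does not match request")
	ErrSANHostnameMismatch = errors.New("SAN DNS names do not cover the request")
	ErrSANIPAddrMismatch   = errors.New("SAN IP addresses do not cover the request")
)

// sign gives tmpl a fresh P-256 key and a random 128-bit serial, then has parentKey sign it (self-signed when parent is nil).
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)); err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewRoot plays the part of InitAuthority and RegenerateRoot: every call mints an unrelated root.
func NewRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return sign(&x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute), // tolerate small clock skew
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// CertForService issues a leaf whose CN and SANs come from req, signed by root and valid for ttl.
func CertForService(root *x509.Certificate, rootKey *ecdsa.PrivateKey, req CertRequest, ttl time.Duration) (*x509.Certificate, error) {
	cert, _, err := sign(&x509.Certificate{
		Subject:     pkix.Name{CommonName: req.Name},
		DNSNames:    req.DNSNames,
		IPAddresses: req.IPs,
		NotBefore:   time.Now().Add(-time.Minute),
		NotAfter:    time.Now().Add(ttl),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}, root, rootKey)
	return cert, err
}

// ValidateCertificateForRequest applies the documented checks in order: issuer signature, expiry (a cert expiring inside window already counts as expired), CN, then SAN coverage of req.
func ValidateCertificateForRequest(root, cert *x509.Certificate, req CertRequest, window time.Duration) error {
	if cert.CheckSignatureFrom(root) != nil { // IsSignedBy: the signature only, not dates or names
		return ErrNotSignedByCA
	}
	if time.Now().Add(window).After(cert.NotAfter) {
		return fmt.Errorf("%w: not after %s, window %s", ErrCertExpired, cert.NotAfter.Format(time.RFC3339), window)
	}
	if cert.Subject.CommonName != req.Name {
		return fmt.Errorf("%w: want %q, have %q", ErrCommonNameMismatch, req.Name, cert.Subject.CommonName)
	}
	for _, n := range req.DNSNames { // VerifyHostname: DNS SANs for a hostname, IP SANs for an IP literal, never the CN
		if err := cert.VerifyHostname(n); err != nil {
			return fmt.Errorf("%w: %v", ErrSANHostnameMismatch, err)
		}
	}
	for _, ip := range req.IPs {
		if err := cert.VerifyHostname(ip.String()); err != nil {
			return fmt.Errorf("%w: %v", ErrSANIPAddrMismatch, err)
		}
	}
	return nil
}
```

Calling NewRoot twice with the same name and validating a certificate from the first root against the second makes CheckSignatureFrom fail, which is exactly the situation RegenerateRoot creates for every existing service certificate. VerifyHostname accepts wildcard DNS SANs and never falls back to the CN (Go 1.15 and later), so the CN comparison has to stay a separate step; a request that asks for only a subset of the certificate's SANs still validates, matching the "for every hostname in the given CertRequest" wording of the SAN errors.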

type CertBackend

type CertBackend interface {
	// Generates the new CA, returning the root CA cert. This
	// should be safe to call again across reboots of the service.
	Init() (string, error)
	// Returns true if Init() has been called in the past and
	// CertForService is expected to succeed. This should work
	// across reboots of the process.
	IsInitialized() (bool, error)
	// Generate a cert for a given service, signed by the CA
	CertForService(CertRequest) (*ServiceCertData, error)

	// ReInit re-initializes the certificate authority
	ReInit() (string, error)
}

A CertBackend is used by CertAuthority to generate the CA and per-service certificates. By default, the deployment service uses the CertstrapBackend implementation of this interface found in certstrap.go.

type CertExpired

type CertExpired struct {
	// contains filtered or unexported fields
}

CertExpired is an error returned by validation functions when the certificate has expired or will expire within the configured expiry window.

func NewCertExpired

func NewCertExpired(notAfter time.Time, window time.Duration) *CertExpired

func (*CertExpired) Error

func (c *CertExpired) Error() string

type CertNotYetValid

type CertNotYetValid struct {
	// contains filtered or unexported fields
}

CertNotYetValid is an error returned by validation functions when the certificate's NotBefore time is still in the future, i.e. the certificate is not yet valid.

func NewCertNotYetValid

func NewCertNotYetValid(notBefore time.Time) *CertNotYetValid

func (*CertNotYetValid) Error

func (c *CertNotYetValid) Error() string

type CertRequest

type CertRequest struct {
	// contains filtered or unexported fields
}

A CertRequest names the service a certificate is requested for, together with the IP addresses and DNS names that must appear in the certificate's Subject Alternative Name extension. The name becomes the certificate's subject common name.

func NewCertRequest

func NewCertRequest(name string, ips []net.IP, dnsNames []string) CertRequest

func (CertRequest) String

func (r CertRequest) String() string

type CertstrapBackend

type CertstrapBackend struct {
	// contains filtered or unexported fields
}

The CertstrapBackend is a CertBackend (see certauthority.go) that uses the certstrap command line tool to produce certificates.

func NewCertstrapBackend

func NewCertstrapBackend(dataDir string, authorityName string) *CertstrapBackend

NewCertstrapBackend returns a CertstrapBackend for the given authority name which will store its data in the given dataDir. It uses the default implementations of cmdExecutor and fileStore.

func (*CertstrapBackend) CertForService

func (b *CertstrapBackend) CertForService(request CertRequest) (*ServiceCertData, error)

CertForService creates an x509 certificate and RSA key for the service named in the request.

Certstrap writes these to disk, so we read them in and then attempt to remove the files from disk.

func (*CertstrapBackend) Init

func (b *CertstrapBackend) Init() (string, error)

Init initializes a new Certificate Authority using certstrap and returns the root CA certificate.

func (*CertstrapBackend) IsInitialized

func (b *CertstrapBackend) IsInitialized() (bool, error)

IsInitialized returns a bool indicating whether the CA has been initialized. This check should succeed if we believe calls to CertForService will succeed.

func (*CertstrapBackend) ReInit

func (b *CertstrapBackend) ReInit() (string, error)

ReInit re-initializes the Certificate Authority using certstrap and returns the new root CA certificate.

func (*CertstrapBackend) SetCmdExecutor

func (b *CertstrapBackend) SetCmdExecutor(e command.Executor)

SetCmdExecutor sets the command executor to use. Used in testing.

func (*CertstrapBackend) SetFileStore

func (b *CertstrapBackend) SetFileStore(f FileStore)

SetFileStore sets the file store to use. Used in testing.

type CommonNameMismatchError

type CommonNameMismatchError struct {
	// contains filtered or unexported fields
}

CommonNameMismatchError is an error returned by validation functions when the common name of the certificate subject does not match the name of the given CertRequest.

func NewCommonNameMismatchError

func NewCommonNameMismatchError(want, have string) *CommonNameMismatchError

func (*CommonNameMismatchError) Error

func (c *CommonNameMismatchError) Error() string

type DiskStore

type DiskStore struct{}

A DiskStore is a FileStore that uses the local filesystem. It assumes filenames are paths on disk. This is the implementation of FileStore used by default.

func (*DiskStore) DeleteFile

func (d *DiskStore) DeleteFile(path string) error

DeleteFile deletes the file at the named path.

func (*DiskStore) Exist

func (d *DiskStore) Exist(path string) (bool, error)

Exist returns true if the file exists on disk. False otherwise.

func (*DiskStore) ReadFile

func (d *DiskStore) ReadFile(path string) (string, error)

ReadFile returns the contents of the file at the named path.

type FileStore

type FileStore interface {
	// ReadFile returns the contents of the file as a string
	ReadFile(string) (string, error)
	// DeleteFile removes the file from the store
	DeleteFile(string) error
	// Exist returns true if the file exists in the store
	Exist(string) (bool, error)
}

A FileStore manages files identified by string names.

type SANHostnameMismatch

type SANHostnameMismatch struct {
	// contains filtered or unexported fields
}

SANHostnameMismatch is an error returned by validation functions when the Subject Alternative Name extension in the certificate does not have DNSName values for every hostname in the given CertRequest.

func NewSANHostnameMismatch

func NewSANHostnameMismatch(want, have []string) *SANHostnameMismatch

func (*SANHostnameMismatch) Error

func (c *SANHostnameMismatch) Error() string

type SANIPAddrMismatchError

type SANIPAddrMismatchError struct {
	// contains filtered or unexported fields
}

SANIPAddrMismatchError is an error returned by validation functions when the Subject Alternative Name extension in the certificate does not have IP values for every IP in the given CertRequest.

func NewSANIPAddrMismatchError

func NewSANIPAddrMismatchError(want, have []net.IP) *SANIPAddrMismatchError

func (*SANIPAddrMismatchError) Error

func (c *SANIPAddrMismatchError) Error() string

type ServiceCertData

type ServiceCertData struct {
	// The PEM-formatted RSA key
	Key string
	// The PEM-formatted x509 certificate
	Cert string
	// The root cert for our CA. Services should trust this.
	RootCert *string
}

A ServiceCertData is returned to callers of CertForService and contains all of the key data required for the service to configure mutual TLS: Key and Cert are the pair the service presents (the form tls.X509KeyPair accepts), and RootCert is the CA certificate both peers must trust, typically loaded into an x509.CertPool used as RootCAs on the client side and ClientCAs on the server side.
