ca

package

v0.0.0-...-2a6dfc0 Latest Latest Go to latest Published: Aug 3, 2024 License: Apache-2.0 Imports: 21 Imported by: 2

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/costinm/meshauth

Documentation ¶

Index ¶

func PublicKey(key crypto.PrivateKey) crypto.PublicKey
type CA
- func NewCA(cfg *meshauth.Mesh) *CA
- func NewTempCA(trust string) *CA

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func PublicKey ¶

func PublicKey(key crypto.PrivateKey) crypto.PublicKey

Types ¶

type CA ¶

type CA struct {

	// Private key for the CA.
	Private crypto.PrivateKey

	// CACert is the associated cert.
	CACert *x509.Certificate

	TrustDomain string

	// The Certificate may be signed by multiple intermediaries
	IntermediatesPEM []byte

	// Root certs that signed the root.
	CACertPEM []byte
}

CA deals with certificate management.

Istio CA interface is very flexible - it takes a 'CSR' string and returns a list of 'certificates' - but the input can be anything, including empty, and the output can also include concatenated PEM files. The use of metadata (headers) makes it even more flexible.

So an implementation of the gRPC API could decide to accept empty CSR and generate keys, or use input as a hostname and return key and certificates. Envoy (and others) can also map it to JSON.

Istio CA uses 2 kinds of roots: - direct - using istio-ca-secret.istio-system secret - intermediate - using cacerts.istio-system

Istio used to stores the files in /etc/cacerts - there are 3 or 4 files: ca-key.pem - root or intermediary key ca-cert.pem - single certificate associated with ca-key. cert-chain.pem - will be appended to all generated certificates - should be a chain path to the root, not including ca-cert ca-cert.pem - the root key (top root)

More recent versions of Istio are compatible with CertManager.

func NewCA ¶

func NewCA(cfg *meshauth.Mesh) *CA

NewCA creates a new CA. Keys must be loaded.

func NewTempCA ¶

func NewTempCA(trust string) *CA

NewTempCA creates a temporary/test CA.

func (*CA) CertTemplate ¶

func (ca *CA) CertTemplate(org string, urlSAN string, sans ...string) *x509.Certificate

func (*CA) GetJWK ¶

func (a *CA) GetJWK() string

func (*CA) GetToken ¶

func (a *CA) GetToken(ctx context.Context, sub, aud, iss string) (string, error)

func (*CA) HandleJWK ¶

func (a *CA) HandleJWK(w http.ResponseWriter, r *http.Request)

OIDC JWKS handler - returns the

func (*CA) Init ¶

func (ca *CA) Init(dir string) error

func (*CA) NewID ¶

func (ca *CA) NewID(ns, sa string, dns []string) *meshauth.Mesh

New ID creates a new Mesh, with a certificate signed by this CA

The cert will include both Spiffe identiy and DNS SANs.

func (*CA) NewIntermediaryCA ¶

func (ca *CA) NewIntermediaryCA(trust, cluster string) *CA

NewIntermediaryCA creates a cert for an intermediary CA.

func (*CA) NewRoot ¶

func (ca *CA) NewRoot()

NewRoot initializes the root CA.

func (*CA) NewTLSCert ¶

func (ca *CA) NewTLSCert(ns, sa string, dns []string) (*tls.Certificate, []byte, []byte)

NewTLSCert creates a new cert from this CA.

func (*CA) Save ¶

func (ca *CA) Save(dir string) error

func (*CA) SetCert ¶

func (ca *CA) SetCert(privPEM, certPEM []byte) error

SetCert will Init an existing root CA from bytes.

func (*CA) SignCertificate ¶

func (c *CA) SignCertificate(template *x509.Certificate, pub crypto.PublicKey) string

Source Files ¶

View all Source files

ca.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL