Documentation
Overview
Package mockca provides a mock certificate authority for testing purposes.
Index
- type MockCA
- func (ca *MockCA) CACerts(ctx context.Context, aps string, r *http.Request) ([]*x509.Certificate, error)
- func (ca *MockCA) CSRAttrs(ctx context.Context, aps string, r *http.Request) (attrs est.CSRAttrs, err error)
- func (ca *MockCA) Enroll(ctx context.Context, csr *x509.CertificateRequest, aps string, r *http.Request) (*x509.Certificate, error)
- func (ca *MockCA) Reenroll(ctx context.Context, cert *x509.Certificate, csr *x509.CertificateRequest, ...) (*x509.Certificate, error)
- func (ca *MockCA) ServerKeyGen(ctx context.Context, csr *x509.CertificateRequest, aps string, r *http.Request) (*x509.Certificate, []byte, error)
- func (ca *MockCA) TPMEnroll(ctx context.Context, csr *x509.CertificateRequest, ekcerts []*x509.Certificate, ...) ([]byte, []byte, []byte, error)
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type MockCA
type MockCA struct {
// contains filtered or unexported fields
}
MockCA is a mock, non-production certificate authority useful for testing purposes only.
func New
func New(cacerts []*x509.Certificate, key interface{}) (*MockCA, error)
New creates a new mock certificate authority. If more than one CA certificate is provided, they should be in order with the issuing (intermediate) CA certificate first, and the root CA certificate last. The private key should be associated with the public key in the first, issuing CA certificate.
func NewFromFiles
NewFromFiles creates a new mock certificate authority from a PEM-encoded CA certificate chain and an unencrypted, PEM-encoded private key, each read from a file. If more than one certificate is contained in the certificate file, the certificates should appear in order with the issuing (intermediate) CA certificate first and the root certificate last. The private key should be associated with the public key in the first certificate in certspath.
func NewTransient
NewTransient creates a new mock certificate authority with an automatically generated and transient CA certificates chain for testing purposes.
func (*MockCA) CACerts
func (ca *MockCA) CACerts(ctx context.Context, aps string, r *http.Request) ([]*x509.Certificate, error)
CACerts returns the CA certificates, unless the additional path segment is "triggererrors", in which case an error is returned for testing purposes.
func (*MockCA) CSRAttrs
func (ca *MockCA) CSRAttrs(ctx context.Context, aps string, r *http.Request) (attrs est.CSRAttrs, err error)
CSRAttrs returns an empty sequence of CSR attributes, unless the additional path segment is:
- "csrattrs", in which case it returns the same example attribute sequence described in RFC 7030, section 4.5.2; or
- "triggererrors", in which case an error is returned for testing purposes.
func (*MockCA) Enroll
func (ca *MockCA) Enroll(ctx context.Context, csr *x509.CertificateRequest, aps string, r *http.Request) (*x509.Certificate, error)
Enroll issues a new certificate with:
- a 90-day validity period starting from the current time
- a randomly generated 128-bit serial number
- a subject and subject alternative name copied from the provided CSR
- a default set of key usages and extended key usages
- a basic constraints extension with cA flag set to FALSE
unless the additional path segment is "triggererrors", in which case the following errors will be returned for testing purposes, depending on the common name in the CSR:
- "Trigger Error Forbidden", HTTP status 403
- "Trigger Error Deferred", HTTP status 202 with retry of 600 seconds
- "Trigger Error Unknown", untyped error expected to be interpreted as an internal server error.
func (*MockCA) Reenroll
func (ca *MockCA) Reenroll(ctx context.Context, cert *x509.Certificate, csr *x509.CertificateRequest, aps string, r *http.Request) (*x509.Certificate, error)
Reenroll implements est.CA but simply passes the request through to Enroll.
func (*MockCA) ServerKeyGen
func (ca *MockCA) ServerKeyGen(ctx context.Context, csr *x509.CertificateRequest, aps string, r *http.Request) (*x509.Certificate, []byte, error)
ServerKeyGen generates a new RSA private key and then calls Enroll. It returns the key as PKCS #8 DER, unless the additional path segment is "pkcs7", in which case the key is returned wrapped in a CMS SignedData structure signed by the CA certificate(s), itself wrapped in a CMS EnvelopedData encrypted with the pre-shared key "pseudohistorical". A "Bit-Size" HTTP header with the value 2048, 3072 or 4096 may be passed to select the RSA key size.
func (*MockCA) TPMEnroll
func (ca *MockCA) TPMEnroll(ctx context.Context, csr *x509.CertificateRequest, ekcerts []*x509.Certificate, ekPub, akPub []byte, aps string, r *http.Request) ([]byte, []byte, []byte, error)
TPMEnroll requests a new certificate using the TPM 2.0 privacy-preserving enrollment protocol. An EK certificate chain of length at least one must be provided, along with the EK and AK public areas. The return values are an encrypted credential, a wrapped encryption key, and the certificate itself, encrypted with that credential using AES-128 in Galois/Counter Mode (GCM) inside a CMS EnvelopedData structure.