tlsca

package
v1.2.3-fred.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 18, 2022 License: Apache-2.0 Imports: 26 Imported by: 200

Documentation

Overview

Package tlsca provides internal TLS certificate authority used for mutual TLS authentication with the auth server and internal teleport components and external clients

Index

Constants

This section is empty.

Variables

View Source
var (
	// KubeUsersASN1ExtensionOID is an extension ID used when encoding/decoding
	// license payload into certificates
	KubeUsersASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 1}

	// KubeGroupsASN1ExtensionOID is an extension ID used when encoding/decoding
	// license payload into certificates
	KubeGroupsASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 2}

	// KubeClusterASN1ExtensionOID is an extension ID used when encoding/decoding
	// target kubernetes cluster name into certificates.
	KubeClusterASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 3}

	// AppSessionIDASN1ExtensionOID is an extension ID used to encode the application
	// session ID into a certificate.
	AppSessionIDASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 4}

	// AppClusterNameASN1ExtensionOID is an extension ID used to encode the application
	// cluster name into a certificate.
	AppClusterNameASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 5}

	// AppPublicAddrASN1ExtensionOID is an extension ID used to encode the application
	// public address into a certificate.
	AppPublicAddrASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 6}

	// TeleportClusterASN1ExtensionOID is an extension ID used when encoding/decoding
	// origin teleport cluster name into certificates.
	TeleportClusterASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 7}

	// MFAVerifiedASN1ExtensionOID is an extension ID used when encoding/decoding
	// the MFAVerified flag into certificates.
	MFAVerifiedASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 8}

	// ClientIPASN1ExtensionOID is an extension ID used when encoding/decoding
	// the client IP into certificates.
	ClientIPASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 9}

	// AppNameASN1ExtensionOID is an extension ID used when encoding/decoding
	// application name into a certificate.
	AppNameASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 10}

	// AppAWSRoleARNASN1ExtensionOID is an extension ID used when encoding/decoding
	// AWS role ARN into a certificate.
	AppAWSRoleARNASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 11}

	// AWSRoleARNsASN1ExtensionOID is an extension ID used when encoding/decoding
	// allowed AWS role ARNs into a certificate.
	AWSRoleARNsASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 12}

	// RenewableCertificateASN1ExtensionOID is an extension ID used to indicate
	// that a certificate may be renewed by a certificate renewal bot.
	RenewableCertificateASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 13}

	// GenerationASN1ExtensionOID is an extension OID used to count the number
	// of times this certificate has been renewed.
	GenerationASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 14}

	// PrivateKeyPolicyASN1ExtensionOID is an extension ID used to determine the
	// private key policy supported by the certificate.
	PrivateKeyPolicyASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 15}

	// DatabaseServiceNameASN1ExtensionOID is an extension ID used when encoding/decoding
	// database service name into certificates.
	DatabaseServiceNameASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 1}

	// DatabaseProtocolASN1ExtensionOID is an extension ID used when encoding/decoding
	// database protocol into certificates.
	DatabaseProtocolASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 2}

	// DatabaseUsernameASN1ExtensionOID is an extension ID used when encoding/decoding
	// database username into certificates.
	DatabaseUsernameASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 3}

	// DatabaseNameASN1ExtensionOID is an extension ID used when encoding/decoding
	// database name into certificates.
	DatabaseNameASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 4}

	// DatabaseNamesASN1ExtensionOID is an extension OID used when encoding/decoding
	// allowed database names into certificates.
	DatabaseNamesASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 5}

	// DatabaseUsersASN1ExtensionOID is an extension OID used when encoding/decoding
	// allowed database users into certificates.
	DatabaseUsersASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 6}

	// ImpersonatorASN1ExtensionOID is an extension OID used when encoding/decoding
	// impersonator user
	ImpersonatorASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 7}

	// ActiveRequestsASN1ExtensionOID is an extension OID used when encoding/decoding
	// active access requests into certificates.
	ActiveRequestsASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 8}

	// DisallowReissueASN1ExtensionOID is an extension OID used to flag that a
	// requests to generate new certificates using this certificate should be
	// denied.
	DisallowReissueASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 9}

	// AllowedResourcesASN1ExtensionOID is an extension OID used to list the
	// resources which the certificate should be able to grant access to
	AllowedResourcesASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 10}

	// SystemRolesASN1ExtensionOID is an extension OID used to indicate system roles
	// (auth, proxy, node, etc). Note that some certs correspond to a single specific
	// system role, and use `pkix.Name.Organization` to encode this value. This extension
	// is specifically used for "multi-role" certs.
	SystemRolesASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 11}
)

Custom ranges are taken from this article

https://serverfault.com/questions/551477/is-there-reserved-oid-space-for-internal-enterprise-cas

http://oid-info.com/get/1.3.9999

Functions

func CalculatePins

func CalculatePins(certsBytes []byte) ([]string, error)

CalculatePins returns the SPKI pins for the given set of concatenated PEM-encoded certificates

func ClusterName

func ClusterName(subject pkix.Name) (string, error)

ClusterName returns cluster name from organization

func GenerateCertificateRequestPEM

func GenerateCertificateRequestPEM(subject pkix.Name, priv crypto.Signer) ([]byte, error)

GenerateCertificateRequestPEM returns PEM-encoded certificate signing request from the provided subject and private key.

func GenerateSelfSignedCA

func GenerateSelfSignedCA(entity pkix.Name, dnsNames []string, ttl time.Duration) ([]byte, []byte, error)

GenerateSelfSignedCA generates self-signed certificate authority used for internal inter-node communications

func GenerateSelfSignedCAWithConfig

func GenerateSelfSignedCAWithConfig(config GenerateCAConfig) (certPEM []byte, err error)

GenerateSelfSignedCAWithConfig generates a new CA certificate from the specified configuration. Returns PEM-encoded private key/certificate payloads upon success

func GenerateSelfSignedCAWithSigner

func GenerateSelfSignedCAWithSigner(signer crypto.Signer, entity pkix.Name, dnsNames []string, ttl time.Duration) ([]byte, error)

GenerateSelfSignedCAWithSigner generates self-signed certificate authority used for internal inter-node communications

func MarshalCertificatePEM

func MarshalCertificatePEM(cert *x509.Certificate) ([]byte, error)

MarshalCertificatePEM takes a *x509.Certificate and returns the PEM encoded bytes.

func MarshalPrivateKeyPEM

func MarshalPrivateKeyPEM(privateKey *rsa.PrivateKey) []byte

MarshalPrivateKeyPEM marshals provided rsa.PrivateKey into PEM format.

func MarshalPublicKeyFromPrivateKeyPEM

func MarshalPublicKeyFromPrivateKeyPEM(privateKey crypto.PrivateKey) ([]byte, error)

MarshalPublicKeyFromPrivateKeyPEM extracts public key from private key and returns PEM marshaled key

func ParseCertificatePEM

func ParseCertificatePEM(bytes []byte) (*x509.Certificate, error)

ParseCertificatePEM parses PEM-encoded certificate

func ParseCertificatePEMs

func ParseCertificatePEMs(bytes []byte) ([]*x509.Certificate, error)

ParseCertificatePEM parses multiple PEM-encoded certificates

func ParseCertificateRequestPEM

func ParseCertificateRequestPEM(bytes []byte) (*x509.CertificateRequest, error)

ParseCertificateRequestPEM parses PEM-encoded certificate signing request

func ParsePrivateKeyDER

func ParsePrivateKeyDER(der []byte) (crypto.Signer, error)

ParsePrivateKeyDER parses unencrypted DER-encoded private key

func ParsePrivateKeyPEM

func ParsePrivateKeyPEM(bytes []byte) (crypto.Signer, error)

ParsePrivateKeyPEM parses PEM-encoded private key

func ParsePublicKeyDER

func ParsePublicKeyDER(der []byte) (crypto.PublicKey, error)

ParsePublicKeyDER parses unencrypted DER-encoded publice key

func ParsePublicKeyPEM

func ParsePublicKeyPEM(bytes []byte) (interface{}, error)

ParsePublicKeyPEM parses public key PEM

Types

type CertAuthority

type CertAuthority struct {
	// Cert is a CA certificate
	Cert *x509.Certificate
	// Signer is a private key based signer
	Signer crypto.Signer
}

CertAuthority is X.509 certificate authority

func FromCertAndSigner

func FromCertAndSigner(certPEM []byte, signer crypto.Signer) (*CertAuthority, error)

FromCertAndSigner returns a CertAuthority with the given raw certificate and signer.

func FromKeys

func FromKeys(certPEM, keyPEM []byte) (*CertAuthority, error)

FromKeys returns new CA from PEM encoded certificate and private key. Private Key is optional, if omitted CA won't be able to issue new certificates, only verify them

func FromTLSCertificate

func FromTLSCertificate(ca tls.Certificate) (*CertAuthority, error)

FromTLSCertificate returns a CertAuthority with the given TLS certificate.

func (*CertAuthority) GenerateCertificate

func (ca *CertAuthority) GenerateCertificate(req CertificateRequest) ([]byte, error)

GenerateCertificate generates certificate from request

type CertificateRequest

type CertificateRequest struct {
	// Clock is a clock used to get current or test time
	Clock clockwork.Clock
	// PublicKey is a public key to sign
	PublicKey crypto.PublicKey
	// Subject is a subject to include in certificate
	Subject pkix.Name
	// NotAfter is a time after which the issued certificate
	// will be no longer valid
	NotAfter time.Time
	// DNSNames is a list of DNS names to add to certificate
	DNSNames []string
	// Optional. ExtraExtensions to populate.
	// Note: ExtraExtensions can override ExtKeyUsage and SANs (like DNSNames).
	ExtraExtensions []pkix.Extension
	// Optional. KeyUsage for the certificate.
	KeyUsage x509.KeyUsage
	// Optional. CRL endpoints.
	CRLDistributionPoints []string
}

CertificateRequest is a X.509 signing certificate request

func (*CertificateRequest) CheckAndSetDefaults

func (c *CertificateRequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default values

type GenerateCAConfig

type GenerateCAConfig struct {
	Signer      crypto.Signer
	Entity      pkix.Name
	DNSNames    []string
	IPAddresses []net.IP
	TTL         time.Duration
	Clock       clockwork.Clock
}

GenerateCAConfig defines the configuration for generating self-signed CA certificates

type Identity

type Identity struct {
	// Username is a username or name of the node connection
	Username string
	// Impersonator is a username of a user impersonating this user
	Impersonator string
	// Groups is a list of groups (Teleport roles) encoded in the identity
	Groups []string
	// SystemRoles is a list of system roles (e.g. auth, proxy, node, etc) used
	// in "multi-role" certificates. Single-role certificates encode the system role
	// in `Groups` for back-compat reasons.
	SystemRoles []string
	// Usage is a list of usage restrictions encoded in the identity
	Usage []string
	// Principals is a list of Unix logins allowed.
	Principals []string
	// KubernetesGroups is a list of Kubernetes groups allowed
	KubernetesGroups []string
	// KubernetesUsers is a list of Kubernetes users allowed
	KubernetesUsers []string
	// Expires specifies whenever the session will expire
	Expires time.Time
	// RouteToCluster specifies the target cluster
	// if present in the session
	RouteToCluster string
	// KubernetesCluster specifies the target kubernetes cluster for TLS
	// identities. This can be empty on older Teleport clients.
	KubernetesCluster string
	// Traits hold claim data used to populate a role at runtime.
	Traits wrappers.Traits
	// RouteToApp holds routing information for applications. Routing metadata
	// allows Teleport web proxy to route HTTP requests to the appropriate
	// cluster and Teleport application proxy within the cluster.
	RouteToApp RouteToApp
	// TeleportCluster is the name of the teleport cluster that this identity
	// originated from. For TLS certs this may not be the same as cert issuer,
	// in case of multi-hop requests that originate from a remote cluster.
	TeleportCluster string
	// RouteToDatabase contains routing information for databases.
	RouteToDatabase RouteToDatabase
	// DatabaseNames is a list of allowed database names.
	DatabaseNames []string
	// DatabaseUsers is a list of allowed database users.
	DatabaseUsers []string
	// MFAVerified is the UUID of an MFA device when this Identity was
	// confirmed immediately after an MFA check.
	MFAVerified string
	// ClientIP is an observed IP of the client that this Identity represents.
	ClientIP string
	// AWSRoleARNs is a list of allowed AWS role ARNs user can assume.
	AWSRoleARNs []string
	// ActiveRequests is a list of UUIDs of active requests for this Identity.
	ActiveRequests []string
	// DisallowReissue is a flag that, if set, instructs the auth server to
	// deny any attempts to reissue new certificates while authenticated with
	// this certificate.
	DisallowReissue bool
	// Renewable indicates that this identity is allowed to renew it's
	// own credentials. This is only enabled for certificate renewal bots.
	Renewable bool
	// Generation counts the number of times this certificate has been renewed.
	Generation uint64
	// AllowedResourceIDs lists the resources the identity should be allowed to
	// access.
	AllowedResourceIDs []types.ResourceID
	// PrivateKeyPolicy is the private key policy supported by this identity.
	PrivateKeyPolicy keys.PrivateKeyPolicy
}

Identity is an identity of the user or service, e.g. Proxy or Node

func FromSubject

func FromSubject(subject pkix.Name, expires time.Time) (*Identity, error)

FromSubject returns identity from subject name

func (*Identity) CheckAndSetDefaults

func (id *Identity) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default values

func (*Identity) GetEventIdentity

func (id *Identity) GetEventIdentity() events.Identity

func (*Identity) GetRouteToApp

func (id *Identity) GetRouteToApp() (RouteToApp, error)

GetRouteToApp returns application routing data. If missing, returns an error.

func (Identity) GetUserMetadata

func (id Identity) GetUserMetadata() events.UserMetadata

func (*Identity) Subject

func (id *Identity) Subject() (pkix.Name, error)

Subject converts identity to X.509 subject name

type RouteToApp

type RouteToApp struct {
	// SessionID is a UUIDv4 used to identify application sessions created by
	// this certificate. The reason a UUID was used instead of a hash of the
	// SubjectPublicKeyInfo like the CA pin is for UX consistency. For example,
	// the SessionID is emitted in the audit log, using a UUID matches how SSH
	// sessions are identified.
	SessionID string

	// PublicAddr (and ClusterName) are used to route requests issued with this
	// certificate to the appropriate application proxy/cluster.
	PublicAddr string

	// ClusterName (and PublicAddr) are used to route requests issued with this
	// certificate to the appropriate application proxy/cluster.
	ClusterName string

	// Name is the app name.
	Name string

	// AWSRoleARN is the AWS role to assume when accessing AWS console.
	AWSRoleARN string
}

RouteToApp holds routing information for applications.

type RouteToDatabase

type RouteToDatabase struct {
	// ServiceName is the name of the Teleport database proxy service
	// to route requests to.
	ServiceName string
	// Protocol is the database protocol.
	//
	// It is embedded in identity so clients can understand what type
	// of database this is without contacting server.
	Protocol string
	// Username is an optional database username to serve as a default
	// username to connect as.
	Username string
	// Database is an optional database name to serve as a default
	// database to connect to.
	Database string
}

RouteToDatabase contains routing information for databases.

func (RouteToDatabase) String

func (r RouteToDatabase) String() string

String returns string representation of the database routing struct.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL