tlsca

package
v4.3.6-dev.2+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 18, 2020 License: Apache-2.0 Imports: 17 Imported by: 200

Documentation

Overview

Package tlsca provides internal TLS certificate authority used for mutual TLS authentication with the auth server and internal teleport components and external clients

Index

Constants

This section is empty.

Variables

View Source
var KubeGroupsASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 2}

KubeGroupsASN1ExtensionOID is an extension ID used when encoding/decoding license payload into certificates

View Source
var KubeUsersASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 1}

KubeUsersASN1ExtensionOID is an extension ID used when encoding/decoding license payload into certificates

Functions

func ClusterName

func ClusterName(subject pkix.Name) (string, error)

ClusterName returns cluster name from organization

func GenerateSelfSignedCA

func GenerateSelfSignedCA(entity pkix.Name, dnsNames []string, ttl time.Duration) ([]byte, []byte, error)

GenerateSelfSignedCA generates self-signed certificate authority used for internal inter-node communications

func GenerateSelfSignedCAWithPrivateKey

func GenerateSelfSignedCAWithPrivateKey(priv *rsa.PrivateKey, entity pkix.Name, dnsNames []string, ttl time.Duration) ([]byte, []byte, error)

GenerateSelfSignedCA generates self-signed certificate authority used for internal inter-node communications

func MarshalCertificatePEM

func MarshalCertificatePEM(cert *x509.Certificate) ([]byte, error)

MarshalCertificatePEM takes a *x509.Certificate and returns the PEM encoded bytes.

func MarshalPublicKeyFromPrivateKeyPEM

func MarshalPublicKeyFromPrivateKeyPEM(privateKey crypto.PrivateKey) ([]byte, error)

MarshalPublicKeyFromPrivateKeyPEM extracts public key from private key and returns PEM marshalled key

func ParseCertificatePEM

func ParseCertificatePEM(bytes []byte) (*x509.Certificate, error)

ParseCertificatePEM parses PEM-encoded certificate

func ParseCertificateRequestPEM

func ParseCertificateRequestPEM(bytes []byte) (*x509.CertificateRequest, error)

ParseCertificateRequestPEM parses PEM-encoded certificate signing request

func ParsePrivateKeyDER

func ParsePrivateKeyDER(der []byte) (crypto.Signer, error)

ParsePrivateKeyDER parses unencrypted DER-encoded private key

func ParsePrivateKeyPEM

func ParsePrivateKeyPEM(bytes []byte) (crypto.Signer, error)

ParsePrivateKeyPEM parses PEM-encoded private key

func ParsePublicKeyDER

func ParsePublicKeyDER(der []byte) (crypto.PublicKey, error)

ParsePublicKeyDER parses unencrypted DER-encoded publice key

func ParsePublicKeyPEM

func ParsePublicKeyPEM(bytes []byte) (interface{}, error)

ParsePublicKeyPEM parses public key PEM

Types

type CertAuthority

type CertAuthority struct {
	// Cert is a CA certificate
	Cert *x509.Certificate
	// Signer is a private key based signer
	Signer crypto.Signer
}

CertAuthority is X.509 certificate authority

func New

func New(certPEM, keyPEM []byte) (*CertAuthority, error)

New returns new CA from PEM encoded certificate and private key. Private Key is optional, if omitted CA won't be able to issue new certificates, only verify them

func (*CertAuthority) GenerateCertificate

func (ca *CertAuthority) GenerateCertificate(req CertificateRequest) ([]byte, error)

GenerateCertificate generates certificate from request

type CertificateRequest

type CertificateRequest struct {
	// Clock is a clock used to get current or test time
	Clock clockwork.Clock
	// PublicKey is a public key to sign
	PublicKey crypto.PublicKey
	// Subject is a subject to include in certificate
	Subject pkix.Name
	// NotAfter is a time after which the issued certificate
	// will be no longer valid
	NotAfter time.Time
	// DNSNames is a list of DNS names to add to certificate
	DNSNames []string
}

CertificateRequest is a X.509 signing certificate request

func (*CertificateRequest) CheckAndSetDefaults

func (c *CertificateRequest) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default values

type Identity

type Identity struct {
	// Username is a username or name of the node connection
	Username string
	// Groups is a list of groups (Teleport roles) encoded in the identity
	Groups []string
	// Usage is a list of usage restrictions encoded in the identity
	Usage []string
	// Principals is a list of Unix logins allowed.
	Principals []string
	// KubernetesGroups is a list of Kubernetes groups allowed
	KubernetesGroups []string
	// KubernetesUsers is a list of Kubernetes users allowed
	KubernetesUsers []string
	// Expires specifies whenever the session will expire
	Expires time.Time
	// RouteToCluster specifies the target cluster
	// if present in the session
	RouteToCluster string
	// Traits hold claim data used to populate a role at runtime.
	Traits wrappers.Traits
}

Identity is an identity of the user or service, e.g. Proxy or Node

func FromSubject

func FromSubject(subject pkix.Name, expires time.Time) (*Identity, error)

FromSubject returns identity from subject name

func (*Identity) CheckAndSetDefaults

func (i *Identity) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default values

func (*Identity) Subject

func (id *Identity) Subject() (pkix.Name, error)

Subject converts identity to X.509 subject name

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL