config

package v0.0.0-...-c818f1a

This package is not in the latest version of its module.

Published: Apr 30, 2015 License: BSD-2-Clause Imports: 13 Imported by: 0

Documentation

Overview

Package config contains the configuration logic for CF-SSL.

Index

Constants

This section is empty.

Variables

var ExtKeyUsage = map[string]x509.ExtKeyUsage{
	"any":              x509.ExtKeyUsageAny,
	"server auth":      x509.ExtKeyUsageServerAuth,
	"client auth":      x509.ExtKeyUsageClientAuth,
	"code signing":     x509.ExtKeyUsageCodeSigning,
	"email protection": x509.ExtKeyUsageEmailProtection,
	"s/mime":           x509.ExtKeyUsageEmailProtection,
	"ipsec end system": x509.ExtKeyUsageIPSECEndSystem,
	"ipsec tunnel":     x509.ExtKeyUsageIPSECTunnel,
	"ipsec user":       x509.ExtKeyUsageIPSECUser,
	"timestamping":     x509.ExtKeyUsageTimeStamping,
	"ocsp signing":     x509.ExtKeyUsageOCSPSigning,
	"microsoft sgc":    x509.ExtKeyUsageMicrosoftServerGatedCrypto,
	"netscape sgc":     x509.ExtKeyUsageNetscapeServerGatedCrypto,
}

ExtKeyUsage contains a mapping of string names to extended key usages.

var KeyUsage = map[string]x509.KeyUsage{
	"signing":             x509.KeyUsageDigitalSignature,
	"digital signature":   x509.KeyUsageDigitalSignature,
	"content committment": x509.KeyUsageContentCommitment,
	"key encipherment":    x509.KeyUsageKeyEncipherment,
	"data encipherment":   x509.KeyUsageDataEncipherment,
	"cert sign":           x509.KeyUsageCertSign,
	"crl sign":            x509.KeyUsageCRLSign,
	"encipher only":       x509.KeyUsageEncipherOnly,
	"decipher only":       x509.KeyUsageDecipherOnly,
}

KeyUsage contains a mapping of string names to key usages.

Functions

This section is empty.

Types

type AuthKey

type AuthKey struct {
	// Type contains information needed to select the appropriate
	// constructor. For example, "standard" for HMAC-SHA-256,
	// "standard-ip" for HMAC-SHA-256 incorporating the client's
	// IP.
	Type string `json:"type"`
	// Key contains the key information, such as a hex-encoded
	// HMAC key.
	Key string `json:"key"`
}

An AuthKey contains an entry for a key used for authentication.
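The page says only that a "standard" AuthKey selects HMAC-SHA-256 and that Key is hex-encoded. The following is an added example (not the package's own auth provider) of what a constructor for such a key should check before use, and how a token over a request body is computed and verified in constant time. The minimum key length, the provider name and the request bytes are this example's assumptions; the "standard-ip" variant is not modelled.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// AuthKey has the page's fields; everything below is this example's own code.
type AuthKey struct {
	Type string `json:"type"`
	Key  string `json:"key"`
}

// standardProvider authenticates requests with HMAC-SHA-256 under a decoded key.
type standardProvider struct{ key []byte }

// newStandardProvider rejects unknown types, non-hex keys and short keys so a
// mis-typed config fails at load time rather than silently weakening auth.
func newStandardProvider(ak AuthKey) (*standardProvider, error) {
	if ak.Type != "standard" {
		return nil, fmt.Errorf("unsupported auth key type %q", ak.Type)
	}
	key, err := hex.DecodeString(ak.Key)
	if err != nil {
		return nil, fmt.Errorf("auth key is not hex: %w", err)
	}
	// The 128-bit floor is this example's policy, not something the page states.
	if len(key) < 16 {
		return nil, errors.New("auth key shorter than 128 bits")
	}
	return &standardProvider{key: key}, nil
}

// Token is HMAC-SHA-256 over the raw request bytes.
func (p *standardProvider) Token(req []byte) []byte {
	m := hmac.New(sha256.New, p.key)
	m.Write(req)
	return m.Sum(nil)
}

// Verify recomputes the tag and compares in constant time (hmac.Equal), so a
// forger learns nothing from how quickly a wrong tag is rejected.
func (p *standardProvider) Verify(req, token []byte) bool {
	return hmac.Equal(p.Token(req), token)
}

func main() {
	// Constructed 32-byte key for the demonstration only.
	p, err := newStandardProvider(AuthKey{Type: "standard",
		Key: "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"})
	if err != nil {
		panic(err)
	}
	req := []byte(`{"hostname":"www.example.com"}`)
	tok := p.Token(req)
	fmt.Printf("token=%x valid=%v tampered=%v\n", tok,
		p.Verify(req, tok), p.Verify([]byte(`{"hostname":"evil.example"}`), tok))
}
```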

type CSRWhitelist

type CSRWhitelist struct {
	Subject, PublicKeyAlgorithm, PublicKey, SignatureAlgorithm bool
	DNSNames, IPAddresses                                      bool
}

A CSRWhitelist stores booleans for fields in the CSR. If a CSRWhitelist is not present in a SigningProfile, all of these fields may be copied from the CSR into the signed certificate. If a CSRWhitelist *is* present in a SigningProfile, only those fields with a `true` value in the CSRWhitelist may be copied from the CSR to the signed certificate. Note that some of these fields, like Subject, can be provided or partially provided through the API. Since API clients are expected to be trusted, but CSRs are not, fields provided through the API are not subject to whitelisting through this mechanism.
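The rule above (no whitelist: copy everything; whitelist present: copy only flagged fields) is the CA's defence against a requester who puts names it does not own into an untrusted CSR. The following is an added example, not the package's signer code, that applies that rule to a CSR parsed with the standard library. The CSR itself is constructed inline, and the API-supplied fields the text mentions are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"net"
)

// CSRWhitelist has the same fields as the page's type.
type CSRWhitelist struct {
	Subject, PublicKeyAlgorithm, PublicKey, SignatureAlgorithm bool
	DNSNames, IPAddresses                                      bool
}

// makeCSR builds a constructed CSR standing in for an untrusted client
// request: the requester asks for a Subject and SANs it may not own.
func makeCSR() (*x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{
			CommonName:   "evil.example.com",
			Organization: []string{"Untrusted Org"},
		},
		DNSNames:    []string{"evil.example.com", "login.bank.example"},
		IPAddresses: []net.IP{net.ParseIP("10.0.0.1")},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	// Proof of possession: a CSR whose self-signature fails is not worth filtering.
	return csr, csr.CheckSignature()
}

// templateFromCSR copies CSR fields into a certificate template. A nil
// whitelist copies every field; a non-nil one copies only the flagged fields.
func templateFromCSR(csr *x509.CertificateRequest, wl *CSRWhitelist) *x509.Certificate {
	if wl == nil {
		wl = &CSRWhitelist{true, true, true, true, true, true}
	}
	tmpl := &x509.Certificate{}
	if wl.Subject {
		tmpl.Subject = csr.Subject
	}
	if wl.PublicKeyAlgorithm {
		tmpl.PublicKeyAlgorithm = csr.PublicKeyAlgorithm
	}
	if wl.PublicKey {
		tmpl.PublicKey = csr.PublicKey
	}
	if wl.SignatureAlgorithm {
		tmpl.SignatureAlgorithm = csr.SignatureAlgorithm
	}
	if wl.DNSNames {
		tmpl.DNSNames = csr.DNSNames
	}
	if wl.IPAddresses {
		tmpl.IPAddresses = csr.IPAddresses
	}
	return tmpl
}

func main() {
	csr, err := makeCSR()
	if err != nil {
		panic(err)
	}
	// A profile that trusts only the key material in the CSR; names would
	// come from the (trusted) API caller instead.
	tmpl := templateFromCSR(csr, &CSRWhitelist{PublicKey: true, PublicKeyAlgorithm: true})
	fmt.Printf("whitelisted: CN=%q dns=%v ip=%v key=%T\n",
		tmpl.Subject.CommonName, tmpl.DNSNames, tmpl.IPAddresses, tmpl.PublicKey)
	all := templateFromCSR(csr, nil)
	fmt.Printf("no whitelist: CN=%q dns=%v ip=%v\n", all.Subject.CommonName, all.DNSNames, all.IPAddresses)
}
```

Note the asymmetry the text points out: nothing here filters values that arrive through the API, so a profile without a whitelist is only safe when every CSR it signs comes from a source as trusted as the API client.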

type Config

type Config struct {
	Signing  *Signing           `json:"signing"`
	AuthKeys map[string]AuthKey `json:"auth_keys,omitempty"`
	Remotes  map[string]string  `json:"remotes,omitempty"`
}

Config stores configuration information for the CA.

func LoadConfig

func LoadConfig(config []byte) (*Config, error)

LoadConfig attempts to parse the configuration from a byte slice. On error, it returns a nil *Config together with a non-nil error.

func LoadFile

func LoadFile(path string) (*Config, error)

LoadFile attempts to load the configuration file stored at path and returns the parsed configuration. On error, it returns a nil *Config together with a non-nil error.

func (*Config) Valid

func (c *Config) Valid() bool

Valid ensures that Config is a valid configuration. It should be called immediately after parsing a configuration file.

type Signing

type Signing struct {
	Profiles map[string]*SigningProfile `json:"profiles"`
	Default  *SigningProfile            `json:"default"`
}

Signing codifies the signature configuration policy for a CA.

func (*Signing) NeedsLocalSigner

func (p *Signing) NeedsLocalSigner() bool

NeedsLocalSigner returns true if at least one profile does not have a remote set.

func (*Signing) NeedsRemoteSigner

func (p *Signing) NeedsRemoteSigner() bool

NeedsRemoteSigner returns true if at least one profile has a remote set.

func (*Signing) OverrideRemotes

func (p *Signing) OverrideRemotes(remote string) error

OverrideRemotes updates the remote server used by the profiles in the signing configuration to the hostname:port combination given by remote.

func (*Signing) Valid

func (p *Signing) Valid() bool

Valid checks each signing profile, ensuring it is a valid policy. A profile is valid if it defines at least one key usage; the default profile must additionally define an expiration.

type SigningProfile

type SigningProfile struct {
	Usage          []string  `json:"usages"`
	IssuerURL      []string  `json:"issuer_urls"`
	OCSP           string    `json:"ocsp_url"`
	CRL            string    `json:"crl_url"`
	CA             bool      `json:"is_ca"`
	PolicyStrings  []string  `json:"policies"`
	OCSPNoCheck    bool      `json:"ocsp_no_check"`
	ExpiryString   string    `json:"expiry"`
	BackdateString string    `json:"backdate"`
	AuthKeyName    string    `json:"auth_key"`
	RemoteName     string    `json:"remote"`
	NotBefore      time.Time `json:"not_before"`
	NotAfter       time.Time `json:"not_after"`

	Policies     []asn1.ObjectIdentifier
	Expiry       time.Duration
	Backdate     time.Duration
	Provider     auth.Provider
	RemoteServer string
	UseSerialSeq bool
	CSRWhitelist *CSRWhitelist
}

A SigningProfile stores the signature policy that the CA applies when issuing certificates under that profile.

func DefaultConfig

func DefaultConfig() *SigningProfile

DefaultConfig returns a default profile specifying basic key usages and a one-year expiration. The key usages chosen are signing, key encipherment, client auth and server auth.

func (*SigningProfile) Usages

func (p *SigningProfile) Usages() (ku x509.KeyUsage, eku []x509.ExtKeyUsage, unk []string)

Usages parses the list of usage names in the profile, translating them into an X.509 key usage bitmask and a list of extended key usages. Names that match neither the KeyUsage nor the ExtKeyUsage table are collected into the returned unk slice.
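The loading, validation and usage-resolution steps described above (LoadConfig, Signing.Valid, DefaultConfig and Usages) are shown together in the following added example. It is this editor's code, not the package's: it keeps a subset of the page's types and JSON tags and the table entries it needs, and its validation policy (rejecting any usage name that lands in unk, requiring at least one usage, requiring an expiry on the default profile) is an assumption chosen to make a mis-typed usage fail at load time instead of producing a certificate with fewer usages than intended. The two JSON configs are constructed for the demonstration.

```go
package main

import (
	"crypto/x509"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Subset of the page's Config/Signing/SigningProfile, with the same JSON tags.
type SigningProfile struct {
	Usage        []string `json:"usages"`
	ExpiryString string   `json:"expiry"`
	Expiry       time.Duration
}
type Signing struct {
	Profiles map[string]*SigningProfile `json:"profiles"`
	Default  *SigningProfile            `json:"default"`
}
type Config struct {
	Signing *Signing `json:"signing"`
}

// The entries of the page's KeyUsage and ExtKeyUsage tables used here.
var keyUsage = map[string]x509.KeyUsage{
	"signing":          x509.KeyUsageDigitalSignature,
	"key encipherment": x509.KeyUsageKeyEncipherment,
	"cert sign":        x509.KeyUsageCertSign,
	"crl sign":         x509.KeyUsageCRLSign,
}
var extKeyUsage = map[string]x509.ExtKeyUsage{
	"server auth": x509.ExtKeyUsageServerAuth,
	"client auth": x509.ExtKeyUsageClientAuth,
}

// Usages resolves usage names; unrecognised names go to unk, not silently dropped.
func (p *SigningProfile) Usages() (ku x509.KeyUsage, eku []x509.ExtKeyUsage, unk []string) {
	for _, u := range p.Usage {
		if k, ok := keyUsage[u]; ok {
			ku |= k
		} else if e, ok := extKeyUsage[u]; ok {
			eku = append(eku, e)
		} else {
			unk = append(unk, u)
		}
	}
	return ku, eku, unk
}

// validate parses the expiry and applies this example's policy: no unknown
// usages, at least one usage, and an expiry on the default profile.
func (p *SigningProfile) validate(isDefault bool) error {
	if p.ExpiryString != "" {
		d, err := time.ParseDuration(p.ExpiryString)
		if err != nil || d <= 0 {
			return fmt.Errorf("bad expiry %q", p.ExpiryString)
		}
		p.Expiry = d
	}
	ku, eku, unk := p.Usages()
	switch {
	case len(unk) > 0:
		return fmt.Errorf("unknown usages %v", unk)
	case ku == 0 && len(eku) == 0:
		return errors.New("no usages")
	case isDefault && p.Expiry == 0:
		return errors.New("default profile has no expiry")
	}
	return nil
}

// LoadConfig parses and validates a JSON config; on any failure it returns (nil, err).
func LoadConfig(b []byte) (*Config, error) {
	var c Config
	if err := json.Unmarshal(b, &c); err != nil {
		return nil, err
	}
	if c.Signing == nil || c.Signing.Default == nil {
		return nil, errors.New("no default signing profile")
	}
	if err := c.Signing.Default.validate(true); err != nil {
		return nil, fmt.Errorf("default: %w", err)
	}
	for name, p := range c.Signing.Profiles {
		if p == nil {
			return nil, fmt.Errorf("profile %q is null", name)
		}
		if err := p.validate(false); err != nil {
			return nil, fmt.Errorf("profile %q: %w", name, err)
		}
	}
	return &c, nil
}

// Constructed configs: the default mirrors DefaultConfig; the second misspells a usage.
const goodConfig = `{"signing": {
  "default": {"usages": ["signing", "key encipherment", "client auth", "server auth"], "expiry": "8760h"},
  "profiles": {"ca": {"usages": ["cert sign", "crl sign"], "expiry": "43800h"}}}}`
const badConfig = `{"signing": {"default": {"usages": ["signing", "server auht"], "expiry": "8760h"}}}`

func main() {
	c, err := LoadConfig([]byte(goodConfig))
	fmt.Println("good config:", c.Signing.Default.Expiry, err)
	_, err = LoadConfig([]byte(badConfig))
	fmt.Println("bad config rejected:", err)
}
```

The page's Usages returns unk rather than failing, which leaves the decision to the caller; a CA that ignores that slice will issue a certificate for the "server auht" profile above with digital signature only and no server-auth EKU, and the mistake surfaces only when a client rejects the leaf.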
