Documentation
¶
Overview ¶
Package config contains the configuration logic for CFSSL.
Index ¶
Constants ¶
This section is empty.
Variables ¶
var ExtKeyUsage = map[string]x509.ExtKeyUsage{ "any": x509.ExtKeyUsageAny, "server auth": x509.ExtKeyUsageServerAuth, "client auth": x509.ExtKeyUsageClientAuth, "code signing": x509.ExtKeyUsageCodeSigning, "email protection": x509.ExtKeyUsageEmailProtection, "s/mime": x509.ExtKeyUsageEmailProtection, "ipsec end system": x509.ExtKeyUsageIPSECEndSystem, "ipsec tunnel": x509.ExtKeyUsageIPSECTunnel, "ipsec user": x509.ExtKeyUsageIPSECUser, "timestamping": x509.ExtKeyUsageTimeStamping, "ocsp signing": x509.ExtKeyUsageOCSPSigning, "microsoft sgc": x509.ExtKeyUsageMicrosoftServerGatedCrypto, "netscape sgc": x509.ExtKeyUsageNetscapeServerGatedCrypto, }
ExtKeyUsage contains a mapping of string names to extended key usages.
var KeyUsage = map[string]x509.KeyUsage{ "signing": x509.KeyUsageDigitalSignature, "digital signature": x509.KeyUsageDigitalSignature, "content committment": x509.KeyUsageContentCommitment, "key encipherment": x509.KeyUsageKeyEncipherment, "key agreement": x509.KeyUsageKeyAgreement, "data encipherment": x509.KeyUsageDataEncipherment, "cert sign": x509.KeyUsageCertSign, "crl sign": x509.KeyUsageCRLSign, "encipher only": x509.KeyUsageEncipherOnly, "decipher only": x509.KeyUsageDecipherOnly, }
KeyUsage contains a mapping of string names to key usages.
Functions ¶
This section is empty.
Types ¶
type AuthKey ¶
type AuthKey struct {
// Type contains information needed to select the appropriate
// constructor. For example, "standard" for HMAC-SHA-256,
// "standard-ip" for HMAC-SHA-256 incorporating the client's
// IP.
Type string `json:"type"`
// Key contains the key information, such as a hex-encoded
// HMAC key.
Key string `json:"key"`
}
An AuthKey contains an entry for a key used for authentication.
type AuthRemote ¶
AuthRemote is an authenticated remote signer.
type CSRWhitelist ¶
type CSRWhitelist struct {
Subject, PublicKeyAlgorithm, PublicKey, SignatureAlgorithm bool
DNSNames, IPAddresses bool
}
A CSRWhitelist stores booleans for fields in the CSR. If a CSRWhitelist is not present in a SigningProfile, all of these fields may be copied from the CSR into the signed certificate. If a CSRWhitelist *is* present in a SigningProfile, only those fields with a `true` value in the CSRWhitelist may be copied from the CSR to the signed certificate. Note that some of these fields, like Subject, can be provided or partially provided through the API. Since API clients are expected to be trusted, but CSRs are not, fields provided through the API are not subject to whitelisting through this mechanism.
type CertificatePolicy ¶
type CertificatePolicy struct {
ID OID
Qualifiers []CertificatePolicyQualifier
}
CertificatePolicy represents the ASN.1 PolicyInformation structure from https://tools.ietf.org/html/rfc3280.html#page-106. Valid values of Type are "id-qt-unotice" and "id-qt-cps"
type CertificatePolicyQualifier ¶
CertificatePolicyQualifier represents a single qualifier from an ASN.1 PolicyInformation structure.
type Config ¶
type Config struct {
Signing *Signing `json:"signing"`
OCSP *ocspConfig.Config `json:"ocsp"`
AuthKeys map[string]AuthKey `json:"auth_keys,omitempty"`
Remotes map[string]string `json:"remotes,omitempty"`
}
Config stores configuration information for the CA.
func LoadConfig ¶
LoadConfig attempts to load the configuration from a byte slice. On error, it returns nil.
type OID ¶
type OID asn1.ObjectIdentifier
OID is our own version of asn1's ObjectIdentifier, so we can define a custom JSON marshal / unmarshal.
func (OID) MarshalJSON ¶
MarshalJSON marshals an oid into a JSON string.
func (*OID) UnmarshalJSON ¶
UnmarshalJSON unmarshals a JSON string into an OID.
type Signing ¶
type Signing struct {
Profiles map[string]*SigningProfile `json:"profiles"`
Default *SigningProfile `json:"default"`
}
Signing codifies the signature configuration policy for a CA.
func (*Signing) NeedsLocalSigner ¶
NeedsLocalSigner returns true if one of the profiles doe not have a remote set
func (*Signing) NeedsRemoteSigner ¶
NeedsRemoteSigner returns true if one of the profiles has a remote set
func (*Signing) OverrideRemotes ¶
OverrideRemotes takes a signing configuration and updates the remote server object to the hostname:port combination sent by remote
type SigningProfile ¶
type SigningProfile struct {
Usage []string `json:"usages"`
IssuerURL []string `json:"issuer_urls"`
OCSP string `json:"ocsp_url"`
CRL string `json:"crl_url"`
CA bool `json:"is_ca"`
OCSPNoCheck bool `json:"ocsp_no_check"`
ExpiryString string `json:"expiry"`
BackdateString string `json:"backdate"`
AuthKeyName string `json:"auth_key"`
RemoteName string `json:"remote"`
NotBefore time.Time `json:"not_before"`
NotAfter time.Time `json:"not_after"`
NameWhitelistString string `json:"name_whitelist"`
AuthRemote AuthRemote `json:"auth_remote"`
CTLogServers []string `json:"ct_log_servers"`
AllowedExtensions []OID `json:"allowed_extensions"`
CertStore string `json:"cert_store"`
Policies []CertificatePolicy
Expiry time.Duration
Backdate time.Duration
Provider auth.Provider
RemoteProvider auth.Provider
RemoteServer string
CSRWhitelist *CSRWhitelist
NameWhitelist *regexp.Regexp
ExtensionWhitelist map[string]bool
ClientProvidesSerialNumbers bool
}
A SigningProfile stores information that the CA needs to store signature policy.
func DefaultConfig ¶
func DefaultConfig() *SigningProfile
DefaultConfig returns a default configuration specifying basic key usage and a 1 year expiration time. The key usages chosen are signing, key encipherment, client auth and server auth.
func (*SigningProfile) Usages ¶
func (p *SigningProfile) Usages() (ku x509.KeyUsage, eku []x509.ExtKeyUsage, unk []string)
Usages parses the list of key uses in the profile, translating them to a list of X.509 key usages and extended key usages. The unknown uses are collected into a slice that is also returned.
Source Files