vault

package
v1.0.10
Published: Aug 16, 2021 License: MIT Imports: 12 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type CertRespData

type CertRespData struct {
	SignResponseData
	PrivateKey     string `json:"private_key"`
	PrivateKeyType string `json:"private_key_type"`
}

type CertResponse

type CertResponse struct {
	CommonCAResponse
	Data *CertRespData `json:"data"`
}

type CommonCAResponse

type CommonCAResponse struct {
	RequestID     string `json:"request_id"`
	LeaseID       string `json:"lease_id"`
	Renewable     bool   `json:"renewable"`
	LeaseDuration int    `json:"lease_duration"`
}

type SignResponse

type SignResponse struct {
	CommonCAResponse
	Data *SignResponseData `json:"data"`
}

type SignResponseData

type SignResponseData struct {
	Certificate  string   `json:"certificate"`
	IssuingCA    string   `json:"issuing_ca"`
	CAChain      []string `json:"ca_chain"`
	SerialNumber string   `json:"serial_number"`
}

type VaultCA

type VaultCA struct {
}

func (*VaultCA) CACerts

func (ca *VaultCA) CACerts(ctx context.Context, aps string, r *http.Request) ([]*x509.Certificate, error)

CACerts returns the CA certificates, unless the additional path segment is "triggererrors", in which case an error is returned for testing purposes.

func (*VaultCA) CSRAttrs

func (ca *VaultCA) CSRAttrs(ctx context.Context, aps string, r *http.Request) (attrs est.CSRAttrs, err error)

CSRAttrs returns an empty sequence of CSR attributes, unless the additional path segment is:

  • "csrattrs", in which case it returns the same example sequence described in RFC 7030, section 4.5.2; or
  • "triggererrors", in which case an error is returned for testing purposes.

func (*VaultCA) Enroll

func (ca *VaultCA) Enroll(ctx context.Context, csr *x509.CertificateRequest, aps string, r *http.Request) (*x509.Certificate, error)

Enroll issues a new certificate with:

  • a 90-day validity period starting at the current time
  • a randomly generated 128-bit serial number
  • a subject and subject alternative names copied from the provided CSR
  • a default set of key usages and extended key usages
  • a basic constraints extension with the cA flag set to FALSE

unless the additional path segment is "triggererrors", in which case the following errors will be returned for testing purposes, depending on the common name in the CSR:

  • "Trigger Error Forbidden", HTTP status 403
  • "Trigger Error Deferred", HTTP status 202 with retry of 600 seconds
  • "Trigger Error Unknown", untyped error expected to be interpreted as an internal server error.

func (*VaultCA) Reenroll

func (ca *VaultCA) Reenroll(ctx context.Context, cert *x509.Certificate, csr *x509.CertificateRequest, aps string, r *http.Request) (*x509.Certificate, error)

Reenroll implements est.CA but simply passes the request through to Enroll.

func (*VaultCA) ServerKeyGen

func (ca *VaultCA) ServerKeyGen(ctx context.Context, csr *x509.CertificateRequest, aps string, r *http.Request) (*x509.Certificate, []byte, error)

ServerKeyGen creates a new RSA private key and then calls Enroll. It returns the key in PKCS8 DER-encoding, unless the additional path segment is set to "pkcs7", in which case it is returned wrapped in a CMS SignedData structure signed by the CA certificate(s), itself wrapped in a CMS EnvelopedData encrypted with the pre-shared key "pseudohistorical". A "Bit-Size" HTTP header may be passed with the values 2048, 3072 or 4096.

func (*VaultCA) TPMEnroll

func (ca *VaultCA) TPMEnroll(ctx context.Context, csr *x509.CertificateRequest, ekcerts []*x509.Certificate, ekPub, akPub []byte, aps string, r *http.Request) ([]byte, []byte, []byte, error)
