issuance

package
v0.0.0-...-0c658f2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 18, 2024 License: MPL-2.0 Imports: 31 Imported by: 3

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ContainsMustStaple

func ContainsMustStaple(extensions []pkix.Extension) bool

ContainsMustStaple returns true if the provided set of extensions includes an entry whose OID and value both match the expected values for the OCSP Must-Staple (a.k.a. id-pe-tlsFeature) extension.

Types

type CRLProfile

type CRLProfile struct {
	// contains filtered or unexported fields
}

func NewCRLProfile

func NewCRLProfile(config CRLProfileConfig) (*CRLProfile, error)

type CRLProfileConfig

type CRLProfileConfig struct {
	ValidityInterval config.Duration
	MaxBackdate      config.Duration
}

type CRLRequest

type CRLRequest struct {
	Number *big.Int
	Shard  int64

	ThisUpdate time.Time

	Entries []x509.RevocationListEntry
}

type Certificate

type Certificate struct {
	*x509.Certificate
	// contains filtered or unexported fields
}

Certificate embeds an *x509.Certificate and represents the added semantics that this certificate is a CA certificate.

func LoadCertificate

func LoadCertificate(path string) (*Certificate, error)

func LoadChain

func LoadChain(certFiles []string) ([]*Certificate, error)

LoadChain takes a list of filenames containing pem-formatted certificates, and returns a chain representing all of those certificates in order. It ensures that the resulting chain is valid. The final file is expected to be a root certificate, which the chain will be verified against, but which will not be included in the resulting chain.

func NewCertificate

func NewCertificate(ic *x509.Certificate) (*Certificate, error)

NewCertificate wraps an in-memory cert in an issuance.Certificate, marking it as an issuer cert. It may fail if the certificate does not contain the attributes expected of an issuer certificate.

func (*Certificate) NameID

func (ic *Certificate) NameID() NameID

NameID is equivalent to SubjectNameID(ic), but faster because it is precomputed.

type HexMarshalableBytes

type HexMarshalableBytes []byte

func (HexMarshalableBytes) MarshalJSON

func (h HexMarshalableBytes) MarshalJSON() ([]byte, error)

type IssuanceRequest

type IssuanceRequest struct {
	// PublicKey is of type MarshalablePublicKey so we can log an IssuanceRequest as a JSON object.
	PublicKey    MarshalablePublicKey
	SubjectKeyId HexMarshalableBytes

	Serial HexMarshalableBytes

	NotBefore time.Time
	NotAfter  time.Time

	CommonName string
	DNSNames   []string

	IncludeMustStaple bool
	IncludeCTPoison   bool
	// contains filtered or unexported fields
}

IssuanceRequest describes a certificate issuance request

It can be marshaled as JSON for logging purposes, though note that sctList and precertDER will be omitted from the marshaled output because they are unexported.

func RequestFromPrecert

func RequestFromPrecert(precert *x509.Certificate, scts []ct.SignedCertificateTimestamp) (*IssuanceRequest, error)

RequestFromPrecert constructs a final certificate IssuanceRequest matching the provided precertificate. It returns an error if the precertificate doesn't contain the CT poison extension.

type Issuer

type Issuer struct {
	// TODO(#7159): make Cert, Signer, and Linter private when all signing ops
	// are handled through this package (e.g. the CA doesn't need direct access
	// while signing CRLs anymore).
	Cert   *Certificate
	Signer crypto.Signer
	Linter *linter.Linter
	// contains filtered or unexported fields
}

Issuer is capable of issuing new certificates.

func LoadIssuer

func LoadIssuer(config IssuerConfig, clk clock.Clock) (*Issuer, error)

LoadIssuer constructs a new Issuer, loading its certificate from disk and its private key material from the indicated location. It also verifies that the issuer metadata (such as AIA URLs) is well-formed.

func (*Issuer) IsActive

func (i *Issuer) IsActive() bool

IsActive is true if the issuer is willing to issue precertificates, and false if the issuer is only willing to issue final certificates, OCSP, and CRLs.

func (*Issuer) Issue

func (i *Issuer) Issue(token *issuanceToken) ([]byte, error)

Issue performs a real issuance using an issuanceToken resulting from a previous call to Prepare(). Call this at most once per token. Calls after the first will receive an error.

func (*Issuer) IssueCRL

func (i *Issuer) IssueCRL(prof *CRLProfile, req *CRLRequest) ([]byte, error)

func (*Issuer) KeyType

func (i *Issuer) KeyType() x509.PublicKeyAlgorithm

KeyType returns either x509.RSA or x509.ECDSA, depending on whether the issuer has an RSA or ECDSA keypair. This is useful for determining which issuance requests should be routed to this issuer.

func (*Issuer) Name

func (i *Issuer) Name() string

Name provides the Common Name specified in the issuer's certificate.

func (*Issuer) NameID

func (i *Issuer) NameID() NameID

NameID provides the NameID of the issuer's certificate.

func (*Issuer) Prepare

func (i *Issuer) Prepare(prof *Profile, req *IssuanceRequest) ([]byte, *issuanceToken, error)

Prepare combines the given profile and request with the Issuer's information to create a template certificate. It then generates a linting certificate from that template and runs the linter over it. If successful, returns both the linting certificate (which can be stored) and an issuanceToken. The issuanceToken can be used to sign a matching certificate with this Issuer's private key.

type IssuerConfig

type IssuerConfig struct {
	// Active determines if the issuer can be used to sign precertificates. All
	// issuers, regardless of this field, can be used to sign final certificates
	// (for which an issuance token is presented), OCSP responses, and CRLs.
	// All Active issuers of a given key type (RSA or ECDSA) are part of a pool
	// and each precertificate will be issued randomly from a selected pool.
	// The selection of which pool depends on the precertificate's key algorithm.
	Active bool

	IssuerURL  string `validate:"required,url"`
	OCSPURL    string `validate:"required,url"`
	CRLURLBase string `validate:"omitempty,url,startswith=http://,endswith=/"`

	Location IssuerLoc
}

IssuerConfig describes the constraints on and URLs used by a single issuer.

type IssuerLoc

type IssuerLoc struct {
	// A file from which a private key will be read and parsed.
	File string `validate:"required_without_all=ConfigFile PKCS11"`
	// A file from which a pkcs11key.Config will be read and parsed, if File is not set.
	ConfigFile string `validate:"required_without_all=PKCS11 File"`
	// An in-memory pkcs11key.Config, which will be used if ConfigFile is not set.
	PKCS11 *pkcs11key.Config `validate:"required_without_all=ConfigFile File"`
	// A file from which a certificate will be read and parsed.
	CertFile string `validate:"required"`
	// Number of sessions to open with the HSM. For maximum performance,
	// this should be equal to the number of cores in the HSM. Defaults to 1.
	NumSessions int
}

IssuerLoc describes the on-disk location and parameters that an issuer should use to retrieve its certificate and private key. Only one of File, ConfigFile, or PKCS11 should be set.

type MarshalablePublicKey

type MarshalablePublicKey struct {
	crypto.PublicKey
}

MarshalablePublicKey is a wrapper for crypto.PublicKey with a custom JSON marshaller that encodes the public key as a DER-encoded SubjectPublicKeyInfo.

func (MarshalablePublicKey) MarshalJSON

func (pk MarshalablePublicKey) MarshalJSON() ([]byte, error)

type NameID

type NameID int64

NameID is a statistically-unique small ID which can be computed from both CA and end-entity certs to link them together into a validation chain. It is computed as a truncated hash over the issuer Subject Name bytes, or over the end-entity's Issuer Name bytes, which are required to be equal.

func IssuerNameID

func IssuerNameID(ee *x509.Certificate) NameID

IssuerNameID returns the IssuerNameID (a truncated hash over the raw bytes of the Issuer Distinguished Name) of the given end-entity certificate. Useful for performing lookups in contexts that don't expect hash collisions.

func ResponderNameID

func ResponderNameID(resp *ocsp.Response) NameID

ResponderNameID returns the NameID (a truncated hash over the raw bytes of the Responder Distinguished Name) of the given OCSP Response. As per the OCSP spec, it is technically possible for this field to not be populated: the OCSP Response can instead contain a SHA-1 hash of the Issuer Public Key as the Responder ID. However, all OCSP responses that we produce contain it, because the Go stdlib always includes it.

func SubjectNameID

func SubjectNameID(ic *Certificate) NameID

SubjectNameID returns the NameID (a truncated hash over the raw bytes of a Distinguished Name) of this issuer certificate's Subject. Useful for storing as a lookup key in contexts that don't expect hash collisions.

type PolicyConfig

type PolicyConfig struct {
	OID string `validate:"required"`
}

PolicyConfig describes a policy

type Profile

type Profile struct {
	// contains filtered or unexported fields
}

Profile is the validated structure created by reading in ProfileConfigs and IssuerConfigs

func NewProfile

func NewProfile(profileConfig *ProfileConfig) (*Profile, error)

NewProfile converts the profile config into a usable profile.

func (*Profile) GenerateValidity

func (p *Profile) GenerateValidity(now time.Time) (time.Time, time.Time)

GenerateValidity returns a notBefore/notAfter pair bracketing the input time, based on the profile's configured backdate and validity.

type ProfileConfig

type ProfileConfig struct {
	// AllowMustStaple, when false, causes all IssuanceRequests which specify the
	// OCSP Must Staple extension to be rejected.
	AllowMustStaple bool
	// AllowCTPoison has no effect.
	// Deprecated: We will always allow the CT Poison extension because it is
	// mandated for Precertificates.
	AllowCTPoison bool
	// AllowSCTList has no effect.
	// Deprecated: We intend to include SCTs in all final Certificates for the
	// foreseeable future.
	AllowSCTList bool
	// AllowCommonName has no effect.
	// Deprecated: Rather than rejecting IssuanceRequests which include a common
	// name, we would prefer to simply drop the CN. Use `OmitCommonName` instead.
	AllowCommonName bool

	// OmitCommonName causes the CN field to be excluded from the resulting
	// certificate, regardless of its inclusion in the IssuanceRequest.
	OmitCommonName bool
	// OmitKeyEncipherment causes the keyEncipherment bit to be omitted from the
	// Key Usage field of all certificates (instead of only from ECDSA certs).
	OmitKeyEncipherment bool
	// OmitClientAuth causes the id-kp-clientAuth OID (TLS Client Authentication)
	// to be omitted from the EKU extension.
	OmitClientAuth bool
	// OmitSKID causes the Subject Key Identifier extension to be omitted.
	OmitSKID bool

	MaxValidityPeriod   config.Duration
	MaxValidityBackdate config.Duration

	// LintConfig is a path to a zlint config file, which can be used to control
	// the behavior of zlint's "customizable lints".
	LintConfig string
	// IgnoredLints is a list of lint names that we know will fail for this
	// profile, and which we know it is safe to ignore.
	IgnoredLints []string

	// Deprecated: we do not respect this field.
	Policies []PolicyConfig `validate:"-"`
}

ProfileConfig describes the certificate issuance constraints for all issuers.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL