Documentation ¶
Index ¶
- func ContainsMustStaple(extensions []pkix.Extension) bool
- type CRLProfile
- type CRLProfileConfig
- type CRLRequest
- type Certificate
- type HexMarshalableBytes
- type IssuanceRequest
- type Issuer
- func (i *Issuer) IsActive() bool
- func (i *Issuer) Issue(token *issuanceToken) ([]byte, error)
- func (i *Issuer) IssueCRL(prof *CRLProfile, req *CRLRequest) ([]byte, error)
- func (i *Issuer) KeyType() x509.PublicKeyAlgorithm
- func (i *Issuer) Name() string
- func (i *Issuer) NameID() NameID
- func (i *Issuer) Prepare(prof *Profile, req *IssuanceRequest) ([]byte, *issuanceToken, error)
- type IssuerConfig
- type IssuerLoc
- type MarshalablePublicKey
- type NameID
- type PolicyConfig
- type Profile
- type ProfileConfig
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ContainsMustStaple ¶
ContainsMustStaple returns true if the provided set of extensions includes an entry whose OID and value both match the expected values for the OCSP Must-Staple (a.k.a. id-pe-tlsFeature) extension.
Types ¶
type CRLProfile ¶
type CRLProfile struct {
// contains filtered or unexported fields
}
func NewCRLProfile ¶
func NewCRLProfile(config CRLProfileConfig) (*CRLProfile, error)
type CRLProfileConfig ¶
type CRLRequest ¶
type Certificate ¶
type Certificate struct { *x509.Certificate // contains filtered or unexported fields }
Certificate embeds an *x509.Certificate and represents the added semantics that this certificate is a CA certificate.
func LoadCertificate ¶
func LoadCertificate(path string) (*Certificate, error)
func LoadChain ¶
func LoadChain(certFiles []string) ([]*Certificate, error)
LoadChain takes a list of filenames containing pem-formatted certificates, and returns a chain representing all of those certificates in order. It ensures that the resulting chain is valid. The final file is expected to be a root certificate, which the chain will be verified against, but which will not be included in the resulting chain.
func NewCertificate ¶
func NewCertificate(ic *x509.Certificate) (*Certificate, error)
NewCertificate wraps an in-memory cert in an issuance.Certificate, marking it as an issuer cert. It may fail if the certificate does not contain the attributes expected of an issuer certificate.
func (*Certificate) NameID ¶
func (ic *Certificate) NameID() NameID
NameID is equivalent to SubjectNameID(ic), but faster because it is precomputed.
type HexMarshalableBytes ¶
type HexMarshalableBytes []byte
func (HexMarshalableBytes) MarshalJSON ¶
func (h HexMarshalableBytes) MarshalJSON() ([]byte, error)
type IssuanceRequest ¶
type IssuanceRequest struct { // PublicKey is of type MarshalablePublicKey so we can log an IssuanceRequest as a JSON object. PublicKey MarshalablePublicKey SubjectKeyId HexMarshalableBytes Serial HexMarshalableBytes NotBefore time.Time NotAfter time.Time CommonName string DNSNames []string IncludeMustStaple bool IncludeCTPoison bool // contains filtered or unexported fields }
IssuanceRequest describes a certificate issuance request
It can be marshaled as JSON for logging purposes, though note that sctList and precertDER will be omitted from the marshaled output because they are unexported.
func RequestFromPrecert ¶
func RequestFromPrecert(precert *x509.Certificate, scts []ct.SignedCertificateTimestamp) (*IssuanceRequest, error)
RequestFromPrecert constructs a final certificate IssuanceRequest matching the provided precertificate. It returns an error if the precertificate doesn't contain the CT poison extension.
type Issuer ¶
type Issuer struct { // TODO(#7159): make Cert, Signer, and Linter private when all signing ops // are handled through this package (e.g. the CA doesn't need direct access // while signing CRLs anymore). Cert *Certificate Signer crypto.Signer Linter *linter.Linter // contains filtered or unexported fields }
Issuer is capable of issuing new certificates.
func LoadIssuer ¶
func LoadIssuer(config IssuerConfig, clk clock.Clock) (*Issuer, error)
LoadIssuer constructs a new Issuer, loading its certificate from disk and its private key material from the indicated location. It also verifies that the issuer metadata (such as AIA URLs) is well-formed.
func (*Issuer) IsActive ¶
IsActive is true if the issuer is willing to issue precertificates, and false if the issuer is only willing to issue final certificates, OCSP, and CRLs.
func (*Issuer) Issue ¶
Issue performs a real issuance using an issuanceToken resulting from a previous call to Prepare(). Call this at most once per token. Calls after the first will receive an error.
func (*Issuer) IssueCRL ¶
func (i *Issuer) IssueCRL(prof *CRLProfile, req *CRLRequest) ([]byte, error)
func (*Issuer) KeyType ¶
func (i *Issuer) KeyType() x509.PublicKeyAlgorithm
KeyType returns either x509.RSA or x509.ECDSA, depending on whether the issuer has an RSA or ECDSA keypair. This is useful for determining which issuance requests should be routed to this issuer.
func (*Issuer) Prepare ¶
func (i *Issuer) Prepare(prof *Profile, req *IssuanceRequest) ([]byte, *issuanceToken, error)
Prepare combines the given profile and request with the Issuer's information to create a template certificate. It then generates a linting certificate from that template and runs the linter over it. If successful, returns both the linting certificate (which can be stored) and an issuanceToken. The issuanceToken can be used to sign a matching certificate with this Issuer's private key.
type IssuerConfig ¶
type IssuerConfig struct { // Active determines if the issuer can be used to sign precertificates. All // issuers, regardless of this field, can be used to sign final certificates // (for which an issuance token is presented), OCSP responses, and CRLs. // All Active issuers of a given key type (RSA or ECDSA) are part of a pool // and each precertificate will be issued randomly from a selected pool. // The selection of which pool depends on the precertificate's key algorithm. Active bool IssuerURL string `validate:"required,url"` OCSPURL string `validate:"required,url"` CRLURLBase string `validate:"omitempty,url,startswith=http://,endswith=/"` Location IssuerLoc }
IssuerConfig describes the constraints on and URLs used by a single issuer.
type IssuerLoc ¶
type IssuerLoc struct { // A file from which a private key will be read and parsed. File string `validate:"required_without_all=ConfigFile PKCS11"` // A file from which a pkcs11key.Config will be read and parsed, if File is not set. ConfigFile string `validate:"required_without_all=PKCS11 File"` // An in-memory pkcs11key.Config, which will be used if ConfigFile is not set. PKCS11 *pkcs11key.Config `validate:"required_without_all=ConfigFile File"` // A file from which a certificate will be read and parsed. CertFile string `validate:"required"` // Number of sessions to open with the HSM. For maximum performance, // this should be equal to the number of cores in the HSM. Defaults to 1. NumSessions int }
IssuerLoc describes the on-disk location and parameters that an issuer should use to retrieve its certificate and private key. Only one of File, ConfigFile, or PKCS11 should be set.
type MarshalablePublicKey ¶
MarshalablePublicKey is a wrapper for crypto.PublicKey with a custom JSON marshaller that encodes the public key as a DER-encoded SubjectPublicKeyInfo.
func (MarshalablePublicKey) MarshalJSON ¶
func (pk MarshalablePublicKey) MarshalJSON() ([]byte, error)
type NameID ¶
type NameID int64
NameID is a statistically-unique small ID which can be computed from both CA and end-entity certs to link them together into a validation chain. It is computed as a truncated hash over the issuer Subject Name bytes, or over the end-entity's Issuer Name bytes, which are required to be equal.
func IssuerNameID ¶
func IssuerNameID(ee *x509.Certificate) NameID
IssuerNameID returns the IssuerNameID (a truncated hash over the raw bytes of the Issuer Distinguished Name) of the given end-entity certificate. Useful for performing lookups in contexts that don't expect hash collisions.
func ResponderNameID ¶
ResponderNameID returns the NameID (a truncated hash over the raw bytes of the Responder Distinguished Name) of the given OCSP Response. As per the OCSP spec, it is technically possible for this field to not be populated: the OCSP Response can instead contain a SHA-1 hash of the Issuer Public Key as the Responder ID. However, all OCSP responses that we produce contain it, because the Go stdlib always includes it.
func SubjectNameID ¶
func SubjectNameID(ic *Certificate) NameID
SubjectNameID returns the NameID (a truncated hash over the raw bytes of a Distinguished Name) of this issuer certificate's Subject. Useful for storing as a lookup key in contexts that don't expect hash collisions.
type PolicyConfig ¶
type PolicyConfig struct {
OID string `validate:"required"`
}
PolicyConfig describes a policy
type Profile ¶
type Profile struct {
// contains filtered or unexported fields
}
Profile is the validated structure created by reading in ProfileConfigs and IssuerConfigs
func NewProfile ¶
func NewProfile(profileConfig *ProfileConfig) (*Profile, error)
NewProfile converts the profile config into a usable profile.
type ProfileConfig ¶
type ProfileConfig struct { // AllowMustStaple, when false, causes all IssuanceRequests which specify the // OCSP Must Staple extension to be rejected. AllowMustStaple bool // AllowCTPoison has no effect. // Deprecated: We will always allow the CT Poison extension because it is // mandated for Precertificates. AllowCTPoison bool // AllowSCTList has no effect. // Deprecated: We intend to include SCTs in all final Certificates for the // foreseeable future. AllowSCTList bool // AllowCommonName has no effect. // Deprecated: Rather than rejecting IssuanceRequests which include a common // name, we would prefer to simply drop the CN. Use `OmitCommonName` instead. AllowCommonName bool // OmitCommonName causes the CN field to be excluded from the resulting // certificate, regardless of its inclusion in the IssuanceRequest. OmitCommonName bool // OmitKeyEncipherment causes the keyEncipherment bit to be omitted from the // Key Usage field of all certificates (instead of only from ECDSA certs). OmitKeyEncipherment bool // OmitClientAuth causes the id-kp-clientAuth OID (TLS Client Authentication) // to be omitted from the EKU extension. OmitClientAuth bool // OmitSKID causes the Subject Key Identifier extension to be omitted. OmitSKID bool MaxValidityPeriod config.Duration MaxValidityBackdate config.Duration // LintConfig is a path to a zlint config file, which can be used to control // the behavior of zlint's "customizable lints". LintConfig string // IgnoredLints is a list of lint names that we know will fail for this // profile, and which we know it is safe to ignore. IgnoredLints []string // Deprecated: we do not respect this field. Policies []PolicyConfig `validate:"-"` }
ProfileConfig describes the certificate issuance constraints for all issuers.