signer

package

v0.0.2 Latest Latest Go to latest Published: Jan 22, 2021 License: Apache-2.0 Imports: 18 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/littlegirlpppp/fabric-sdk-go-gm

Links

Open Source Insights

Documentation ¶

Overview ¶

Package signer implements certificate signature functionality for CFSSL.

Index ¶

Variables
func ComputeSKI(template *x509.Certificate) ([]byte, error)
func DefaultSigAlgo(priv crypto.Signer) x509.SignatureAlgorithm
func FillTemplate(template *x509.Certificate, defaultProfile, profile *config.SigningProfile, ...) error
func ParseCertificateRequest(s Signer, csrBytes []byte) (template *x509.Certificate, err error)
func Profile(s Signer, profile string) (*config.SigningProfile, error)
func SplitHosts(hostList string) []string
type Extension
type SignRequest
type Signer
type Subject
- func (s *Subject) Name() pkix.Name

Constants ¶

This section is empty.

Variables ¶

View Source

var (

	// CTPoisonOID is the object ID of the critical poison extension for precertificates
	// https://tools.ietf.org/html/rfc6962#page-9
	CTPoisonOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3}

	// SCTListOID is the object ID for the Signed Certificate Timestamp certificate extension
	// https://tools.ietf.org/html/rfc6962#page-14
	SCTListOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}
)

Functions ¶

func ComputeSKI ¶

func ComputeSKI(template *x509.Certificate) ([]byte, error)

ComputeSKI derives an SKI from the certificate's public key in a standard manner. This is done by computing the SHA-1 digest of the SubjectPublicKeyInfo component of the certificate.

func DefaultSigAlgo ¶

func DefaultSigAlgo(priv crypto.Signer) x509.SignatureAlgorithm

DefaultSigAlgo returns an appropriate X.509 signature algorithm given the CA's private key.

func FillTemplate ¶

func FillTemplate(template *x509.Certificate, defaultProfile, profile *config.SigningProfile, notBefore time.Time, notAfter time.Time) error

FillTemplate is a utility function that tries to load as much of the certificate template as possible from the profiles and current template. It fills in the key uses, expiration, revocation URLs and SKI.

func ParseCertificateRequest ¶

func ParseCertificateRequest(s Signer, csrBytes []byte) (template *x509.Certificate, err error)

ParseCertificateRequest takes an incoming certificate request and builds a certificate template from it.

func Profile ¶

func Profile(s Signer, profile string) (*config.SigningProfile, error)

Profile gets the specific profile from the signer

func SplitHosts ¶

func SplitHosts(hostList string) []string

SplitHosts takes a comma-spearated list of hosts and returns a slice with the hosts split

Types ¶

type Extension ¶

type Extension struct {
	ID       config.OID `json:"id"`
	Critical bool       `json:"critical"`
	Value    string     `json:"value"`
}

Extension represents a raw extension to be included in the certificate. The "value" field must be hex encoded.

type SignRequest ¶

type SignRequest struct {
	Hosts       []string    `json:"hosts"`
	Request     string      `json:"certificate_request"`
	Subject     *Subject    `json:"subject,omitempty"`
	Profile     string      `json:"profile"`
	CRLOverride string      `json:"crl_override"`
	Label       string      `json:"label"`
	Serial      *big.Int    `json:"serial,omitempty"`
	Extensions  []Extension `json:"extensions,omitempty"`
	// If provided, NotBefore will be used without modification (except
	// for canonicalization) as the value of the notBefore field of the
	// certificate. In particular no backdating adjustment will be made
	// when NotBefore is provided.
	NotBefore time.Time
	// If provided, NotAfter will be used without modification (except
	// for canonicalization) as the value of the notAfter field of the
	// certificate.
	NotAfter time.Time
	// If ReturnPrecert is true a certificate with the CT poison extension
	// will be returned from the Signer instead of attempting to retrieve
	// SCTs and populate the tbsCert with them itself. This precert can then
	// be passed to SignFromPrecert with the SCTs in order to create a
	// valid certificate.
	ReturnPrecert bool
}

SignRequest stores a signature request, which contains the hostname, the CSR, optional subject information, and the signature profile.

Extensions provided in the signRequest are copied into the certificate, as long as they are in the ExtensionWhitelist for the signer's policy. Extensions requested in the CSR are ignored, except for those processed by ParseCertificateRequest (mainly subjectAltName).

type Signer ¶

type Signer interface {
	Info(info.Req) (*info.Resp, error)
	Policy() *config.Signing
	SetDBAccessor(certdb.Accessor)
	GetDBAccessor() certdb.Accessor
	SetPolicy(*config.Signing)
	SigAlgo() x509.SignatureAlgorithm
	Sign(req SignRequest) (cert []byte, err error)
	SetReqModifier(func(*http.Request, []byte))
}

A Signer contains a CA's certificate and private key for signing certificates, a Signing policy to refer to and a SignatureAlgorithm.

type Subject ¶

type Subject struct {
	CN           string
	Names        []csr.Name `json:"names"`
	SerialNumber string
}

Subject contains the information that should be used to override the subject information when signing a certificate.

func (*Subject) Name ¶

func (s *Subject) Name() pkix.Name

Name returns the PKIX name for the subject.

Source Files ¶

View all Source files

signer.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL