identity

package
v0.16.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 19, 2021 License: Apache-2.0 Imports: 11 Imported by: 13

Documentation

Index

Constants

View Source 
const (
	ConfigFieldCert       = "cert"
	ConfigFieldKey        = "key"
	ConfigFieldServerCert = "server_cert"
	ConfigFieldServerKey  = "server_key"
	ConfigFieldCa         = "ca"
)
View Source 
const (
	StorageFile = "file"
	StoragePem  = "pem"
)

Variables

This section is empty.

Functions

func LoadKey 

func LoadKey(keyAddr string) (crypto.PrivateKey, error)

Types

type Config added in v0.16.0 

type Config struct {
	Key        string `json:"key" yaml:"key" mapstructure:"key"`
	Cert       string `json:"cert" yaml:"cert" mapstructure:"cert"`
	ServerCert string `json:"server_cert,omitempty" yaml:"server_cert,omitempty" mapstructure:"server_cert,omitempty"`
	ServerKey  string `json:"server_key,omitempty" yaml:"server_key,omitempty" mapstructure:"server_key,omitempty"`
	CA         string `json:"ca,omitempty" yaml:"ca,omitempty" mapstructure:"ca"`
}

Config represents the basic data structure for and identity configuration. A Config provides details on where the x509 certificates and private keys are located/stored for the identity. These values are interpreted by the LoadIdentity function to produce an Identity that can be used to create crypto configurations (i.e. tls.Config). Storage locations include files, in-memory PEM, and hardware tokens.

Key, Cert, ServerCert, ServerKey, and CA are URLs with the following schemes: `file`, `pem`. Additionally, Key supports `engine`. If the value is not in URL format it is assumed to be `file`.

Example: `file://path/to/my/cert.pem` or `path/to/my/cert.pem' Example: `pem://-----BEGIN CERTIFICATE-----\nMIIB/TCCAYCgAwIBAgIBATAMBggqhk...`

func NewConfigFromMap added in v0.16.0 

func NewConfigFromMap(identityMap map[interface{}]interface{}) (*Config, error)

NewConfigFromMap will parse a standard identity configuration section that has been loaded from JSON/YAML/etc. parse functions that return interface{} maps. It expects the following fields to be defined as strings if present. If any fields are missing they are left as empty string in the resulting Config.

func NewConfigFromMapWithPathContext added in v0.16.0 

func NewConfigFromMapWithPathContext(identityMap map[interface{}]interface{}, pathContext string) (*Config, error)

NewConfigFromMapWithPathContext performs the same checks as NewConfigFromMap but also allows a path context to be provided for error messages when parsing deep or complex configuration.

Example: 

`NewConfigFromMapWithPathContext(myMap, "my.path")` errors would be formatted as "value [my.path.cert] must be a string"`

func (*Config) Validate added in v0.16.0 

func (config *Config) Validate() error

Validate validates the current IdentityConfiguration to have non-empty values all fields except ServerKey which assumes that Key is a suitable default.

func (*Config) ValidateForClient added in v0.16.0 

func (config *Config) ValidateForClient() error

ValidateForClient validates the current IdentityConfiguration has enough values to initiate a client connection. For example: a tls.Config for a client in mTLS

func (*Config) ValidateForClientWithPathContext added in v0.16.0 

func (config *Config) ValidateForClientWithPathContext(pathContext string) error

ValidateForClientWithPathContext performs the same checks as ValidateForClient but also allows a path context to be provided for error messages when parsing deep or complex configuration.

Example: 

`ValidateForClientWithPathContext("my.path")`  errors would be formatted as "required configuration value [my.path.cert]..."`

func (*Config) ValidateForServer added in v0.16.0 

func (config *Config) ValidateForServer() error

ValidateForServer validates the current IdentityConfiguration has enough values to a client connection. For example: a tls.Config for a server in mTLS

func (*Config) ValidateForServerWithPathContext added in v0.16.0 

func (config *Config) ValidateForServerWithPathContext(pathContext string) error

ValidateForServerWithPathContext performs the same checks as ValidateForServer but also allows a path context to be provided for error messages when parsing deep or complex configuration.

Example: 

`ValidateWithPathContext("my.path")`  errors would be formatted as "required configuration value [my.path.cert]..."`

func (*Config) ValidateWithPathContext added in v0.16.0 

func (config *Config) ValidateWithPathContext(pathContext string) error

ValidateWithPathContext performs the same checks as Validate but also allows a path context to be provided for error messages when parsing deep or complex configuration.

Example: 

`ValidateWithPathContext("my.path")`  errors would be formatted as "required configuration value [my.path.cert]..."`

type ID 

type ID struct {
	Config
	// contains filtered or unexported fields
}

func (*ID) CA 

func (id *ID) CA() *x509.CertPool

CA returns the ID's current CA certificate pool that is used by all tls.Config's generated from it.

func (*ID) Cert 

func (id *ID) Cert() *tls.Certificate

Cert returns the ID's current client certificate that is used by all tls.Config's generated from it.

func (*ID) ClientTLSConfig 

func (id *ID) ClientTLSConfig() *tls.Config

ClientTLSConfig returns a new tls.Config instance that will delegate client certificate lookup to the current ID. Calling Reload on the source ID can update which client certificate is used if the internal Config is altered by calling Config or if the values the Config points to are altered (i.e. file update).

Generating multiple tls.Config's by calling this method will return tls.Config's that are all tied to this ID's Config and client certificates.

func (*ID) GetClientCertificate added in v0.15.27 

func (id *ID) GetClientCertificate(config *tls.Config, _ *tls.CertificateRequestInfo) (*tls.Certificate, error)

GetClientCertificate is used to satisfy tls.Config's GetClientCertificate requirements. Allows client certificates to be updated after enrollment extensions without disconnecting the current client. New settings will be used on re-connect.

func (*ID) GetConfig added in v0.16.0 

func (id *ID) GetConfig() *Config

GetConfig returns the internally stored copy of the Config that was used to create the ID. The returned Config can be used to create additional IDs but those IDs will not share the same Config.

func (*ID) GetConfigForClient added in v0.16.0 

func (id *ID) GetConfigForClient(config *tls.Config, _ *tls.ClientHelloInfo) (*tls.Config, error)

GetConfigForClient is used to satisfy tls.Config's GetConfigForClient requirements. Allows servers to have up-to-date CA chains after enrollment extension.

func (*ID) GetServerCertificate added in v0.15.27 

func (id *ID) GetServerCertificate(_ *tls.ClientHelloInfo) (*tls.Certificate, error)

GetServerCertificate is used to satisfy tls.Config's GetCertificate requirements. Allows server certificates to be updated after enrollment extensions without stopping listeners and disconnecting clients. New settings are used for all new incoming connection.

func (*ID) Reload added in v0.15.27 

func (id *ID) Reload() error

Reload re-interprets the internal Config that was used to create this ID. This instance of the ID is updated with new client, server, and ca configuration. All tls.Config's generated from this ID will use the newly loaded values for new connections.

func (*ID) ServerCert 

func (id *ID) ServerCert() *tls.Certificate

ServerCert returns the ID's current server certificate that is used by all tls.Config's generated from it.

func (*ID) ServerTLSConfig 

func (id *ID) ServerTLSConfig() *tls.Config

ServerTLSConfig returns a new tls.Config instance that will delegate server certificate lookup to the current ID. Calling Reload on the source ID will update which server certificate is used if the internal Config is altered by calling Config or if the values the Config points to are altered (i.e. file update).

Generating multiple tls.Config's by calling this method will return tls.Config's that are all tied to this ID's Config.

func (*ID) SetCert added in v0.15.47 

func (id *ID) SetCert(pem string) error

SetCert persists a new PEM as the ID's client certificate.

func (*ID) SetServerCert added in v0.15.47 

func (id *ID) SetServerCert(pem string) error

SetServerCert persists a new PEM as the ID's server certificate.

type Identity 

type Identity interface {
	Cert() *tls.Certificate
	ServerCert() *tls.Certificate
	CA() *x509.CertPool
	ServerTLSConfig() *tls.Config
	ClientTLSConfig() *tls.Config
	Reload() error

	SetCert(pem string) error
	SetServerCert(pem string) error

	GetConfig() *Config
}

func LoadIdentity 

func LoadIdentity(cfg Config) (Identity, error)

type TokenId 

type TokenId struct {
	Identity
	Token string
	Data  map[uint32][]byte
}

func LoadClientIdentity 

func LoadClientIdentity(certPath, keyPath, caCertPath string) (*TokenId, error)

func LoadServerIdentity 

func LoadServerIdentity(clientCertPath, serverCertPath, keyPath, caCertPath string) (*TokenId, error)

func NewClientTokenIdentity added in v0.15.47 

func NewClientTokenIdentity(clientCert *x509.Certificate, privateKey crypto.PrivateKey, caCerts []*x509.Certificate) *TokenId

func NewIdentity 

func NewIdentity(id Identity) *TokenId

func (*TokenId) ClientTLSConfig 

func (i *TokenId) ClientTLSConfig() *tls.Config

func (*TokenId) ServerTLSConfig 

func (i *TokenId) ServerTLSConfig() *tls.Config

func (*TokenId) ShallowCloneWithNewToken 

func (i *TokenId) ShallowCloneWithNewToken(token string) *TokenId

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.