Documentation
Overview
Package tlsca provides the internal TLS certificate authority used for mutual TLS authentication between the auth server, internal Teleport components and external clients.
Index
- Variables
- func ClusterName(subject pkix.Name) (string, error)
- func GenerateRSAPrivateKeyPEM() ([]byte, error)
- func GenerateSelfSignedCA(entity pkix.Name, dnsNames []string, ttl time.Duration) ([]byte, []byte, error)
- func GenerateSelfSignedCAWithPrivateKey(priv *rsa.PrivateKey, entity pkix.Name, dnsNames []string, ttl time.Duration) ([]byte, []byte, error)
- func MarshalCertificatePEM(cert *x509.Certificate) ([]byte, error)
- func MarshalPublicKeyFromPrivateKeyPEM(privateKey crypto.PrivateKey) ([]byte, error)
- func ParseCertificatePEM(bytes []byte) (*x509.Certificate, error)
- func ParseCertificateRequestPEM(bytes []byte) (*x509.CertificateRequest, error)
- func ParsePrivateKeyDER(der []byte) (crypto.Signer, error)
- func ParsePrivateKeyPEM(bytes []byte) (crypto.Signer, error)
- func ParsePublicKeyDER(der []byte) (crypto.PublicKey, error)
- func ParsePublicKeyPEM(bytes []byte) (interface{}, error)
- type CertAuthority
- type CertificateRequest
- type Identity
Constants
This section is empty.
Variables
var KubeGroupsASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 2}
KubeGroupsASN1ExtensionOID is the extension OID used when encoding/decoding Kubernetes groups into certificates.
var KubeUsersASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 1}
KubeUsersASN1ExtensionOID is the extension OID used when encoding/decoding Kubernetes users into certificates.
Functions
func ClusterName
func ClusterName(subject pkix.Name) (string, error)
ClusterName returns the cluster name from the organization in the subject.
func GenerateRSAPrivateKeyPEM
func GenerateRSAPrivateKeyPEM() ([]byte, error)
GenerateRSAPrivateKeyPEM generates a new RSA private key and returns it as PEM-encoded bytes.
func GenerateSelfSignedCA
func GenerateSelfSignedCA(entity pkix.Name, dnsNames []string, ttl time.Duration) ([]byte, []byte, error)
GenerateSelfSignedCA generates a self-signed certificate authority used for internal inter-node communications.
func GenerateSelfSignedCAWithPrivateKey
func GenerateSelfSignedCAWithPrivateKey(priv *rsa.PrivateKey, entity pkix.Name, dnsNames []string, ttl time.Duration) ([]byte, []byte, error)
GenerateSelfSignedCAWithPrivateKey generates a self-signed certificate authority used for internal inter-node communications, using the supplied RSA private key.
func MarshalCertificatePEM
func MarshalCertificatePEM(cert *x509.Certificate) ([]byte, error)
MarshalCertificatePEM takes a *x509.Certificate and returns the PEM-encoded bytes.
func MarshalPublicKeyFromPrivateKeyPEM
func MarshalPublicKeyFromPrivateKeyPEM(privateKey crypto.PrivateKey) ([]byte, error)
MarshalPublicKeyFromPrivateKeyPEM extracts the public key from a private key and returns it PEM-marshalled.
func ParseCertificatePEM
func ParseCertificatePEM(bytes []byte) (*x509.Certificate, error)
ParseCertificatePEM parses a PEM-encoded certificate.
func ParseCertificateRequestPEM
func ParseCertificateRequestPEM(bytes []byte) (*x509.CertificateRequest, error)
ParseCertificateRequestPEM parses a PEM-encoded certificate signing request.
func ParsePrivateKeyDER
func ParsePrivateKeyDER(der []byte) (crypto.Signer, error)
ParsePrivateKeyDER parses an unencrypted DER-encoded private key.
func ParsePrivateKeyPEM
func ParsePrivateKeyPEM(bytes []byte) (crypto.Signer, error)
ParsePrivateKeyPEM parses a PEM-encoded private key.
func ParsePublicKeyDER
func ParsePublicKeyDER(der []byte) (crypto.PublicKey, error)
ParsePublicKeyDER parses an unencrypted DER-encoded public key.
func ParsePublicKeyPEM
func ParsePublicKeyPEM(bytes []byte) (interface{}, error)
ParsePublicKeyPEM parses a PEM-encoded public key.
Types
type CertAuthority
type CertAuthority struct {
    // Cert is the CA certificate
    Cert *x509.Certificate
    // Signer is a private-key-based signer
    Signer crypto.Signer
}
CertAuthority is an X.509 certificate authority.
func New
func New(certPEM, keyPEM []byte) (*CertAuthority, error)
New returns a new CA from a PEM-encoded certificate and private key. The private key is optional; if it is omitted, the CA cannot issue new certificates and can only verify them.
func (*CertAuthority) GenerateCertificate
func (ca *CertAuthority) GenerateCertificate(req CertificateRequest) ([]byte, error)
GenerateCertificate generates a certificate from the request.
type CertificateRequest
type CertificateRequest struct {
    // Clock is the clock used to get the current (or test) time
    Clock clockwork.Clock
    // PublicKey is the public key to sign
    PublicKey crypto.PublicKey
    // Subject is the subject to include in the certificate
    Subject pkix.Name
    // NotAfter is the time after which the issued certificate
    // is no longer valid
    NotAfter time.Time
    // DNSNames is a list of DNS names to add to the certificate
    DNSNames []string
}
CertificateRequest is an X.509 certificate signing request.
func (*CertificateRequest) CheckAndSetDefaults
func (c *CertificateRequest) CheckAndSetDefaults() error
CheckAndSetDefaults checks the request and sets default values.
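The flow behind GenerateSelfSignedCA, New, GenerateCertificate and a peer's verification, as an added stand-alone example written against the Go standard library (not the tlsca package's own code): newCA, issue and verify are hypothetical names, Ed25519 keys stand in for the package's RSA keys, and the CertificateRequest fields (public key, subject, expiry, DNS names) are passed as plain parameters.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCA stands in for GenerateSelfSignedCA (example code, not Teleport's tlsca): it may sign leaves only.
func newCA(entity pkix.Name, ttl time.Duration) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: entity, NotBefore: time.Now(), NotAfter: time.Now().Add(ttl),
		IsCA: true, BasicConstraintsValid: true, MaxPathLenZero: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issue stands in for GenerateCertificate (returns DER): the CA builds the template, so a request never gets IsCA or cert signing.
func issue(ca *x509.Certificate, key ed25519.PrivateKey, pub any, subj pkix.Name, notAfter time.Time, dns []string) ([]byte, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: subj, DNSNames: dns, NotBefore: time.Now(), NotAfter: notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, pub, key)
}

// verify is the peer's check: trust this CA only (no system roots); read Subject.Organization as the cluster name only after it passes.
func verify(ca, leaf *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```

The DER returned by issue is what ParseCertificatePEM would hand back after PEM decoding; the CA, not the requester, decides IsCA, key usage and validity.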
type Identity
type Identity struct {
    // Username is the username, or the name of the node connection
    Username string
    // Groups is a list of groups (Teleport roles) encoded in the identity
    Groups []string
    // Usage is a list of usage restrictions encoded in the identity
    Usage []string
    // Principals is a list of allowed Unix logins
    Principals []string
    // KubernetesGroups is a list of allowed Kubernetes groups
    KubernetesGroups []string
    // KubernetesUsers is a list of allowed Kubernetes users
    KubernetesUsers []string
    // Expires specifies when the session will expire
    Expires time.Time
    // RouteToCluster specifies the target cluster,
    // if present in the session
    RouteToCluster string
    // Traits hold claim data used to populate a role at runtime
    Traits wrappers.Traits
}
Identity is the identity of a user or service, e.g. Proxy or Node.
func FromSubject
FromSubject returns an identity from a subject name.
func (*Identity) CheckAndSetDefaults
CheckAndSetDefaults checks the identity and sets default values.
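How the KubeGroupsASN1ExtensionOID and KubeUsersASN1ExtensionOID attributes travel through a certificate subject and come back out for FromSubject, as an added example using only the standard library (not Teleport's code): addAttrs, attrsOf and viaDER are hypothetical helpers, and placing each value in its own Subject.ExtraNames attribute is an assumption about the encoding.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// OIDs as the tlsca package declares them.
var kubeGroupsOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 2}
var kubeUsersOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 1}

// addAttrs: issuing side, one OID-tagged ExtraNames attribute per value (assumed encoding, example code).
func addAttrs(subj pkix.Name, oid asn1.ObjectIdentifier, values []string) pkix.Name {
	for _, v := range values {
		subj.ExtraNames = append(subj.ExtraNames, pkix.AttributeTypeAndValue{Type: oid, Value: v})
	}
	return subj
}

// attrsOf: receiving side (what FromSubject needs). Decoded custom attributes live only in Names, never
// in ExtraNames; a non-string value is an error rather than skipped, so a malformed subject fails closed.
func attrsOf(subj pkix.Name, oid asn1.ObjectIdentifier) ([]string, error) {
	var out []string
	for _, attr := range subj.Names {
		if !attr.Type.Equal(oid) {
			continue
		}
		s, ok := attr.Value.(string)
		if !ok {
			return nil, fmt.Errorf("attribute %v: want string, got %T", oid, attr.Value)
		}
		out = append(out, s)
	}
	return out, nil
}

// viaDER pushes the subject through DER, as certificate creation and x509.ParseCertificate do.
func viaDER(subj pkix.Name) (parsed pkix.Name, err error) {
	der, err := asn1.Marshal(subj.ToRDNSequence())
	if err != nil {
		return
	}
	var seq pkix.RDNSequence
	if _, err = asn1.Unmarshal(der, &seq); err != nil {
		return
	}
	parsed.FillFromRDNSequence(&seq)
	return parsed, nil
}
```

A verifier that looked at ExtraNames on a parsed certificate would see nothing, so the decode side must read Names.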