ca

package
Published: Jul 8, 2022 License: Apache-2.0 Imports: 12 Imported by: 3

Documentation


Functions

func MakeX509 added in v0.5.1

func MakeX509(ctx context.Context, principal identity.Principal, publicKey crypto.PublicKey) (*x509.Certificate, error)

func VerifyCertChain added in v0.5.1

func VerifyCertChain(certs []*x509.Certificate, signer crypto.Signer) error

Types

type CertificateAuthority

type CertificateAuthority interface {
	// CreateCertificate issues a code signing certificate for the given
	// principal, binding the supplied public key. Per the interface doc the
	// SCT is handled detached from the certificate — contrast with
	// EmbeddedSCTCA, whose certificates carry the SCT embedded.
	CreateCertificate(context.Context, identity.Principal, crypto.PublicKey) (*CodeSigningCertificate, error)
	// Root returns the CA trust bundle. The byte encoding is not specified
	// here — presumably PEM; confirm against the implementations.
	Root(ctx context.Context) ([]byte, error)
}

CertificateAuthority implements certificate creation with a detached SCT, and retrieval of the CA trust bundle.

type CodeSigningCertificate

type CodeSigningCertificate struct {
	// FinalCertificate is the issued leaf certificate (the cert argument of
	// CreateCSCFromDER / CreateCSCFromPEM).
	FinalCertificate *x509.Certificate
	// FinalChain is the chain supplied at construction. Its ordering is not
	// documented here — presumably intermediate to root, as for
	// SignerCerts.Certs; confirm before relying on FinalChain[0].
	FinalChain       []*x509.Certificate
	// contains filtered or unexported fields
}

func CreateCSCFromDER

func CreateCSCFromDER(cert []byte, chain []*x509.Certificate) (*CodeSigningCertificate, error)

func CreateCSCFromPEM

func CreateCSCFromPEM(cert string, chain []string) (*CodeSigningCertificate, error)

func (*CodeSigningCertificate) CertPEM

func (c *CodeSigningCertificate) CertPEM() (string, error)

func (*CodeSigningCertificate) ChainPEM

func (c *CodeSigningCertificate) ChainPEM() ([]string, error)

type CodeSigningPreCertificate

type CodeSigningPreCertificate struct {
	// PreCert contains the precertificate. Not a valid certificate due to a critical poison extension,
	// so standard chain verification is expected to reject it; it exists only to obtain an SCT
	// before the final certificate is issued (see EmbeddedSCTCA.IssueFinalCertificate).
	PreCert *x509.Certificate
	// CertChain contains the certificate chain to verify the precertificate.
	// Ordering is not documented here — presumably intermediate to root, as for SignerCerts.Certs.
	CertChain []*x509.Certificate
	// PrivateKey contains the signing key used to sign the precertificate. Will be used to sign the certificate.
	// Included in case the signing key is rotated in between precertificate generation and final issuance,
	// so that the final certificate is signed by the same key (and hence chains to the same issuer) as the precertificate.
	PrivateKey crypto.Signer
}

CodeSigningPreCertificate holds a precertificate and chain.

type EmbeddedSCTCA

type EmbeddedSCTCA interface {
	// CreatePrecertificate builds the poisoned precertificate (and its chain and
	// signing key) for the principal and public key, to be submitted for an SCT.
	CreatePrecertificate(context.Context, identity.Principal, crypto.PublicKey) (*CodeSigningPreCertificate, error)
	// IssueFinalCertificate turns the precertificate into the final certificate
	// with the given SCT embedded, signing with precert.PrivateKey.
	IssueFinalCertificate(ctx context.Context, precert *CodeSigningPreCertificate, sct *ct.SignedCertificateTimestamp) (*CodeSigningCertificate, error)
}

EmbeddedSCTCA implements precertificate and certificate issuance. Certificates will contain an embedded SCT.

type Extensions added in v0.5.1

type Extensions struct {

	// The OIDC issuer. Should match `iss` claim of ID token or, in the case of
	// a federated login like Dex it should match the issuer URL of the
	// upstream issuer. If the issuer is not set, the extensions are invalid and
	// will fail to render.
	Issuer string // OID 1.3.6.1.4.1.57264.1.1

	// NOTE(review): the GithubWorkflow* values below are copied from ID token
	// claims and are only meaningful relative to Issuer; a verifier matching on
	// any of them should also pin Issuer — confirm against the verification side.

	// Triggering event of the Github Workflow. Matches the `event_name` claim of ID
	// tokens from Github Actions
	GithubWorkflowTrigger string // OID 1.3.6.1.4.1.57264.1.2

	// SHA of git commit being built in Github Actions. Matches the `sha` claim of ID
	// tokens from Github Actions
	GithubWorkflowSHA string // OID 1.3.6.1.4.1.57264.1.3

	// Name of Github Actions Workflow. Matches the `workflow` claim of the ID
	// tokens from Github Actions
	GithubWorkflowName string // OID 1.3.6.1.4.1.57264.1.4

	// Repository of the Github Actions Workflow. Matches the `repository` claim of the ID
	// tokens from Github Actions
	GithubWorkflowRepository string // OID 1.3.6.1.4.1.57264.1.5

	// Git Ref of the Github Actions Workflow. Matches the `ref` claim of the ID tokens
	// from Github Actions
	GithubWorkflowRef string // OID 1.3.6.1.4.1.57264.1.6
}

Extensions contains all custom x509 extensions defined by Fulcio.

func (Extensions) Render added in v0.5.1

func (e Extensions) Render() ([]pkix.Extension, error)

type SignerCerts added in v0.5.1

type SignerCerts struct {
	// Signer signs issued certificates. It is expected to correspond to the
	// first certificate in Certs — presumably what VerifyCertChain checks; confirm.
	Signer crypto.Signer
	// Certs contains the chain of certificates from intermediate to root
	Certs []*x509.Certificate
}

SignerCerts holds a certificate chain and signer.

func (*SignerCerts) GetSignerWithChain added in v0.5.1

func (s *SignerCerts) GetSignerWithChain() ([]*x509.Certificate, crypto.Signer)

type SignerCertsMutex added in v0.5.1

type SignerCertsMutex struct {
	// The embedded RWMutex is read-locked by GetSignerWithChain; any goroutine
	// that replaces Certs or Signer must hold the write lock (Lock) so readers
	// never observe a chain from one rotation paired with a signer from another.
	sync.RWMutex

	// Certs contains the chain of certificates from intermediate to root
	Certs []*x509.Certificate
	// Signer signs issued certificates
	Signer crypto.Signer
}

SignerCertsMutex holds a certificate chain and signer, and takes a reader lock while accessing the chain and signer. Use it when a separate goroutine can concurrently update the chain and signer.

func (*SignerCertsMutex) GetSignerWithChain added in v0.5.1

func (s *SignerCertsMutex) GetSignerWithChain() ([]*x509.Certificate, crypto.Signer)

type SignerWithChain added in v0.5.1

type SignerWithChain interface {
	// GetSignerWithChain returns the CA's certificate chain and the key that
	// signs issued certificates. Implemented by SignerCerts (no locking) and
	// SignerCertsMutex (read-locked), so callers can be agnostic about rotation.
	GetSignerWithChain() ([]*x509.Certificate, crypto.Signer)
}

SignerWithChain provides a getter for a CA's certificate chain and signing key.

type ValidationError

type ValidationError error

ValidationError indicates that there is an issue with the content of the HTTP request that should result in an HTTP 400 Bad Request error being returned to the client.

Directories

Path Synopsis
googleca
v1
