Documentation
Index
- func CertMatchesPolicy[Certificate *x509.Certificate | *google_x509.Certificate](cert Certificate, expectedSub string, expectedIssuers []string) (bool, string, string, error)
- func CreateIdentitiesList(mvs MonitoredValues) []string
- func MonitoredValuesExist(mvs MonitoredValues) bool
- func OIDMatchesPolicy[Certificate *x509.Certificate | *google_x509.Certificate](cert Certificate, oid asn1.ObjectIdentifier, extensionValues []string) (bool, asn1.ObjectIdentifier, string, error)
- func PrintMonitoredIdentities(monitoredIdentities []MonitoredIdentity) ([]byte, error)
- type CertificateIdentity
- type LogEntry
- type MonitoredIdentity
- type MonitoredValues
Constants
This section is empty.
Variables
This section is empty.
Functions
func CertMatchesPolicy
func CertMatchesPolicy[Certificate *x509.Certificate | *google_x509.Certificate](cert Certificate, expectedSub string, expectedIssuers []string) (bool, string, string, error)
CertMatchesPolicy returns true if a certificate contains a given subject and, optionally, one of a given set of issuers. expectedSub and each element of expectedIssuers can be regular expressions. On success, CertMatchesPolicy also returns the subject and issuer that were matched.
func CreateIdentitiesList
func CreateIdentitiesList(mvs MonitoredValues) []string
CreateIdentitiesList takes in a MonitoredValues input and returns a list of all currently monitored identities. It returns a list of strings.
func MonitoredValuesExist
func MonitoredValuesExist(mvs MonitoredValues) bool
MonitoredValuesExist checks if there are monitored values in an input and returns accordingly.
func OIDMatchesPolicy
func OIDMatchesPolicy[Certificate *x509.Certificate | *google_x509.Certificate](cert Certificate, oid asn1.ObjectIdentifier, extensionValues []string) (bool, asn1.ObjectIdentifier, string, error)
OIDMatchesPolicy returns whether a certificate contains both a given OID extension and a matching value for that extension. When the result is true, it also returns the OID extension and the extension value that were matched on.
func PrintMonitoredIdentities
func PrintMonitoredIdentities(monitoredIdentities []MonitoredIdentity) ([]byte, error)
PrintMonitoredIdentities formats a list of monitored identities and their corresponding log entries as JSON, using the JSON tags on the types.
Types
type CertificateIdentity
type CertificateIdentity struct {
	CertSubject string   `yaml:"certSubject"`
	Issuers     []string `yaml:"issuers"`
}
CertificateIdentity holds a certificate subject and an optional list of identity issuers
type LogEntry
type LogEntry struct {
	CertSubject    string
	Issuer         string
	Fingerprint    string
	Subject        string
	Index          int64
	UUID           string
	OIDExtension   asn1.ObjectIdentifier
	ExtensionValue string
}
LogEntry holds a certificate subject, issuer, OID extension and associated value, and log entry metadata
type MonitoredIdentity
type MonitoredIdentity struct {
	Identity             string     `json:"identity"`
	FoundIdentityEntries []LogEntry `json:"foundIdentityEntries"`
}
MonitoredIdentity holds an identity and associated log entries matching the identity being monitored.
func CreateMonitoredIdentities
func CreateMonitoredIdentities(inputIdentityEntries []LogEntry, monitoredIdentities []string) []MonitoredIdentity
CreateMonitoredIdentities takes in a list of LogEntry values and groups them by associated identity, based on an input list of identities to monitor. It returns a list of MonitoredIdentities.
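The grouping that CreateMonitoredIdentities and PrintMonitoredIdentities are documented to perform, as an added stand-alone example rather than the package's own code. It re-declares LogEntry and MonitoredIdentity with the fields shown on this page, builds a constructed set of entries, groups them under a monitored-identity list and renders the result through the struct's JSON tags. The rule for deciding which field of an entry is its identity (CertSubject, then Fingerprint, Subject, ExtensionValue) is an assumption made for this example; the page does not show the project's own selection order.

```go
package main

import (
	"encoding/asn1"
	"encoding/json"
	"fmt"
)

// LogEntry and MonitoredIdentity are re-declared here with the fields shown on
// this page so the example compiles on its own.
type LogEntry struct {
	CertSubject    string
	Issuer         string
	Fingerprint    string
	Subject        string
	Index          int64
	UUID           string
	OIDExtension   asn1.ObjectIdentifier
	ExtensionValue string
}

type MonitoredIdentity struct {
	Identity             string     `json:"identity"`
	FoundIdentityEntries []LogEntry `json:"foundIdentityEntries"`
}

// sampleEntries is constructed input standing in for entries a monitor has
// already matched against its policy; indexes, UUIDs and values are made up.
var sampleEntries = []LogEntry{
	{CertSubject: "alice@example.com", Issuer: "https://issuer.example", Index: 1001, UUID: "uuid-1001"},
	{Fingerprint: "SHA256:constructedsshfingerprint", Index: 1002, UUID: "uuid-1002"},
	{CertSubject: "mallory@example.com", Issuer: "https://issuer.example", Index: 1003, UUID: "uuid-1003"},
	{CertSubject: "alice@example.com", Issuer: "https://issuer.example", Index: 1004, UUID: "uuid-1004"},
	{Subject: "release@example.com", Index: 1005, UUID: "uuid-1005"},
}

// identityOf picks the value an entry is grouped under. Assumption for this
// example: an entry carries one matched identity, found in this field order.
func identityOf(e LogEntry) string {
	switch {
	case e.CertSubject != "":
		return e.CertSubject
	case e.Fingerprint != "":
		return e.Fingerprint
	case e.Subject != "":
		return e.Subject
	default:
		return e.ExtensionValue
	}
}

// groupByIdentity groups entries under each monitored identity and drops
// entries whose identity is not on the list. Output order follows
// monitoredIdentities so reports are deterministic; identities with no hits
// are omitted so the report only contains something to act on.
func groupByIdentity(entries []LogEntry, monitoredIdentities []string) []MonitoredIdentity {
	hits := make(map[string][]LogEntry, len(monitoredIdentities))
	for _, id := range monitoredIdentities {
		hits[id] = nil
	}
	for _, e := range entries {
		id := identityOf(e)
		if _, monitored := hits[id]; monitored {
			hits[id] = append(hits[id], e)
		}
	}
	var out []MonitoredIdentity
	for _, id := range monitoredIdentities {
		if len(hits[id]) > 0 {
			out = append(out, MonitoredIdentity{Identity: id, FoundIdentityEntries: hits[id]})
		}
	}
	return out
}

// renderMonitoredIdentities serialises the grouped result through the json
// struct tags, as the page describes for PrintMonitoredIdentities.
func renderMonitoredIdentities(m []MonitoredIdentity) ([]byte, error) {
	return json.MarshalIndent(m, "", "  ")
}

func main() {
	monitored := []string{"alice@example.com", "SHA256:constructedsshfingerprint", "release@example.com", "nobody@example.com"}
	out, err := renderMonitoredIdentities(groupByIdentity(sampleEntries, monitored))
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out))
}
```

Running it prints three groups: alice@example.com with two entries, the SSH fingerprint with one, and release@example.com with one; mallory@example.com is not monitored and is dropped, and nobody@example.com had no hits and is omitted.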
type MonitoredValues
type MonitoredValues struct {
	// CertificateIdentities contains a list of subjects and issuers
	CertificateIdentities []CertificateIdentity `yaml:"certIdentities"`
	// Fingerprints contains a list of key fingerprints. Values are as follows:
	// For keys, certificates, and minisign, hex-encoded SHA-256 digest
	// of the DER-encoded PKIX public key or certificate
	// For SSH and PGP, the standard for each ecosystem:
	// For SSH, unpadded base-64 encoded SHA-256 digest of the key
	// For PGP, hex-encoded SHA-1 digest of a key, which can be either
	// a primary key or subkey
	Fingerprints []string `yaml:"fingerprints"`
	// Subjects contains a list of subjects that are not specified in a
	// certificate, such as a SSH key or PGP key email address
	Subjects []string `yaml:"subjects"`
	// OIDMatchers represents a list of OID extension fields and associated values,
	// which includes those constructed directly, those supported by Fulcio, and any constructed via dot notation.
	OIDMatchers []extensions.OIDExtension `yaml:"oidMatchers"`
}
MonitoredValues holds a set of values to compare against a given entry
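An added example, not the package's own code, covering two things this page documents: the CertMatchesPolicy contract (expectedSub and expectedIssuers are regular expressions, the issuer check is optional, and the matched subject and issuer are returned) and the Fingerprints format for keys and certificates (hex-encoded SHA-256 of the DER-encoded PKIX public key). It generates a throwaway self-signed certificate so it runs offline. Two assumptions are made because the page does not state them: the subject candidates are the certificate's SAN e-mail addresses and URIs, and the issuer is read from the X.509 issuer CN (Sigstore certificates normally carry the OIDC issuer in a Fulcio extension instead, so treat that part as a stand-in). The names newTestCert, certMatchesPolicy and keyFingerprint are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

// newTestCert builds a throwaway self-signed certificate carrying one SAN
// e-mail address, with issuerCN as both subject and issuer CN. Constructed for
// this example only; it is not a Sigstore/Fulcio certificate.
func newTestCert(email, issuerCN string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: issuerCN},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Minute),
		NotAfter:       time.Now().Add(10 * time.Minute),
		KeyUsage:       x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// certMatchesPolicy follows the contract documented for CertMatchesPolicy:
// expectedSub and every expectedIssuer are regular expressions, the issuer
// check is skipped when expectedIssuers is empty, and the matched subject and
// issuer are returned on success. Assumption (not on the page): subject
// candidates are the SAN e-mail addresses and URIs; the issuer is the X.509
// issuer CN. Patterns are unanchored, as with regexp.MatchString, so policies
// should anchor them (^...$) or a look-alike identity will also match.
func certMatchesPolicy(cert *x509.Certificate, expectedSub string, expectedIssuers []string) (bool, string, string, error) {
	subRe, err := regexp.Compile(expectedSub)
	if err != nil {
		return false, "", "", fmt.Errorf("invalid subject pattern %q: %w", expectedSub, err)
	}
	sans := append([]string{}, cert.EmailAddresses...)
	for _, u := range cert.URIs {
		sans = append(sans, u.String())
	}
	matchedSub := ""
	for _, s := range sans {
		if subRe.MatchString(s) {
			matchedSub = s
			break
		}
	}
	if matchedSub == "" {
		return false, "", "", nil
	}
	if len(expectedIssuers) == 0 {
		return true, matchedSub, "", nil
	}
	issuer := cert.Issuer.CommonName
	for _, pat := range expectedIssuers {
		issRe, err := regexp.Compile(pat)
		if err != nil {
			return false, "", "", fmt.Errorf("invalid issuer pattern %q: %w", pat, err)
		}
		if issRe.MatchString(issuer) {
			return true, matchedSub, issuer, nil
		}
	}
	return false, "", "", nil
}

// keyFingerprint produces the value MonitoredValues.Fingerprints expects for
// keys and certificates: the hex-encoded SHA-256 digest of the DER-encoded
// PKIX public key.
func keyFingerprint(pub interface{}) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}
```

A policy of `^alice@example\.com$` with issuers `^example-ca$` matches the generated certificate and returns both values; `example\.com` alone also matches because the match is unanchored, which is why the fingerprint or an anchored subject pattern is the safer thing to put in a monitoring configuration.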