scep

package
v0.17.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 27, 2021 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// ProvisionerContextKey provisioner key
	ProvisionerContextKey = ContextKey("provisioner")
)

Variables

This section is empty.

Functions

This section is empty.

Types

type Authority

type Authority struct {
	// contains filtered or unexported fields
}

Authority is the layer that handles all SCEP interactions.

func New

func New(signAuth SignAuthority, ops AuthorityOptions) (*Authority, error)

New returns a new Authority that implements the SCEP interface.

func (*Authority) CreateFailureResponse

func (a *Authority) CreateFailureResponse(ctx context.Context, csr *x509.CertificateRequest, msg *PKIMessage, info FailInfoName, infoText string) (*PKIMessage, error)

CreateFailureResponse creates an appropriately signed reply for PKI operations

func (*Authority) DecryptPKIEnvelope

func (a *Authority) DecryptPKIEnvelope(ctx context.Context, msg *PKIMessage) error

DecryptPKIEnvelope decrypts an enveloped message

func (*Authority) GetCACaps

func (a *Authority) GetCACaps(ctx context.Context) []string

GetCACaps returns the CA capabilities

func (*Authority) GetCACertificates

func (a *Authority) GetCACertificates() ([]*x509.Certificate, error)

GetCACertificates returns the certificate (chain) for the CA

func (*Authority) GetLinkExplicit

func (a *Authority) GetLinkExplicit(provName string, abs bool, baseURL *url.URL, inputs ...string) string

GetLinkExplicit returns the requested link from the directory.

func (*Authority) LoadProvisionerByID

func (a *Authority) LoadProvisionerByID(id string) (provisioner.Interface, error)

LoadProvisionerByID calls out to the SignAuthority interface to load a provisioner by ID.

func (*Authority) MatchChallengePassword

func (a *Authority) MatchChallengePassword(ctx context.Context, password string) (bool, error)

MatchChallengePassword verifies a SCEP challenge password

func (*Authority) SignCSR

func (a *Authority) SignCSR(ctx context.Context, csr *x509.CertificateRequest, msg *PKIMessage) (*PKIMessage, error)

SignCSR creates an x509.Certificate based on a CSR template and Cert Authority credentials returns a new PKIMessage with CertRep data func (msg *PKIMessage) SignCSR(crtAuth *x509.Certificate, keyAuth *rsa.PrivateKey, template *x509.Certificate) (*PKIMessage, error) { func (a *Authority) SignCSR(ctx context.Context, msg *PKIMessage, template *x509.Certificate) (*PKIMessage, error) {

type AuthorityOptions

type AuthorityOptions struct {
	// Service provides the certificate chain, the signer and the decrypter to the Authority
	Service *Service
	// DNS is the host used to generate accurate SCEP links. By default the authority
	// will use the Host from the request, so this value will only be used if
	// request.Host is empty.
	DNS string
	// Prefix is a URL path prefix under which the SCEP api is served. This
	// prefix is required to generate accurate SCEP links.
	Prefix string
}

AuthorityOptions required to create a new SCEP Authority.

type CertRepMessage

type CertRepMessage struct {
	microscep.PKIStatus
	microscep.RecipientNonce
	microscep.FailInfo

	Certificate *x509.Certificate
	// contains filtered or unexported fields
}

CertRepMessage is a type of PKIMessage

type ContextKey

type ContextKey string

ContextKey is the key type for storing and searching for SCEP request essentials in the context of a request.

type DB

type DB interface {
	StoreCertificate(crt *x509.Certificate) error
}

type Error

type Error struct {
	Message string `json:"message"`
	Status  int    `json:"-"`
}

Error is an SCEP error type

func (*Error) Error

func (e *Error) Error() string

Error implements the error interface.

type FailInfo

type FailInfo struct {
	Name FailInfoName
	Text string
}

FailInfo models a failInfo object consisting of a name/identifier and a failInfoText, the latter of which can be more descriptive and is intended to be read by humans.

type FailInfoName

type FailInfoName microscep.FailInfo

FailInfoName models the name/value of failInfo

type Interface

type Interface interface {
	LoadProvisionerByID(string) (provisioner.Interface, error)
	GetLinkExplicit(provName string, absoluteLink bool, baseURL *url.URL, inputs ...string) string

	GetCACertificates() ([]*x509.Certificate, error)
	DecryptPKIEnvelope(ctx context.Context, msg *PKIMessage) error
	SignCSR(ctx context.Context, csr *x509.CertificateRequest, msg *PKIMessage) (*PKIMessage, error)
	CreateFailureResponse(ctx context.Context, csr *x509.CertificateRequest, msg *PKIMessage, info FailInfoName, infoText string) (*PKIMessage, error)
	MatchChallengePassword(ctx context.Context, password string) (bool, error)
	GetCACaps(ctx context.Context) []string
}

Interface is the SCEP authority interface.

type Options

type Options struct {
	// CertificateChain is the issuer certificate, along with any other bundled certificates
	// to be returned in the chain for consumers. Configured in the ca.json crt property.
	CertificateChain []*x509.Certificate
	// Signer signs CSRs in SCEP. Configured in the ca.json key property.
	Signer crypto.Signer `json:"-"`
	// Decrypter decrypts encrypted SCEP messages. Configured in the ca.json key property.
	Decrypter crypto.Decrypter `json:"-"`
}

func (*Options) Validate

func (o *Options) Validate() error

Validate checks the fields in Options.

type PKIMessage

type PKIMessage struct {
	microscep.TransactionID
	microscep.MessageType
	microscep.SenderNonce
	*microscep.CSRReqMessage

	*CertRepMessage

	// DER Encoded PKIMessage
	Raw []byte

	// parsed
	P7 *pkcs7.PKCS7

	// Used to sign message
	Recipients []*x509.Certificate
	// contains filtered or unexported fields
}

PKIMessage defines the possible SCEP message types

type Provisioner

type Provisioner interface {
	AuthorizeSign(ctx context.Context, token string) ([]provisioner.SignOption, error)
	GetName() string
	DefaultTLSCertDuration() time.Duration
	GetOptions() *provisioner.Options
	GetChallengePassword() string
	GetCapabilities() []string
}

Provisioner is an interface that implements a subset of the provisioner.Interface -- only those methods required by the SCEP api/authority.

func ProvisionerFromContext

func ProvisionerFromContext(ctx context.Context) (Provisioner, error)

ProvisionerFromContext searches the context for a SCEP provisioner. Returns the provisioner or an error.

type Service

type Service struct {
	// contains filtered or unexported fields
}

Service is a wrapper for crypto.Signer and crypto.Decrypter

func NewService

func NewService(ctx context.Context, opts Options) (*Service, error)

type SignAuthority

type SignAuthority interface {
	Sign(cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error)
	LoadProvisionerByID(string) (provisioner.Interface, error)
}

SignAuthority is the interface for a signing authority

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL