Documentation ¶
Overview ¶
Package scep implements Simple Certificate Enrollment Protocol related functionality.
Index ¶
- Constants
- type Authority
- func (a *Authority) CreateFailureResponse(ctx context.Context, csr *x509.CertificateRequest, msg *PKIMessage, ...) (*PKIMessage, error)
- func (a *Authority) DecryptPKIEnvelope(ctx context.Context, msg *PKIMessage) error
- func (a *Authority) GetCACaps(ctx context.Context) []string
- func (a *Authority) GetCACertificates(ctx context.Context) ([]*x509.Certificate, error)
- func (a *Authority) GetLinkExplicit(provName string, abs bool, baseURL *url.URL, inputs ...string) string
- func (a *Authority) LoadProvisionerByName(name string) (provisioner.Interface, error)
- func (a *Authority) MatchChallengePassword(ctx context.Context, password string) (bool, error)
- func (a *Authority) SignCSR(ctx context.Context, csr *x509.CertificateRequest, msg *PKIMessage) (*PKIMessage, error)
- type AuthorityOptions
- type CertRepMessage
- type ContextKey
- type DB
- type FailInfo
- type FailInfoName
- type Options
- type PKIMessage
- type Provisioner
- type Service
- type SignAuthority
Constants ¶
const ( // ProvisionerContextKey provisioner key ProvisionerContextKey = ContextKey("provisioner") )
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Authority ¶
type Authority struct {
// contains filtered or unexported fields
}
Authority is the layer that handles all SCEP interactions.
func New ¶
func New(signAuth SignAuthority, ops AuthorityOptions) (*Authority, error)
New returns a new Authority that implements the SCEP interface.
func (*Authority) CreateFailureResponse ¶
func (a *Authority) CreateFailureResponse(ctx context.Context, csr *x509.CertificateRequest, msg *PKIMessage, info FailInfoName, infoText string) (*PKIMessage, error)
CreateFailureResponse creates an appropriately signed reply for PKI operations
func (*Authority) DecryptPKIEnvelope ¶
func (a *Authority) DecryptPKIEnvelope(ctx context.Context, msg *PKIMessage) error
DecryptPKIEnvelope decrypts an enveloped message
func (*Authority) GetCACertificates ¶
GetCACertificates returns the certificate (chain) for the CA
func (*Authority) GetLinkExplicit ¶
func (a *Authority) GetLinkExplicit(provName string, abs bool, baseURL *url.URL, inputs ...string) string
GetLinkExplicit returns the requested link from the directory.
func (*Authority) LoadProvisionerByName ¶ added in v0.18.1
func (a *Authority) LoadProvisionerByName(name string) (provisioner.Interface, error)
LoadProvisionerByName calls out to the SignAuthority interface to load a provisioner by name.
func (*Authority) MatchChallengePassword ¶
MatchChallengePassword verifies a SCEP challenge password
func (*Authority) SignCSR ¶
func (a *Authority) SignCSR(ctx context.Context, csr *x509.CertificateRequest, msg *PKIMessage) (*PKIMessage, error)
SignCSR creates an x509.Certificate based on a CSR template and Cert Authority credentials returns a new PKIMessage with CertRep data
type AuthorityOptions ¶
type AuthorityOptions struct { // Service provides the certificate chain, the signer and the decrypter to the Authority Service *Service // DNS is the host used to generate accurate SCEP links. By default the authority // will use the Host from the request, so this value will only be used if // request.Host is empty. DNS string // Prefix is a URL path prefix under which the SCEP api is served. This // prefix is required to generate accurate SCEP links. Prefix string }
AuthorityOptions required to create a new SCEP Authority.
type CertRepMessage ¶
type CertRepMessage struct { microscep.PKIStatus microscep.RecipientNonce microscep.FailInfo Certificate *x509.Certificate // contains filtered or unexported fields }
CertRepMessage is a type of PKIMessage
type ContextKey ¶
type ContextKey string
ContextKey is the key type for storing and searching for SCEP request essentials in the context of a request.
type DB ¶
type DB interface {
StoreCertificate(crt *x509.Certificate) error
}
type FailInfo ¶
type FailInfo struct { Name FailInfoName Text string }
FailInfo models a failInfo object consisting of a name/identifier and a failInfoText, the latter of which can be more descriptive and is intended to be read by humans.
type FailInfoName ¶
FailInfoName models the name/value of failInfo
type Options ¶
type Options struct { // CertificateChain is the issuer certificate, along with any other bundled certificates // to be returned in the chain for consumers. Configured in the ca.json crt property. CertificateChain []*x509.Certificate // Signer signs CSRs in SCEP. Configured in the ca.json key property. Signer crypto.Signer `json:"-"` // Decrypter decrypts encrypted SCEP messages. Configured in the ca.json key property. Decrypter crypto.Decrypter `json:"-"` }
type PKIMessage ¶
type PKIMessage struct { microscep.TransactionID microscep.MessageType microscep.SenderNonce *microscep.CSRReqMessage *CertRepMessage // DER Encoded PKIMessage Raw []byte // parsed P7 *pkcs7.PKCS7 // Used to sign message Recipients []*x509.Certificate // contains filtered or unexported fields }
PKIMessage defines the possible SCEP message types
type Provisioner ¶
type Provisioner interface { AuthorizeSign(ctx context.Context, token string) ([]provisioner.SignOption, error) GetName() string DefaultTLSCertDuration() time.Duration GetOptions() *provisioner.Options GetChallengePassword() string GetCapabilities() []string ShouldIncludeRootInChain() bool GetContentEncryptionAlgorithm() int }
Provisioner is an interface that implements a subset of the provisioner.Interface -- only those methods required by the SCEP api/authority.
type Service ¶
type Service struct {
// contains filtered or unexported fields
}
Service is a wrapper for crypto.Signer and crypto.Decrypter
type SignAuthority ¶
type SignAuthority interface { Sign(cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error) LoadProvisionerByName(string) (provisioner.Interface, error) }
SignAuthority is the interface for a signing authority