scep

package

v0.21.0 Latest Latest Go to latest Published: Jul 6, 2022 License: Apache-2.0 Imports: 16 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/smallstep/certificates

Links

Open Source Insights

Documentation ¶

Overview ¶

Package scep implements Simple Certificate Enrollment Protocol related functionality.

Index ¶

Constants
func NewContext(ctx context.Context, a *Authority) context.Context
type Authority
type AuthorityOptions
type CertRepMessage
type ContextKey
type DB
type FailInfo
type FailInfoName
type Options
- func (o *Options) Validate() error
type PKIMessage
type Provisioner
type Service
- func NewService(ctx context.Context, opts Options) (*Service, error)
type SignAuthority

Constants ¶

View Source

const (
	// ProvisionerContextKey provisioner key
	ProvisionerContextKey = ContextKey("provisioner")
)

Variables ¶

This section is empty.

Functions ¶

func NewContext ¶ added in v0.20.0

func NewContext(ctx context.Context, a *Authority) context.Context

NewContext adds the given authority to the context.

Types ¶

type Authority ¶

type Authority struct {
	// contains filtered or unexported fields
}

Authority is the layer that handles all SCEP interactions.

func FromContext ¶ added in v0.20.0

func FromContext(ctx context.Context) (a *Authority, ok bool)

FromContext returns the current authority from the given context.

func MustFromContext ¶ added in v0.20.0

func MustFromContext(ctx context.Context) *Authority

MustFromContext returns the current authority from the given context. It will panic if the authority is not in the context.

func New ¶

func New(signAuth SignAuthority, ops AuthorityOptions) (*Authority, error)

New returns a new Authority that implements the SCEP interface.

func (*Authority) CreateFailureResponse ¶

func (a *Authority) CreateFailureResponse(ctx context.Context, csr *x509.CertificateRequest, msg *PKIMessage, info FailInfoName, infoText string) (*PKIMessage, error)

CreateFailureResponse creates an appropriately signed reply for PKI operations

func (*Authority) DecryptPKIEnvelope ¶

func (a *Authority) DecryptPKIEnvelope(ctx context.Context, msg *PKIMessage) error

DecryptPKIEnvelope decrypts an enveloped message

func (*Authority) GetCACaps ¶

func (a *Authority) GetCACaps(ctx context.Context) []string

GetCACaps returns the CA capabilities

func (*Authority) GetCACertificates ¶

func (a *Authority) GetCACertificates(ctx context.Context) ([]*x509.Certificate, error)

GetCACertificates returns the certificate (chain) for the CA

func (*Authority) GetLinkExplicit ¶

func (a *Authority) GetLinkExplicit(provName string, abs bool, baseURL *url.URL, inputs ...string) string

GetLinkExplicit returns the requested link from the directory.

func (*Authority) LoadProvisionerByName ¶ added in v0.18.1

func (a *Authority) LoadProvisionerByName(name string) (provisioner.Interface, error)

LoadProvisionerByName calls out to the SignAuthority interface to load a provisioner by name.

func (*Authority) MatchChallengePassword ¶

func (a *Authority) MatchChallengePassword(ctx context.Context, password string) (bool, error)

MatchChallengePassword verifies a SCEP challenge password

func (*Authority) SignCSR ¶

func (a *Authority) SignCSR(ctx context.Context, csr *x509.CertificateRequest, msg *PKIMessage) (*PKIMessage, error)

SignCSR creates an x509.Certificate based on a CSR template and Cert Authority credentials returns a new PKIMessage with CertRep data

type AuthorityOptions ¶

type AuthorityOptions struct {
	// Service provides the certificate chain, the signer and the decrypter to the Authority
	Service *Service
	// DNS is the host used to generate accurate SCEP links. By default the authority
	// will use the Host from the request, so this value will only be used if
	// request.Host is empty.
	DNS string
	// Prefix is a URL path prefix under which the SCEP api is served. This
	// prefix is required to generate accurate SCEP links.
	Prefix string
}

AuthorityOptions required to create a new SCEP Authority.

type CertRepMessage ¶

type CertRepMessage struct {
	microscep.PKIStatus
	microscep.RecipientNonce
	microscep.FailInfo

	Certificate *x509.Certificate
	// contains filtered or unexported fields
}

CertRepMessage is a type of PKIMessage

type ContextKey ¶

type ContextKey string

ContextKey is the key type for storing and searching for SCEP request essentials in the context of a request.

type DB ¶

type DB interface {
	StoreCertificate(crt *x509.Certificate) error
}

type FailInfo ¶

type FailInfo struct {
	Name FailInfoName
	Text string
}

FailInfo models a failInfo object consisting of a name/identifier and a failInfoText, the latter of which can be more descriptive and is intended to be read by humans.

type FailInfoName ¶

type FailInfoName microscep.FailInfo

FailInfoName models the name/value of failInfo

type Options ¶

type Options struct {
	// CertificateChain is the issuer certificate, along with any other bundled certificates
	// to be returned in the chain for consumers. Configured in the ca.json crt property.
	CertificateChain []*x509.Certificate
	// Signer signs CSRs in SCEP. Configured in the ca.json key property.
	Signer crypto.Signer `json:"-"`
	// Decrypter decrypts encrypted SCEP messages. Configured in the ca.json key property.
	Decrypter crypto.Decrypter `json:"-"`
}

func (*Options) Validate ¶

func (o *Options) Validate() error

Validate checks the fields in Options.

type PKIMessage ¶

type PKIMessage struct {
	microscep.TransactionID
	microscep.MessageType
	microscep.SenderNonce
	*microscep.CSRReqMessage

	*CertRepMessage

	// DER Encoded PKIMessage
	Raw []byte

	// parsed
	P7 *pkcs7.PKCS7

	// Used to sign message
	Recipients []*x509.Certificate
	// contains filtered or unexported fields
}

PKIMessage defines the possible SCEP message types

type Provisioner ¶

type Provisioner interface {
	AuthorizeSign(ctx context.Context, token string) ([]provisioner.SignOption, error)
	GetName() string
	DefaultTLSCertDuration() time.Duration
	GetOptions() *provisioner.Options
	GetChallengePassword() string
	GetCapabilities() []string
	ShouldIncludeRootInChain() bool
	GetContentEncryptionAlgorithm() int
}

Provisioner is an interface that implements a subset of the provisioner.Interface -- only those methods required by the SCEP api/authority.

type Service ¶

type Service struct {
	// contains filtered or unexported fields
}

Service is a wrapper for crypto.Signer and crypto.Decrypter

func NewService ¶

func NewService(ctx context.Context, opts Options) (*Service, error)

type SignAuthority ¶

type SignAuthority interface {
	Sign(cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error)
	LoadProvisionerByName(string) (provisioner.Interface, error)
}

SignAuthority is the interface for a signing authority

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
api Package api implements a SCEP HTTP server.	Package api implements a SCEP HTTP server.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL