Documentation ¶
Index ¶
- Constants
- Variables
- type AuthConfig
- type Authority
- func (a *Authority) Authorize(ctx context.Context, ott string) ([]provisioner.SignOption, error)
- func (a *Authority) AuthorizeSign(ott string) ([]provisioner.SignOption, error)
- func (a *Authority) GetDatabase() db.AuthDB
- func (a *Authority) GetEncryptedKey(kid string) (string, error)
- func (a *Authority) GetFederation() (federation []*x509.Certificate, err error)
- func (a *Authority) GetProvisioners(cursor string, limit int) (provisioner.List, string, error)
- func (a *Authority) GetRootCertificate() *x509.Certificate
- func (a *Authority) GetRootCertificates() []*x509.Certificate
- func (a *Authority) GetRoots() ([]*x509.Certificate, error)
- func (a *Authority) GetTLSCertificate() (*tls.Certificate, error)
- func (a *Authority) GetTLSOptions() *tlsutil.TLSOptions
- func (a *Authority) LoadProvisionerByCertificate(crt *x509.Certificate) (provisioner.Interface, error)
- func (a *Authority) LoadProvisionerByID(id string) (provisioner.Interface, error)
- func (a *Authority) Renew(oldCert *x509.Certificate) (*x509.Certificate, *x509.Certificate, error)
- func (a *Authority) Revoke(opts *RevokeOptions) error
- func (a *Authority) Root(sum string) (*x509.Certificate, error)
- func (a *Authority) Shutdown() error
- func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Options, ...) (*x509.Certificate, *x509.Certificate, error)
- func (a *Authority) SignSSH(key ssh.PublicKey, opts provisioner.SSHOptions, ...) (*ssh.Certificate, error)
- func (a *Authority) SignSSHAddUser(key ssh.PublicKey, subject *ssh.Certificate) (*ssh.Certificate, error)
- type Claims
- type Config
- type ErrorResponse
- type Option
- type RevokeOptions
- type SSHConfig
Constants ¶
const ( // SSHAddUserPrincipal is the principal that will run the add user command. // Defaults to "provisioner" but it can be changed in the configuration. SSHAddUserPrincipal = "provisioner" // SSHAddUserCommand is the default command to run to add a new user. // Defaults to "sudo useradd -m <principal>; nc -q0 localhost 22" but it can be changed in the // configuration. The string "<principal>" will be replace by the new // principal to add. SSHAddUserCommand = "sudo useradd -m <principal>; nc -q0 localhost 22" )
Variables ¶
var ( // DefaultTLSOptions represents the default TLS version as well as the cipher // suites used in the TLS certificates. DefaultTLSOptions = tlsutil.TLSOptions{ CipherSuites: x509util.CipherSuites{ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", }, MinVersion: 1.2, MaxVersion: 1.2, Renegotiation: false, } )
Functions ¶
This section is empty.
Types ¶
type AuthConfig ¶
type AuthConfig struct { Provisioners provisioner.List `json:"provisioners"` Template *x509util.ASN1DN `json:"template,omitempty"` Claims *provisioner.Claims `json:"claims,omitempty"` DisableIssuedAtCheck bool `json:"disableIssuedAtCheck,omitempty"` }
AuthConfig represents the configuration options for the authority.
func (*AuthConfig) Validate ¶
func (c *AuthConfig) Validate(audiences provisioner.Audiences) error
Validate validates the authority configuration.
type Authority ¶
type Authority struct {
// contains filtered or unexported fields
}
Authority implements the Certificate Authority internal interface.
func (*Authority) Authorize ¶
func (a *Authority) Authorize(ctx context.Context, ott string) ([]provisioner.SignOption, error)
Authorize grabs the method from the context and authorizes a signature request by validating the one-time-token.
func (*Authority) AuthorizeSign ¶ added in v0.10.0
func (a *Authority) AuthorizeSign(ott string) ([]provisioner.SignOption, error)
AuthorizeSign authorizes a signature request by validating and authenticating a OTT that must be sent w/ the request.
NOTE: This method is deprecated and should not be used. We make it available in the short term os as not to break existing clients.
func (*Authority) GetDatabase ¶ added in v0.11.0
GetDatabase returns the authority database. If the configuration does not define a database, GetDatabase will return a db.SimpleDB instance.
func (*Authority) GetEncryptedKey ¶
GetEncryptedKey returns the JWE key corresponding to the given kid argument.
func (*Authority) GetFederation ¶ added in v0.8.3
func (a *Authority) GetFederation() (federation []*x509.Certificate, err error)
GetFederation returns all the root certificates in the federation. This method implements the Authority interface.
func (*Authority) GetProvisioners ¶
GetProvisioners returns a map listing each provisioner and the JWK Key Set with their public keys.
func (*Authority) GetRootCertificate ¶
func (a *Authority) GetRootCertificate() *x509.Certificate
GetRootCertificate returns the server root certificate.
func (*Authority) GetRootCertificates ¶ added in v0.8.3
func (a *Authority) GetRootCertificates() []*x509.Certificate
GetRootCertificates returns the server root certificates.
In the Authority interface we also have a similar method, GetRoots, at the moment the functionality of these two methods are almost identical, but this method is intended to be used internally by CA HTTP server to load the roots that will be set in the tls.Config while GetRoots will be used by the Authority interface and might have extra checks in the future.
func (*Authority) GetRoots ¶ added in v0.8.3
func (a *Authority) GetRoots() ([]*x509.Certificate, error)
GetRoots returns all the root certificates for this CA. This method implements the Authority interface.
func (*Authority) GetTLSCertificate ¶
func (a *Authority) GetTLSCertificate() (*tls.Certificate, error)
GetTLSCertificate creates a new leaf certificate to be used by the CA HTTPS server.
func (*Authority) GetTLSOptions ¶
func (a *Authority) GetTLSOptions() *tlsutil.TLSOptions
GetTLSOptions returns the tls options configured.
func (*Authority) LoadProvisionerByCertificate ¶ added in v0.10.0
func (a *Authority) LoadProvisionerByCertificate(crt *x509.Certificate) (provisioner.Interface, error)
LoadProvisionerByCertificate returns an interface to the provisioner that provisioned the certificate.
func (*Authority) LoadProvisionerByID ¶ added in v0.13.0
func (a *Authority) LoadProvisionerByID(id string) (provisioner.Interface, error)
LoadProvisionerByID returns an interface to the provisioner with the given ID.
func (*Authority) Renew ¶
func (a *Authority) Renew(oldCert *x509.Certificate) (*x509.Certificate, *x509.Certificate, error)
Renew creates a new Certificate identical to the old certificate, except with a validity window that begins 'now'.
func (*Authority) Revoke ¶ added in v0.10.0
func (a *Authority) Revoke(opts *RevokeOptions) error
Revoke revokes a certificate.
NOTE: Only supports passive revocation - prevent existing certificates from being renewed.
TODO: Add OCSP and CRL support.
func (*Authority) Root ¶
func (a *Authority) Root(sum string) (*x509.Certificate, error)
Root returns the certificate corresponding to the given SHA sum argument.
func (*Authority) Shutdown ¶ added in v0.10.0
Shutdown safely shuts down any clients, databases, etc. held by the Authority.
func (*Authority) Sign ¶
func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Options, extraOpts ...provisioner.SignOption) (*x509.Certificate, *x509.Certificate, error)
Sign creates a signed certificate from a certificate signing request.
func (*Authority) SignSSH ¶ added in v0.12.0
func (a *Authority) SignSSH(key ssh.PublicKey, opts provisioner.SSHOptions, signOpts ...provisioner.SignOption) (*ssh.Certificate, error)
SignSSH creates a signed SSH certificate with the given public key and options.
func (*Authority) SignSSHAddUser ¶ added in v0.12.0
func (a *Authority) SignSSHAddUser(key ssh.PublicKey, subject *ssh.Certificate) (*ssh.Certificate, error)
SignSSHAddUser signs a certificate that provisions a new user in a server.
type Claims ¶ added in v0.8.4
type Claims struct { jose.Claims SANs []string `json:"sans,omitempty"` Email string `json:"email,omitempty"` Nonce string `json:"nonce,omitempty"` }
Claims extends jose.Claims with step attributes.
type Config ¶
type Config struct { Root multiString `json:"root"` FederatedRoots []string `json:"federatedRoots"` IntermediateCert string `json:"crt"` IntermediateKey string `json:"key"` Address string `json:"address"` DNSNames []string `json:"dnsNames"` SSH *SSHConfig `json:"ssh,omitempty"` Logger json.RawMessage `json:"logger,omitempty"` DB *db.Config `json:"db,omitempty"` Monitoring json.RawMessage `json:"monitoring,omitempty"` AuthorityConfig *AuthConfig `json:"authority,omitempty"` TLS *tlsutil.TLSOptions `json:"tls,omitempty"` Password string `json:"password,omitempty"` }
Config represents the CA configuration and it's mapped to a JSON object.
func LoadConfiguration ¶
LoadConfiguration parses the given filename in JSON format and returns the configuration struct.
type ErrorResponse ¶ added in v0.13.0
ErrorResponse represents an error in JSON format.
type Option ¶ added in v0.11.0
type Option func(*Authority)
Option sets options to the Authority.
func WithDatabase ¶ added in v0.11.0
WithDatabase sets an already initialized authority database to a new authority. This option is intended to be use on graceful reloads.
type RevokeOptions ¶ added in v0.10.0
type RevokeOptions struct { Serial string Reason string ReasonCode int PassiveOnly bool MTLS bool Crt *x509.Certificate OTT string }
RevokeOptions are the options for the Revoke API.