Documentation ¶
Index ¶
- Constants
- Variables
- func IsValidForAddUser(cert *ssh.Certificate) error
- func NewContextWithSkipTokenReuse(ctx context.Context) context.Context
- func SkipTokenReuseFromContext(ctx context.Context) bool
- type ASN1DN
- type AuthConfig
- type Authority
- func (a *Authority) Authorize(ctx context.Context, token string) ([]provisioner.SignOption, error)
- func (a *Authority) AuthorizeSign(token string) ([]provisioner.SignOption, error)
- func (a *Authority) CheckSSHHost(ctx context.Context, principal string, token string) (bool, error)
- func (a *Authority) GetDatabase() db.AuthDB
- func (a *Authority) GetEncryptedKey(kid string) (string, error)
- func (a *Authority) GetFederation() (federation []*x509.Certificate, err error)
- func (a *Authority) GetProvisioners(cursor string, limit int) (provisioner.List, string, error)
- func (a *Authority) GetRootCertificate() *x509.Certificate
- func (a *Authority) GetRootCertificates() []*x509.Certificate
- func (a *Authority) GetRoots() ([]*x509.Certificate, error)
- func (a *Authority) GetSSHBastion(ctx context.Context, user string, hostname string) (*Bastion, error)
- func (a *Authority) GetSSHConfig(ctx context.Context, typ string, data map[string]string) ([]templates.Output, error)
- func (a *Authority) GetSSHFederation(context.Context) (*SSHKeys, error)
- func (a *Authority) GetSSHHosts(ctx context.Context, cert *x509.Certificate) ([]Host, error)
- func (a *Authority) GetSSHRoots(context.Context) (*SSHKeys, error)
- func (a *Authority) GetTLSCertificate() (*tls.Certificate, error)
- func (a *Authority) GetTLSOptions() *TLSOptions
- func (a *Authority) LoadProvisionerByCertificate(crt *x509.Certificate) (provisioner.Interface, error)
- func (a *Authority) LoadProvisionerByID(id string) (provisioner.Interface, error)
- func (a *Authority) Rekey(oldCert *x509.Certificate, pk crypto.PublicKey) ([]*x509.Certificate, error)
- func (a *Authority) RekeySSH(ctx context.Context, oldCert *ssh.Certificate, pub ssh.PublicKey, ...) (*ssh.Certificate, error)
- func (a *Authority) Renew(oldCert *x509.Certificate) ([]*x509.Certificate, error)
- func (a *Authority) RenewSSH(ctx context.Context, oldCert *ssh.Certificate) (*ssh.Certificate, error)
- func (a *Authority) Revoke(ctx context.Context, revokeOpts *RevokeOptions) error
- func (a *Authority) Root(sum string) (*x509.Certificate, error)
- func (a *Authority) Shutdown() error
- func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.SignOptions, ...) ([]*x509.Certificate, error)
- func (a *Authority) SignSSH(ctx context.Context, key ssh.PublicKey, opts provisioner.SignSSHOptions, ...) (*ssh.Certificate, error)
- func (a *Authority) SignSSHAddUser(ctx context.Context, key ssh.PublicKey, subject *ssh.Certificate) (*ssh.Certificate, error)
- func (a *Authority) Version() Version
- type Bastion
- type CipherSuites
- type Claims
- type Config
- type Host
- type HostTag
- type Option
- func WithConfig(config *Config) Option
- func WithConfigFile(filename string) Option
- func WithDatabase(db db.AuthDB) Option
- func WithGetIdentityFunc(...) Option
- func WithKeyManager(k kms.KeyManager) Option
- func WithSSHBastionFunc(fn func(ctx context.Context, user, host string) (*Bastion, error)) Option
- func WithSSHCheckHost(...) Option
- func WithSSHGetHosts(fn func(ctx context.Context, cert *x509.Certificate) ([]Host, error)) Option
- func WithSSHHostSigner(s crypto.Signer) Option
- func WithSSHUserSigner(s crypto.Signer) Option
- func WithX509FederatedBundle(pemCerts []byte) Option
- func WithX509FederatedCerts(certs ...*x509.Certificate) Option
- func WithX509RootBundle(pemCerts []byte) Option
- func WithX509RootCerts(rootCerts ...*x509.Certificate) Option
- func WithX509Signer(crt *x509.Certificate, s crypto.Signer) Option
- type RevokeOptions
- type SSHConfig
- type SSHKeys
- type SSHPublicKey
- type TLSOptions
- type TLSVersion
- type Version
Constants ¶
const ( // SSHAddUserPrincipal is the principal that will run the add user command. // Defaults to "provisioner" but it can be changed in the configuration. SSHAddUserPrincipal = "provisioner" // SSHAddUserCommand is the default command to run to add a new user. // Defaults to "sudo useradd -m <principal>; nc -q0 localhost 22" but it can be changed in the // configuration. The string "<principal>" will be replace by the new // principal to add. SSHAddUserCommand = "sudo useradd -m <principal>; nc -q0 localhost 22" )
Variables ¶
var ( // DefaultTLSMinVersion default minimum version of TLS. DefaultTLSMinVersion = TLSVersion(1.2) // DefaultTLSMaxVersion default maximum version of TLS. DefaultTLSMaxVersion = TLSVersion(1.3) // DefaultTLSRenegotiation default TLS connection renegotiation policy. DefaultTLSRenegotiation = false // Never regnegotiate. // DefaultTLSCipherSuites specifies default step ciphersuite(s). DefaultTLSCipherSuites = CipherSuites{ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", } // ApprovedTLSCipherSuites smallstep approved ciphersuites. ApprovedTLSCipherSuites = CipherSuites{ "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", } )
var ( // DefaultTLSOptions represents the default TLS version as well as the cipher // suites used in the TLS certificates. DefaultTLSOptions = TLSOptions{ CipherSuites: CipherSuites{ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", }, MinVersion: 1.2, MaxVersion: 1.2, Renegotiation: false, } )
var GlobalVersion = Version{
Version: "0.0.0",
}
GlobalVersion stores the version information of the server.
Functions ¶
func IsValidForAddUser ¶ added in v0.14.4
func IsValidForAddUser(cert *ssh.Certificate) error
IsValidForAddUser checks if a user provisioner certificate can be issued to the given certificate.
func NewContextWithSkipTokenReuse ¶ added in v0.14.0
NewContextWithSkipTokenReuse creates a new context from ctx and attaches a value to skip the token reuse.
func SkipTokenReuseFromContext ¶ added in v0.14.0
SkipTokenReuseFromContext returns if the token reuse needs to be ignored.
Types ¶
type ASN1DN ¶ added in v0.15.2
type ASN1DN struct { Country string `json:"country,omitempty" step:"country"` Organization string `json:"organization,omitempty" step:"organization"` OrganizationalUnit string `json:"organizationalUnit,omitempty" step:"organizationalUnit"` Locality string `json:"locality,omitempty" step:"locality"` Province string `json:"province,omitempty" step:"province"` StreetAddress string `json:"streetAddress,omitempty" step:"streetAddress"` CommonName string `json:"commonName,omitempty" step:"commonName"` }
ASN1DN contains ASN1.DN attributes that are used in Subject and Issuer x509 Certificate blocks.
type AuthConfig ¶
type AuthConfig struct { Provisioners provisioner.List `json:"provisioners"` Template *ASN1DN `json:"template,omitempty"` Claims *provisioner.Claims `json:"claims,omitempty"` DisableIssuedAtCheck bool `json:"disableIssuedAtCheck,omitempty"` Backdate *provisioner.Duration `json:"backdate,omitempty"` }
AuthConfig represents the configuration options for the authority.
func (*AuthConfig) Validate ¶
func (c *AuthConfig) Validate(audiences provisioner.Audiences) error
Validate validates the authority configuration.
type Authority ¶
type Authority struct {
// contains filtered or unexported fields
}
Authority implements the Certificate Authority internal interface.
func NewEmbedded ¶ added in v0.14.5
NewEmbedded initializes an authority that can be embedded in a different project without the limitations of the config.
func (*Authority) Authorize ¶
func (a *Authority) Authorize(ctx context.Context, token string) ([]provisioner.SignOption, error)
Authorize grabs the method from the context and authorizes the request by validating the one-time-token.
func (*Authority) AuthorizeSign ¶ added in v0.10.0
func (a *Authority) AuthorizeSign(token string) ([]provisioner.SignOption, error)
AuthorizeSign authorizes a signature request by validating and authenticating a token that must be sent w/ the request.
NOTE: This method is deprecated and should not be used. We make it available in the short term os as not to break existing clients.
func (*Authority) CheckSSHHost ¶ added in v0.14.0
CheckSSHHost checks the given principal has been registered before.
func (*Authority) GetDatabase ¶ added in v0.11.0
GetDatabase returns the authority database. If the configuration does not define a database, GetDatabase will return a db.SimpleDB instance.
func (*Authority) GetEncryptedKey ¶
GetEncryptedKey returns the JWE key corresponding to the given kid argument.
func (*Authority) GetFederation ¶ added in v0.8.3
func (a *Authority) GetFederation() (federation []*x509.Certificate, err error)
GetFederation returns all the root certificates in the federation. This method implements the Authority interface.
func (*Authority) GetProvisioners ¶
GetProvisioners returns a map listing each provisioner and the JWK Key Set with their public keys.
func (*Authority) GetRootCertificate ¶
func (a *Authority) GetRootCertificate() *x509.Certificate
GetRootCertificate returns the server root certificate.
func (*Authority) GetRootCertificates ¶ added in v0.8.3
func (a *Authority) GetRootCertificates() []*x509.Certificate
GetRootCertificates returns the server root certificates.
In the Authority interface we also have a similar method, GetRoots, at the moment the functionality of these two methods are almost identical, but this method is intended to be used internally by CA HTTP server to load the roots that will be set in the tls.Config while GetRoots will be used by the Authority interface and might have extra checks in the future.
func (*Authority) GetRoots ¶ added in v0.8.3
func (a *Authority) GetRoots() ([]*x509.Certificate, error)
GetRoots returns all the root certificates for this CA. This method implements the Authority interface.
func (*Authority) GetSSHBastion ¶ added in v0.14.0
func (a *Authority) GetSSHBastion(ctx context.Context, user string, hostname string) (*Bastion, error)
GetSSHBastion returns the bastion configuration, for the given pair user, hostname.
func (*Authority) GetSSHConfig ¶ added in v0.14.0
func (a *Authority) GetSSHConfig(ctx context.Context, typ string, data map[string]string) ([]templates.Output, error)
GetSSHConfig returns rendered templates for clients (user) or servers (host).
func (*Authority) GetSSHFederation ¶ added in v0.14.0
GetSSHFederation returns the public keys for federated SSH signers.
func (*Authority) GetSSHHosts ¶ added in v0.14.0
GetSSHHosts returns a list of valid host principals.
func (*Authority) GetSSHRoots ¶ added in v0.14.0
GetSSHRoots returns the SSH User and Host public keys.
func (*Authority) GetTLSCertificate ¶
func (a *Authority) GetTLSCertificate() (*tls.Certificate, error)
GetTLSCertificate creates a new leaf certificate to be used by the CA HTTPS server.
func (*Authority) GetTLSOptions ¶
func (a *Authority) GetTLSOptions() *TLSOptions
GetTLSOptions returns the tls options configured.
func (*Authority) LoadProvisionerByCertificate ¶ added in v0.10.0
func (a *Authority) LoadProvisionerByCertificate(crt *x509.Certificate) (provisioner.Interface, error)
LoadProvisionerByCertificate returns an interface to the provisioner that provisioned the certificate.
func (*Authority) LoadProvisionerByID ¶ added in v0.13.0
func (a *Authority) LoadProvisionerByID(id string) (provisioner.Interface, error)
LoadProvisionerByID returns an interface to the provisioner with the given ID.
func (*Authority) Rekey ¶ added in v0.15.0
func (a *Authority) Rekey(oldCert *x509.Certificate, pk crypto.PublicKey) ([]*x509.Certificate, error)
Rekey is used for rekeying and renewing based on the public key. If the public key is 'nil' then it's assumed that the cert should be renewed using the existing public key. If the public key is not 'nil' then it's assumed that the cert should be rekeyed. For both Rekey and Renew all other attributes of the new certificate should match the old certificate. The exceptions are 'AuthorityKeyId' (which may have changed), 'SubjectKeyId' (different in case of rekey), and 'NotBefore/NotAfter' (the validity duration of the new certificate should be equal to the old one, but starting 'now').
func (*Authority) RekeySSH ¶ added in v0.14.0
func (a *Authority) RekeySSH(ctx context.Context, oldCert *ssh.Certificate, pub ssh.PublicKey, signOpts ...provisioner.SignOption) (*ssh.Certificate, error)
RekeySSH creates a signed SSH certificate using the old SSH certificate as a template.
func (*Authority) Renew ¶
func (a *Authority) Renew(oldCert *x509.Certificate) ([]*x509.Certificate, error)
Renew creates a new Certificate identical to the old certificate, except with a validity window that begins 'now'.
func (*Authority) RenewSSH ¶ added in v0.14.0
func (a *Authority) RenewSSH(ctx context.Context, oldCert *ssh.Certificate) (*ssh.Certificate, error)
RenewSSH creates a signed SSH certificate using the old SSH certificate as a template.
func (*Authority) Revoke ¶ added in v0.10.0
func (a *Authority) Revoke(ctx context.Context, revokeOpts *RevokeOptions) error
Revoke revokes a certificate.
NOTE: Only supports passive revocation - prevent existing certificates from being renewed.
TODO: Add OCSP and CRL support.
func (*Authority) Root ¶
func (a *Authority) Root(sum string) (*x509.Certificate, error)
Root returns the certificate corresponding to the given SHA sum argument.
func (*Authority) Shutdown ¶ added in v0.10.0
Shutdown safely shuts down any clients, databases, etc. held by the Authority.
func (*Authority) Sign ¶
func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error)
Sign creates a signed certificate from a certificate signing request.
func (*Authority) SignSSH ¶ added in v0.12.0
func (a *Authority) SignSSH(ctx context.Context, key ssh.PublicKey, opts provisioner.SignSSHOptions, signOpts ...provisioner.SignOption) (*ssh.Certificate, error)
SignSSH creates a signed SSH certificate with the given public key and options.
func (*Authority) SignSSHAddUser ¶ added in v0.12.0
func (a *Authority) SignSSHAddUser(ctx context.Context, key ssh.PublicKey, subject *ssh.Certificate) (*ssh.Certificate, error)
SignSSHAddUser signs a certificate that provisions a new user in a server.
type Bastion ¶ added in v0.14.0
type Bastion struct { Hostname string `json:"hostname"` User string `json:"user,omitempty"` Port string `json:"port,omitempty"` Command string `json:"cmd,omitempty"` Flags string `json:"flags,omitempty"` }
Bastion contains the custom properties used on bastion.
type CipherSuites ¶ added in v0.15.2
type CipherSuites []string
CipherSuites represents an array of string codes representing the cipher suites.
func (CipherSuites) Validate ¶ added in v0.15.2
func (c CipherSuites) Validate() error
Validate implements models.Validator and checks that a cipher suite is valid.
func (CipherSuites) Value ¶ added in v0.15.2
func (c CipherSuites) Value() []uint16
Value returns an []uint16 for the cipher suites.
type Claims ¶ added in v0.8.4
type Claims struct { jose.Claims SANs []string `json:"sans,omitempty"` Email string `json:"email,omitempty"` Nonce string `json:"nonce,omitempty"` }
Claims extends jose.Claims with step attributes.
type Config ¶
type Config struct { Root multiString `json:"root"` FederatedRoots []string `json:"federatedRoots"` IntermediateCert string `json:"crt"` IntermediateKey string `json:"key"` Address string `json:"address"` DNSNames []string `json:"dnsNames"` KMS *kms.Options `json:"kms,omitempty"` SSH *SSHConfig `json:"ssh,omitempty"` Logger json.RawMessage `json:"logger,omitempty"` DB *db.Config `json:"db,omitempty"` Monitoring json.RawMessage `json:"monitoring,omitempty"` AuthorityConfig *AuthConfig `json:"authority,omitempty"` TLS *TLSOptions `json:"tls,omitempty"` Password string `json:"password,omitempty"` Templates *templates.Templates `json:"templates,omitempty"` }
Config represents the CA configuration and it's mapped to a JSON object.
func LoadConfiguration ¶
LoadConfiguration parses the given filename in JSON format and returns the configuration struct.
type Host ¶ added in v0.15.2
type Host struct { HostID string `json:"hid"` HostTags []HostTag `json:"host_tags"` Hostname string `json:"hostname"` }
Host defines expected attributes for an ssh host.
type HostTag ¶ added in v0.15.2
HostTag are tagged with k,v pairs. These tags are how a user is ultimately associated with a host.
type Option ¶ added in v0.11.0
Option sets options to the Authority.
func WithConfig ¶ added in v0.14.5
WithConfig replaces the current config with the given one. No validation is performed in the given value.
func WithConfigFile ¶ added in v0.14.5
WithConfigFile reads the given filename as a configuration file and replaces the current one. No validation is performed in the given configuration.
func WithDatabase ¶ added in v0.11.0
WithDatabase sets an already initialized authority database to a new authority. This option is intended to be use on graceful reloads.
func WithGetIdentityFunc ¶ added in v0.14.0
func WithGetIdentityFunc(fn func(ctx context.Context, p provisioner.Interface, email string) (*provisioner.Identity, error)) Option
WithGetIdentityFunc sets a custom function to retrieve the identity from an external resource.
func WithKeyManager ¶ added in v0.14.0
func WithKeyManager(k kms.KeyManager) Option
WithKeyManager defines the key manager used to get and create keys, and sign certificates.
func WithSSHBastionFunc ¶ added in v0.14.0
WithSSHBastionFunc sets a custom function to get the bastion for a given user-host pair.
func WithSSHCheckHost ¶ added in v0.14.0
func WithSSHCheckHost(fn func(ctx context.Context, principal string, tok string, roots []*x509.Certificate) (bool, error)) Option
WithSSHCheckHost sets a custom function to check whether a given host is step ssh enabled. The token is used to validate the request, while the roots are used to validate the token.
func WithSSHGetHosts ¶ added in v0.14.0
WithSSHGetHosts sets a custom function to get the bastion for a given user-host pair.
func WithSSHHostSigner ¶ added in v0.14.0
WithSSHHostSigner defines the signer used to sign SSH host certificates.
func WithSSHUserSigner ¶ added in v0.14.0
WithSSHUserSigner defines the signer used to sign SSH user certificates.
func WithX509FederatedBundle ¶ added in v0.14.0
WithX509FederatedBundle is an option that allows to define the list of federated certificates. This option will replace any federated certificate defined before.
func WithX509FederatedCerts ¶ added in v0.14.0
func WithX509FederatedCerts(certs ...*x509.Certificate) Option
WithX509FederatedCerts is an option that allows to define the list of federated certificates. This option will replace any federated certificate defined before.
func WithX509RootBundle ¶ added in v0.14.0
WithX509RootBundle is an option that allows to define the list of root certificates. This option will replace any root certificate defined before.
func WithX509RootCerts ¶ added in v0.14.0
func WithX509RootCerts(rootCerts ...*x509.Certificate) Option
WithX509RootCerts is an option that allows to define the list of root certificates to use. This option will replace any root certificate defined before.
func WithX509Signer ¶ added in v0.14.0
func WithX509Signer(crt *x509.Certificate, s crypto.Signer) Option
WithX509Signer defines the signer used to sign X509 certificates.
type RevokeOptions ¶ added in v0.10.0
type RevokeOptions struct { Serial string Reason string ReasonCode int PassiveOnly bool MTLS bool Crt *x509.Certificate OTT string }
RevokeOptions are the options for the Revoke API.
type SSHConfig ¶ added in v0.12.0
type SSHConfig struct { HostKey string `json:"hostKey"` UserKey string `json:"userKey"` Keys []*SSHPublicKey `json:"keys,omitempty"` AddUserPrincipal string `json:"addUserPrincipal,omitempty"` AddUserCommand string `json:"addUserCommand,omitempty"` Bastion *Bastion `json:"bastion,omitempty"` }
SSHConfig contains the user and host keys.
type SSHPublicKey ¶ added in v0.14.0
type SSHPublicKey struct { Type string `json:"type"` Federated bool `json:"federated"` Key jose.JSONWebKey `json:"key"` // contains filtered or unexported fields }
SSHPublicKey contains a public key used by federated CAs to keep old signing keys for this ca.
func (*SSHPublicKey) PublicKey ¶ added in v0.14.0
func (k *SSHPublicKey) PublicKey() ssh.PublicKey
PublicKey returns the ssh public key.
func (*SSHPublicKey) Validate ¶ added in v0.14.0
func (k *SSHPublicKey) Validate() error
Validate checks the fields in SSHPublicKey.
type TLSOptions ¶ added in v0.15.2
type TLSOptions struct { CipherSuites CipherSuites `json:"cipherSuites"` MinVersion TLSVersion `json:"minVersion"` MaxVersion TLSVersion `json:"maxVersion"` Renegotiation bool `json:"renegotiation"` }
TLSOptions represents the TLS options that can be specified on *tls.Config types to configure HTTPS servers and clients.
func (*TLSOptions) TLSConfig ¶ added in v0.15.2
func (t *TLSOptions) TLSConfig() *tls.Config
TLSConfig returns the tls.Config equivalent of the TLSOptions.
type TLSVersion ¶ added in v0.15.2
type TLSVersion float64
TLSVersion represents a TLS version number.
func (TLSVersion) String ¶ added in v0.15.2
func (v TLSVersion) String() string
String returns the Go constant for the TLSVersion.
func (TLSVersion) Validate ¶ added in v0.15.2
func (v TLSVersion) Validate() error
Validate implements models.Validator and checks that a cipher suite is valid.
func (TLSVersion) Value ¶ added in v0.15.2
func (v TLSVersion) Value() uint16
Value returns the Go constant for the TLSVersion.