Documentation ¶
Index ¶
- Variables
- func BootstrapClient(ctx context.Context, token string, options ...TLSOption) (*http.Client, error)
- func BootstrapListener(ctx context.Context, token string, inner net.Listener, options ...TLSOption) (net.Listener, error)
- func BootstrapServer(ctx context.Context, token string, base *http.Server, options ...TLSOption) (*http.Server, error)
- func Certificate(sign *api.SignResponse) (*x509.Certificate, error)
- func CreateCertificateRequest(commonName string, sans ...string) (*api.CertificateRequest, crypto.PrivateKey, error)
- func CreateIdentityRequest(commonName string, sans ...string) (*api.CertificateRequest, crypto.PrivateKey, error)
- func CreateSignRequest(ott string) (*api.SignRequest, crypto.PrivateKey, error)
- func IntermediateCertificate(sign *api.SignResponse) (*x509.Certificate, error)
- func LoadDefaultIdentity() (*identity.Identity, error)
- func RootCertificate(sign *api.SignResponse) (*x509.Certificate, error)
- func StopHandler(servers ...Stopper)
- func StopReloaderHandler(servers ...StopReloader)
- func TLSCertificate(sign *api.SignResponse, pk crypto.PrivateKey) (*tls.Certificate, error)
- func WithRenewBefore(b time.Duration) func(r *TLSRenewer) error
- func WithRenewJitter(j time.Duration) func(r *TLSRenewer) error
- func WriteDefaultIdentity(certChain []api.Certificate, key crypto.PrivateKey) error
- type ACMEClient
- func (c *ACMEClient) FinalizeOrder(url string, csr *x509.CertificateRequest) error
- func (c *ACMEClient) GetAccountOrders() ([]string, error)
- func (c *ACMEClient) GetAuthz(url string) (*acme.Authorization, error)
- func (c *ACMEClient) GetCertificate(url string) (*x509.Certificate, []*x509.Certificate, error)
- func (c *ACMEClient) GetChallenge(url string) (*acme.Challenge, error)
- func (c *ACMEClient) GetDirectory() (*acmeAPI.Directory, error)
- func (c *ACMEClient) GetNonce() (string, error)
- func (c *ACMEClient) GetOrder(url string) (*acme.Order, error)
- func (c *ACMEClient) NewOrder(payload []byte) (*acme.Order, error)
- func (c *ACMEClient) ValidateChallenge(url string) error
- type AdminClient
- func (c *AdminClient) CreateAdmin(createAdminRequest *adminAPI.CreateAdminRequest) (*linkedca.Admin, error)
- func (c *AdminClient) CreateProvisioner(prov *linkedca.Provisioner) (*linkedca.Provisioner, error)
- func (c *AdminClient) GetAdmin(id string) (*linkedca.Admin, error)
- func (c *AdminClient) GetAdmins(opts ...AdminOption) ([]*linkedca.Admin, error)
- func (c *AdminClient) GetAdminsPaginate(opts ...AdminOption) (*adminAPI.GetAdminsResponse, error)
- func (c *AdminClient) GetProvisioner(opts ...ProvisionerOption) (*linkedca.Provisioner, error)
- func (c *AdminClient) GetProvisioners(opts ...AdminOption) (provisioner.List, error)
- func (c *AdminClient) GetProvisionersPaginate(opts ...ProvisionerOption) (*adminAPI.GetProvisionersResponse, error)
- func (c *AdminClient) RemoveAdmin(id string) error
- func (c *AdminClient) RemoveProvisioner(opts ...ProvisionerOption) error
- func (c *AdminClient) UpdateAdmin(id string, uar *adminAPI.UpdateAdminRequest) (*linkedca.Admin, error)
- func (c *AdminClient) UpdateProvisioner(name string, prov *linkedca.Provisioner) error
- type AdminOption
- type CA
- type Client
- func (c *Client) Federation() (*api.FederationResponse, error)
- func (c *Client) GetClientTLSConfig(ctx context.Context, sign *api.SignResponse, pk crypto.PrivateKey, ...) (*tls.Config, error)
- func (c *Client) GetRootCAs() *x509.CertPool
- func (c *Client) GetServerTLSConfig(ctx context.Context, sign *api.SignResponse, pk crypto.PrivateKey, ...) (*tls.Config, error)
- func (c *Client) Health() (*api.HealthResponse, error)
- func (c *Client) ProvisionerKey(kid string) (*api.ProvisionerKeyResponse, error)
- func (c *Client) Provisioners(opts ...ProvisionerOption) (*api.ProvisionersResponse, error)
- func (c *Client) Rekey(req *api.RekeyRequest, tr http.RoundTripper) (*api.SignResponse, error)
- func (c *Client) Renew(tr http.RoundTripper) (*api.SignResponse, error)
- func (c *Client) Revoke(req *api.RevokeRequest, tr http.RoundTripper) (*api.RevokeResponse, error)
- func (c *Client) Root(sha256Sum string) (*api.RootResponse, error)
- func (c *Client) RootFingerprint() (string, error)
- func (c *Client) Roots() (*api.RootsResponse, error)
- func (c *Client) SSHBastion(req *api.SSHBastionRequest) (*api.SSHBastionResponse, error)
- func (c *Client) SSHCheckHost(principal string, token string) (*api.SSHCheckPrincipalResponse, error)
- func (c *Client) SSHConfig(req *api.SSHConfigRequest) (*api.SSHConfigResponse, error)
- func (c *Client) SSHFederation() (*api.SSHRootsResponse, error)
- func (c *Client) SSHGetHosts() (*api.SSHGetHostsResponse, error)
- func (c *Client) SSHRekey(req *api.SSHRekeyRequest) (*api.SSHRekeyResponse, error)
- func (c *Client) SSHRenew(req *api.SSHRenewRequest) (*api.SSHRenewResponse, error)
- func (c *Client) SSHRevoke(req *api.SSHRevokeRequest) (*api.SSHRevokeResponse, error)
- func (c *Client) SSHRoots() (*api.SSHRootsResponse, error)
- func (c *Client) SSHSign(req *api.SSHSignRequest) (*api.SSHSignResponse, error)
- func (c *Client) SetTransport(tr http.RoundTripper)
- func (c *Client) Sign(req *api.SignRequest) (*api.SignResponse, error)
- func (c *Client) Transport(ctx context.Context, sign *api.SignResponse, pk crypto.PrivateKey, ...) (*http.Transport, error)
- func (c *Client) Version() (*api.VersionResponse, error)
- type ClientOption
- func WithAdminX5C(certs []*x509.Certificate, key interface{}, passwordFile string) ClientOption
- func WithCABundle(bundle []byte) ClientOption
- func WithCertificate(cert tls.Certificate) ClientOption
- func WithRetryFunc(fn RetryFunc) ClientOption
- func WithRootFile(filename string) ClientOption
- func WithRootSHA256(sum string) ClientOption
- func WithTransport(tr http.RoundTripper) ClientOption
- type Option
- func WithConfigFile(name string) Option
- func WithDatabase(db db.AuthDB) Option
- func WithIssuerPassword(password []byte) Option
- func WithLinkedCAToken(token string) Option
- func WithPassword(password []byte) Option
- func WithSSHHostPassword(password []byte) Option
- func WithSSHUserPassword(password []byte) Option
- type Provisioner
- type ProvisionerOption
- type RenewFunc
- type RetryFunc
- type StopReloader
- type Stopper
- type TLSOption
- func AddClientCA(cert *x509.Certificate) TLSOption
- func AddFederationToCAs() TLSOption
- func AddFederationToClientCAs() TLSOption
- func AddFederationToRootCAs() TLSOption
- func AddRootCA(cert *x509.Certificate) TLSOption
- func AddRootsToCAs() TLSOption
- func AddRootsToClientCAs() TLSOption
- func AddRootsToRootCAs() TLSOption
- func RequireAndVerifyClientCert() TLSOption
- func VerifyClientCertIfGiven() TLSOption
- type TLSOptionCtx
- type TLSRenewer
- func (r *TLSRenewer) GetCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error)
- func (r *TLSRenewer) GetCertificateForCA(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error)
- func (r *TLSRenewer) GetClientCertificate(*tls.CertificateRequestInfo) (*tls.Certificate, error)
- func (r *TLSRenewer) Run()
- func (r *TLSRenewer) RunContext(ctx context.Context)
- func (r *TLSRenewer) Stop() bool
Constants ¶
This section is empty.
Variables ¶
var DisableIdentity = false
DisableIdentity is a global variable to disable the identity.
var UserAgent = "step-http-client/1.0"
UserAgent will set the User-Agent header in the client requests.
Functions ¶
func BootstrapClient ¶
BootstrapClient is a helper function that using the given bootstrap token return an http.Client configured with a Transport prepared to do TLS connections using the client certificate returned by the certificate authority. By default the server will kick off a routine that will renew the certificate after 2/3rd of the certificate's lifetime has expired.
Usage:
// Default example with certificate rotation. client, err := ca.BootstrapClient(ctx.Background(), token) // Example canceling automatic certificate rotation. ctx, cancel := context.WithCancel(context.Background()) defer cancel() client, err := ca.BootstrapClient(ctx, token) if err != nil { return err } resp, err := client.Get("https://internal.smallstep.com")
func BootstrapListener ¶ added in v0.8.4
func BootstrapListener(ctx context.Context, token string, inner net.Listener, options ...TLSOption) (net.Listener, error)
BootstrapListener is a helper function that using the given token returns a TLS listener which accepts connections from an inner listener and wraps each connection with Server.
Without any extra option the server will be configured for mTLS, it will require and verify clients certificates, but options can be used to drop this requirement, the most common will be only verify the certs if given with ca.VerifyClientCertIfGiven(), or add extra CAs with ca.AddClientCA(*x509.Certificate).
Usage:
inner, err := net.Listen("tcp", ":443") if err != nil { return nil } ctx, cancel := context.WithCancel(context.Background()) defer cancel() lis, err := ca.BootstrapListener(ctx, token, inner) if err != nil { return err } srv := grpc.NewServer() ... // register services srv.Serve(lis)
func BootstrapServer ¶
func BootstrapServer(ctx context.Context, token string, base *http.Server, options ...TLSOption) (*http.Server, error)
BootstrapServer is a helper function that using the given token returns the given http.Server configured with a TLS certificate signed by the Certificate Authority. By default the server will kick off a routine that will renew the certificate after 2/3rd of the certificate's lifetime has expired.
Without any extra option the server will be configured for mTLS, it will require and verify clients certificates, but options can be used to drop this requirement, the most common will be only verify the certs if given with ca.VerifyClientCertIfGiven(), or add extra CAs with ca.AddClientCA(*x509.Certificate).
Usage:
// Default example with certificate rotation. srv, err := ca.BootstrapServer(context.Background(), token, &http.Server{ Addr: ":443", Handler: handler, }) // Example canceling automatic certificate rotation. ctx, cancel := context.WithCancel(context.Background()) defer cancel() srv, err := ca.BootstrapServer(ctx, token, &http.Server{ Addr: ":443", Handler: handler, }) if err != nil { return err } srv.ListenAndServeTLS("", "")
func Certificate ¶
func Certificate(sign *api.SignResponse) (*x509.Certificate, error)
Certificate returns the server or client certificate from the sign response.
func CreateCertificateRequest ¶ added in v0.14.0
func CreateCertificateRequest(commonName string, sans ...string) (*api.CertificateRequest, crypto.PrivateKey, error)
CreateCertificateRequest creates a new CSR with the given common name and SANs. If no san is provided the commonName will set also a SAN.
func CreateIdentityRequest ¶ added in v0.14.0
func CreateIdentityRequest(commonName string, sans ...string) (*api.CertificateRequest, crypto.PrivateKey, error)
CreateIdentityRequest returns a new CSR to create the identity. If an identity was already present it reuses the private key.
func CreateSignRequest ¶
func CreateSignRequest(ott string) (*api.SignRequest, crypto.PrivateKey, error)
CreateSignRequest is a helper function that given an x509 OTT returns a simple but secure sign request as well as the private key used.
func IntermediateCertificate ¶
func IntermediateCertificate(sign *api.SignResponse) (*x509.Certificate, error)
IntermediateCertificate returns the CA intermediate certificate from the sign response.
func LoadDefaultIdentity ¶ added in v0.14.0
LoadDefaultIdentity is a wrapper for identity.LoadDefaultIdentity.
func RootCertificate ¶
func RootCertificate(sign *api.SignResponse) (*x509.Certificate, error)
RootCertificate returns the root certificate from the sign response.
func StopHandler ¶ added in v0.10.0
func StopHandler(servers ...Stopper)
StopHandler watches SIGINT, SIGTERM on a list of servers implementing the Stopper interface, and when one of those signals is caught we'll run Stop (SIGINT, SIGTERM) on all servers.
func StopReloaderHandler ¶
func StopReloaderHandler(servers ...StopReloader)
StopReloaderHandler watches SIGINT, SIGTERM and SIGHUP on a list of servers implementing the StopReloader interface, and when one of those signals is caught we'll run Stop (SIGINT, SIGTERM) or Reload (SIGHUP) on all servers.
func TLSCertificate ¶
func TLSCertificate(sign *api.SignResponse, pk crypto.PrivateKey) (*tls.Certificate, error)
TLSCertificate creates a new TLS certificate from the sign response and the private key used.
func WithRenewBefore ¶
func WithRenewBefore(b time.Duration) func(r *TLSRenewer) error
WithRenewBefore modifies a tlsRenewer by setting the renewBefore attribute.
func WithRenewJitter ¶
func WithRenewJitter(j time.Duration) func(r *TLSRenewer) error
WithRenewJitter modifies a tlsRenewer by setting the renewJitter attribute.
func WriteDefaultIdentity ¶ added in v0.14.0
func WriteDefaultIdentity(certChain []api.Certificate, key crypto.PrivateKey) error
WriteDefaultIdentity is a wrapper for identity.WriteDefaultIdentity.
Types ¶
type ACMEClient ¶ added in v0.13.0
type ACMEClient struct { Key *jose.JSONWebKey // contains filtered or unexported fields }
ACMEClient implements an HTTP client to an ACME API.
func NewACMEClient ¶ added in v0.13.0
func NewACMEClient(endpoint string, contact []string, opts ...ClientOption) (*ACMEClient, error)
NewACMEClient initializes a new ACMEClient.
func (*ACMEClient) FinalizeOrder ¶ added in v0.13.0
func (c *ACMEClient) FinalizeOrder(url string, csr *x509.CertificateRequest) error
FinalizeOrder makes a finalize request to the ACME api.
func (*ACMEClient) GetAccountOrders ¶ added in v0.13.0
func (c *ACMEClient) GetAccountOrders() ([]string, error)
GetAccountOrders retrieves the orders belonging to the given account.
func (*ACMEClient) GetAuthz ¶ added in v0.13.0
func (c *ACMEClient) GetAuthz(url string) (*acme.Authorization, error)
GetAuthz returns the Authz at the given path.
func (*ACMEClient) GetCertificate ¶ added in v0.13.0
func (c *ACMEClient) GetCertificate(url string) (*x509.Certificate, []*x509.Certificate, error)
GetCertificate retrieves the certificate along with all intermediates.
func (*ACMEClient) GetChallenge ¶ added in v0.13.0
func (c *ACMEClient) GetChallenge(url string) (*acme.Challenge, error)
GetChallenge returns the Challenge at the given path. With the validate parameter set to True this method will attempt to validate the challenge before returning it.
func (*ACMEClient) GetDirectory ¶ added in v0.13.0
func (c *ACMEClient) GetDirectory() (*acmeAPI.Directory, error)
GetDirectory makes a directory request to the ACME api and returns an ACME directory object.
func (*ACMEClient) GetNonce ¶ added in v0.13.0
func (c *ACMEClient) GetNonce() (string, error)
GetNonce makes a nonce request to the ACME api and returns an ACME directory object.
func (*ACMEClient) GetOrder ¶ added in v0.13.0
func (c *ACMEClient) GetOrder(url string) (*acme.Order, error)
GetOrder returns the Order at the given path.
func (*ACMEClient) NewOrder ¶ added in v0.13.0
func (c *ACMEClient) NewOrder(payload []byte) (*acme.Order, error)
NewOrder creates and returns the information for a new ACME order.
func (*ACMEClient) ValidateChallenge ¶ added in v0.13.0
func (c *ACMEClient) ValidateChallenge(url string) error
ValidateChallenge returns the Challenge at the given path. With the validate parameter set to True this method will attempt to validate the challenge before returning it.
type AdminClient ¶ added in v0.16.0
type AdminClient struct {
// contains filtered or unexported fields
}
AdminClient implements an HTTP client for the CA server.
func NewAdminClient ¶ added in v0.16.0
func NewAdminClient(endpoint string, opts ...ClientOption) (*AdminClient, error)
NewAdminClient creates a new AdminClient with the given endpoint and options.
func (*AdminClient) CreateAdmin ¶ added in v0.16.0
func (c *AdminClient) CreateAdmin(createAdminRequest *adminAPI.CreateAdminRequest) (*linkedca.Admin, error)
CreateAdmin performs the POST /admin/admins request to the CA.
func (*AdminClient) CreateProvisioner ¶ added in v0.16.0
func (c *AdminClient) CreateProvisioner(prov *linkedca.Provisioner) (*linkedca.Provisioner, error)
CreateProvisioner performs the POST /admin/provisioners request to the CA.
func (*AdminClient) GetAdmin ¶ added in v0.16.0
func (c *AdminClient) GetAdmin(id string) (*linkedca.Admin, error)
GetAdmin performs the GET /admin/admin/{id} request to the CA.
func (*AdminClient) GetAdmins ¶ added in v0.16.0
func (c *AdminClient) GetAdmins(opts ...AdminOption) ([]*linkedca.Admin, error)
GetAdmins returns all admins from the GET /admin/admins request to the CA.
func (*AdminClient) GetAdminsPaginate ¶ added in v0.16.0
func (c *AdminClient) GetAdminsPaginate(opts ...AdminOption) (*adminAPI.GetAdminsResponse, error)
GetAdminsPaginate returns a page from the the GET /admin/admins request to the CA.
func (*AdminClient) GetProvisioner ¶ added in v0.16.0
func (c *AdminClient) GetProvisioner(opts ...ProvisionerOption) (*linkedca.Provisioner, error)
GetProvisioner performs the GET /admin/provisioners/{name} request to the CA.
func (*AdminClient) GetProvisioners ¶ added in v0.16.0
func (c *AdminClient) GetProvisioners(opts ...AdminOption) (provisioner.List, error)
GetProvisioners returns all admins from the GET /admin/admins request to the CA.
func (*AdminClient) GetProvisionersPaginate ¶ added in v0.16.0
func (c *AdminClient) GetProvisionersPaginate(opts ...ProvisionerOption) (*adminAPI.GetProvisionersResponse, error)
GetProvisionersPaginate performs the GET /admin/provisioners request to the CA.
func (*AdminClient) RemoveAdmin ¶ added in v0.16.0
func (c *AdminClient) RemoveAdmin(id string) error
RemoveAdmin performs the DELETE /admin/admins/{id} request to the CA.
func (*AdminClient) RemoveProvisioner ¶ added in v0.16.0
func (c *AdminClient) RemoveProvisioner(opts ...ProvisionerOption) error
RemoveProvisioner performs the DELETE /admin/provisioners/{name} request to the CA.
func (*AdminClient) UpdateAdmin ¶ added in v0.16.0
func (c *AdminClient) UpdateAdmin(id string, uar *adminAPI.UpdateAdminRequest) (*linkedca.Admin, error)
UpdateAdmin performs the PUT /admin/admins/{id} request to the CA.
func (*AdminClient) UpdateProvisioner ¶ added in v0.16.0
func (c *AdminClient) UpdateProvisioner(name string, prov *linkedca.Provisioner) error
UpdateProvisioner performs the PUT /admin/provisioners/{name} request to the CA.
type AdminOption ¶ added in v0.16.0
type AdminOption func(o *adminOptions) error
AdminOption is the type of options passed to the Admin method.
func WithAdminCursor ¶ added in v0.16.0
func WithAdminCursor(cursor string) AdminOption
WithAdminCursor will request the admins starting with the given cursor.
func WithAdminLimit ¶ added in v0.16.0
func WithAdminLimit(limit int) AdminOption
WithAdminLimit will request the given number of admins.
type CA ¶
type CA struct {
// contains filtered or unexported fields
}
CA is the type used to build the complete certificate authority. It builds the HTTP server, set ups the middlewares and the HTTP handlers.
func (*CA) Reload ¶
Reload reloads the configuration of the CA and calls to the server Reload method.
type Client ¶
type Client struct {
// contains filtered or unexported fields
}
Client implements an HTTP client for the CA server.
func Bootstrap ¶
Bootstrap is a helper function that initializes a client with the configuration in the bootstrap token.
func NewClient ¶
func NewClient(endpoint string, opts ...ClientOption) (*Client, error)
NewClient creates a new Client with the given endpoint and options.
func (*Client) Federation ¶ added in v0.8.3
func (c *Client) Federation() (*api.FederationResponse, error)
Federation performs the get federation request to the CA and returns the api.FederationResponse struct.
func (*Client) GetClientTLSConfig ¶
func (c *Client) GetClientTLSConfig(ctx context.Context, sign *api.SignResponse, pk crypto.PrivateKey, options ...TLSOption) (*tls.Config, error)
GetClientTLSConfig returns a tls.Config for client use configured with the sign certificate, and a new certificate pool with the sign root certificate. The client certificate will automatically rotate before expiring.
func (*Client) GetRootCAs ¶ added in v0.14.0
GetRootCAs returns the RootCAs certificate pool from the configured transport.
func (*Client) GetServerTLSConfig ¶
func (c *Client) GetServerTLSConfig(ctx context.Context, sign *api.SignResponse, pk crypto.PrivateKey, options ...TLSOption) (*tls.Config, error)
GetServerTLSConfig returns a tls.Config for server use configured with the sign certificate, and a new certificate pool with the sign root certificate. The returned tls.Config will only verify the client certificate if provided. The server certificate will automatically rotate before expiring.
func (*Client) Health ¶
func (c *Client) Health() (*api.HealthResponse, error)
Health performs the health request to the CA and returns the api.HealthResponse struct.
func (*Client) ProvisionerKey ¶
func (c *Client) ProvisionerKey(kid string) (*api.ProvisionerKeyResponse, error)
ProvisionerKey performs the request to the CA to get the encrypted key for the given provisioner kid and returns the api.ProvisionerKeyResponse struct with the encrypted key.
func (*Client) Provisioners ¶
func (c *Client) Provisioners(opts ...ProvisionerOption) (*api.ProvisionersResponse, error)
Provisioners performs the provisioners request to the CA and returns the api.ProvisionersResponse struct with a map of provisioners.
ProvisionerOption WithProvisionerCursor and WithProvisionLimit can be used to paginate the provisioners.
func (*Client) Rekey ¶ added in v0.15.15
func (c *Client) Rekey(req *api.RekeyRequest, tr http.RoundTripper) (*api.SignResponse, error)
Rekey performs the rekey request to the CA and returns the api.SignResponse struct.
func (*Client) Renew ¶
func (c *Client) Renew(tr http.RoundTripper) (*api.SignResponse, error)
Renew performs the renew request to the CA and returns the api.SignResponse struct.
func (*Client) Revoke ¶ added in v0.10.0
func (c *Client) Revoke(req *api.RevokeRequest, tr http.RoundTripper) (*api.RevokeResponse, error)
Revoke performs the revoke request to the CA and returns the api.RevokeResponse struct.
func (*Client) Root ¶
func (c *Client) Root(sha256Sum string) (*api.RootResponse, error)
Root performs the root request to the CA with the given SHA256 and returns the api.RootResponse struct. It uses an insecure client, but it checks the resulting root certificate with the given SHA256, returning an error if they do not match.
func (*Client) RootFingerprint ¶ added in v0.11.0
RootFingerprint is a helper method that returns the current root fingerprint. It does an health connection and gets the fingerprint from the TLS verified chains.
func (*Client) Roots ¶ added in v0.8.3
func (c *Client) Roots() (*api.RootsResponse, error)
Roots performs the get roots request to the CA and returns the api.RootsResponse struct.
func (*Client) SSHBastion ¶ added in v0.14.0
func (c *Client) SSHBastion(req *api.SSHBastionRequest) (*api.SSHBastionResponse, error)
SSHBastion performs the POST /ssh/bastion request to the CA.
func (*Client) SSHCheckHost ¶ added in v0.14.0
func (c *Client) SSHCheckHost(principal string, token string) (*api.SSHCheckPrincipalResponse, error)
SSHCheckHost performs the POST /ssh/check-host request to the CA with the given principal.
func (*Client) SSHConfig ¶ added in v0.14.0
func (c *Client) SSHConfig(req *api.SSHConfigRequest) (*api.SSHConfigResponse, error)
SSHConfig performs the POST /ssh/config request to the CA to get the ssh configuration templates.
func (*Client) SSHFederation ¶ added in v0.14.0
func (c *Client) SSHFederation() (*api.SSHRootsResponse, error)
SSHFederation performs the get /ssh/federation request to the CA and returns the api.SSHRootsResponse struct.
func (*Client) SSHGetHosts ¶ added in v0.14.0
func (c *Client) SSHGetHosts() (*api.SSHGetHostsResponse, error)
SSHGetHosts performs the GET /ssh/get-hosts request to the CA.
func (*Client) SSHRekey ¶ added in v0.14.0
func (c *Client) SSHRekey(req *api.SSHRekeyRequest) (*api.SSHRekeyResponse, error)
SSHRekey performs the POST /ssh/rekey request to the CA and returns the api.SSHRekeyResponse struct.
func (*Client) SSHRenew ¶ added in v0.14.0
func (c *Client) SSHRenew(req *api.SSHRenewRequest) (*api.SSHRenewResponse, error)
SSHRenew performs the POST /ssh/renew request to the CA and returns the api.SSHRenewResponse struct.
func (*Client) SSHRevoke ¶ added in v0.14.0
func (c *Client) SSHRevoke(req *api.SSHRevokeRequest) (*api.SSHRevokeResponse, error)
SSHRevoke performs the POST /ssh/revoke request to the CA and returns the api.SSHRevokeResponse struct.
func (*Client) SSHRoots ¶ added in v0.14.0
func (c *Client) SSHRoots() (*api.SSHRootsResponse, error)
SSHRoots performs the GET /ssh/roots request to the CA and returns the api.SSHRootsResponse struct.
func (*Client) SSHSign ¶ added in v0.14.0
func (c *Client) SSHSign(req *api.SSHSignRequest) (*api.SSHSignResponse, error)
SSHSign performs the POST /ssh/sign request to the CA and returns the api.SSHSignResponse struct.
func (*Client) SetTransport ¶ added in v0.10.0
func (c *Client) SetTransport(tr http.RoundTripper)
SetTransport updates the transport of the internal HTTP client.
func (*Client) Sign ¶
func (c *Client) Sign(req *api.SignRequest) (*api.SignResponse, error)
Sign performs the sign request to the CA and returns the api.SignResponse struct.
type ClientOption ¶
type ClientOption func(o *clientOptions) error
ClientOption is the type of options passed to the Client constructor.
func WithAdminX5C ¶ added in v0.16.0
func WithAdminX5C(certs []*x509.Certificate, key interface{}, passwordFile string) ClientOption
WithAdminX5C will set the given file as the X5C certificate for use by the client.
func WithCABundle ¶ added in v0.11.0
func WithCABundle(bundle []byte) ClientOption
WithCABundle will create the transport using the given root certificates. It will fail if a previous option to create the transport has been configured.
func WithCertificate ¶ added in v0.14.0
func WithCertificate(cert tls.Certificate) ClientOption
WithCertificate will set the given certificate as the TLS client certificate in the client.
func WithRetryFunc ¶ added in v0.14.0
func WithRetryFunc(fn RetryFunc) ClientOption
WithRetryFunc defines a method used to retry a request.
func WithRootFile ¶
func WithRootFile(filename string) ClientOption
WithRootFile will create the transport using the given root certificate. It will fail if a previous option to create the transport has been configured.
func WithRootSHA256 ¶
func WithRootSHA256(sum string) ClientOption
WithRootSHA256 will create the transport using an insecure client to retrieve the root certificate using its fingerprint. It will fail if a previous option to create the transport has been configured.
func WithTransport ¶
func WithTransport(tr http.RoundTripper) ClientOption
WithTransport adds a custom transport to the Client. It will fail if a previous option to create the transport has been configured.
type Option ¶
type Option func(o *options)
Option is the type of options passed to the CA constructor.
func WithConfigFile ¶
WithConfigFile sets the given name as the configuration file name in the CA options.
func WithDatabase ¶ added in v0.11.0
WithDatabase sets the given authority database to the CA options.
func WithIssuerPassword ¶ added in v0.15.11
WithIssuerPassword sets the given password as the configured certificate issuer password in the CA options.
func WithLinkedCAToken ¶ added in v0.17.0
WithLinkedCAToken sets the token used to authenticate with the linkedca.
func WithPassword ¶
WithPassword sets the given password as the configured password in the CA options.
func WithSSHHostPassword ¶ added in v0.17.3
WithSSHHostPassword sets the given password to decrypt the key used to sign ssh host certificates.
func WithSSHUserPassword ¶ added in v0.17.3
WithSSHUserPassword sets the given password to decrypt the key used to sign ssh user certificates.
type Provisioner ¶ added in v0.10.0
type Provisioner struct { *Client // contains filtered or unexported fields }
Provisioner is an authorized entity that can sign tokens necessary for signature requests.
func NewProvisioner ¶ added in v0.10.0
func NewProvisioner(name, kid, caURL string, password []byte, opts ...ClientOption) (*Provisioner, error)
NewProvisioner loads and decrypts key material from the CA for the named provisioner. The key identified by `kid` will be used if specified. If `kid` is the empty string we'll use the first key for the named provisioner that decrypts using `password`.
func (*Provisioner) Kid ¶ added in v0.10.0
func (p *Provisioner) Kid() string
Kid returns the provisioners key ID.
func (*Provisioner) Name ¶ added in v0.10.0
func (p *Provisioner) Name() string
Name returns the provisioner's name.
func (*Provisioner) SSHToken ¶ added in v0.14.0
func (p *Provisioner) SSHToken(certType, keyID string, principals []string) (string, error)
SSHToken generates a SSH token.
func (*Provisioner) SetFingerprint ¶ added in v0.11.0
func (p *Provisioner) SetFingerprint(sum string)
SetFingerprint overwrites the default fingerprint used.
type ProvisionerOption ¶
type ProvisionerOption func(o *provisionerOptions) error
ProvisionerOption is the type of options passed to the Provisioner method.
func WithProvisionerCursor ¶
func WithProvisionerCursor(cursor string) ProvisionerOption
WithProvisionerCursor will request the provisioners starting with the given cursor.
func WithProvisionerID ¶ added in v0.16.0
func WithProvisionerID(id string) ProvisionerOption
WithProvisionerID will request the given provisioner.
func WithProvisionerLimit ¶
func WithProvisionerLimit(limit int) ProvisionerOption
WithProvisionerLimit will request the given number of provisioners.
func WithProvisionerName ¶ added in v0.16.0
func WithProvisionerName(name string) ProvisionerOption
WithProvisionerName will request the given provisioner.
type RenewFunc ¶
type RenewFunc func() (*tls.Certificate, error)
RenewFunc defines the type of the functions used to get a new tls certificate.
type RetryFunc ¶ added in v0.14.0
RetryFunc defines the method used to retry a request. If it returns true, the request will be retried once.
type StopReloader ¶
StopReloader is the interface that external commands can implement to stop the server and reload the configuration while running.
type Stopper ¶ added in v0.10.0
type Stopper interface {
Stop() error
}
Stopper is the interface that external commands can implement to stop the server.
type TLSOption ¶
type TLSOption func(ctx *TLSOptionCtx) error
TLSOption defines the type of a function that modifies a tls.Config.
func AddClientCA ¶
func AddClientCA(cert *x509.Certificate) TLSOption
AddClientCA adds to the tls.Config ClientCAs the given certificate. ClientCAs defines the set of root certificate authorities that servers use if required to verify a client certificate by the policy in ClientAuth.
func AddFederationToCAs ¶ added in v0.8.3
func AddFederationToCAs() TLSOption
AddFederationToCAs does a federation request and adds the resulting certs to the tls.Config RootCAs and ClientCAs. Combines the functionality of AddFederationToRootCAs and AddFederationToClientCAs.
func AddFederationToClientCAs ¶ added in v0.8.3
func AddFederationToClientCAs() TLSOption
AddFederationToClientCAs does a federation request and adds to the tls.Config ClientCAs all the certificates in the response. ClientCAs defines the set of root certificate authorities that servers use if required to verify a client certificate by the policy in ClientAuth.
func AddFederationToRootCAs ¶ added in v0.8.3
func AddFederationToRootCAs() TLSOption
AddFederationToRootCAs does a federation request and adds to the tls.Config RootCAs all the certificates in the response. RootCAs defines the set of root certificate authorities that clients use when verifying server certificates.
func AddRootCA ¶
func AddRootCA(cert *x509.Certificate) TLSOption
AddRootCA adds to the tls.Config RootCAs the given certificate. RootCAs defines the set of root certificate authorities that clients use when verifying server certificates.
func AddRootsToCAs ¶ added in v0.8.3
func AddRootsToCAs() TLSOption
AddRootsToCAs does a roots request and adds the resulting certs to the tls.Config RootCAs and ClientCAs. Combines the functionality of AddRootsToRootCAs and AddRootsToClientCAs.
func AddRootsToClientCAs ¶ added in v0.8.3
func AddRootsToClientCAs() TLSOption
AddRootsToClientCAs does a roots request and adds to the tls.Config ClientCAs all the certificates in the response. ClientCAs defines the set of root certificate authorities that servers use if required to verify a client certificate by the policy in ClientAuth.
BootstrapServer method includes this option by default.
func AddRootsToRootCAs ¶ added in v0.8.3
func AddRootsToRootCAs() TLSOption
AddRootsToRootCAs does a roots request and adds to the tls.Config RootCAs all the certificates in the response. RootCAs defines the set of root certificate authorities that clients use when verifying server certificates.
BootstrapServer and BootstrapClient methods include this option by default.
func RequireAndVerifyClientCert ¶
func RequireAndVerifyClientCert() TLSOption
RequireAndVerifyClientCert is a tls.Config option used on servers to enforce a valid TLS client certificate. This is the default option for mTLS servers.
func VerifyClientCertIfGiven ¶
func VerifyClientCertIfGiven() TLSOption
VerifyClientCertIfGiven is a tls.Config option used on on servers to validate a TLS client certificate if it is provided. It does not requires a certificate.
type TLSOptionCtx ¶ added in v0.8.3
type TLSOptionCtx struct { Client *Client Config *tls.Config Sign *api.SignResponse OnRenewFunc []TLSOption // contains filtered or unexported fields }
TLSOptionCtx is the context modified on TLSOption methods.
type TLSRenewer ¶
type TLSRenewer struct { sync.RWMutex RenewCertificate RenewFunc // contains filtered or unexported fields }
TLSRenewer automatically renews a tls certificate using a RenewFunc.
func NewTLSRenewer ¶
func NewTLSRenewer(cert *tls.Certificate, fn RenewFunc, opts ...tlsRenewerOptions) (*TLSRenewer, error)
NewTLSRenewer creates a TLSRenewer for the given cert. It will use the given RenewFunc to get a new certificate when required.
func (*TLSRenewer) GetCertificate ¶
func (r *TLSRenewer) GetCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error)
GetCertificate returns the current server certificate.
This method is set in the tls.Config GetCertificate property.
func (*TLSRenewer) GetCertificateForCA ¶
func (r *TLSRenewer) GetCertificateForCA(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error)
GetCertificateForCA returns the current server certificate. It can only be used if the renew function creates the new certificate and do not uses a TLS request. It's intended to be use by the certificate authority server.
This method is set in the tls.Config GetCertificate property.
func (*TLSRenewer) GetClientCertificate ¶
func (r *TLSRenewer) GetClientCertificate(*tls.CertificateRequestInfo) (*tls.Certificate, error)
GetClientCertificate returns the current client certificate.
This method is set in the tls.Config GetClientCertificate property.
func (*TLSRenewer) Run ¶
func (r *TLSRenewer) Run()
Run starts the certificate renewer for the given certificate.
func (*TLSRenewer) RunContext ¶
func (r *TLSRenewer) RunContext(ctx context.Context)
RunContext starts the certificate renewer for the given certificate.
func (*TLSRenewer) Stop ¶
func (r *TLSRenewer) Stop() bool
Stop prevents the renew timer from firing.