Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
var ( // DefaultBackdate length of time to backdate certificates to avoid // clock skew validation issues. DefaultBackdate = time.Minute // DefaultDisableRenewal disables renewals per provisioner. DefaultDisableRenewal = false // DefaultAllowRenewalAfterExpiry allows renewals even if the certificate is // expired. DefaultAllowRenewalAfterExpiry = false // DefaultEnableSSHCA enable SSH CA features per provisioner or globally // for all provisioners. DefaultEnableSSHCA = false // GlobalProvisionerClaims default claims for the Authority. Can be overridden // by provisioner specific claims. GlobalProvisionerClaims = provisioner.Claims{ MinTLSDur: &provisioner.Duration{Duration: 5 * time.Minute}, MaxTLSDur: &provisioner.Duration{Duration: 24 * time.Hour}, DefaultTLSDur: &provisioner.Duration{Duration: 24 * time.Hour}, MinUserSSHDur: &provisioner.Duration{Duration: 5 * time.Minute}, MaxUserSSHDur: &provisioner.Duration{Duration: 24 * time.Hour}, DefaultUserSSHDur: &provisioner.Duration{Duration: 16 * time.Hour}, MinHostSSHDur: &provisioner.Duration{Duration: 5 * time.Minute}, MaxHostSSHDur: &provisioner.Duration{Duration: 30 * 24 * time.Hour}, DefaultHostSSHDur: &provisioner.Duration{Duration: 30 * 24 * time.Hour}, EnableSSHCA: &DefaultEnableSSHCA, DisableRenewal: &DefaultDisableRenewal, AllowRenewalAfterExpiry: &DefaultAllowRenewalAfterExpiry, } )
var ( // DefaultTLSMinVersion default minimum version of TLS. DefaultTLSMinVersion = TLSVersion(1.2) // DefaultTLSMaxVersion default maximum version of TLS. DefaultTLSMaxVersion = TLSVersion(1.3) // DefaultTLSRenegotiation default TLS connection renegotiation policy. DefaultTLSRenegotiation = false // Never regnegotiate. // DefaultTLSCipherSuites specifies default step ciphersuite(s). // These are TLS 1.0 - 1.2 cipher suites. DefaultTLSCipherSuites = CipherSuites{ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", } // ApprovedTLSCipherSuites smallstep approved ciphersuites. ApprovedTLSCipherSuites = CipherSuites{ "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", } // DefaultTLSOptions represents the default TLS version as well as the cipher // suites used in the TLS certificates. DefaultTLSOptions = TLSOptions{ CipherSuites: DefaultTLSCipherSuites, MinVersion: DefaultTLSMinVersion, MaxVersion: DefaultTLSMaxVersion, Renegotiation: DefaultTLSRenegotiation, } )
Functions ¶
This section is empty.
Types ¶
type ASN1DN ¶
type ASN1DN struct { Country string `json:"country,omitempty"` Organization string `json:"organization,omitempty"` OrganizationalUnit string `json:"organizationalUnit,omitempty"` Locality string `json:"locality,omitempty"` Province string `json:"province,omitempty"` StreetAddress string `json:"streetAddress,omitempty"` SerialNumber string `json:"serialNumber,omitempty"` CommonName string `json:"commonName,omitempty"` }
ASN1DN contains ASN1.DN attributes that are used in Subject and Issuer x509 Certificate blocks.
type AuthConfig ¶
type AuthConfig struct { *cas.Options AuthorityID string `json:"authorityId,omitempty"` DeploymentType string `json:"deploymentType,omitempty"` Provisioners provisioner.List `json:"provisioners,omitempty"` Admins []*linkedca.Admin `json:"-"` Template *ASN1DN `json:"template,omitempty"` Claims *provisioner.Claims `json:"claims,omitempty"` DisableIssuedAtCheck bool `json:"disableIssuedAtCheck,omitempty"` Backdate *provisioner.Duration `json:"backdate,omitempty"` EnableAdmin bool `json:"enableAdmin,omitempty"` }
AuthConfig represents the configuration options for the authority. An underlaying registration authority can also be configured using the cas.Options.
func (*AuthConfig) Validate ¶
func (c *AuthConfig) Validate(audiences provisioner.Audiences) error
Validate validates the authority configuration.
type Bastion ¶
type Bastion struct { Hostname string `json:"hostname"` User string `json:"user,omitempty"` Port string `json:"port,omitempty"` Command string `json:"cmd,omitempty"` Flags string `json:"flags,omitempty"` }
Bastion contains the custom properties used on bastion.
type CipherSuites ¶
type CipherSuites []string
CipherSuites represents an array of string codes representing the cipher suites.
func (CipherSuites) Validate ¶
func (c CipherSuites) Validate() error
Validate implements models.Validator and checks that a cipher suite is valid.
func (CipherSuites) Value ¶
func (c CipherSuites) Value() []uint16
Value returns an []uint16 for the cipher suites.
type Config ¶
type Config struct { Root multiString `json:"root"` FederatedRoots []string `json:"federatedRoots"` IntermediateCert string `json:"crt"` IntermediateKey string `json:"key"` Address string `json:"address"` InsecureAddress string `json:"insecureAddress"` DNSNames []string `json:"dnsNames"` KMS *kms.Options `json:"kms,omitempty"` SSH *SSHConfig `json:"ssh,omitempty"` Logger json.RawMessage `json:"logger,omitempty"` DB *db.Config `json:"db,omitempty"` Monitoring json.RawMessage `json:"monitoring,omitempty"` AuthorityConfig *AuthConfig `json:"authority,omitempty"` TLS *TLSOptions `json:"tls,omitempty"` Password string `json:"password,omitempty"` Templates *templates.Templates `json:"templates,omitempty"` CommonName string `json:"commonName,omitempty"` }
Config represents the CA configuration and it's mapped to a JSON object.
func LoadConfiguration ¶
LoadConfiguration parses the given filename in JSON format and returns the configuration struct.
func (*Config) GetAudiences ¶
func (c *Config) GetAudiences() provisioner.Audiences
GetAudiences returns the legacy and possible urls without the ports that will be used as the default provisioner audiences. The CA might have proxies in front so we cannot rely on the port.
func (*Config) Init ¶
func (c *Config) Init()
Init initializes the minimal configuration required to create an authority. This is mainly used on embedded authorities.
type Host ¶
type Host struct { HostID string `json:"hid"` HostTags []HostTag `json:"host_tags"` Hostname string `json:"hostname"` }
Host defines expected attributes for an ssh host.
type HostTag ¶
HostTag are tagged with k,v pairs. These tags are how a user is ultimately associated with a host.
type SSHConfig ¶
type SSHConfig struct { HostKey string `json:"hostKey"` UserKey string `json:"userKey"` Keys []*SSHPublicKey `json:"keys,omitempty"` AddUserPrincipal string `json:"addUserPrincipal,omitempty"` AddUserCommand string `json:"addUserCommand,omitempty"` Bastion *Bastion `json:"bastion,omitempty"` }
SSHConfig contains the user and host keys.
type SSHPublicKey ¶
type SSHPublicKey struct { Type string `json:"type"` Federated bool `json:"federated"` Key jose.JSONWebKey `json:"key"` // contains filtered or unexported fields }
SSHPublicKey contains a public key used by federated CAs to keep old signing keys for this ca.
func (*SSHPublicKey) PublicKey ¶
func (k *SSHPublicKey) PublicKey() ssh.PublicKey
PublicKey returns the ssh public key.
func (*SSHPublicKey) Validate ¶
func (k *SSHPublicKey) Validate() error
Validate checks the fields in SSHPublicKey.
type TLSOptions ¶
type TLSOptions struct { CipherSuites CipherSuites `json:"cipherSuites"` MinVersion TLSVersion `json:"minVersion"` MaxVersion TLSVersion `json:"maxVersion"` Renegotiation bool `json:"renegotiation"` }
TLSOptions represents the TLS options that can be specified on *tls.Config types to configure HTTPS servers and clients.
func (*TLSOptions) TLSConfig ¶
func (t *TLSOptions) TLSConfig() *tls.Config
TLSConfig returns the tls.Config equivalent of the TLSOptions.
type TLSVersion ¶
type TLSVersion float64
TLSVersion represents a TLS version number.
func (TLSVersion) String ¶
func (v TLSVersion) String() string
String returns the Go constant for the TLSVersion.
func (TLSVersion) Validate ¶
func (v TLSVersion) Validate() error
Validate implements models.Validator and checks that a cipher suite is valid.
func (TLSVersion) Value ¶
func (v TLSVersion) Value() uint16
Value returns the Go constant for the TLSVersion.