Documentation ¶
Index ¶
- Constants
- func CreateCertificateAuthorityExtension(typ Type, certificateID string, keyValuePairs ...string) (pkix.Extension, error)
- func FindCertificateAuthorityExtension(cert *x509.Certificate) (pkix.Extension, bool)
- func Register(t Type, fn CertificateAuthorityServiceNewFunc)
- func RemoveCertificateAuthorityExtension(cert *x509.Certificate)
- type CertificateAuthorityCRLGenerator
- type CertificateAuthorityCreator
- type CertificateAuthorityExtension
- type CertificateAuthorityGetter
- type CertificateAuthorityService
- type CertificateAuthorityServiceNewFunc
- type CertificateAuthoritySigner
- type CertificateAuthorityType
- type CertificateIssuer
- type CreateCRLRequest
- type CreateCRLResponse
- type CreateCertificateAuthorityRequest
- type CreateCertificateAuthorityResponse
- type CreateCertificateRequest
- type CreateCertificateResponse
- type CreateKeyRequest
- type GetCertificateAuthorityRequest
- type GetCertificateAuthorityResponse
- type NotImplementedError
- type Options
- type ProvisionerInfo
- type RenewCertificateRequest
- type RenewCertificateResponse
- type RevokeCertificateRequest
- type RevokeCertificateResponse
- type SignatureAlgorithm
- type SignatureAlgorithmGetter
- type Type
- type ValidationError
Constants ¶
const (
	// DefaultCAS is the empty type and resolves to the software CAS (SoftCAS).
	DefaultCAS = ""
	// SoftCAS is a CertificateAuthorityService using software.
	SoftCAS = "softcas"
	// CloudCAS is a CertificateAuthorityService using Google Cloud CAS.
	CloudCAS = "cloudcas"
	// StepCAS is a CertificateAuthorityService using another step-ca instance.
	StepCAS = "stepcas"
	// VaultCAS is a CertificateAuthorityService using HashiCorp Vault PKI.
	VaultCAS = "vaultcas"
	// ExternalCAS is a CertificateAuthorityService using an external injected CA implementation.
	ExternalCAS = "externalcas"
)
Variables ¶
This section is empty.
Functions ¶
func CreateCertificateAuthorityExtension ¶
func CreateCertificateAuthorityExtension(typ Type, certificateID string, keyValuePairs ...string) (pkix.Extension, error)
CreateCertificateAuthorityExtension returns an X.509 extension that encodes the CAS type, the certificate id and an optional list of key-value pairs.
func FindCertificateAuthorityExtension ¶
func FindCertificateAuthorityExtension(cert *x509.Certificate) (pkix.Extension, bool)
FindCertificateAuthorityExtension returns the certificate authority extension from a signed (parsed) certificate, and false if the certificate does not carry one.
func Register ¶
func Register(t Type, fn CertificateAuthorityServiceNewFunc)
Register adds to the registry the function used to create a CertificateAuthorityService of type t.
func RemoveCertificateAuthorityExtension ¶
func RemoveCertificateAuthorityExtension(cert *x509.Certificate)
RemoveCertificateAuthorityExtension removes the certificate authority extension from a certificate template.
Types ¶
type CertificateAuthorityCRLGenerator ¶ added in v0.23.0
type CertificateAuthorityCRLGenerator interface {
CreateCRL(req *CreateCRLRequest) (*CreateCRLResponse, error)
}
CertificateAuthorityCRLGenerator is an optional interface implemented by a CertificateAuthorityService that has a method to create a CRL.
type CertificateAuthorityCreator ¶ added in v0.15.6
type CertificateAuthorityCreator interface {
CreateCertificateAuthority(req *CreateCertificateAuthorityRequest) (*CreateCertificateAuthorityResponse, error)
}
CertificateAuthorityCreator is an interface implemented by a CertificateAuthorityService that has a method to create a new certificate authority.
type CertificateAuthorityExtension ¶
type CertificateAuthorityExtension struct {
	Type          string
	CertificateID string   `asn1:"optional,omitempty"`
	KeyValuePairs []string `asn1:"optional,omitempty"`
}
CertificateAuthorityExtension type is used to encode the certificate authority extension.
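As an added example, not code from the smallstep package, the following stand-alone Go program re-implements the create/find/remove trio above on crypto/x509 types, using the same ASN.1 layout as CertificateAuthorityExtension. The OID is a placeholder chosen for this example (the package's real OID is not shown on this page). It adds two checks a practitioner wants: key/value arguments must come in pairs, and a decoded value must not carry trailing bytes.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
)

// casExtension mirrors the ASN.1 layout of CertificateAuthorityExtension:
// a SEQUENCE of the CAS type, an optional certificate id and optional key/value pairs.
type casExtension struct {
	Type          string
	CertificateID string   `asn1:"optional,omitempty"`
	KeyValuePairs []string `asn1:"optional,omitempty"`
}

// oidCASExtension is a placeholder OID chosen for this example (an arc under an
// unassigned private enterprise number); the package uses its own fixed OID.
var oidCASExtension = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 64, 2}

// createCASExtension encodes typ, certificateID and keyValuePairs into a
// non-critical extension, like CreateCertificateAuthorityExtension. An odd
// number of key/value strings is an error rather than a silently dropped value.
func createCASExtension(typ, certificateID string, keyValuePairs ...string) (pkix.Extension, error) {
	if typ == "" {
		return pkix.Extension{}, errors.New("cas extension: type must not be empty")
	}
	if len(keyValuePairs)%2 != 0 {
		return pkix.Extension{}, errors.New("cas extension: keyValuePairs must come in pairs")
	}
	value, err := asn1.Marshal(casExtension{Type: typ, CertificateID: certificateID, KeyValuePairs: keyValuePairs})
	if err != nil {
		return pkix.Extension{}, err
	}
	// Non-critical: relying parties that do not know the OID must still accept the certificate.
	return pkix.Extension{Id: oidCASExtension, Critical: false, Value: value}, nil
}

// findCASExtension searches cert.Extensions, which crypto/x509 fills when it
// parses a signed certificate.
func findCASExtension(cert *x509.Certificate) (pkix.Extension, bool) {
	for _, e := range cert.Extensions {
		if e.Id.Equal(oidCASExtension) {
			return e, true
		}
	}
	return pkix.Extension{}, false
}

// removeCASExtension strips the extension from a template's ExtraExtensions,
// the field x509.CreateCertificate copies into the issued certificate.
func removeCASExtension(tpl *x509.Certificate) {
	kept := tpl.ExtraExtensions[:0]
	for _, e := range tpl.ExtraExtensions {
		if !e.Id.Equal(oidCASExtension) {
			kept = append(kept, e)
		}
	}
	tpl.ExtraExtensions = kept
}

// decodeCASExtension parses the value back and rejects trailing bytes, which a
// well-formed DER encoding never has.
func decodeCASExtension(ext pkix.Extension) (casExtension, error) {
	var v casExtension
	rest, err := asn1.Unmarshal(ext.Value, &v)
	if err != nil {
		return casExtension{}, err
	}
	if len(rest) != 0 {
		return casExtension{}, errors.New("cas extension: trailing data")
	}
	return v, nil
}

func main() {
	ext, err := createCASExtension("cloudcas", "projects/p/locations/us-west1/certificateAuthorities/ca", "pool", "dev")
	if err != nil {
		panic(err)
	}
	// A template carries the extension in ExtraExtensions; a parsed, signed
	// certificate exposes it in Extensions (constructed here instead of parsed).
	tpl := &x509.Certificate{ExtraExtensions: []pkix.Extension{ext}}
	signed := &x509.Certificate{Extensions: []pkix.Extension{ext}}
	if found, ok := findCASExtension(signed); ok {
		v, _ := decodeCASExtension(found)
		fmt.Printf("type=%s id=%s kv=%v\n", v.Type, v.CertificateID, v.KeyValuePairs)
	}
	removeCASExtension(tpl)
	fmt.Println("extensions left on template:", len(tpl.ExtraExtensions))
}
```

The extension is deliberately non-critical: it is provenance metadata for the issuing CA, and marking it critical would make every relying party that does not recognise the OID reject the certificate.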
type CertificateAuthorityGetter ¶
type CertificateAuthorityGetter interface {
GetCertificateAuthority(req *GetCertificateAuthorityRequest) (*GetCertificateAuthorityResponse, error)
}
CertificateAuthorityGetter is an interface implemented by a CertificateAuthorityService that has a method to get the root certificate.
type CertificateAuthorityService ¶
type CertificateAuthorityService interface {
	CreateCertificate(req *CreateCertificateRequest) (*CreateCertificateResponse, error)
	RenewCertificate(req *RenewCertificateRequest) (*RenewCertificateResponse, error)
	RevokeCertificate(req *RevokeCertificateRequest) (*RevokeCertificateResponse, error)
}
CertificateAuthorityService is the interface implemented to support external certificate authorities.
type CertificateAuthorityServiceNewFunc ¶
type CertificateAuthorityServiceNewFunc func(ctx context.Context, opts Options) (CertificateAuthorityService, error)
CertificateAuthorityServiceNewFunc is the type that represents the method to initialize a new CertificateAuthorityService.
func LoadCertificateAuthorityServiceNewFunc ¶
func LoadCertificateAuthorityServiceNewFunc(t Type) (CertificateAuthorityServiceNewFunc, bool)
LoadCertificateAuthorityServiceNewFunc returns the function registered to initialize a CertificateAuthorityService of type t, and false if no function is registered for that type.
type CertificateAuthoritySigner ¶ added in v0.26.2
CertificateAuthoritySigner is an optional interface implemented by a CertificateAuthorityService that has a method that returns a crypto.Signer using the same key used to issue certificates.
type CertificateAuthorityType ¶ added in v0.15.6
type CertificateAuthorityType int
CertificateAuthorityType indicates the type of Certificate Authority to create.
const (
	// RootCA is the type used to create a self-signed certificate suitable for
	// use as a root CA.
	RootCA CertificateAuthorityType = iota + 1
	// IntermediateCA is the type used to create a subordinated certificate that
	// can be used to sign additional leaf certificates.
	IntermediateCA
)
type CertificateIssuer ¶ added in v0.15.11
type CertificateIssuer struct {
	Type        string `json:"type"`
	Provisioner string `json:"provisioner,omitempty"`
	Certificate string `json:"crt,omitempty"`
	Key         string `json:"key,omitempty"`
	Password    string `json:"password,omitempty"`
}
CertificateIssuer contains the properties used to configure the StepCAS certificate authority service.
type CreateCRLRequest ¶ added in v0.23.0
type CreateCRLRequest struct {
RevocationList *x509.RevocationList
}
CreateCRLRequest is the request to create a Certificate Revocation List.
type CreateCRLResponse ¶ added in v0.23.0
type CreateCRLResponse struct {
CRL []byte // the CRL in DER format
}
CreateCRLResponse is the response to a Certificate Revocation List request.
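Added example, not the package's own code: a minimal software CAS that implements the CertificateAuthorityService and CertificateAuthorityCRLGenerator shapes above (with the request and response types reduced to the fields used here), registers itself through Register from an init function and is resolved with LoadCertificateAuthorityServiceNewFunc. The throwaway ECDSA root, the refusal to sign CA templates from CreateCertificate, the random 160-bit serial and the lock-free registry (populated only from init) are choices of this example.

```go
package main

import (
	"context"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Stand-ins for the page's types, trimmed to the fields this example uses.
type Type string

const SoftCAS Type = "softcas"

type Options struct {
	CertificateChain []*x509.Certificate
	Signer           crypto.Signer
}
type CreateCertificateRequest struct {
	Template           *x509.Certificate
	Lifetime, Backdate time.Duration
}
type CreateCertificateResponse struct {
	Certificate      *x509.Certificate
	CertificateChain []*x509.Certificate
}
type CreateCRLRequest struct{ RevocationList *x509.RevocationList }
type CreateCRLResponse struct{ CRL []byte } // DER
type CertificateAuthorityService interface {
	CreateCertificate(req *CreateCertificateRequest) (*CreateCertificateResponse, error)
}
type CertificateAuthorityCRLGenerator interface {
	CreateCRL(req *CreateCRLRequest) (*CreateCRLResponse, error)
}
type CertificateAuthorityServiceNewFunc func(ctx context.Context, opts Options) (CertificateAuthorityService, error)

// The registry maps a Type to its constructor. Registration runs from init
// functions before any goroutine can call Load, so this example needs no lock.
var registry = map[Type]CertificateAuthorityServiceNewFunc{}

func Register(t Type, fn CertificateAuthorityServiceNewFunc) { registry[t] = fn }

func LoadCertificateAuthorityServiceNewFunc(t Type) (CertificateAuthorityServiceNewFunc, bool) {
	fn, ok := registry[t]
	return fn, ok
}

// softCAS signs in-process with opts.Signer, the way the built-in SoftCAS does.
type softCAS struct {
	chain  []*x509.Certificate
	signer crypto.Signer
}

func newSoftCAS(_ context.Context, opts Options) (CertificateAuthorityService, error) {
	if len(opts.CertificateChain) == 0 || opts.Signer == nil {
		return nil, errors.New("softcas: CertificateChain and Signer are required")
	}
	return &softCAS{chain: opts.CertificateChain, signer: opts.Signer}, nil
}

func (c *softCAS) CreateCertificate(req *CreateCertificateRequest) (*CreateCertificateResponse, error) {
	if req.Template == nil || req.Template.PublicKey == nil || req.Lifetime <= 0 {
		return nil, errors.New("softcas: template with public key and positive lifetime required")
	}
	if req.Template.IsCA { // policy of this example: CreateCertificate issues leaves only
		return nil, errors.New("softcas: refusing to sign a CA template")
	}
	tpl := *req.Template // the CAS owns serial and validity; the caller's template stays untouched
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 159))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tpl.SerialNumber = serial.Add(serial, big.NewInt(1)) // random, never zero
	tpl.NotBefore = now.Add(-req.Backdate)               // Backdate absorbs client clock skew
	tpl.NotAfter = now.Add(req.Lifetime)
	der, err := x509.CreateCertificate(rand.Reader, &tpl, c.chain[0], tpl.PublicKey, c.signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CreateCertificateResponse{Certificate: cert, CertificateChain: c.chain}, nil
}

// CreateCRL signs the caller's RevocationList with the issuer key; the issuer
// certificate must carry the cRLSign key usage or CreateRevocationList refuses.
func (c *softCAS) CreateCRL(req *CreateCRLRequest) (*CreateCRLResponse, error) {
	if req.RevocationList == nil || req.RevocationList.Number == nil {
		return nil, errors.New("softcas: RevocationList with a CRL number is required")
	}
	der, err := x509.CreateRevocationList(rand.Reader, req.RevocationList, c.chain[0], c.signer)
	if err != nil {
		return nil, err
	}
	return &CreateCRLResponse{CRL: der}, nil
}

func init() { Register(SoftCAS, newSoftCAS) }

// newRootCA makes a throwaway self-signed ECDSA root; a real deployment loads
// the issuer chain and a KMS-backed signer from its configuration.
func newRootCA() (*x509.Certificate, crypto.Signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, tpl, key.Public(), key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf resolves the CAS through the registry and issues a server
// certificate for dnsName; it returns the service too so callers can revoke.
func issueLeaf(dnsName string, lifetime, backdate time.Duration) (*CreateCertificateResponse, CertificateAuthorityService, error) {
	root, signer, err := newRootCA()
	if err != nil {
		return nil, nil, err
	}
	newFn, ok := LoadCertificateAuthorityServiceNewFunc(SoftCAS)
	if !ok {
		return nil, nil, fmt.Errorf("no CAS registered for type %q", SoftCAS)
	}
	cas, err := newFn(context.Background(), Options{CertificateChain: []*x509.Certificate{root}, Signer: signer})
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	resp, err := cas.CreateCertificate(&CreateCertificateRequest{
		Template: &x509.Certificate{
			Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName}, PublicKey: leafKey.Public(),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		},
		Lifetime: lifetime, Backdate: backdate,
	})
	if err != nil {
		return nil, nil, err
	}
	return resp, cas, nil
}

func main() {
	resp, cas, err := issueLeaf("svc.example.internal", 24*time.Hour, time.Minute)
	if err != nil {
		panic(err)
	}
	leaf := resp.Certificate
	crl, err := cas.(CertificateAuthorityCRLGenerator).CreateCRL(&CreateCRLRequest{RevocationList: &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: leaf.SerialNumber, RevocationTime: time.Now()}},
	}})
	if err != nil {
		panic(err)
	}
	fmt.Printf("issued serial %s, CRL of %d bytes revokes it\n", leaf.SerialNumber, len(crl.CRL))
}
```

Two details matter for a real implementation: the CAS, not the caller, must set SerialNumber, NotBefore and NotAfter (a client-supplied template must never be able to choose its own serial or validity), and a CRL signed by an issuer without the cRLSign key usage is rejected by Go's verifier, so the issuing certificate's KeyUsage has to include it from the start.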
type CreateCertificateAuthorityRequest ¶ added in v0.15.6
type CreateCertificateAuthorityRequest struct {
	Name      string
	Type      CertificateAuthorityType
	Template  *x509.Certificate
	Lifetime  time.Duration
	Backdate  time.Duration
	RequestID string
	Project   string
	Location  string

	// Parent is the signer of the new CertificateAuthority.
	Parent *CreateCertificateAuthorityResponse

	// CreateKey defines the KMS CreateKeyRequest to use when creating a new
	// CertificateAuthority. If CreateKey is nil, a default algorithm will be
	// used.
	CreateKey *CreateKeyRequest
}
CreateCertificateAuthorityRequest is the request used to generate a root or intermediate certificate.
type CreateCertificateAuthorityResponse ¶ added in v0.15.6
type CreateCertificateAuthorityResponse struct {
	Name             string
	Certificate      *x509.Certificate
	CertificateChain []*x509.Certificate
	KeyName          string
	PublicKey        crypto.PublicKey
	PrivateKey       crypto.PrivateKey
	Signer           crypto.Signer
}
CreateCertificateAuthorityResponse is the response for CreateCertificateAuthority method and contains the root or intermediate certificate generated as well as the CA chain.
type CreateCertificateRequest ¶
type CreateCertificateRequest struct {
	Template       *x509.Certificate
	CSR            *x509.CertificateRequest
	Lifetime       time.Duration
	Backdate       time.Duration
	RequestID      string
	Provisioner    *ProvisionerInfo
	IsCAServerCert bool
}
CreateCertificateRequest is the request used to sign a new certificate.
type CreateCertificateResponse ¶
type CreateCertificateResponse struct {
	Certificate      *x509.Certificate
	CertificateChain []*x509.Certificate
}
CreateCertificateResponse is the response to a create certificate request.
type CreateKeyRequest ¶ added in v0.17.5
type CreateKeyRequest = apiv1.CreateKeyRequest
CreateKeyRequest is the request used to generate a new key using a KMS.
type GetCertificateAuthorityRequest ¶
type GetCertificateAuthorityRequest struct {
Name string
}
GetCertificateAuthorityRequest is the request used to get the root certificate from a CAS.
type GetCertificateAuthorityResponse ¶
type GetCertificateAuthorityResponse struct {
	RootCertificate          *x509.Certificate
	IntermediateCertificates []*x509.Certificate
}
GetCertificateAuthorityResponse is the response that contains the root certificate and, when the CAS has them, the intermediate certificates.
type NotImplementedError ¶ added in v0.23.0
type NotImplementedError struct {
Message string
}
NotImplementedError is the type of error returned if an operation is not implemented.
func (NotImplementedError) Error ¶ added in v0.23.0
func (e NotImplementedError) Error() string
Error implements the error interface.
func (NotImplementedError) StatusCode ¶ added in v0.23.0
func (e NotImplementedError) StatusCode() int
StatusCode implements the StatusCoder interface and returns HTTP status 501 (Not Implemented).
type Options ¶
type Options struct {
	// AuthorityID is the id of the current authority. This is used on
	// StepCAS to add information about the origin of a certificate.
	AuthorityID string `json:"-"`

	// The type of the CAS to use.
	Type string `json:"type"`

	// CertificateAuthority reference:
	// In StepCAS the value is the CA url, e.g., "https://ca.smallstep.com:9000".
	// In CloudCAS the format is "projects/*/locations/*/certificateAuthorities/*".
	// In VaultCAS the value is the url, e.g., "https://vault.smallstep.com".
	CertificateAuthority string `json:"certificateAuthority,omitempty"`

	// CertificateAuthorityFingerprint is the root fingerprint used to
	// authenticate the connection to the CA when using StepCAS.
	CertificateAuthorityFingerprint string `json:"certificateAuthorityFingerprint,omitempty"`

	// CertificateIssuer contains the configuration used in StepCAS.
	CertificateIssuer *CertificateIssuer `json:"certificateIssuer,omitempty"`

	// Path to the credentials file used in CloudCAS. If not defined the default
	// authentication mechanism provided by Google SDK will be used. See
	// https://cloud.google.com/docs/authentication.
	CredentialsFile string `json:"credentialsFile,omitempty"`

	// CertificateChain contains the issuer certificate, along with any other
	// bundled certificates to be returned in the chain to consumers. It is
	// used in SoftCAS and it is configured in the crt property of the ca.json.
	CertificateChain []*x509.Certificate `json:"-"`

	// Signer is the private key or a KMS signer for the issuer certificate. It
	// is used in SoftCAS and it is configured in the key property of the
	// ca.json.
	Signer crypto.Signer `json:"-"`

	// CertificateSigner combines CertificateChain and Signer in a callback that
	// returns the chain of certificates and the signer used to sign X.509
	// certificates in SoftCAS.
	CertificateSigner func() ([]*x509.Certificate, crypto.Signer, error) `json:"-"`

	// IsCreator is set to true when we're creating a certificate authority. It
	// is used to skip some validations when initializing a
	// CertificateAuthority. This option is used on SoftCAS and CloudCAS.
	IsCreator bool `json:"-"`

	// IsCAGetter is set to true when we're just using the
	// CertificateAuthorityGetter interface to retrieve the root certificate. It
	// is used to skip some validations when initializing a
	// CertificateAuthority. This option is used on StepCAS.
	IsCAGetter bool `json:"-"`

	// KeyManager is the KMS used to generate keys in SoftCAS.
	KeyManager kms.KeyManager `json:"-"`

	// Project, Location, CaPool and GCSBucket are parameters used in CloudCAS
	// to create a new certificate authority. If a CaPool does not exist it will
	// be created. GCSBucket is optional, if not provided GCloud will create a
	// managed bucket.
	Project    string `json:"-"`
	Location   string `json:"-"`
	CaPool     string `json:"-"`
	CaPoolTier string `json:"-"`
	GCSBucket  string `json:"-"`

	// Generic structure to configure any CAS.
	Config json.RawMessage `json:"config,omitempty"`
}
Options represents the configuration options used to select and configure the CertificateAuthorityService (CAS) to use.
type ProvisionerInfo ¶ added in v0.22.0
ProvisionerInfo contains information about the provisioner used to authorize a certificate.
type RenewCertificateRequest ¶
type RenewCertificateRequest struct {
	Template  *x509.Certificate
	CSR       *x509.CertificateRequest
	Lifetime  time.Duration
	Backdate  time.Duration
	Token     string
	RequestID string
}
RenewCertificateRequest is the request used to re-sign a certificate.
type RenewCertificateResponse ¶
type RenewCertificateResponse struct {
	Certificate      *x509.Certificate
	CertificateChain []*x509.Certificate
}
RenewCertificateResponse is the response to a renew certificate request.
type RevokeCertificateRequest ¶
type RevokeCertificateRequest struct {
	Certificate  *x509.Certificate
	SerialNumber string
	Reason       string
	ReasonCode   int
	PassiveOnly  bool
	RequestID    string
}
RevokeCertificateRequest is the request used to revoke a certificate.
type RevokeCertificateResponse ¶
type RevokeCertificateResponse struct {
	Certificate      *x509.Certificate
	CertificateChain []*x509.Certificate
}
RevokeCertificateResponse is the response to a revoke certificate request.
type SignatureAlgorithm ¶ added in v0.15.6
type SignatureAlgorithm int
SignatureAlgorithm is the algorithm used for cryptographic signing.
const (
	// Not specified.
	UnspecifiedSignAlgorithm SignatureAlgorithm = iota
	// RSASSA-PKCS1-v1_5 key and a SHA256 digest.
	SHA256WithRSA
	// RSASSA-PKCS1-v1_5 key and a SHA384 digest.
	SHA384WithRSA
	// RSASSA-PKCS1-v1_5 key and a SHA512 digest.
	SHA512WithRSA
	// RSASSA-PSS key with a SHA256 digest.
	SHA256WithRSAPSS
	// RSASSA-PSS key with a SHA384 digest.
	SHA384WithRSAPSS
	// RSASSA-PSS key with a SHA512 digest.
	SHA512WithRSAPSS
	// ECDSA on the NIST P-256 curve with a SHA256 digest.
	ECDSAWithSHA256
	// ECDSA on the NIST P-384 curve with a SHA384 digest.
	ECDSAWithSHA384
	// ECDSA on the NIST P-521 curve with a SHA512 digest.
	ECDSAWithSHA512
	// EdDSA on Curve25519 with a SHA512 digest.
	PureEd25519
)
type SignatureAlgorithmGetter ¶ added in v0.17.3
type SignatureAlgorithmGetter interface {
SignatureAlgorithm() x509.SignatureAlgorithm
}
SignatureAlgorithmGetter is an optional interface that a crypto.Signer can implement to tell the CAS which x509.SignatureAlgorithm to use when signing.
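Added example (not the package's own code) of a crypto.Signer that implements SignatureAlgorithmGetter. pssSigner is an assumed wrapper around an RSA key that asks for RSA-PSS, which matters because crypto/x509 defaults an RSA key to PKCS#1 v1.5 when the template leaves SignatureAlgorithm unset. applySignatureAlgorithm is the resolution rule this example uses (an explicit template value wins, otherwise the signer's preference), and selfSign shows the algorithm that actually ends up in the issued certificate.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// SignatureAlgorithmGetter mirrors the optional interface on this page.
type SignatureAlgorithmGetter interface {
	SignatureAlgorithm() x509.SignatureAlgorithm
}

// pssSigner is an assumed wrapper (not part of the package) around an RSA key
// that asks for RSA-PSS instead of the PKCS#1 v1.5 default crypto/x509 picks
// for RSA keys when the template leaves SignatureAlgorithm unset.
type pssSigner struct{ key *rsa.PrivateKey }

func (s pssSigner) Public() crypto.PublicKey { return s.key.Public() }

// Sign delegates to the key; crypto/x509 passes *rsa.PSSOptions when the
// template's SignatureAlgorithm is a PSS variant, and the RSA key honours them.
func (s pssSigner) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	return s.key.Sign(r, digest, opts)
}

func (pssSigner) SignatureAlgorithm() x509.SignatureAlgorithm { return x509.SHA256WithRSAPSS }

// applySignatureAlgorithm copies the signer's preferred algorithm into the
// template only when the template does not already pin one.
func applySignatureAlgorithm(tpl *x509.Certificate, signer crypto.Signer) {
	if tpl.SignatureAlgorithm != x509.UnknownSignatureAlgorithm {
		return
	}
	if g, ok := signer.(SignatureAlgorithmGetter); ok {
		tpl.SignatureAlgorithm = g.SignatureAlgorithm()
	}
}

// selfSign issues a self-signed CA certificate with signer, verifies its
// signature and reports the algorithm actually encoded in it.
func selfSign(signer crypto.Signer) (x509.SignatureAlgorithm, error) {
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "pss-example"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	applySignatureAlgorithm(tpl, signer)
	der, err := x509.CreateCertificate(rand.Reader, tpl, tpl, signer.Public(), signer)
	if err != nil {
		return x509.UnknownSignatureAlgorithm, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return x509.UnknownSignatureAlgorithm, err
	}
	return cert.SignatureAlgorithm, cert.CheckSignatureFrom(cert)
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	for _, s := range []crypto.Signer{key, pssSigner{key: key}} {
		alg, err := selfSign(s)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%T signs with %v\n", s, alg)
	}
}
```

The same pattern applies to a KMS-backed signer: the wrapper answers SignatureAlgorithm() with whatever the hardware or cloud key is provisioned for, so a template that does not pin an algorithm cannot accidentally request one the key cannot perform.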
type Type ¶
type Type string
Type represents the CAS type used.
func TypeOf ¶ added in v0.26.0
func TypeOf(c CertificateAuthorityService) Type
TypeOf returns the type of the given CertificateAuthorityService.
type ValidationError ¶ added in v0.23.0
type ValidationError struct {
Message string
}
ValidationError is the type of error returned when a request fails validation.
func (ValidationError) Error ¶ added in v0.23.0
func (e ValidationError) Error() string
Error implements the error interface.
func (ValidationError) StatusCode ¶ added in v0.23.0
func (e ValidationError) StatusCode() int
StatusCode implements the StatusCoder interface and returns HTTP status 400 (Bad Request).