apiv1

package
v0.28.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 29, 2024 License: Apache-2.0 Imports: 13 Imported by: 3

Documentation

Index

Constants

View Source
const (
	// DefaultCAS is a CertificateAuthorityService using software.
	DefaultCAS = ""
	// SoftCAS is a CertificateAuthorityService using software.
	SoftCAS = "softcas"
	// CloudCAS is a CertificateAuthorityService using Google Cloud CAS.
	CloudCAS = "cloudcas"
	// StepCAS is a CertificateAuthorityService using another step-ca instance.
	StepCAS = "stepcas"
	// VaultCAS is a CertificateAuthorityService using Hasicorp Vault PKI.
	VaultCAS = "vaultcas"
	// ExternalCAS is a CertificateAuthorityService using an external injected CA implementation
	ExternalCAS = "externalcas"
)

Variables

This section is empty.

Functions

func CreateCertificateAuthorityExtension

func CreateCertificateAuthorityExtension(typ Type, certificateID string, keyValuePairs ...string) (pkix.Extension, error)

CreateCertificateAuthorityExtension returns a X.509 extension that shows the CAS type, id and a list of optional key value pairs.

func FindCertificateAuthorityExtension

func FindCertificateAuthorityExtension(cert *x509.Certificate) (pkix.Extension, bool)

FindCertificateAuthorityExtension returns the certificate authority extension from a signed certificate.

func Register

Register adds to the registry a method to create a KeyManager of type t.

func RemoveCertificateAuthorityExtension

func RemoveCertificateAuthorityExtension(cert *x509.Certificate)

RemoveCertificateAuthorityExtension removes the certificate authority extension from a certificate template.

Types

type CertificateAuthorityCRLGenerator added in v0.23.0

type CertificateAuthorityCRLGenerator interface {
	CreateCRL(req *CreateCRLRequest) (*CreateCRLResponse, error)
}

CertificateAuthorityCRLGenerator is an optional interface implemented by CertificateAuthorityService that has a method to create a CRL

type CertificateAuthorityCreator added in v0.15.6

type CertificateAuthorityCreator interface {
	CreateCertificateAuthority(req *CreateCertificateAuthorityRequest) (*CreateCertificateAuthorityResponse, error)
}

CertificateAuthorityCreator is an interface implemented by a CertificateAuthorityService that has a method to create a new certificate authority.

type CertificateAuthorityExtension

type CertificateAuthorityExtension struct {
	Type          string
	CertificateID string   `asn1:"optional,omitempty"`
	KeyValuePairs []string `asn1:"optional,omitempty"`
}

CertificateAuthorityExtension type is used to encode the certificate authority extension.

type CertificateAuthorityGetter

type CertificateAuthorityGetter interface {
	GetCertificateAuthority(req *GetCertificateAuthorityRequest) (*GetCertificateAuthorityResponse, error)
}

CertificateAuthorityGetter is an interface implemented by a CertificateAuthorityService that has a method to get the root certificate.

type CertificateAuthorityService

type CertificateAuthorityService interface {
	CreateCertificate(req *CreateCertificateRequest) (*CreateCertificateResponse, error)
	RenewCertificate(req *RenewCertificateRequest) (*RenewCertificateResponse, error)
	RevokeCertificate(req *RevokeCertificateRequest) (*RevokeCertificateResponse, error)
}

CertificateAuthorityService is the interface implemented to support external certificate authorities.

type CertificateAuthorityServiceNewFunc

type CertificateAuthorityServiceNewFunc func(ctx context.Context, opts Options) (CertificateAuthorityService, error)

CertificateAuthorityServiceNewFunc is the type that represents the method to initialize a new CertificateAuthorityService.

func LoadCertificateAuthorityServiceNewFunc

func LoadCertificateAuthorityServiceNewFunc(t Type) (CertificateAuthorityServiceNewFunc, bool)

LoadCertificateAuthorityServiceNewFunc returns the function to initialize a KeyManager.

type CertificateAuthoritySigner added in v0.26.2

type CertificateAuthoritySigner interface {
	GetSigner() (crypto.Signer, error)
}

CertificateAuthoritySigner is an optional interface implemented by a CertificateAuthorityService that has a method that returns a crypto.Signer using the same key used to issue certificates.

type CertificateAuthorityType added in v0.15.6

type CertificateAuthorityType int

CertificateAuthorityType indicates the type of Certificate Authority to create.

const (
	// RootCA is the type used to create a self-signed certificate suitable for
	// use as a root CA.
	RootCA CertificateAuthorityType = iota + 1

	// IntermediateCA is the type used to create a subordinated certificate that
	// can be used to sign additional leaf certificates.
	IntermediateCA
)

type CertificateIssuer added in v0.15.11

type CertificateIssuer struct {
	Type        string `json:"type"`
	Provisioner string `json:"provisioner,omitempty"`
	Certificate string `json:"crt,omitempty"`
	Key         string `json:"key,omitempty"`
	Password    string `json:"password,omitempty"`
}

CertificateIssuer contains the properties used to use the StepCAS certificate authority service.

type CreateCRLRequest added in v0.23.0

type CreateCRLRequest struct {
	RevocationList *x509.RevocationList
}

CreateCRLRequest is the request to create a Certificate Revocation List.

type CreateCRLResponse added in v0.23.0

type CreateCRLResponse struct {
	CRL []byte //the CRL in DER format
}

CreateCRLResponse is the response to a Certificate Revocation List request.

type CreateCertificateAuthorityRequest added in v0.15.6

type CreateCertificateAuthorityRequest struct {
	Name      string
	Type      CertificateAuthorityType
	Template  *x509.Certificate
	Lifetime  time.Duration
	Backdate  time.Duration
	RequestID string
	Project   string
	Location  string

	// Parent is the signer of the new CertificateAuthority.
	Parent *CreateCertificateAuthorityResponse

	// CreateKey defines the KMS CreateKeyRequest to use when creating a new
	// CertificateAuthority. If CreateKey is nil, a default algorithm will be
	// used.
	CreateKey *CreateKeyRequest
}

CreateCertificateAuthorityRequest is the request used to generate a root or intermediate certificate.

type CreateCertificateAuthorityResponse added in v0.15.6

type CreateCertificateAuthorityResponse struct {
	Name             string
	Certificate      *x509.Certificate
	CertificateChain []*x509.Certificate
	KeyName          string
	PublicKey        crypto.PublicKey
	PrivateKey       crypto.PrivateKey
	Signer           crypto.Signer
}

CreateCertificateAuthorityResponse is the response for CreateCertificateAuthority method and contains the root or intermediate certificate generated as well as the CA chain.

type CreateCertificateRequest

type CreateCertificateRequest struct {
	Template       *x509.Certificate
	CSR            *x509.CertificateRequest
	Lifetime       time.Duration
	Backdate       time.Duration
	RequestID      string
	Provisioner    *ProvisionerInfo
	IsCAServerCert bool
}

CreateCertificateRequest is the request used to sign a new certificate.

type CreateCertificateResponse

type CreateCertificateResponse struct {
	Certificate      *x509.Certificate
	CertificateChain []*x509.Certificate
}

CreateCertificateResponse is the response to a create certificate request.

type CreateKeyRequest added in v0.17.5

type CreateKeyRequest = apiv1.CreateKeyRequest

CreateKeyRequest is the request used to generate a new key using a KMS.

type GetCertificateAuthorityRequest

type GetCertificateAuthorityRequest struct {
	Name string
}

GetCertificateAuthorityRequest is the request used to get the root certificate from a CAS.

type GetCertificateAuthorityResponse

type GetCertificateAuthorityResponse struct {
	RootCertificate          *x509.Certificate
	IntermediateCertificates []*x509.Certificate
}

GetCertificateAuthorityResponse is the response that contains the root certificate.

type NotImplementedError added in v0.23.0

type NotImplementedError struct {
	Message string
}

NotImplementedError is the type of error returned if an operation is not implemented.

func (NotImplementedError) Error added in v0.23.0

func (e NotImplementedError) Error() string

Error implements the error interface.

func (NotImplementedError) StatusCode added in v0.23.0

func (e NotImplementedError) StatusCode() int

StatusCode implements the StatusCoder interface and returns the HTTP 501 error.

type Options

type Options struct {
	// AuthorityID is the the id oc the current authority. This is used on
	// StepCAS to add information about the origin of a certificate.
	AuthorityID string `json:"-"`

	// The type of the CAS to use.
	Type string `json:"type"`

	// CertificateAuthority reference:
	// In StepCAS the value is the CA url, e.g., "https://ca.smallstep.com:9000".
	// In CloudCAS the format is "projects/*/locations/*/certificateAuthorities/*".
	// In VaultCAS the value is the url, e.g., "https://vault.smallstep.com".
	CertificateAuthority string `json:"certificateAuthority,omitempty"`

	// CertificateAuthorityFingerprint is the root fingerprint used to
	// authenticate the connection to the CA when using StepCAS.
	CertificateAuthorityFingerprint string `json:"certificateAuthorityFingerprint,omitempty"`

	// CertificateIssuer contains the configuration used in StepCAS.
	CertificateIssuer *CertificateIssuer `json:"certificateIssuer,omitempty"`

	// Path to the credentials file used in CloudCAS. If not defined the default
	// authentication mechanism provided by Google SDK will be used. See
	// https://cloud.google.com/docs/authentication.
	CredentialsFile string `json:"credentialsFile,omitempty"`

	// CertificateChain contains the issuer certificate, along with any other
	// bundled certificates to be returned in the chain to consumers. It is used
	// used in SoftCAS and it is configured in the crt property of the ca.json.
	CertificateChain []*x509.Certificate `json:"-"`

	// Signer is the private key or a KMS signer for the issuer certificate. It
	// is used in SoftCAS and it is configured in the key property of the
	// ca.json.
	Signer crypto.Signer `json:"-"`

	// CertificateSigner combines CertificateChain and Signer in a callback that
	// returns the chain of certificate and signer used to sign X.509
	// certificates in SoftCAS.
	CertificateSigner func() ([]*x509.Certificate, crypto.Signer, error) `json:"-"`

	// IsCreator is set to true when we're creating a certificate authority. It
	// is used to skip some validations when initializing a
	// CertificateAuthority. This option is used on SoftCAS and CloudCAS.
	IsCreator bool `json:"-"`

	// IsCAGetter is set to true when we're just using the
	// CertificateAuthorityGetter interface to retrieve the root certificate. It
	// is used to skip some validations when initializing a
	// CertificateAuthority. This option is used on StepCAS.
	IsCAGetter bool `json:"-"`

	// KeyManager is the KMS used to generate keys in SoftCAS.
	KeyManager kms.KeyManager `json:"-"`

	// Project, Location, CaPool and GCSBucket are parameters used in CloudCAS
	// to create a new certificate authority. If a CaPool does not exist it will
	// be created. GCSBucket is optional, if not provided GCloud will create a
	// managed bucket.
	Project    string `json:"-"`
	Location   string `json:"-"`
	CaPool     string `json:"-"`
	CaPoolTier string `json:"-"`
	GCSBucket  string `json:"-"`

	// Generic structure to configure any CAS
	Config json.RawMessage `json:"config,omitempty"`
}

Options represents the configuration options used to select and configure the CertificateAuthorityService (CAS) to use.

func (*Options) Is

func (o *Options) Is(t Type) bool

Is returns if the options have the given type.

func (*Options) Validate

func (o *Options) Validate() error

Validate checks the fields in Options.

type ProvisionerInfo added in v0.22.0

type ProvisionerInfo struct {
	ID   string
	Type string
	Name string
}

ProvisionerInfo contains information of the provisioner used to authorize a certificate.

type RenewCertificateRequest

type RenewCertificateRequest struct {
	Template  *x509.Certificate
	CSR       *x509.CertificateRequest
	Lifetime  time.Duration
	Backdate  time.Duration
	Token     string
	RequestID string
}

RenewCertificateRequest is the request used to re-sign a certificate.

type RenewCertificateResponse

type RenewCertificateResponse struct {
	Certificate      *x509.Certificate
	CertificateChain []*x509.Certificate
}

RenewCertificateResponse is the response to a renew certificate request.

type RevokeCertificateRequest

type RevokeCertificateRequest struct {
	Certificate  *x509.Certificate
	SerialNumber string
	Reason       string
	ReasonCode   int
	PassiveOnly  bool
	RequestID    string
}

RevokeCertificateRequest is the request used to revoke a certificate.

type RevokeCertificateResponse

type RevokeCertificateResponse struct {
	Certificate      *x509.Certificate
	CertificateChain []*x509.Certificate
}

RevokeCertificateResponse is the response to a revoke certificate request.

type SignatureAlgorithm added in v0.15.6

type SignatureAlgorithm int

SignatureAlgorithm used for cryptographic signing.

const (
	// Not specified.
	UnspecifiedSignAlgorithm SignatureAlgorithm = iota
	// RSASSA-PKCS1-v1_5 key and a SHA256 digest.
	SHA256WithRSA
	// RSASSA-PKCS1-v1_5 key and a SHA384 digest.
	SHA384WithRSA
	// RSASSA-PKCS1-v1_5 key and a SHA512 digest.
	SHA512WithRSA
	// RSASSA-PSS key with a SHA256 digest.
	SHA256WithRSAPSS
	// RSASSA-PSS key with a SHA384 digest.
	SHA384WithRSAPSS
	// RSASSA-PSS key with a SHA512 digest.
	SHA512WithRSAPSS
	// ECDSA on the NIST P-256 curve with a SHA256 digest.
	ECDSAWithSHA256
	// ECDSA on the NIST P-384 curve with a SHA384 digest.
	ECDSAWithSHA384
	// ECDSA on the NIST P-521 curve with a SHA512 digest.
	ECDSAWithSHA512
	// EdDSA on Curve25519 with a SHA512 digest.
	PureEd25519
)

type SignatureAlgorithmGetter added in v0.17.3

type SignatureAlgorithmGetter interface {
	SignatureAlgorithm() x509.SignatureAlgorithm
}

SignatureAlgorithmGetter is an optional implementation in a crypto.Signer that returns the SignatureAlgorithm to use.

type Type

type Type string

Type represents the CAS type used.

func TypeOf added in v0.26.0

TypeOf returns the type of the given CertificateAuthorityService.

func (Type) String

func (t Type) String() string

String returns a string from the type. It will always return the lower case version of the Type, as we need a standard type to compare and use as the registry key.

type ValidationError added in v0.23.0

type ValidationError struct {
	Message string
}

ValidationError is the type of error returned if request is not properly validated.

func (ValidationError) Error added in v0.23.0

func (e ValidationError) Error() string

NotImplementedError implements the error interface.

func (ValidationError) StatusCode added in v0.23.0

func (e ValidationError) StatusCode() int

StatusCode implements the StatusCoder interface and returns the HTTP 400 error.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL