authority

package
v0.8.1-rc.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 27, 2018 License: Apache-2.0 Imports: 26 Imported by: 38

Documentation

Index

Constants

View Source
const DefaultProvisionersLimit = 20

DefaultProvisionersLimit is the default limit for listing provisioners.

View Source
const DefaultProvisionersMax = 100

DefaultProvisionersMax is the maximum limit for listing provisioners.

Variables

View Source
var (
	// DefaultTLSOptions represents the default TLS version as well as the cipher
	// suites used in the TLS certificates.
	DefaultTLSOptions = tlsutil.TLSOptions{
		CipherSuites: x509util.CipherSuites{
			"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
			"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
			"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
		},
		MinVersion:    1.2,
		MaxVersion:    1.2,
		Renegotiation: false,
	}
)

Functions

This section is empty.

Types

type AuthConfig

type AuthConfig struct {
	Provisioners         []*Provisioner     `json:"provisioners,omitempty"`
	Template             *x509util.ASN1DN   `json:"template,omitempty"`
	Claims               *ProvisionerClaims `json:"claims,omitempty"`
	DisableIssuedAtCheck bool               `json:"disableIssuedAtCheck,omitempty"`
}

AuthConfig represents the configuration options for the authority.

func (*AuthConfig) Validate

func (c *AuthConfig) Validate() error

Validate validates the authority configuration.

type Authority

type Authority struct {
	// contains filtered or unexported fields
}

Authority implements the Certificate Authority internal interface.

func New

func New(config *Config) (*Authority, error)

New creates and initiates a new Authority type.

func (*Authority) Authorize

func (a *Authority) Authorize(ott string) ([]interface{}, error)

Authorize authorizes a signature request by validating and authenticating a OTT that must be sent w/ the request.

func (*Authority) GetEncryptedKey

func (a *Authority) GetEncryptedKey(kid string) (string, error)

GetEncryptedKey returns the JWE key corresponding to the given kid argument.

func (*Authority) GetProvisioners

func (a *Authority) GetProvisioners(cursor string, limit int) ([]*Provisioner, string, error)

GetProvisioners returns a map listing each provisioner and the JWK Key Set with their public keys.

func (*Authority) GetRootCertificate

func (a *Authority) GetRootCertificate() *x509.Certificate

GetRootCertificate returns the server root certificate.

func (*Authority) GetTLSCertificate

func (a *Authority) GetTLSCertificate() (*tls.Certificate, error)

GetTLSCertificate creates a new leaf certificate to be used by the CA HTTPS server.

func (*Authority) GetTLSOptions

func (a *Authority) GetTLSOptions() *tlsutil.TLSOptions

GetTLSOptions returns the tls options configured.

func (*Authority) Renew

Renew creates a new Certificate identical to the old certificate, except with a validity window that begins 'now'.

func (*Authority) Root

func (a *Authority) Root(sum string) (*x509.Certificate, error)

Root returns the certificate corresponding to the given SHA sum argument.

func (*Authority) Sign

func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts SignOptions, extraOpts ...interface{}) (*x509.Certificate, *x509.Certificate, error)

Sign creates a signed certificate from a certificate signing request.

type Config

type Config struct {
	Root             string              `json:"root"`
	IntermediateCert string              `json:"crt"`
	IntermediateKey  string              `json:"key"`
	Address          string              `json:"address"`
	DNSNames         []string            `json:"dnsNames"`
	Logger           json.RawMessage     `json:"logger,omitempty"`
	Monitoring       json.RawMessage     `json:"monitoring,omitempty"`
	AuthorityConfig  *AuthConfig         `json:"authority,omitempty"`
	TLS              *tlsutil.TLSOptions `json:"tls,omitempty"`
	Password         string              `json:"password,omitempty"`
}

Config represents the CA configuration and it's mapped to a JSON object.

func LoadConfiguration

func LoadConfiguration(filename string) (*Config, error)

LoadConfiguration parses the given filename in JSON format and returns the configuration struct.

func (*Config) Save

func (c *Config) Save(filename string) error

Save saves the configuration to the given filename.

func (*Config) Validate

func (c *Config) Validate() error

Validate validates the configuration.

type Provisioner

type Provisioner struct {
	Name         string             `json:"name,omitempty"`
	Type         string             `json:"type,omitempty"`
	Key          *jose.JSONWebKey   `json:"key,omitempty"`
	EncryptedKey string             `json:"encryptedKey,omitempty"`
	Claims       *ProvisionerClaims `json:"claims,omitempty"`
}

Provisioner - authorized entity that can sign tokens necessary for signature requests.

func (*Provisioner) ID

func (p *Provisioner) ID() string

ID returns the provisioner identifier. The name and credential id should uniquely identify any provisioner.

func (*Provisioner) Init

func (p *Provisioner) Init(global *ProvisionerClaims) error

Init initializes and validates a the fields of Provisioner type.

type ProvisionerClaims

type ProvisionerClaims struct {
	MinTLSDur      *duration `json:"minTLSCertDuration,omitempty"`
	MaxTLSDur      *duration `json:"maxTLSCertDuration,omitempty"`
	DefaultTLSDur  *duration `json:"defaultTLSCertDuration,omitempty"`
	DisableRenewal *bool     `json:"disableRenewal,omitempty"`
	// contains filtered or unexported fields
}

ProvisionerClaims so that individual provisioners can override global claims.

func (*ProvisionerClaims) DefaultTLSCertDuration

func (pc *ProvisionerClaims) DefaultTLSCertDuration() time.Duration

DefaultTLSCertDuration returns the default TLS cert duration for the provisioner. If the default is not set within the provisioner, then the global default from the authority configuration will be used.

func (*ProvisionerClaims) Init

Init initializes and validates the individual provisioner claims.

func (*ProvisionerClaims) IsDisableRenewal

func (pc *ProvisionerClaims) IsDisableRenewal() bool

IsDisableRenewal returns if the renewal flow is disabled for the provisioner. If the property is not set within the provisioner, then the global value from the authority configuration will be used.

func (*ProvisionerClaims) MaxTLSCertDuration

func (pc *ProvisionerClaims) MaxTLSCertDuration() time.Duration

MaxTLSCertDuration returns the maximum TLS cert duration for the provisioner. If the maximum is not set within the provisioner, then the global maximum from the authority configuration will be used.

func (*ProvisionerClaims) MinTLSCertDuration

func (pc *ProvisionerClaims) MinTLSCertDuration() time.Duration

MinTLSCertDuration returns the minimum TLS cert duration for the provisioner. If the minimum is not set within the provisioner, then the global minimum from the authority configuration will be used.

func (*ProvisionerClaims) Validate

func (pc *ProvisionerClaims) Validate() error

Validate validates and modifies the Claims with default values.

type SignOptions

type SignOptions struct {
	NotAfter  time.Time `json:"notAfter"`
	NotBefore time.Time `json:"notBefore"`
}

SignOptions contains the options that can be passed to the Authority.Sign method.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL