authority

package
v0.8.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 21, 2018 License: Apache-2.0 Imports: 27 Imported by: 38

Documentation

Index

Constants

View Source 
const DefaultProvisionersLimit = 20

DefaultProvisionersLimit is the default limit for listing provisioners.

View Source 
const DefaultProvisionersMax = 100

DefaultProvisionersMax is the maximum limit for listing provisioners.

Variables

View Source 
var (
	// DefaultTLSOptions represents the default TLS version as well as the cipher
	// suites used in the TLS certificates.
	DefaultTLSOptions = tlsutil.TLSOptions{
		CipherSuites: x509util.CipherSuites{
			"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
			"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
			"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
		},
		MinVersion:    1.2,
		MaxVersion:    1.2,
		Renegotiation: false,
	}
)

Functions

This section is empty.

Types

type AuthConfig 

type AuthConfig struct {
	Provisioners         []*Provisioner     `json:"provisioners,omitempty"`
	Template             *x509util.ASN1DN   `json:"template,omitempty"`
	Claims               *ProvisionerClaims `json:"claims,omitempty"`
	DisableIssuedAtCheck bool               `json:"disableIssuedAtCheck,omitempty"`
}

AuthConfig represents the configuration options for the authority.

func (*AuthConfig) Validate 

func (c *AuthConfig) Validate() error

Validate validates the authority configuration.

type Authority 

type Authority struct {
	// contains filtered or unexported fields
}

Authority implements the Certificate Authority internal interface.

func New 

func New(config *Config) (*Authority, error)

New creates and initiates a new Authority type.

func (*Authority) Authorize 

func (a *Authority) Authorize(ott string) ([]interface{}, error)

Authorize authorizes a signature request by validating and authenticating a OTT that must be sent w/ the request.

func (*Authority) GetEncryptedKey 

func (a *Authority) GetEncryptedKey(kid string) (string, error)

GetEncryptedKey returns the JWE key corresponding to the given kid argument.

func (*Authority) GetProvisioners 

func (a *Authority) GetProvisioners(cursor string, limit int) ([]*Provisioner, string, error)

GetProvisioners returns a map listing each provisioner and the JWK Key Set with their public keys.

func (*Authority) GetRootCertificate 

func (a *Authority) GetRootCertificate() *x509.Certificate

GetRootCertificate returns the server root certificate.

func (*Authority) GetTLSCertificate 

func (a *Authority) GetTLSCertificate() (*tls.Certificate, error)

GetTLSCertificate creates a new leaf certificate to be used by the CA HTTPS server.

func (*Authority) GetTLSOptions 

func (a *Authority) GetTLSOptions() *tlsutil.TLSOptions

GetTLSOptions returns the tls options configured.

func (*Authority) Renew 

func (a *Authority) Renew(ocx *x509.Certificate) (*x509.Certificate, *x509.Certificate, error)

Renew creates a new Certificate identical to the old certificate, except with a validity window that begins 'now'.

func (*Authority) Root 

func (a *Authority) Root(sum string) (*x509.Certificate, error)

Root returns the certificate corresponding to the given SHA sum argument.

func (*Authority) Sign 

func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts SignOptions, extraOpts ...interface{}) (*x509.Certificate, *x509.Certificate, error)

Sign creates a signed certificate from a certificate signing request.

type Config 

type Config struct {
	Root             string              `json:"root"`
	IntermediateCert string              `json:"crt"`
	IntermediateKey  string              `json:"key"`
	Address          string              `json:"address"`
	DNSNames         []string            `json:"dnsNames"`
	Logger           json.RawMessage     `json:"logger,omitempty"`
	Monitoring       json.RawMessage     `json:"monitoring,omitempty"`
	AuthorityConfig  *AuthConfig         `json:"authority,omitempty"`
	TLS              *tlsutil.TLSOptions `json:"tls,omitempty"`
	Password         string              `json:"password,omitempty"`
}

Config represents the CA configuration and it's mapped to a JSON object.

func LoadConfiguration 

func LoadConfiguration(filename string) (*Config, error)

LoadConfiguration parses the given filename in JSON format and returns the configuration struct.

func (*Config) Save 

func (c *Config) Save(filename string) error

Save saves the configuration to the given filename.

func (*Config) Validate 

func (c *Config) Validate() error

Validate validates the configuration.

type Provisioner 

type Provisioner struct {
	Name         string             `json:"name,omitempty"`
	Type         string             `json:"type,omitempty"`
	Key          *jose.JSONWebKey   `json:"key,omitempty"`
	EncryptedKey string             `json:"encryptedKey,omitempty"`
	Claims       *ProvisionerClaims `json:"claims,omitempty"`
}

Provisioner - authorized entity that can sign tokens necessary for signature requests.

func (*Provisioner) ID 

func (p *Provisioner) ID() string

ID returns the provisioner identifier. The name and credential id should uniquely identify any provisioner.

func (*Provisioner) Init 

func (p *Provisioner) Init(global *ProvisionerClaims) error

Init initializes and validates a the fields of Provisioner type.

type ProvisionerClaims 

type ProvisionerClaims struct {
	MinTLSDur      *duration `json:"minTLSCertDuration,omitempty"`
	MaxTLSDur      *duration `json:"maxTLSCertDuration,omitempty"`
	DefaultTLSDur  *duration `json:"defaultTLSCertDuration,omitempty"`
	DisableRenewal *bool     `json:"disableRenewal,omitempty"`
	// contains filtered or unexported fields
}

ProvisionerClaims so that individual provisioners can override global claims.

func (*ProvisionerClaims) DefaultTLSCertDuration 

func (pc *ProvisionerClaims) DefaultTLSCertDuration() time.Duration

DefaultTLSCertDuration returns the default TLS cert duration for the provisioner. If the default is not set within the provisioner, then the global default from the authority configuration will be used.

func (*ProvisionerClaims) Init 

func (pc *ProvisionerClaims) Init(global *ProvisionerClaims) (*ProvisionerClaims, error)

Init initializes and validates the individual provisioner claims.

func (*ProvisionerClaims) IsDisableRenewal 

func (pc *ProvisionerClaims) IsDisableRenewal() bool

IsDisableRenewal returns if the renewal flow is disabled for the provisioner. If the property is not set within the provisioner, then the global value from the authority configuration will be used.

func (*ProvisionerClaims) MaxTLSCertDuration 

func (pc *ProvisionerClaims) MaxTLSCertDuration() time.Duration

MaxTLSCertDuration returns the maximum TLS cert duration for the provisioner. If the maximum is not set within the provisioner, then the global maximum from the authority configuration will be used.

func (*ProvisionerClaims) MinTLSCertDuration 

func (pc *ProvisionerClaims) MinTLSCertDuration() time.Duration

MinTLSCertDuration returns the minimum TLS cert duration for the provisioner. If the minimum is not set within the provisioner, then the global minimum from the authority configuration will be used.

func (*ProvisionerClaims) Validate 

func (pc *ProvisionerClaims) Validate() error

Validate validates and modifies the Claims with default values.

type SignOptions 

type SignOptions struct {
	NotAfter  time.Time `json:"notAfter"`
	NotBefore time.Time `json:"notBefore"`
}

SignOptions contains the options that can be passed to the Authority.Sign method.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.