authority

package v0.8.5
Published: Feb 21, 2019 License: Apache-2.0 Imports: 28 Imported by: 38

Documentation

Constants

const DefaultProvisionersLimit = 20

DefaultProvisionersLimit is the default limit for listing provisioners.

const DefaultProvisionersMax = 100

DefaultProvisionersMax is the maximum limit for listing provisioners.

Variables

var (
	// DefaultTLSOptions represents the default TLS version as well as the cipher
	// suites used in the TLS certificates.
	DefaultTLSOptions = tlsutil.TLSOptions{
		CipherSuites: x509util.CipherSuites{
			"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
			"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
			"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
		},
		MinVersion:    1.2,
		MaxVersion:    1.2,
		Renegotiation: false,
	}
)

Functions

This section is empty.

Types

type AuthConfig

type AuthConfig struct {
	Provisioners         []*Provisioner     `json:"provisioners,omitempty"`
	Template             *x509util.ASN1DN   `json:"template,omitempty"`
	Claims               *ProvisionerClaims `json:"claims,omitempty"`
	DisableIssuedAtCheck bool               `json:"disableIssuedAtCheck,omitempty"`
}

AuthConfig represents the configuration options for the authority.

func (*AuthConfig) Validate

func (c *AuthConfig) Validate() error

Validate validates the authority configuration.

type Authority

type Authority struct {
	// contains filtered or unexported fields
}

Authority implements the Certificate Authority internal interface.

func New

func New(config *Config) (*Authority, error)

New creates and initiates a new Authority type.

func (*Authority) Authorize

func (a *Authority) Authorize(ott string) ([]interface{}, error)

Authorize authorizes a signature request by validating and authenticating an OTT (one-time token) that must be sent with the request.

func (*Authority) GetEncryptedKey

func (a *Authority) GetEncryptedKey(kid string) (string, error)

GetEncryptedKey returns the JWE key corresponding to the given kid argument.

func (*Authority) GetFederation added in v0.8.3

func (a *Authority) GetFederation() (federation []*x509.Certificate, err error)

GetFederation returns all the root certificates in the federation. This method implements the Authority interface.

func (*Authority) GetProvisioners

func (a *Authority) GetProvisioners(cursor string, limit int) ([]*Provisioner, string, error)

GetProvisioners returns a page of provisioners, each carrying the JWK with its public key, together with the cursor for the next page.

func (*Authority) GetRootCertificate

func (a *Authority) GetRootCertificate() *x509.Certificate

GetRootCertificate returns the server root certificate.

func (*Authority) GetRootCertificates added in v0.8.3

func (a *Authority) GetRootCertificates() []*x509.Certificate

GetRootCertificates returns the server root certificates.

The Authority interface has a similar method, GetRoots. At the moment the two are almost identical, but this method is intended for internal use by the CA HTTP server to load the roots that will be set in the tls.Config, while GetRoots is used through the Authority interface and might gain extra checks in the future.

func (*Authority) GetRoots added in v0.8.3

func (a *Authority) GetRoots() ([]*x509.Certificate, error)

GetRoots returns all the root certificates for this CA. This method implements the Authority interface.

func (*Authority) GetTLSCertificate

func (a *Authority) GetTLSCertificate() (*tls.Certificate, error)

GetTLSCertificate creates a new leaf certificate to be used by the CA HTTPS server.

func (*Authority) GetTLSOptions

func (a *Authority) GetTLSOptions() *tlsutil.TLSOptions

GetTLSOptions returns the configured TLS options.

func (*Authority) Renew

Renew creates a new certificate identical to the old one, except that its validity window begins now.

func (*Authority) Root

func (a *Authority) Root(sum string) (*x509.Certificate, error)

Root returns the certificate corresponding to the given SHA sum argument.

func (*Authority) Sign

func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts SignOptions, extraOpts ...interface{}) (*x509.Certificate, *x509.Certificate, error)

Sign creates a signed certificate from a certificate signing request.

type Claims added in v0.8.4

type Claims struct {
	jwt.Claims
	SANs []string `json:"sans,omitempty"`
}

Claims extends jwt.Claims with step attributes.

type Config

type Config struct {
	Root             multiString         `json:"root"`
	FederatedRoots   []string            `json:"federatedRoots"`
	IntermediateCert string              `json:"crt"`
	IntermediateKey  string              `json:"key"`
	Address          string              `json:"address"`
	DNSNames         []string            `json:"dnsNames"`
	Logger           json.RawMessage     `json:"logger,omitempty"`
	Monitoring       json.RawMessage     `json:"monitoring,omitempty"`
	AuthorityConfig  *AuthConfig         `json:"authority,omitempty"`
	TLS              *tlsutil.TLSOptions `json:"tls,omitempty"`
	Password         string              `json:"password,omitempty"`
}

Config represents the CA configuration; it is mapped to a JSON object.

func LoadConfiguration

func LoadConfiguration(filename string) (*Config, error)

LoadConfiguration parses the given filename in JSON format and returns the configuration struct.

func (*Config) Save

func (c *Config) Save(filename string) error

Save saves the configuration to the given filename.

func (*Config) Validate

func (c *Config) Validate() error

Validate validates the configuration.

type Duration added in v0.8.4

type Duration struct {
	time.Duration
}

Duration is a wrapper around time.Duration to aid with JSON marshaling and unmarshaling.

func (*Duration) MarshalJSON added in v0.8.4

func (d *Duration) MarshalJSON() ([]byte, error)

MarshalJSON encodes the duration as a JSON duration string.

A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

func (*Duration) UnmarshalJSON added in v0.8.4

func (d *Duration) UnmarshalJSON(data []byte) (err error)

UnmarshalJSON parses a duration string and sets the Duration to it.

A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

type Provisioner

type Provisioner struct {
	Name         string             `json:"name,omitempty"`
	Type         string             `json:"type,omitempty"`
	Key          *jose.JSONWebKey   `json:"key,omitempty"`
	EncryptedKey string             `json:"encryptedKey,omitempty"`
	Claims       *ProvisionerClaims `json:"claims,omitempty"`
}

Provisioner is an authorized entity that can sign the tokens required for signature requests.

func (*Provisioner) ID

func (p *Provisioner) ID() string

ID returns the provisioner identifier. The name and credential ID together should uniquely identify any provisioner.

func (*Provisioner) Init

func (p *Provisioner) Init(global *ProvisionerClaims) error

Init initializes and validates the fields of the Provisioner type.

type ProvisionerClaims

type ProvisionerClaims struct {
	MinTLSDur      *Duration `json:"minTLSCertDuration,omitempty"`
	MaxTLSDur      *Duration `json:"maxTLSCertDuration,omitempty"`
	DefaultTLSDur  *Duration `json:"defaultTLSCertDuration,omitempty"`
	DisableRenewal *bool     `json:"disableRenewal,omitempty"`
	// contains filtered or unexported fields
}

ProvisionerClaims holds the claims that individual provisioners can use to override the global claims.

func (*ProvisionerClaims) DefaultTLSCertDuration

func (pc *ProvisionerClaims) DefaultTLSCertDuration() time.Duration

DefaultTLSCertDuration returns the default TLS cert duration for the provisioner. If the default is not set within the provisioner, then the global default from the authority configuration will be used.

func (*ProvisionerClaims) Init

Init initializes and validates the individual provisioner claims.

func (*ProvisionerClaims) IsDisableRenewal

func (pc *ProvisionerClaims) IsDisableRenewal() bool

IsDisableRenewal returns whether the renewal flow is disabled for the provisioner. If the property is not set within the provisioner, the global value from the authority configuration is used.

func (*ProvisionerClaims) MaxTLSCertDuration

func (pc *ProvisionerClaims) MaxTLSCertDuration() time.Duration

MaxTLSCertDuration returns the maximum TLS cert duration for the provisioner. If the maximum is not set within the provisioner, then the global maximum from the authority configuration will be used.

func (*ProvisionerClaims) MinTLSCertDuration

func (pc *ProvisionerClaims) MinTLSCertDuration() time.Duration

MinTLSCertDuration returns the minimum TLS cert duration for the provisioner. If the minimum is not set within the provisioner, then the global minimum from the authority configuration will be used.

func (*ProvisionerClaims) Validate

func (pc *ProvisionerClaims) Validate() error

Validate validates the claims and fills in default values where they are missing.
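As an added example, not code from the authority package, the following Go program models how the Duration wrapper decodes JSON duration strings and how ProvisionerClaims fields override the global claims (a nil field inherits the global value), with a min <= default <= max check so that an override cannot leave the default lifetime above the provisioner's own ceiling. The Duration, Claims, ParseClaims and Resolve names and the sample JSON are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

type Duration struct{ time.Duration } // JSON form is a duration string such as "24h"

func (d *Duration) UnmarshalJSON(data []byte) (err error) {
	var s string
	if err = json.Unmarshal(data, &s); err != nil {
		return err
	}
	d.Duration, err = time.ParseDuration(s) // accepts "300ms", "-1.5h", "2h45m", ...
	return err
}

// Claims models ProvisionerClaims (constructed); a nil field means "inherit the global value".
type Claims struct {
	MinTLSDur     *Duration `json:"minTLSCertDuration,omitempty"`
	MaxTLSDur     *Duration `json:"maxTLSCertDuration,omitempty"`
	DefaultTLSDur *Duration `json:"defaultTLSCertDuration,omitempty"`
}

func ParseClaims(js string) (c Claims, err error) { err = json.Unmarshal([]byte(js), &c); return }

// Resolve applies override-or-inherit per field, then enforces min <= default <= max.
func Resolve(local, global Claims) (minD, defD, maxD time.Duration, err error) {
	pick := func(l, g *Duration) time.Duration { // nil local field: use the global value
		if l != nil {
			return l.Duration
		}
		return g.Duration
	}
	minD = pick(local.MinTLSDur, global.MinTLSDur)
	defD = pick(local.DefaultTLSDur, global.DefaultTLSDur)
	maxD = pick(local.MaxTLSDur, global.MaxTLSDur)
	if minD > defD || defD > maxD {
		return 0, 0, 0, fmt.Errorf("invalid claims: need min %s <= default %s <= max %s", minD, defD, maxD)
	}
	return minD, defD, maxD, nil
}

func main() {
	g, _ := ParseClaims(`{"minTLSCertDuration":"5m","maxTLSCertDuration":"24h","defaultTLSCertDuration":"24h"}`)
	p, _ := ParseClaims(`{"maxTLSCertDuration":"1h"}`) // constructed: lowers only the ceiling
	_, _, _, err := Resolve(p, g)
	fmt.Println(err) // the inherited 24h default now exceeds the 1h override
}
```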

type SignOptions

type SignOptions struct {
	NotAfter  time.Time `json:"notAfter"`
	NotBefore time.Time `json:"notBefore"`
}

SignOptions contains the options that can be passed to the Authority.Sign method.
