cautils

package
Published: Nov 20, 2024 License: Apache-2.0 Imports: 58 Imported by: 6


Constants

const (
	SignType = iota
	RevokeType
	SSHUserSignType
	SSHHostSignType
	SSHRevokeType
	SSHRenewType
	SSHRekeyType
	RenewType
)

Token signing types

Variables

This section is empty.

Functions

func ACMECreateCertFlow added in v0.13.0

func ACMECreateCertFlow(ctx *cli.Context, provisionerName string) error

ACMECreateCertFlow performs an ACME transaction to get a new certificate.

func ACMESignCSRFlow added in v0.13.0

func ACMESignCSRFlow(ctx *cli.Context, csr *x509.CertificateRequest, certFile, provisionerName string) error

ACMESignCSRFlow performs an ACME transaction using an existing CSR to get a new certificate.

func BootstrapAuthority added in v0.18.0

func BootstrapAuthority(ctx *cli.Context, caURL, fingerprint string) (err error)

BootstrapAuthority bootstraps an authority using only the caURL and fingerprint.

func BootstrapTeamAuthority added in v0.18.0

func BootstrapTeamAuthority(ctx *cli.Context, team, teamAuthority string) error

BootstrapTeamAuthority does a request to api.smallstep.com to bootstrap the configuration of a given team/authority.

func NewAdminClient added in v0.16.0

func NewAdminClient(ctx *cli.Context, opts ...ca.ClientOption) (*ca.AdminClient, error)

NewAdminClient returns a client for the mgmt API of the online CA.

func NewIdentityTokenFlow added in v0.14.0

func NewIdentityTokenFlow(ctx *cli.Context, caURL, root string) (string, error)

NewIdentityTokenFlow implements the flow to generate a token using only an OIDC provisioner.

func NewTokenFlow

func NewTokenFlow(ctx *cli.Context, tokType int, subject string, sans []string, caURL, root string, notBefore, notAfter time.Time, certNotBefore, certNotAfter provisioner.TimeDuration, opts ...Option) (string, error)

NewTokenFlow implements the common flow used to generate a token.

func NewUnauthenticatedAdminClient added in v0.23.1

func NewUnauthenticatedAdminClient(ctx *cli.Context, opts ...ca.ClientOption) (*ca.AdminClient, error)

NewUnauthenticatedAdminClient returns an unauthenticated client for the mgmt API of the online CA.

func OfflineTokenFlow

func OfflineTokenFlow(ctx *cli.Context, typ int, subject string, sans []string, notBefore, notAfter time.Time, certNotBefore, certNotAfter provisioner.TimeDuration) (string, error)

OfflineTokenFlow generates a provisioning token using either

  1. static configuration from ca.json (created with `step ca init`)
  2. input from command line flags

These two options are mutually exclusive and priority is given to ca.json.

func UseContext added in v0.18.0

func UseContext(ctx *cli.Context) (ret bool)

UseContext returns true if contexts should be used, false otherwise.

func WarnContext added in v0.18.0

func WarnContext()

WarnContext outputs a warning informing users about the option to use contexts.

Types

type ACMETokenError added in v0.22.0

type ACMETokenError struct {
	Name string
}

ACMETokenError is the error type returned when the user attempts a Token Flow while using an ACME provisioner.

func (*ACMETokenError) Error added in v0.22.0

func (e *ACMETokenError) Error() string

Error implements the error interface.

type CaClient

type CaClient interface {
	Sign(req *api.SignRequest) (*api.SignResponse, error)
	Renew(tr http.RoundTripper) (*api.SignResponse, error)
	RenewWithToken(ott string) (*api.SignResponse, error)
	Revoke(req *api.RevokeRequest, tr http.RoundTripper) (*api.RevokeResponse, error)
	Rekey(req *api.RekeyRequest, tr http.RoundTripper) (*api.SignResponse, error)
	SSHSign(req *api.SSHSignRequest) (*api.SSHSignResponse, error)
	SSHRenew(req *api.SSHRenewRequest) (*api.SSHRenewResponse, error)
	SSHRekey(req *api.SSHRekeyRequest) (*api.SSHRekeyResponse, error)
	SSHRevoke(req *api.SSHRevokeRequest) (*api.SSHRevokeResponse, error)
	SSHRoots() (*api.SSHRootsResponse, error)
	SSHFederation() (*api.SSHRootsResponse, error)
	SSHConfig(req *api.SSHConfigRequest) (*api.SSHConfigResponse, error)
	SSHCheckHost(principal string, token string) (*api.SSHCheckPrincipalResponse, error)
	SSHGetHosts() (*api.SSHGetHostsResponse, error)
	SSHBastion(req *api.SSHBastionRequest) (*api.SSHBastionResponse, error)
	Version() (*api.VersionResponse, error)
	GetRootCAs() *x509.CertPool
	GetCaURL() string
}

CaClient is the interface implemented by a client used to sign, renew, revoke certificates among other things.

func NewClient added in v0.14.0

func NewClient(ctx *cli.Context, opts ...ca.ClientOption) (CaClient, error)

NewClient returns a client of an online or offline CA. Requires the flags `offline`, `ca-config`, `ca-url`, and `root`.

type CertificateFlow

type CertificateFlow struct {
	// contains filtered or unexported fields
}

CertificateFlow manages the flow to retrieve a new certificate.

func NewCertificateFlow

func NewCertificateFlow(ctx *cli.Context, opts ...Option) (*CertificateFlow, error)

NewCertificateFlow initializes a cli flow to get a new certificate.

func (*CertificateFlow) CreateSignRequest

func (f *CertificateFlow) CreateSignRequest(ctx *cli.Context, tok, subject string, sans []string) (*api.SignRequest, crypto.PrivateKey, error)

CreateSignRequest is a helper function that given an x509 OTT returns a simple but secure sign request as well as the private key used.

func (*CertificateFlow) GenerateIdentityToken added in v0.14.0

func (f *CertificateFlow) GenerateIdentityToken(ctx *cli.Context) (string, error)

GenerateIdentityToken generates a token using only an OIDC provisioner.

func (*CertificateFlow) GenerateSSHToken

func (f *CertificateFlow) GenerateSSHToken(ctx *cli.Context, subject string, typ int, principals []string, validAfter, validBefore provisioner.TimeDuration) (string, error)

GenerateSSHToken generates a token used to authorize the sign of an SSH certificate.

func (*CertificateFlow) GenerateToken

func (f *CertificateFlow) GenerateToken(ctx *cli.Context, subject string, sans []string) (string, error)

GenerateToken generates a token for immediate use (therefore only default validity values will be used). The token is generated either with the offline token flow or the online mode.

func (*CertificateFlow) GetClient

func (f *CertificateFlow) GetClient(ctx *cli.Context, tok string, options ...ca.ClientOption) (CaClient, error)

GetClient returns the client used to send requests to the CA.

func (*CertificateFlow) Sign

func (f *CertificateFlow) Sign(ctx *cli.Context, tok string, csr api.CertificateRequest, crtFile string) error

Sign signs the CSR using the online or the offline certificate authority.

type OfflineCA

type OfflineCA struct {
	// contains filtered or unexported fields
}

OfflineCA is a wrapper on top of the certificates authority methods that is used to sign certificates without an online CA.

func NewOfflineCA

func NewOfflineCA(ctx *cli.Context, configFile string) (*OfflineCA, error)

NewOfflineCA initializes an offlineCA.

func (*OfflineCA) Audience

func (c *OfflineCA) Audience(tokType int) string

Audience returns the token audience.

func (*OfflineCA) CaURL

func (c *OfflineCA) CaURL() string

CaURL returns the CA URL using the first DNS entry.

func (*OfflineCA) GenerateToken

func (c *OfflineCA) GenerateToken(ctx *cli.Context, tokType int, subject string, sans []string, notBefore, notAfter time.Time, certNotBefore, certNotAfter provisioner.TimeDuration) (string, error)

GenerateToken creates the token used by the authority to authorize requests.

func (*OfflineCA) GetCaURL added in v0.19.0

func (c *OfflineCA) GetCaURL() string

GetCaURL returns the configured CA url.

func (*OfflineCA) GetRootCAs added in v0.14.0

func (c *OfflineCA) GetRootCAs() *x509.CertPool

GetRootCAs returns the cert pool for the CA. Because this is an offline CA, no pool is required, so it always returns nil.

func (*OfflineCA) Provisioners

func (c *OfflineCA) Provisioners() provisioner.List

Provisioners returns the list of configured provisioners.

func (*OfflineCA) Rekey added in v0.17.0

Rekey implements the step-ca client interface Rekey method for an offline client.

func (*OfflineCA) Renew

func (c *OfflineCA) Renew(rt http.RoundTripper) (*api.SignResponse, error)

Renew is a wrapper on top of the certificates Renew method. It returns an api.SignResponse with the requested certificate and the intermediate.

func (*OfflineCA) RenewWithToken added in v0.19.0

func (c *OfflineCA) RenewWithToken(ott string) (*api.SignResponse, error)

RenewWithToken is a wrapper on top of the certificates AuthorizeRenew and Renew methods. It returns an api.SignResponse with the requested certificate and the intermediate.

func (*OfflineCA) Revoke

Revoke is a wrapper on top of the certificates Revoke method. It returns an api.RevokeResponse.

func (*OfflineCA) Root

func (c *OfflineCA) Root() string

Root returns the path of the file used as root certificate.

func (*OfflineCA) SSHBastion added in v0.14.0

func (c *OfflineCA) SSHBastion(req *api.SSHBastionRequest) (*api.SSHBastionResponse, error)

SSHBastion is a wrapper on top of the GetSSHBastion method. It returns an api.SSHBastionResponse.

func (*OfflineCA) SSHCheckHost added in v0.14.0

func (c *OfflineCA) SSHCheckHost(principal, tok string) (*api.SSHCheckPrincipalResponse, error)

SSHCheckHost is a wrapper on top of the CheckSSHHost method. It returns an api.SSHCheckPrincipalResponse.

func (*OfflineCA) SSHConfig added in v0.14.0

func (c *OfflineCA) SSHConfig(req *api.SSHConfigRequest) (*api.SSHConfigResponse, error)

SSHConfig is a wrapper on top of the GetSSHConfig method. It returns an api.SSHConfigResponse.

func (*OfflineCA) SSHFederation added in v0.14.0

func (c *OfflineCA) SSHFederation() (*api.SSHRootsResponse, error)

SSHFederation is a wrapper on top of the GetSSHFederation method. It returns an api.SSHRootsResponse.

func (*OfflineCA) SSHGetHosts added in v0.14.0

func (c *OfflineCA) SSHGetHosts() (*api.SSHGetHostsResponse, error)

SSHGetHosts is a wrapper on top of the GetSSHHosts method. It returns an api.SSHGetHostsResponse.

func (*OfflineCA) SSHRekey added in v0.14.0

func (c *OfflineCA) SSHRekey(req *api.SSHRekeyRequest) (*api.SSHRekeyResponse, error)

SSHRekey is a wrapper on top of certificates SSHRekey method. It returns an api.SSHRekeyResponse.

func (*OfflineCA) SSHRenew added in v0.14.0

func (c *OfflineCA) SSHRenew(req *api.SSHRenewRequest) (*api.SSHRenewResponse, error)

SSHRenew is a wrapper on top of certificates SSHRenew method. It returns an api.SSHRenewResponse.

func (*OfflineCA) SSHRevoke added in v0.14.0

func (c *OfflineCA) SSHRevoke(req *api.SSHRevokeRequest) (*api.SSHRevokeResponse, error)

SSHRevoke is a wrapper on top of certificates SSHRevoke method. It returns an api.SSHRevokeResponse.

func (*OfflineCA) SSHRoots added in v0.14.0

func (c *OfflineCA) SSHRoots() (*api.SSHRootsResponse, error)

SSHRoots is a wrapper on top of the GetSSHRoots method. It returns an api.SSHRootsResponse.

func (*OfflineCA) SSHSign added in v0.14.0

func (c *OfflineCA) SSHSign(req *api.SSHSignRequest) (*api.SSHSignResponse, error)

SSHSign is a wrapper on top of the certificates Authorize and SignSSH methods. It returns an api.SSHSignResponse with the signed certificate.

func (*OfflineCA) Sign

func (c *OfflineCA) Sign(req *api.SignRequest) (*api.SignResponse, error)

Sign is a wrapper on top of the certificates Authorize and Sign methods. It returns an api.SignResponse with the requested certificate and the intermediate.

func (*OfflineCA) VerifyClientCert

func (c *OfflineCA) VerifyClientCert(certFile, keyFile string) error

VerifyClientCert verifies and validates the client cert/key pair using the offline CA root and intermediate certificates.

func (*OfflineCA) Version added in v0.14.0

func (c *OfflineCA) Version() (*api.VersionResponse, error)

Version is a wrapper on top of the Version method. It returns an api.VersionResponse.

type Option added in v0.27.4

type Option interface {
	// contains filtered or unexported methods
}

func WithCertificateRequest added in v0.27.4

func WithCertificateRequest(cr *x509.CertificateRequest) Option

WithCertificateRequest sets the X509 certificate request used in the request.

func WithConfirmationFingerprint added in v0.27.4

func WithConfirmationFingerprint(fp string) Option

WithConfirmationFingerprint sets the confirmation fingerprint used in the request.

func WithSSHPublicKey added in v0.27.4

func WithSSHPublicKey(key ssh.PublicKey) Option

WithSSHPublicKey sets the SSH public key used in the request.

type TokenGenerator

type TokenGenerator struct {
	// contains filtered or unexported fields
}

TokenGenerator is a helper used to generate different types of tokens used in the CA.

func NewTokenGenerator

func NewTokenGenerator(kid, iss, aud, root string, notBefore, notAfter time.Time, jwk *jose.JSONWebKey) *TokenGenerator

NewTokenGenerator initializes a new token generator with the common fields.

func (*TokenGenerator) RevokeToken

func (t *TokenGenerator) RevokeToken(sub string, opts ...token.Options) (string, error)

RevokeToken generates an X.509 certificate revoke token.

func (*TokenGenerator) SignSSHToken

func (t *TokenGenerator) SignSSHToken(sub, certType string, principals []string, notBefore, notAfter provisioner.TimeDuration, opts ...token.Options) (string, error)

SignSSHToken generates an SSH certificate signing token.

func (*TokenGenerator) SignToken

func (t *TokenGenerator) SignToken(sub string, sans []string, opts ...token.Options) (string, error)

SignToken generates an X.509 certificate signing token. If sans is empty, the subject (common name) is used as the only SAN.

func (*TokenGenerator) Token

func (t *TokenGenerator) Token(sub string, opts ...token.Options) (string, error)

Token generates a generic token with the given subject and options.
