cautils

package
v0.14.7-rc.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 21, 2020 License: Apache-2.0 Imports: 38 Imported by: 6

Documentation

Index

Constants

View Source
const (
	SignType = iota
	RevokeType
	SSHUserSignType
	SSHHostSignType
	SSHRevokeType
	SSHRenewType
	SSHRekeyType
)

Token signing types

Variables

This section is empty.

Functions

func ACMECreateCertFlow added in v0.13.0

func ACMECreateCertFlow(ctx *cli.Context, provisionerName string) error

ACMECreateCertFlow performs an ACME transaction to get a new certificate.

func ACMESignCSRFlow added in v0.13.0

func ACMESignCSRFlow(ctx *cli.Context, csr *x509.CertificateRequest, certFile, provisionerName string) error

ACMESignCSRFlow performs an ACME transaction using an existing CSR to get a new certificate.

func BootstrapTeam added in v0.14.0

func BootstrapTeam(ctx *cli.Context, name string) error

BootstrapTeam does a request to api.smallstep.com to bootstrap the configuration of the given team name.

func NewIdentityTokenFlow added in v0.14.0

func NewIdentityTokenFlow(ctx *cli.Context, caURL, root string) (string, error)

NewIdentityTokenFlow implements the flow to generate a token using only an OIDC provisioner.

func NewTokenFlow

func NewTokenFlow(ctx *cli.Context, tokType int, subject string, sans []string, caURL, root string, notBefore, notAfter time.Time, certNotBefore, certNotAfter provisioner.TimeDuration) (string, error)

NewTokenFlow implements the common flow used to generate a token

func OfflineTokenFlow

func OfflineTokenFlow(ctx *cli.Context, typ int, subject string, sans []string, notBefore, notAfter time.Time, certNotBefore, certNotAfter provisioner.TimeDuration) (string, error)

OfflineTokenFlow generates a provisioning token using either

  1. static configuration from ca.json (created with `step ca init`)
  2. input from command line flags

These two options are mutually exclusive and priority is given to ca.json.

Types

type CaClient

type CaClient interface {
	Sign(req *api.SignRequest) (*api.SignResponse, error)
	Renew(tr http.RoundTripper) (*api.SignResponse, error)
	Revoke(req *api.RevokeRequest, tr http.RoundTripper) (*api.RevokeResponse, error)
	SSHSign(req *api.SSHSignRequest) (*api.SSHSignResponse, error)
	SSHRenew(req *api.SSHRenewRequest) (*api.SSHRenewResponse, error)
	SSHRekey(req *api.SSHRekeyRequest) (*api.SSHRekeyResponse, error)
	SSHRevoke(req *api.SSHRevokeRequest) (*api.SSHRevokeResponse, error)
	SSHRoots() (*api.SSHRootsResponse, error)
	SSHFederation() (*api.SSHRootsResponse, error)
	SSHConfig(req *api.SSHConfigRequest) (*api.SSHConfigResponse, error)
	SSHCheckHost(principal string, token string) (*api.SSHCheckPrincipalResponse, error)
	SSHGetHosts() (*api.SSHGetHostsResponse, error)
	SSHBastion(req *api.SSHBastionRequest) (*api.SSHBastionResponse, error)
	Version() (*api.VersionResponse, error)
	GetRootCAs() *x509.CertPool
}

CaClient is the interface implemented by a client used to sign, renew, revoke certificates among other things.

func NewClient added in v0.14.0

func NewClient(ctx *cli.Context, opts ...ca.ClientOption) (CaClient, error)

NewClient returns a client of an online or offline CA. Requires the flags `offline`, `ca-config`, `ca-url`, and `root`.

type CertificateFlow

type CertificateFlow struct {
	// contains filtered or unexported fields
}

CertificateFlow manages the flow to retrieve a new certificate.

func NewCertificateFlow

func NewCertificateFlow(ctx *cli.Context) (*CertificateFlow, error)

NewCertificateFlow initializes a cli flow to get a new certificate.

func (*CertificateFlow) CreateSignRequest

func (f *CertificateFlow) CreateSignRequest(ctx *cli.Context, tok, subject string, sans []string) (*api.SignRequest, crypto.PrivateKey, error)

CreateSignRequest is a helper function that given an x509 OTT returns a simple but secure sign request as well as the private key used.

func (*CertificateFlow) GenerateIdentityToken added in v0.14.0

func (f *CertificateFlow) GenerateIdentityToken(ctx *cli.Context) (string, error)

GenerateIdentityToken generates a token using only an OIDC provisioner.

func (*CertificateFlow) GenerateSSHToken

func (f *CertificateFlow) GenerateSSHToken(ctx *cli.Context, subject string, typ int, principals []string, validAfter, validBefore provisioner.TimeDuration) (string, error)

GenerateSSHToken generates a token used to authorize the sign of an SSH certificate.

func (*CertificateFlow) GenerateToken

func (f *CertificateFlow) GenerateToken(ctx *cli.Context, subject string, sans []string) (string, error)

GenerateToken generates a token for immediate use (therefore only default validity values will be used). The token is generated either with the offline token flow or the online mode.

func (*CertificateFlow) GetClient

func (f *CertificateFlow) GetClient(ctx *cli.Context, tok string, options ...ca.ClientOption) (CaClient, error)

GetClient returns the client used to send requests to the CA.

func (*CertificateFlow) Sign

func (f *CertificateFlow) Sign(ctx *cli.Context, token string, csr api.CertificateRequest, crtFile string) error

Sign signs the CSR using the online or the offline certificate authority.

type ErrACMEToken added in v0.13.0

type ErrACMEToken struct {
	Name string
}

ErrACMEToken is the error type returned when the user attempts a Token Flow while using an ACME provisioner.

func (*ErrACMEToken) Error added in v0.13.0

func (e *ErrACMEToken) Error() string

Error implements the error interface.

type OfflineCA

type OfflineCA struct {
	// contains filtered or unexported fields
}

OfflineCA is a wrapper on top of the certificates authority methods that is used to sign certificates without an online CA.

func NewOfflineCA

func NewOfflineCA(configFile string) (*OfflineCA, error)

NewOfflineCA initializes an offlineCA.

func (*OfflineCA) Audience

func (c *OfflineCA) Audience(tokType int) string

Audience returns the token audience.

func (*OfflineCA) CaURL

func (c *OfflineCA) CaURL() string

CaURL returns the CA URL using the first DNS entry.

func (*OfflineCA) GenerateToken

func (c *OfflineCA) GenerateToken(ctx *cli.Context, tokType int, subject string, sans []string, notBefore, notAfter time.Time, certNotBefore, certNotAfter provisioner.TimeDuration) (string, error)

GenerateToken creates the token used by the authority to authorize requests.

func (*OfflineCA) GetRootCAs added in v0.14.0

func (c *OfflineCA) GetRootCAs() *x509.CertPool

GetRootCAs return the cert pool for the ca, as it's an offline ca, a pool is not required and it always returns nil.

func (*OfflineCA) Provisioners

func (c *OfflineCA) Provisioners() provisioner.List

Provisioners returns the list of configured provisioners.

func (*OfflineCA) Renew

func (c *OfflineCA) Renew(rt http.RoundTripper) (*api.SignResponse, error)

Renew is a wrapper on top of certificates Renew method. It returns an api.SignResponse with the requested certificate and the intermediate.

func (*OfflineCA) Revoke

Revoke is a wrapper on top of certificates Revoke method. It returns an api.RevokeResponse.

func (*OfflineCA) Root

func (c *OfflineCA) Root() string

Root returns the path of the file used as root certificate.

func (*OfflineCA) SSHBastion added in v0.14.0

func (c *OfflineCA) SSHBastion(req *api.SSHBastionRequest) (*api.SSHBastionResponse, error)

SSHBastion is a wrapper on top of the GetSSHBastion method. It returns an api.SSHBastionResponse.

func (*OfflineCA) SSHCheckHost added in v0.14.0

func (c *OfflineCA) SSHCheckHost(principal string, tok string) (*api.SSHCheckPrincipalResponse, error)

SSHCheckHost is a wrapper on top of the CheckSSHHost method. It returns an api.SSHCheckPrincipalResponse.

func (*OfflineCA) SSHConfig added in v0.14.0

func (c *OfflineCA) SSHConfig(req *api.SSHConfigRequest) (*api.SSHConfigResponse, error)

SSHConfig is a wrapper on top of the GetSSHConfig method. It returns an api.SSHConfigResponse.

func (*OfflineCA) SSHFederation added in v0.14.0

func (c *OfflineCA) SSHFederation() (*api.SSHRootsResponse, error)

SSHFederation is a wrapper on top of the GetSSHFederation method. It returns an api.SSHRootsResponse.

func (*OfflineCA) SSHGetHosts added in v0.14.0

func (c *OfflineCA) SSHGetHosts() (*api.SSHGetHostsResponse, error)

SSHGetHosts is a wrapper on top of the CheckSSHHost method. It returns an api.SSHCheckPrincipalResponse.

func (*OfflineCA) SSHRekey added in v0.14.0

func (c *OfflineCA) SSHRekey(req *api.SSHRekeyRequest) (*api.SSHRekeyResponse, error)

SSHRekey is a wrapper on top of certificates SSHRekey method. It returns an api.SSHRekeyResponse.

func (*OfflineCA) SSHRenew added in v0.14.0

func (c *OfflineCA) SSHRenew(req *api.SSHRenewRequest) (*api.SSHRenewResponse, error)

SSHRenew is a wrapper on top of certificates SSHRenew method. It returns an api.SSHRenewResponse.

func (*OfflineCA) SSHRevoke added in v0.14.0

func (c *OfflineCA) SSHRevoke(req *api.SSHRevokeRequest) (*api.SSHRevokeResponse, error)

SSHRevoke is a wrapper on top of certificates SSHRevoke method. It returns an api.SSHRevokeResponse.

func (*OfflineCA) SSHRoots added in v0.14.0

func (c *OfflineCA) SSHRoots() (*api.SSHRootsResponse, error)

SSHRoots is a wrapper on top of the GetSSHRoots method. It returns an api.SSHRootsResponse.

func (*OfflineCA) SSHSign added in v0.14.0

func (c *OfflineCA) SSHSign(req *api.SSHSignRequest) (*api.SSHSignResponse, error)

SSHSign is a wrapper on top of certificate Authorize and SignSSH methods. It returns an api.SSHSignResponse with the signed certificate.

func (*OfflineCA) Sign

func (c *OfflineCA) Sign(req *api.SignRequest) (*api.SignResponse, error)

Sign is a wrapper on top of certificates Authorize and Sign methods. It returns an api.SignResponse with the requested certificate and the intermediate.

func (*OfflineCA) VerifyClientCert

func (c *OfflineCA) VerifyClientCert(certFile, keyFile string) error

VerifyClientCert verifies and validates the client cert/key pair using the offline CA root and intermediate certificates.

func (*OfflineCA) Version added in v0.14.0

func (c *OfflineCA) Version() (*api.VersionResponse, error)

Version is a wrapper on top of the Version method. It returns an api.VersionResponse.

type TokenGenerator

type TokenGenerator struct {
	// contains filtered or unexported fields
}

TokenGenerator is a helper used to generate different types of tokens used in the CA.

func NewTokenGenerator

func NewTokenGenerator(kid, iss, aud, root string, notBefore, notAfter time.Time, jwk *jose.JSONWebKey) *TokenGenerator

NewTokenGenerator initializes a new token generator with the common fields.

func (*TokenGenerator) RevokeToken

func (t *TokenGenerator) RevokeToken(sub string, opts ...token.Options) (string, error)

RevokeToken generates a X.509 certificate revoke token.

func (*TokenGenerator) SignSSHToken

func (t *TokenGenerator) SignSSHToken(sub, certType string, principals []string, notBefore, notAfter provisioner.TimeDuration, opts ...token.Options) (string, error)

SignSSHToken generates a SSH certificate signing token.

func (*TokenGenerator) SignToken

func (t *TokenGenerator) SignToken(sub string, sans []string, opts ...token.Options) (string, error)

SignToken generates a X.509 certificate signing token. If sans is empty, we will use the subject (common name) as the only SAN.

func (*TokenGenerator) Token

func (t *TokenGenerator) Token(sub string, opts ...token.Options) (string, error)

Token generates a generic token with the given subject and options.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL