Documentation ¶
Index ¶
- Constants
- func ACMECreateCertFlow(ctx *cli.Context, provisionerName string) error
- func ACMESignCSRFlow(ctx *cli.Context, csr *x509.CertificateRequest, ...) error
- func BootstrapAuthority(ctx *cli.Context, caURL, fingerprint string) (err error)
- func BootstrapTeamAuthority(ctx *cli.Context, team, teamAuthority string) error
- func NewAdminClient(ctx *cli.Context, opts ...ca.ClientOption) (*ca.AdminClient, error)
- func NewIdentityTokenFlow(ctx *cli.Context, caURL, root string) (string, error)
- func NewTokenFlow(ctx *cli.Context, tokType int, subject string, sans []string, ...) (string, error)
- func OfflineTokenFlow(ctx *cli.Context, typ int, subject string, sans []string, ...) (string, error)
- func UseContext(ctx *cli.Context) (ret bool)
- func WarnContext()
- type CaClient
- type CertificateFlow
- func (f *CertificateFlow) CreateSignRequest(ctx *cli.Context, tok, subject string, sans []string) (*api.SignRequest, crypto.PrivateKey, error)
- func (f *CertificateFlow) GenerateIdentityToken(ctx *cli.Context) (string, error)
- func (f *CertificateFlow) GenerateSSHToken(ctx *cli.Context, subject string, typ int, principals []string, ...) (string, error)
- func (f *CertificateFlow) GenerateToken(ctx *cli.Context, subject string, sans []string) (string, error)
- func (f *CertificateFlow) GetClient(ctx *cli.Context, tok string, options ...ca.ClientOption) (CaClient, error)
- func (f *CertificateFlow) Sign(ctx *cli.Context, tok string, csr api.CertificateRequest, crtFile string) error
- type ErrACMEToken
- type OfflineCA
- func (c *OfflineCA) Audience(tokType int) string
- func (c *OfflineCA) CaURL() string
- func (c *OfflineCA) GenerateToken(ctx *cli.Context, tokType int, subject string, sans []string, ...) (string, error)
- func (c *OfflineCA) GetRootCAs() *x509.CertPool
- func (c *OfflineCA) Provisioners() provisioner.List
- func (c *OfflineCA) Rekey(req *api.RekeyRequest, rt http.RoundTripper) (*api.SignResponse, error)
- func (c *OfflineCA) Renew(rt http.RoundTripper) (*api.SignResponse, error)
- func (c *OfflineCA) Revoke(req *api.RevokeRequest, rt http.RoundTripper) (*api.RevokeResponse, error)
- func (c *OfflineCA) Root() string
- func (c *OfflineCA) SSHBastion(req *api.SSHBastionRequest) (*api.SSHBastionResponse, error)
- func (c *OfflineCA) SSHCheckHost(principal, tok string) (*api.SSHCheckPrincipalResponse, error)
- func (c *OfflineCA) SSHConfig(req *api.SSHConfigRequest) (*api.SSHConfigResponse, error)
- func (c *OfflineCA) SSHFederation() (*api.SSHRootsResponse, error)
- func (c *OfflineCA) SSHGetHosts() (*api.SSHGetHostsResponse, error)
- func (c *OfflineCA) SSHRekey(req *api.SSHRekeyRequest) (*api.SSHRekeyResponse, error)
- func (c *OfflineCA) SSHRenew(req *api.SSHRenewRequest) (*api.SSHRenewResponse, error)
- func (c *OfflineCA) SSHRevoke(req *api.SSHRevokeRequest) (*api.SSHRevokeResponse, error)
- func (c *OfflineCA) SSHRoots() (*api.SSHRootsResponse, error)
- func (c *OfflineCA) SSHSign(req *api.SSHSignRequest) (*api.SSHSignResponse, error)
- func (c *OfflineCA) Sign(req *api.SignRequest) (*api.SignResponse, error)
- func (c *OfflineCA) VerifyClientCert(certFile, keyFile string) error
- func (c *OfflineCA) Version() (*api.VersionResponse, error)
- type TokenGenerator
- func (t *TokenGenerator) RevokeToken(sub string, opts ...token.Options) (string, error)
- func (t *TokenGenerator) SignSSHToken(sub, certType string, principals []string, ...) (string, error)
- func (t *TokenGenerator) SignToken(sub string, sans []string, opts ...token.Options) (string, error)
- func (t *TokenGenerator) Token(sub string, opts ...token.Options) (string, error)
Constants ¶
const ( SignType = iota RevokeType SSHUserSignType SSHHostSignType SSHRevokeType SSHRenewType SSHRekeyType )
Token signing types
Variables ¶
This section is empty.
Functions ¶
func ACMECreateCertFlow ¶ added in v0.13.0
ACMECreateCertFlow performs an ACME transaction to get a new certificate.
func ACMESignCSRFlow ¶ added in v0.13.0
func ACMESignCSRFlow(ctx *cli.Context, csr *x509.CertificateRequest, certFile, provisionerName string) error
ACMESignCSRFlow performs an ACME transaction using an existing CSR to get a new certificate.
func BootstrapAuthority ¶ added in v0.18.0
BootstrapAuthority bootstraps an authority using only the caURL and fingerprint.
func BootstrapTeamAuthority ¶ added in v0.18.0
BootstrapTeamAuthority does a request to api.smallstep.com to bootstrap the configuration of a given team/authority.
func NewAdminClient ¶ added in v0.16.0
func NewAdminClient(ctx *cli.Context, opts ...ca.ClientOption) (*ca.AdminClient, error)
NewAdminClient returns a client for the mgmt API of the online CA.
func NewIdentityTokenFlow ¶ added in v0.14.0
NewIdentityTokenFlow implements the flow to generate a token using only an OIDC provisioner.
func NewTokenFlow ¶
func NewTokenFlow(ctx *cli.Context, tokType int, subject string, sans []string, caURL, root string, notBefore, notAfter time.Time, certNotBefore, certNotAfter provisioner.TimeDuration) (string, error)
NewTokenFlow implements the common flow used to generate a token
func OfflineTokenFlow ¶
func OfflineTokenFlow(ctx *cli.Context, typ int, subject string, sans []string, notBefore, notAfter time.Time, certNotBefore, certNotAfter provisioner.TimeDuration) (string, error)
OfflineTokenFlow generates a provisioning token using either
- static configuration from ca.json (created with `step ca init`)
- input from command line flags
These two options are mutually exclusive and priority is given to ca.json.
func UseContext ¶ added in v0.18.0
UseContext returns true if contexts should be used, false otherwise.
func WarnContext ¶ added in v0.18.0
func WarnContext()
WarnContext outputs a warning informing users about the option to use contexts.
Types ¶
type CaClient ¶
type CaClient interface { Sign(req *api.SignRequest) (*api.SignResponse, error) Renew(tr http.RoundTripper) (*api.SignResponse, error) Revoke(req *api.RevokeRequest, tr http.RoundTripper) (*api.RevokeResponse, error) Rekey(req *api.RekeyRequest, tr http.RoundTripper) (*api.SignResponse, error) SSHSign(req *api.SSHSignRequest) (*api.SSHSignResponse, error) SSHRenew(req *api.SSHRenewRequest) (*api.SSHRenewResponse, error) SSHRekey(req *api.SSHRekeyRequest) (*api.SSHRekeyResponse, error) SSHRevoke(req *api.SSHRevokeRequest) (*api.SSHRevokeResponse, error) SSHRoots() (*api.SSHRootsResponse, error) SSHFederation() (*api.SSHRootsResponse, error) SSHConfig(req *api.SSHConfigRequest) (*api.SSHConfigResponse, error) SSHCheckHost(principal string, token string) (*api.SSHCheckPrincipalResponse, error) SSHGetHosts() (*api.SSHGetHostsResponse, error) SSHBastion(req *api.SSHBastionRequest) (*api.SSHBastionResponse, error) Version() (*api.VersionResponse, error) GetRootCAs() *x509.CertPool }
CaClient is the interface implemented by a client used to sign, renew, revoke certificates among other things.
type CertificateFlow ¶
type CertificateFlow struct {
// contains filtered or unexported fields
}
CertificateFlow manages the flow to retrieve a new certificate.
func NewCertificateFlow ¶
func NewCertificateFlow(ctx *cli.Context) (*CertificateFlow, error)
NewCertificateFlow initializes a cli flow to get a new certificate.
func (*CertificateFlow) CreateSignRequest ¶
func (f *CertificateFlow) CreateSignRequest(ctx *cli.Context, tok, subject string, sans []string) (*api.SignRequest, crypto.PrivateKey, error)
CreateSignRequest is a helper function that given an x509 OTT returns a simple but secure sign request as well as the private key used.
func (*CertificateFlow) GenerateIdentityToken ¶ added in v0.14.0
func (f *CertificateFlow) GenerateIdentityToken(ctx *cli.Context) (string, error)
GenerateIdentityToken generates a token using only an OIDC provisioner.
func (*CertificateFlow) GenerateSSHToken ¶
func (f *CertificateFlow) GenerateSSHToken(ctx *cli.Context, subject string, typ int, principals []string, validAfter, validBefore provisioner.TimeDuration) (string, error)
GenerateSSHToken generates a token used to authorize the sign of an SSH certificate.
func (*CertificateFlow) GenerateToken ¶
func (f *CertificateFlow) GenerateToken(ctx *cli.Context, subject string, sans []string) (string, error)
GenerateToken generates a token for immediate use (therefore only default validity values will be used). The token is generated either with the offline token flow or the online mode.
func (*CertificateFlow) GetClient ¶
func (f *CertificateFlow) GetClient(ctx *cli.Context, tok string, options ...ca.ClientOption) (CaClient, error)
GetClient returns the client used to send requests to the CA.
func (*CertificateFlow) Sign ¶
func (f *CertificateFlow) Sign(ctx *cli.Context, tok string, csr api.CertificateRequest, crtFile string) error
Sign signs the CSR using the online or the offline certificate authority.
type ErrACMEToken ¶ added in v0.13.0
type ErrACMEToken struct {
Name string
}
ErrACMEToken is the error type returned when the user attempts a Token Flow while using an ACME provisioner.
func (*ErrACMEToken) Error ¶ added in v0.13.0
func (e *ErrACMEToken) Error() string
Error implements the error interface.
type OfflineCA ¶
type OfflineCA struct {
// contains filtered or unexported fields
}
OfflineCA is a wrapper on top of the certificates authority methods that is used to sign certificates without an online CA.
func NewOfflineCA ¶
NewOfflineCA initializes an offlineCA.
func (*OfflineCA) GenerateToken ¶
func (c *OfflineCA) GenerateToken(ctx *cli.Context, tokType int, subject string, sans []string, notBefore, notAfter time.Time, certNotBefore, certNotAfter provisioner.TimeDuration) (string, error)
GenerateToken creates the token used by the authority to authorize requests.
func (*OfflineCA) GetRootCAs ¶ added in v0.14.0
GetRootCAs return the cert pool for the ca, as it's an offline ca, a pool is not required and it always returns nil.
func (*OfflineCA) Provisioners ¶
func (c *OfflineCA) Provisioners() provisioner.List
Provisioners returns the list of configured provisioners.
func (*OfflineCA) Rekey ¶ added in v0.17.0
func (c *OfflineCA) Rekey(req *api.RekeyRequest, rt http.RoundTripper) (*api.SignResponse, error)
Rekey implements the step-ca client interface Rekey method for an offline client.
func (*OfflineCA) Renew ¶
func (c *OfflineCA) Renew(rt http.RoundTripper) (*api.SignResponse, error)
Renew is a wrapper on top of certificates Renew method. It returns an api.SignResponse with the requested certificate and the intermediate.
func (*OfflineCA) Revoke ¶
func (c *OfflineCA) Revoke(req *api.RevokeRequest, rt http.RoundTripper) (*api.RevokeResponse, error)
Revoke is a wrapper on top of certificates Revoke method. It returns an api.RevokeResponse.
func (*OfflineCA) SSHBastion ¶ added in v0.14.0
func (c *OfflineCA) SSHBastion(req *api.SSHBastionRequest) (*api.SSHBastionResponse, error)
SSHBastion is a wrapper on top of the GetSSHBastion method. It returns an api.SSHBastionResponse.
func (*OfflineCA) SSHCheckHost ¶ added in v0.14.0
func (c *OfflineCA) SSHCheckHost(principal, tok string) (*api.SSHCheckPrincipalResponse, error)
SSHCheckHost is a wrapper on top of the CheckSSHHost method. It returns an api.SSHCheckPrincipalResponse.
func (*OfflineCA) SSHConfig ¶ added in v0.14.0
func (c *OfflineCA) SSHConfig(req *api.SSHConfigRequest) (*api.SSHConfigResponse, error)
SSHConfig is a wrapper on top of the GetSSHConfig method. It returns an api.SSHConfigResponse.
func (*OfflineCA) SSHFederation ¶ added in v0.14.0
func (c *OfflineCA) SSHFederation() (*api.SSHRootsResponse, error)
SSHFederation is a wrapper on top of the GetSSHFederation method. It returns an api.SSHRootsResponse.
func (*OfflineCA) SSHGetHosts ¶ added in v0.14.0
func (c *OfflineCA) SSHGetHosts() (*api.SSHGetHostsResponse, error)
SSHGetHosts is a wrapper on top of the CheckSSHHost method. It returns an api.SSHCheckPrincipalResponse.
func (*OfflineCA) SSHRekey ¶ added in v0.14.0
func (c *OfflineCA) SSHRekey(req *api.SSHRekeyRequest) (*api.SSHRekeyResponse, error)
SSHRekey is a wrapper on top of certificates SSHRekey method. It returns an api.SSHRekeyResponse.
func (*OfflineCA) SSHRenew ¶ added in v0.14.0
func (c *OfflineCA) SSHRenew(req *api.SSHRenewRequest) (*api.SSHRenewResponse, error)
SSHRenew is a wrapper on top of certificates SSHRenew method. It returns an api.SSHRenewResponse.
func (*OfflineCA) SSHRevoke ¶ added in v0.14.0
func (c *OfflineCA) SSHRevoke(req *api.SSHRevokeRequest) (*api.SSHRevokeResponse, error)
SSHRevoke is a wrapper on top of certificates SSHRevoke method. It returns an api.SSHRevokeResponse.
func (*OfflineCA) SSHRoots ¶ added in v0.14.0
func (c *OfflineCA) SSHRoots() (*api.SSHRootsResponse, error)
SSHRoots is a wrapper on top of the GetSSHRoots method. It returns an api.SSHRootsResponse.
func (*OfflineCA) SSHSign ¶ added in v0.14.0
func (c *OfflineCA) SSHSign(req *api.SSHSignRequest) (*api.SSHSignResponse, error)
SSHSign is a wrapper on top of certificate Authorize and SignSSH methods. It returns an api.SSHSignResponse with the signed certificate.
func (*OfflineCA) Sign ¶
func (c *OfflineCA) Sign(req *api.SignRequest) (*api.SignResponse, error)
Sign is a wrapper on top of certificates Authorize and Sign methods. It returns an api.SignResponse with the requested certificate and the intermediate.
func (*OfflineCA) VerifyClientCert ¶
VerifyClientCert verifies and validates the client cert/key pair using the offline CA root and intermediate certificates.
type TokenGenerator ¶
type TokenGenerator struct {
// contains filtered or unexported fields
}
TokenGenerator is a helper used to generate different types of tokens used in the CA.
func NewTokenGenerator ¶
func NewTokenGenerator(kid, iss, aud, root string, notBefore, notAfter time.Time, jwk *jose.JSONWebKey) *TokenGenerator
NewTokenGenerator initializes a new token generator with the common fields.
func (*TokenGenerator) RevokeToken ¶
RevokeToken generates a X.509 certificate revoke token.
func (*TokenGenerator) SignSSHToken ¶
func (t *TokenGenerator) SignSSHToken(sub, certType string, principals []string, notBefore, notAfter provisioner.TimeDuration, opts ...token.Options) (string, error)
SignSSHToken generates a SSH certificate signing token.