ca

package
v0.10.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 4, 2021 License: Apache-2.0 Imports: 40 Imported by: 7

Documentation

Index

Constants

View Source 
const (
	// DefaultX509SVIDTTL is the TTL given to X509 SVIDs if not overridden by
	// the server config.
	DefaultX509SVIDTTL = time.Hour

	// DefaultJWTSVIDTTL is the TTL given to JWT SVIDs if a different TTL is
	// not provided in the signing request.
	DefaultJWTSVIDTTL = time.Minute * 5
)
View Source 
const (
	DefaultCATTL = 24 * time.Hour
)

Variables

This section is empty.

Functions

func CreateServerCATemplate 

func CreateServerCATemplate(spiffeID string, publicKey crypto.PublicKey, trustDomain string, notBefore, notAfter time.Time, serialNumber *big.Int, subject pkix.Name) (*x509.Certificate, error)

func CreateX509SVIDTemplate 

func CreateX509SVIDTemplate(spiffeID string, publicKey crypto.PublicKey, trustDomain string, notBefore, notAfter time.Time, serialNumber *big.Int) (*x509.Certificate, error)

func GenerateServerCACSR 

func GenerateServerCACSR(signer crypto.Signer, trustDomain string, subject pkix.Name) ([]byte, error)

func KeyActivationThreshold 

func KeyActivationThreshold(issuedAt, notAfter time.Time) time.Time

Types

type BundleUpdater added in v0.10.0 

type BundleUpdater interface {
	AppendX509Roots(ctx context.Context, roots []*x509.Certificate) error
	AppendJWTKeys(ctx context.Context, keys []*common.PublicKey) ([]*common.PublicKey, error)
	LogError(err error, msg string)
}

BundleUpdater is the interface used by the UpstreamClient to append bundle updates.

type CA 

type CA struct {
	// contains filtered or unexported fields
}

func NewCA 

func NewCA(config Config) *CA

func (*CA) JWTKey 

func (ca *CA) JWTKey() *JWTKey

func (*CA) SetJWTKey 

func (ca *CA) SetJWTKey(jwtKey *JWTKey)

func (*CA) SetX509CA 

func (ca *CA) SetX509CA(x509CA *X509CA)

func (*CA) SignJWTSVID 

func (ca *CA) SignJWTSVID(ctx context.Context, params JWTSVIDParams) (string, error)

func (*CA) SignServerX509SVID 

func (ca *CA) SignServerX509SVID(ctx context.Context, params ServerX509SVIDParams) ([]*x509.Certificate, error)

func (*CA) SignX509CASVID 

func (ca *CA) SignX509CASVID(ctx context.Context, params X509CASVIDParams) ([]*x509.Certificate, error)

func (*CA) SignX509SVID 

func (ca *CA) SignX509SVID(ctx context.Context, params X509SVIDParams) ([]*x509.Certificate, error)

func (*CA) X509CA 

func (ca *CA) X509CA() *X509CA

type Config 

type Config struct {
	Log         logrus.FieldLogger
	Metrics     telemetry.Metrics
	TrustDomain url.URL
	X509SVIDTTL time.Duration
	JWTSVIDTTL  time.Duration
	JWTIssuer   string
	Clock       clock.Clock
	CASubject   pkix.Name
}

type JWTKey 

type JWTKey struct {
	// The signer used to sign keys
	Signer crypto.Signer

	// Kid is the JWT key ID (i.e. "kid" claim)
	Kid string

	// NotAfter is the expiration time of the JWT key.
	NotAfter time.Time
}

type JWTKeyEntry 

type JWTKeyEntry struct {
	// Which JWT Key slot this entry occupied.
	SlotId string `protobuf:"bytes,1,opt,name=slot_id,json=slotId,proto3" json:"slot_id,omitempty"`
	// When the key was issued (unix epoch in seconds)
	IssuedAt int64 `protobuf:"varint,2,opt,name=issued_at,json=issuedAt,proto3" json:"issued_at,omitempty"`
	// When the key expires unix epoch in seconds)
	NotAfter int64 `protobuf:"varint,3,opt,name=not_after,json=notAfter,proto3" json:"not_after,omitempty"`
	// JWT key id (i.e. "kid" claim)
	Kid string `protobuf:"bytes,4,opt,name=kid,proto3" json:"kid,omitempty"`
	// PKIX encoded public key
	PublicKey            []byte   `protobuf:"bytes,5,opt,name=public_key,json=publicKey,proto3" json:"public_key,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (*JWTKeyEntry) Descriptor 

func (*JWTKeyEntry) Descriptor() ([]byte, []int)

func (*JWTKeyEntry) GetIssuedAt 

func (m *JWTKeyEntry) GetIssuedAt() int64

func (*JWTKeyEntry) GetKid 

func (m *JWTKeyEntry) GetKid() string

func (*JWTKeyEntry) GetNotAfter 

func (m *JWTKeyEntry) GetNotAfter() int64

func (*JWTKeyEntry) GetPublicKey 

func (m *JWTKeyEntry) GetPublicKey() []byte

func (*JWTKeyEntry) GetSlotId 

func (m *JWTKeyEntry) GetSlotId() string

func (*JWTKeyEntry) ProtoMessage 

func (*JWTKeyEntry) ProtoMessage()

func (*JWTKeyEntry) Reset 

func (m *JWTKeyEntry) Reset()

func (*JWTKeyEntry) String 

func (m *JWTKeyEntry) String() string

func (*JWTKeyEntry) XXX_DiscardUnknown 

func (m *JWTKeyEntry) XXX_DiscardUnknown()

func (*JWTKeyEntry) XXX_Marshal 

func (m *JWTKeyEntry) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*JWTKeyEntry) XXX_Merge 

func (m *JWTKeyEntry) XXX_Merge(src proto.Message)

func (*JWTKeyEntry) XXX_Size 

func (m *JWTKeyEntry) XXX_Size() int

func (*JWTKeyEntry) XXX_Unmarshal 

func (m *JWTKeyEntry) XXX_Unmarshal(b []byte) error

type JWTSVIDParams 

type JWTSVIDParams struct {
	// SPIFFE ID of the SVID
	SpiffeID string

	// TTL is the desired time-to-live of the SVID. Regardless of the TTL, the
	// lifetime of the certificate will be capped to that of the signing cert.
	TTL time.Duration

	// Audience is used for audience claims
	Audience []string
}

JWTSVIDParams are parameters relevant to JWT SVID creation

type Journal 

type Journal struct {
	// contains filtered or unexported fields
}

Journal stores X509 CAs and JWT keys on disk as they are rotated by the manager. The data format on disk is a PEM encoded protocol buffer.

func LoadJournal 

func LoadJournal(path string) (*Journal, error)

func (*Journal) AppendJWTKey 

func (j *Journal) AppendJWTKey(slotID string, issuedAt time.Time, jwtKey *JWTKey) error

func (*Journal) AppendX509CA 

func (j *Journal) AppendX509CA(slotID string, issuedAt time.Time, x509CA *X509CA) error

func (*Journal) Entries 

func (j *Journal) Entries() *JournalEntries

type JournalEntries 

type JournalEntries struct {
	X509CAs              []*X509CAEntry `protobuf:"bytes,1,rep,name=x509CAs,proto3" json:"x509CAs,omitempty"`
	JwtKeys              []*JWTKeyEntry `protobuf:"bytes,2,rep,name=jwtKeys,proto3" json:"jwtKeys,omitempty"`
	XXX_NoUnkeyedLiteral struct{}       `json:"-"`
	XXX_unrecognized     []byte         `json:"-"`
	XXX_sizecache        int32          `json:"-"`
}

func (*JournalEntries) Descriptor 

func (*JournalEntries) Descriptor() ([]byte, []int)

func (*JournalEntries) GetJwtKeys 

func (m *JournalEntries) GetJwtKeys() []*JWTKeyEntry

func (*JournalEntries) GetX509CAs 

func (m *JournalEntries) GetX509CAs() []*X509CAEntry

func (*JournalEntries) ProtoMessage 

func (*JournalEntries) ProtoMessage()

func (*JournalEntries) Reset 

func (m *JournalEntries) Reset()

func (*JournalEntries) String 

func (m *JournalEntries) String() string

func (*JournalEntries) XXX_DiscardUnknown 

func (m *JournalEntries) XXX_DiscardUnknown()

func (*JournalEntries) XXX_Marshal 

func (m *JournalEntries) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*JournalEntries) XXX_Merge 

func (m *JournalEntries) XXX_Merge(src proto.Message)

func (*JournalEntries) XXX_Size 

func (m *JournalEntries) XXX_Size() int

func (*JournalEntries) XXX_Unmarshal 

func (m *JournalEntries) XXX_Unmarshal(b []byte) error

type ManagedCA 

type ManagedCA interface {
	SetX509CA(*X509CA)
	SetJWTKey(*JWTKey)
}

type Manager 

type Manager struct {
	// contains filtered or unexported fields
}

func NewManager 

func NewManager(c ManagerConfig) *Manager

func (*Manager) Initialize 

func (m *Manager) Initialize(ctx context.Context) error

func (*Manager) PublishJWTKey added in v0.10.0 

func (m *Manager) PublishJWTKey(ctx context.Context, jwtKey *common.PublicKey) ([]*common.PublicKey, error)

PublishJWTKey publishes the passed JWK to the upstream server using the configured UpstreamAuthority plugin, then appends to the bundle the JWKs returned by the upstream server, and finally it returns the updated list of JWT keys contained in the bundle.

The following cases may arise when calling this function:

- The UpstreamAuthority plugin doesn't implement PublishJWTKey, in which case we receive an Unimplemented error from the upstream server, and hence we log a one time warning about this, append the passed JWK to the bundle, and return the updated list of JWT keys.

- The UpstreamAuthority plugin returned an error, then we return the error.

- There is no UpstreamAuthority plugin configured, then assumes we are the root server and just appends the passed JWK to the bundle and returns the updated list of JWT keys.

func (*Manager) Run 

func (m *Manager) Run(ctx context.Context) error

type ManagerConfig 

type ManagerConfig struct {
	CA             ManagedCA
	Catalog        catalog.Catalog
	TrustDomain    url.URL
	UpstreamBundle bool
	CATTL          time.Duration
	X509CAKeyType  keymanager.KeyType
	JWTKeyType     keymanager.KeyType
	CASubject      pkix.Name
	Dir            string
	Log            logrus.FieldLogger
	Metrics        telemetry.Metrics
	Clock          clock.Clock
}

type ServerCA 

type ServerCA interface {
	SignX509SVID(ctx context.Context, params X509SVIDParams) ([]*x509.Certificate, error)
	SignX509CASVID(ctx context.Context, params X509CASVIDParams) ([]*x509.Certificate, error)
	SignJWTSVID(ctx context.Context, params JWTSVIDParams) (string, error)

	// Sign an SVID used to serve SPIRE server TLS endpoints
	// This is required because in some cases, an UpstreamCA root is used to bootstrap
	// agents while upstream_bundle is false. This allows the trust domain roots to be
	// isolated to those managed by SPIRE, but at the same time allows leveraging a stable
	// upstream root for the sole purpose of bootstrapping agents.
	//
	// This should probably not be supported in the long run because simply omitting higher
	// order CA certificates is 1) not a sufficient isolation mechanism [1] and 2) not supported
	// by most X.509 validators without a special flag set [2].
	//
	// All known instances requiring this use case are isolated to demos and other convenience
	// functions, meaning that the UpstreamCA signer is always the root. To support this specific
	// use case, while also minimizing disruption to the CA implementation and interfaces, this
	// method will always return the CA certificate managed by SPIRE as the 2nd element in the
	// certificate chain. No effort will be made to support this use case when the UpstreamCA
	// signer is not the root.
	//
	// TODO: Change the upstream_ca configurable to default to true. Evaluate whether this use
	// case should be supported in the long term.
	//
	// [1]: https://acmccs.github.io/papers/p1407-acerA.pdf
	// [2]: https://www.openssl.org/docs/man1.1.0/man1/openssl-verify.html
	SignServerX509SVID(ctx context.Context, params ServerX509SVIDParams) ([]*x509.Certificate, error)
}

ServerCA is an interface for Server CAs

type ServerX509SVIDParams 

type ServerX509SVIDParams struct {
	// Public Key
	PublicKey crypto.PublicKey
}

X509CASVIDParams are parameters relevant to X509 CA SVID creation

type UpstreamClient added in v0.10.0 

type UpstreamClient struct {
	// contains filtered or unexported fields
}

UpstreamClient is used to interact with and stream updates from the UpstreamAuthority plugin.

func NewUpstreamClient added in v0.10.0 

func NewUpstreamClient(config UpstreamClientConfig) *UpstreamClient

NewUpstreamClient returns a new UpstreamAuthority plugin client.

func (*UpstreamClient) Close added in v0.10.0 

func (u *UpstreamClient) Close() error

Close closes the client, stopping any open streams against the UpstreamAuthority plugin.

func (*UpstreamClient) MintX509CA added in v0.10.0 

func (u *UpstreamClient) MintX509CA(ctx context.Context, csr []byte, ttl time.Duration) (_ []*x509.Certificate, err error)

MintX509CA mints an X.509CA using the UpstreamAuthority. It maintains an open stream to the UpstreamAuthority plugin to receive and append X.509 root updates to the bundle. The stream remains open until another call to MintX509CA happens or the client is closed.

func (*UpstreamClient) PublishJWTKey added in v0.10.0 

func (u *UpstreamClient) PublishJWTKey(ctx context.Context, jwtKey *common.PublicKey) (_ []*common.PublicKey, err error)

PublishJWTKey publishes the JWT key to the UpstreamAuthority. It maintains an open stream to the UpstreamAuthority plugin to receive and append JWT key updates to the bundle. The stream remains open until another call to PublishJWTKey happens or the client is closed.

func (*UpstreamClient) WaitUntilMintX509CAStreamDone added in v0.10.0 

func (u *UpstreamClient) WaitUntilMintX509CAStreamDone(ctx context.Context) error

WaitUntilMintX509CAStreamDone waits until the MintX509CA stream has stopped.

func (*UpstreamClient) WaitUntilPublishJWTKeyStreamDone added in v0.10.0 

func (u *UpstreamClient) WaitUntilPublishJWTKeyStreamDone(ctx context.Context) error

WaitUntilPublishJWTKeyStreamDone waits until the MintX509CA stream has stopped.

type UpstreamClientConfig added in v0.10.0 

type UpstreamClientConfig struct {
	UpstreamAuthority upstreamauthority.UpstreamAuthority
	BundleUpdater     BundleUpdater
	UpstreamBundle    bool
}

UpstreamClientConfig is the configuration for an UpstreamClient. Each field is required.

type X509CA 

type X509CA struct {
	// Signer is used to sign child certificates.
	Signer crypto.Signer

	// Certificate is the CA certificate.
	Certificate *x509.Certificate

	// UpstreamChain contains the CA certificate and intermediates necessary to
	// chain back to the upstream trust bundle. It is only set if the CA is
	// signed by an UpstreamCA and the upstream trust bundle *is* the SPIRE
	// trust bundle (see the upstream_bundle configurable).
	UpstreamChain []*x509.Certificate
}

func SelfSignX509CA 

func SelfSignX509CA(ctx context.Context, signer crypto.Signer, trustDomain string, subject pkix.Name, notBefore, notAfter time.Time) (*X509CA, []*x509.Certificate, error)

func UpstreamSignX509CA 

func UpstreamSignX509CA(ctx context.Context, signer crypto.Signer, trustDomain string, subject pkix.Name, upstreamClient *UpstreamClient, upstreamBundle bool, caTTL time.Duration) (*X509CA, error)

type X509CAEntry 

type X509CAEntry struct {
	// Which X509 CA slot this entry occupied.
	SlotId string `protobuf:"bytes,1,opt,name=slot_id,json=slotId,proto3" json:"slot_id,omitempty"`
	// When the CA was issued (unix epoch in seconds)
	IssuedAt int64 `protobuf:"varint,2,opt,name=issued_at,json=issuedAt,proto3" json:"issued_at,omitempty"`
	// DER encoded CA certificate
	Certificate []byte `protobuf:"bytes,3,opt,name=certificate,proto3" json:"certificate,omitempty"`
	// DER encoded upstream CA chain. See the X509CA struct for details.
	UpstreamChain        [][]byte `protobuf:"bytes,4,rep,name=upstream_chain,json=upstreamChain,proto3" json:"upstream_chain,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (*X509CAEntry) Descriptor 

func (*X509CAEntry) Descriptor() ([]byte, []int)

func (*X509CAEntry) GetCertificate 

func (m *X509CAEntry) GetCertificate() []byte

func (*X509CAEntry) GetIssuedAt 

func (m *X509CAEntry) GetIssuedAt() int64

func (*X509CAEntry) GetSlotId 

func (m *X509CAEntry) GetSlotId() string

func (*X509CAEntry) GetUpstreamChain 

func (m *X509CAEntry) GetUpstreamChain() [][]byte

func (*X509CAEntry) ProtoMessage 

func (*X509CAEntry) ProtoMessage()

func (*X509CAEntry) Reset 

func (m *X509CAEntry) Reset()

func (*X509CAEntry) String 

func (m *X509CAEntry) String() string

func (*X509CAEntry) XXX_DiscardUnknown 

func (m *X509CAEntry) XXX_DiscardUnknown()

func (*X509CAEntry) XXX_Marshal 

func (m *X509CAEntry) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*X509CAEntry) XXX_Merge 

func (m *X509CAEntry) XXX_Merge(src proto.Message)

func (*X509CAEntry) XXX_Size 

func (m *X509CAEntry) XXX_Size() int

func (*X509CAEntry) XXX_Unmarshal 

func (m *X509CAEntry) XXX_Unmarshal(b []byte) error

type X509CASVIDParams 

type X509CASVIDParams struct {
	// SPIFFE ID of the SVID
	SpiffeID string

	// Public Key
	PublicKey crypto.PublicKey

	// TTL is the desired time-to-live of the SVID. Regardless of the TTL, the
	// lifetime of the certificate will be capped to that of the signing cert.
	TTL time.Duration
}

X509CASVIDParams are parameters relevant to X509 CA SVID creation

type X509SVIDParams 

type X509SVIDParams struct {
	// SPIFFE ID of the SVID
	SpiffeID string

	// Public Key
	PublicKey crypto.PublicKey

	// TTL is the desired time-to-live of the SVID. Regardless of the TTL, the
	// lifetime of the certificate will be capped to that of the signing cert.
	TTL time.Duration

	// DNSList is used to add DNS SAN's to the X509 SVID. The first entry
	// is also added as the CN.
	DNSList []string

	// Subject of the SVID. Default subject is used if it is empty.
	Subject pkix.Name
}

X509SVIDParams are parameters relevant to X509 SVID creation

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.