ca

package
Published: Mar 4, 2021 License: Apache-2.0 Imports: 37 Imported by: 7

Constants

const (
	// DefaultX509SVIDTTL is the TTL given to X509 SVIDs if not overridden by
	// the server config (presumably Config.X509SVIDTTL).
	//
	// Whatever TTL is chosen, the SVID lifetime is capped to that of the
	// signing CA certificate (see X509SVIDParams.TTL).
	DefaultX509SVIDTTL = time.Hour

	// DefaultJWTSVIDTTL is the TTL given to JWT SVIDs if a different TTL is
	// not provided in the signing request (JWTSVIDParams.TTL).
	//
	// NOTE(review): nothing in this package revokes an issued SVID, so the
	// TTL is the practical bound on how long a leaked SVID stays usable.
	// Raising these defaults widens that window; weigh it against rotation
	// cost before changing them.
	DefaultJWTSVIDTTL = time.Minute * 5
)
const (
	// DefaultCATTL is the default lifetime of the X509 CA certificate and
	// JWT key that the Manager rotates. It presumably applies when
	// ManagerConfig.CATTL is left zero — confirm in NewManager.
	//
	// Because SVID lifetimes are capped to the signing cert, the CA TTL is
	// the upper bound on every SVID it signs. Rotation timing appears to be
	// derived from it via KeyActivationThreshold(issuedAt, notAfter).
	DefaultCATTL = 24 * time.Hour
)

Variables

This section is empty.

Functions

func CreateServerCATemplate

// CreateServerCATemplate builds the x509.Certificate template for a SPIRE
// server CA: it binds spiffeID, publicKey, trustDomain, the validity window
// [notBefore, notAfter], serialNumber and subject. The caller signs the
// template separately.
//
// NOTE(review): serialNumber is supplied by the caller; where it is generated
// is not visible here. Certificate serials should be unique per issuer and
// unpredictable — confirm at the call site.
func CreateServerCATemplate(spiffeID string, publicKey crypto.PublicKey, trustDomain string, notBefore, notAfter time.Time, serialNumber *big.Int, subject pkix.Name) (*x509.Certificate, error)

func CreateX509SVIDTemplate

// CreateX509SVIDTemplate builds the x509.Certificate template for an X509
// SVID with the given spiffeID, publicKey, trustDomain, validity window and
// serialNumber. The caller signs the template separately.
//
// NOTE(review): as with CreateServerCATemplate, serial uniqueness and
// unpredictability are the caller's responsibility — not checked here as far
// as the signature shows.
func CreateX509SVIDTemplate(spiffeID string, publicKey crypto.PublicKey, trustDomain string, notBefore, notAfter time.Time, serialNumber *big.Int) (*x509.Certificate, error)

func GenerateServerCACSR

// GenerateServerCACSR produces a DER-encoded certificate signing request for
// a server CA keyed by signer, for trustDomain, with the given subject. It is
// presumably what is handed to an upstreamca.UpstreamCA (see
// UpstreamSignX509CA) — confirm in source.
func GenerateServerCACSR(signer crypto.Signer, trustDomain string, subject pkix.Name) ([]byte, error)

func KeyActivationThreshold

// KeyActivationThreshold returns the instant at which a key issued at
// issuedAt and expiring at notAfter should become the active signing key.
// The fraction of the lifetime used is not visible from the signature;
// confirm in source before relying on a specific rotation schedule.
func KeyActivationThreshold(issuedAt, notAfter time.Time) time.Time

Types

type CA

// CA signs SVIDs using the X509 CA and JWT key currently installed on it.
//
// It satisfies ServerCA (SignX509SVID, SignX509CASVID, SignJWTSVID,
// SignServerX509SVID) and ManagedCA (SetX509CA, SetJWTKey): the Manager
// rotates keys by installing new ones through the setters, and the signing
// methods presumably use whatever is installed at call time.
type CA struct {
	// contains filtered or unexported fields
}

func NewCA

func NewCA(config Config) *CA

func (*CA) JWTKey

func (ca *CA) JWTKey() *JWTKey

func (*CA) SetJWTKey

func (ca *CA) SetJWTKey(jwtKey *JWTKey)

func (*CA) SetX509CA

func (ca *CA) SetX509CA(x509CA *X509CA)

func (*CA) SignJWTSVID

func (ca *CA) SignJWTSVID(ctx context.Context, params JWTSVIDParams) (string, error)

func (*CA) SignServerX509SVID

func (ca *CA) SignServerX509SVID(ctx context.Context, params ServerX509SVIDParams) ([]*x509.Certificate, error)

func (*CA) SignX509CASVID

func (ca *CA) SignX509CASVID(ctx context.Context, params X509CASVIDParams) ([]*x509.Certificate, error)

func (*CA) SignX509SVID

func (ca *CA) SignX509SVID(ctx context.Context, params X509SVIDParams) ([]*x509.Certificate, error)

func (*CA) X509CA

func (ca *CA) X509CA() *X509CA

type Config

// Config configures a CA (see NewCA).
type Config struct {
	// Log receives the CA's log output.
	Log         logrus.FieldLogger
	// Metrics receives the CA's telemetry.
	Metrics     telemetry.Metrics
	// TrustDomain is the SPIFFE trust domain this CA issues for.
	TrustDomain url.URL
	// X509SVIDTTL is the TTL for X509 SVIDs; presumably falls back to
	// DefaultX509SVIDTTL when zero — confirm in NewCA.
	X509SVIDTTL time.Duration
	// JWTSVIDTTL is the TTL for JWT SVIDs; presumably falls back to
	// DefaultJWTSVIDTTL when zero — confirm in NewCA.
	JWTSVIDTTL  time.Duration
	// JWTIssuer is presumably the "iss" claim placed in issued JWT SVIDs
	// (inferred from the name — verify in SignJWTSVID).
	JWTIssuer   string
	// Clock is the time source for validity computations; injectable for
	// tests.
	Clock       clock.Clock
	// CASubject is the subject name used for CA certificates.
	CASubject   pkix.Name
}

type JWTKey

// JWTKey is the key material the CA uses to sign JWT SVIDs.
type JWTKey struct {
	// Signer is used to sign JWT SVIDs. (The original comment said "sign
	// keys"; SignJWTSVID is the only JWT signing operation exposed here.)
	Signer crypto.Signer

	// Kid is the JWT key ID (i.e. "kid" claim). Verifiers presumably use it
	// to pick the matching public key from the trust bundle, so it should be
	// unique among active keys — confirm where Kid is generated.
	Kid string

	// NotAfter is the expiration time of the JWT key.
	NotAfter time.Time
}

type JWTKeyEntry

// JWTKeyEntry is the journaled record of one rotated JWT key.
//
// Only the public half is recorded (PublicKey); no private key material
// appears in this format.
type JWTKeyEntry struct {
	// Which JWT Key slot this entry occupied.
	SlotId string `protobuf:"bytes,1,opt,name=slot_id,json=slotId,proto3" json:"slot_id,omitempty"`
	// When the key was issued (unix epoch in seconds)
	IssuedAt int64 `protobuf:"varint,2,opt,name=issued_at,json=issuedAt,proto3" json:"issued_at,omitempty"`
	// When the key expires (unix epoch in seconds)
	NotAfter int64 `protobuf:"varint,3,opt,name=not_after,json=notAfter,proto3" json:"not_after,omitempty"`
	// JWT key id (i.e. "kid" claim)
	Kid string `protobuf:"bytes,4,opt,name=kid,proto3" json:"kid,omitempty"`
	// PKIX encoded public key
	PublicKey            []byte   `protobuf:"bytes,5,opt,name=public_key,json=publicKey,proto3" json:"public_key,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (*JWTKeyEntry) Descriptor

func (*JWTKeyEntry) Descriptor() ([]byte, []int)

func (*JWTKeyEntry) GetIssuedAt

func (m *JWTKeyEntry) GetIssuedAt() int64

func (*JWTKeyEntry) GetKid

func (m *JWTKeyEntry) GetKid() string

func (*JWTKeyEntry) GetNotAfter

func (m *JWTKeyEntry) GetNotAfter() int64

func (*JWTKeyEntry) GetPublicKey

func (m *JWTKeyEntry) GetPublicKey() []byte

func (*JWTKeyEntry) GetSlotId

func (m *JWTKeyEntry) GetSlotId() string

func (*JWTKeyEntry) ProtoMessage

func (*JWTKeyEntry) ProtoMessage()

func (*JWTKeyEntry) Reset

func (m *JWTKeyEntry) Reset()

func (*JWTKeyEntry) String

func (m *JWTKeyEntry) String() string

func (*JWTKeyEntry) XXX_DiscardUnknown

func (m *JWTKeyEntry) XXX_DiscardUnknown()

func (*JWTKeyEntry) XXX_Marshal

func (m *JWTKeyEntry) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*JWTKeyEntry) XXX_Merge

func (m *JWTKeyEntry) XXX_Merge(src proto.Message)

func (*JWTKeyEntry) XXX_Size

func (m *JWTKeyEntry) XXX_Size() int

func (*JWTKeyEntry) XXX_Unmarshal

func (m *JWTKeyEntry) XXX_Unmarshal(b []byte) error

type JWTSVIDParams

type JWTSVIDParams struct {
	// SPIFFE ID of the SVID
	SpiffeID string

	// TTL is the desired time-to-live of the SVID. Regardless of the TTL, the
	// lifetime of the token will be capped to that of the signing key.
	// (NOTE(review): the original said "certificate"; a JWT SVID has none,
	// so the cap presumably comes from JWTKey.NotAfter — confirm in
	// SignJWTSVID. A zero TTL presumably falls back to Config.JWTSVIDTTL.)
	TTL time.Duration

	// Audience is used for audience claims ("aud"). The audience is what
	// scopes the token to its intended consumer, so callers should pass the
	// specific party rather than a broad value. Whether an empty list is
	// rejected is not visible here.
	Audience []string
}

JWTSVIDParams are parameters relevant to JWT SVID creation

type Journal

type Journal struct {
	// contains filtered or unexported fields
}

Journal stores X509 CAs and JWT keys on disk as they are rotated by the manager. The data format on disk is a PEM encoded protocol buffer (JournalEntries). Only certificates and public keys are recorded (see X509CAEntry and JWTKeyEntry); private key material is not written to the journal.

func LoadJournal

// LoadJournal reads the journal at path. Whether a missing or empty file
// yields an empty journal or an error is not visible from the signature —
// confirm in source. The file holds certificates and public keys only, so it
// is not secret, but the Manager presumably trusts its contents for rotation
// state; keep it writable only by the server.
func LoadJournal(path string) (*Journal, error)

func (*Journal) AppendJWTKey

func (j *Journal) AppendJWTKey(slotID string, issuedAt time.Time, jwtKey *JWTKey) error

func (*Journal) AppendX509CA

func (j *Journal) AppendX509CA(slotID string, issuedAt time.Time, x509CA *X509CA) error

func (*Journal) Entries

func (j *Journal) Entries() *JournalEntries

type JournalEntries

// JournalEntries is the on-disk payload of a Journal: every X509 CA and JWT
// key appended so far, as protobuf messages.
type JournalEntries struct {
	X509CAs              []*X509CAEntry `protobuf:"bytes,1,rep,name=x509CAs,proto3" json:"x509CAs,omitempty"`
	JwtKeys              []*JWTKeyEntry `protobuf:"bytes,2,rep,name=jwtKeys,proto3" json:"jwtKeys,omitempty"`
	XXX_NoUnkeyedLiteral struct{}       `json:"-"`
	XXX_unrecognized     []byte         `json:"-"`
	XXX_sizecache        int32          `json:"-"`
}

func (*JournalEntries) Descriptor

func (*JournalEntries) Descriptor() ([]byte, []int)

func (*JournalEntries) GetJwtKeys

func (m *JournalEntries) GetJwtKeys() []*JWTKeyEntry

func (*JournalEntries) GetX509CAs

func (m *JournalEntries) GetX509CAs() []*X509CAEntry

func (*JournalEntries) ProtoMessage

func (*JournalEntries) ProtoMessage()

func (*JournalEntries) Reset

func (m *JournalEntries) Reset()

func (*JournalEntries) String

func (m *JournalEntries) String() string

func (*JournalEntries) XXX_DiscardUnknown

func (m *JournalEntries) XXX_DiscardUnknown()

func (*JournalEntries) XXX_Marshal

func (m *JournalEntries) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*JournalEntries) XXX_Merge

func (m *JournalEntries) XXX_Merge(src proto.Message)

func (*JournalEntries) XXX_Size

func (m *JournalEntries) XXX_Size() int

func (*JournalEntries) XXX_Unmarshal

func (m *JournalEntries) XXX_Unmarshal(b []byte) error

type ManagedCA

// ManagedCA is the rotation hook a Manager drives: it installs a freshly
// prepared X509 CA or JWT key on the signing CA. *CA implements it.
type ManagedCA interface {
	SetX509CA(*X509CA)
	SetJWTKey(*JWTKey)
}

type Manager

// Manager prepares and rotates the X509 CA and JWT key for a ManagedCA.
// Initialize presumably restores state from the Journal and Run drives
// rotation until ctx is cancelled — confirm both in source.
type Manager struct {
	// contains filtered or unexported fields
}

func NewManager

func NewManager(c ManagerConfig) *Manager

func (*Manager) Initialize

func (m *Manager) Initialize(ctx context.Context) error

func (*Manager) Run

func (m *Manager) Run(ctx context.Context) error

type ManagerConfig

// ManagerConfig configures a Manager (see NewManager).
type ManagerConfig struct {
	// CA is the signing CA that new X509 CAs and JWT keys are installed on.
	CA             ManagedCA
	// Catalog is the plugin catalog; presumably the source of the keymanager
	// and upstreamca plugins — confirm in source.
	Catalog        catalog.Catalog
	// TrustDomain is the SPIFFE trust domain being managed.
	TrustDomain    url.URL
	// UpstreamBundle, when true, makes the upstream trust bundle the SPIRE
	// trust bundle and populates X509CA.UpstreamChain. When false the trust
	// domain roots stay isolated to SPIRE-managed CAs — but see ServerCA:
	// omitting higher-order CA certificates is not a sufficient isolation
	// mechanism.
	UpstreamBundle bool
	// CATTL is the lifetime of each X509 CA / JWT key; presumably defaults
	// to DefaultCATTL when zero — confirm in NewManager.
	CATTL          time.Duration
	// X509CAKeyType is the key algorithm requested for X509 CA keys.
	X509CAKeyType  keymanager.KeyType
	// JWTKeyType is the key algorithm requested for JWT signing keys.
	JWTKeyType     keymanager.KeyType
	// CASubject is the subject name used for CA certificates.
	CASubject      pkix.Name
	// Dir is presumably the directory holding the Journal — confirm.
	Dir            string
	// Log receives the manager's log output.
	Log            logrus.FieldLogger
	// Metrics receives the manager's telemetry.
	Metrics        telemetry.Metrics
	// Clock is the time source for rotation decisions; injectable for tests.
	Clock          clock.Clock
}

type ServerCA

type ServerCA interface {
	// SignX509SVID signs a workload X509 SVID. The returned slice is the
	// certificate chain; its exact composition is not visible here.
	SignX509SVID(ctx context.Context, params X509SVIDParams) ([]*x509.Certificate, error)
	// SignX509CASVID signs an X509 CA SVID (a certificate that can itself
	// sign). Callers are responsible for authorizing the SPIFFE ID that
	// receives CA capability.
	SignX509CASVID(ctx context.Context, params X509CASVIDParams) ([]*x509.Certificate, error)
	// SignJWTSVID signs a JWT SVID and returns the compact serialized token.
	SignJWTSVID(ctx context.Context, params JWTSVIDParams) (string, error)

	// Sign an SVID used to serve SPIRE server TLS endpoints
	// This is required because in some cases, an UpstreamCA root is used to bootstrap
	// agents while upstream_bundle is false. This allows the trust domain roots to be
	// isolated to those managed by SPIRE, but at the same time allows leveraging a stable
	// upstream root for the sole purpose of bootstrapping agents.
	//
	// This should probably not be supported in the long run because simply omitting higher
	// order CA certificates is 1) not a sufficient isolation mechanism [1] and 2) not supported
	// by most X.509 validators without a special flag set [2].
	//
	// All known instances requiring this use case are isolated to demos and other convenience
	// functions, meaning that the UpstreamCA signer is always the root. To support this specific
	// use case, while also minimizing disruption to the CA implementation and interfaces, this
	// method will always return the CA certificate managed by SPIRE as the 2nd element in the
	// certificate chain. No effort will be made to support this use case when the UpstreamCA
	// signer is not the root.
	//
	// TODO: Change the upstream_ca configurable to default to true. Evaluate whether this use
	// case should be supported in the long term.
	// (NOTE(review): "upstream_ca" here presumably means the upstream_bundle
	// configurable referred to above, i.e. ManagerConfig.UpstreamBundle.)
	//
	// [1]: https://acmccs.github.io/papers/p1407-acerA.pdf
	// [2]: https://www.openssl.org/docs/man1.1.0/man1/openssl-verify.html
	SignServerX509SVID(ctx context.Context, params ServerX509SVIDParams) ([]*x509.Certificate, error)
}

ServerCA is the signing interface exposed by a SPIRE server CA; *CA implements it.

type ServerX509SVIDParams

type ServerX509SVIDParams struct {
	// Public Key of the server, bound into the server SVID. No SPIFFE ID or
	// TTL is supplied; the CA presumably derives both itself — confirm in
	// SignServerX509SVID.
	PublicKey crypto.PublicKey
}

ServerX509SVIDParams are parameters relevant to server X509 SVID creation (see ServerCA.SignServerX509SVID).

type X509CA

// X509CA is the active X509 signing CA: its private key handle, its
// certificate, and (optionally) the chain back to an upstream CA.
type X509CA struct {
	// Signer is used to sign child certificates. It is a crypto.Signer
	// rather than raw key bytes, so the private key is never serialized with
	// the CA (compare X509CAEntry) and may live behind a keymanager plugin —
	// presumably, given ManagerConfig.X509CAKeyType; confirm in source.
	Signer crypto.Signer

	// Certificate is the CA certificate.
	Certificate *x509.Certificate

	// UpstreamChain contains the CA certificate and intermediates necessary to
	// chain back to the upstream trust bundle. It is only set if the CA is
	// signed by an UpstreamCA and the upstream trust bundle *is* the SPIRE
	// trust bundle (see the upstream_bundle configurable,
	// ManagerConfig.UpstreamBundle). It is nil otherwise.
	UpstreamChain []*x509.Certificate
}

func SelfSignX509CA

// SelfSignX509CA creates an X509CA whose certificate is signed by signer
// itself, for trustDomain with the given subject and validity window. The
// second result is a certificate slice whose role (presumably the trust
// bundle roots to publish) is not visible from the signature — confirm.
func SelfSignX509CA(ctx context.Context, signer crypto.Signer, trustDomain string, subject pkix.Name, notBefore, notAfter time.Time) (*X509CA, []*x509.Certificate, error)

func UpstreamSignX509CA

// UpstreamSignX509CA creates an X509CA whose certificate is signed by
// upstreamCA (presumably via a CSR from GenerateServerCACSR) with lifetime
// caTTL. upstreamBundle selects whether the upstream bundle is the SPIRE
// trust bundle; when true, X509CA.UpstreamChain is populated (see X509CA).
// The role of the second result is not visible from the signature —
// confirm in source.
func UpstreamSignX509CA(ctx context.Context, signer crypto.Signer, trustDomain string, subject pkix.Name, upstreamCA upstreamca.UpstreamCA, upstreamBundle bool, caTTL time.Duration) (*X509CA, []*x509.Certificate, error)

type X509CAEntry

// X509CAEntry is the journaled record of one rotated X509 CA.
//
// Only the certificate (and upstream chain) is recorded; the private key is
// not part of this format.
type X509CAEntry struct {
	// Which X509 CA slot this entry occupied.
	SlotId string `protobuf:"bytes,1,opt,name=slot_id,json=slotId,proto3" json:"slot_id,omitempty"`
	// When the CA was issued (unix epoch in seconds)
	IssuedAt int64 `protobuf:"varint,2,opt,name=issued_at,json=issuedAt,proto3" json:"issued_at,omitempty"`
	// DER encoded CA certificate
	Certificate []byte `protobuf:"bytes,3,opt,name=certificate,proto3" json:"certificate,omitempty"`
	// DER encoded upstream CA chain. See the X509CA struct for details.
	UpstreamChain        [][]byte `protobuf:"bytes,4,rep,name=upstream_chain,json=upstreamChain,proto3" json:"upstream_chain,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (*X509CAEntry) Descriptor

func (*X509CAEntry) Descriptor() ([]byte, []int)

func (*X509CAEntry) GetCertificate

func (m *X509CAEntry) GetCertificate() []byte

func (*X509CAEntry) GetIssuedAt

func (m *X509CAEntry) GetIssuedAt() int64

func (*X509CAEntry) GetSlotId

func (m *X509CAEntry) GetSlotId() string

func (*X509CAEntry) GetUpstreamChain

func (m *X509CAEntry) GetUpstreamChain() [][]byte

func (*X509CAEntry) ProtoMessage

func (*X509CAEntry) ProtoMessage()

func (*X509CAEntry) Reset

func (m *X509CAEntry) Reset()

func (*X509CAEntry) String

func (m *X509CAEntry) String() string

func (*X509CAEntry) XXX_DiscardUnknown

func (m *X509CAEntry) XXX_DiscardUnknown()

func (*X509CAEntry) XXX_Marshal

func (m *X509CAEntry) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*X509CAEntry) XXX_Merge

func (m *X509CAEntry) XXX_Merge(src proto.Message)

func (*X509CAEntry) XXX_Size

func (m *X509CAEntry) XXX_Size() int

func (*X509CAEntry) XXX_Unmarshal

func (m *X509CAEntry) XXX_Unmarshal(b []byte) error

type X509CASVIDParams

type X509CASVIDParams struct {
	// SPIFFE ID of the SVID. Because the result is a CA SVID (see
	// ServerCA.SignX509CASVID), this ID gains signing capability; the
	// authorization for that is not performed in this package as far as
	// the visible API shows.
	SpiffeID string

	// Public Key
	PublicKey crypto.PublicKey

	// TTL is the desired time-to-live of the SVID. Regardless of the TTL, the
	// lifetime of the certificate will be capped to that of the signing cert.
	TTL time.Duration
}

X509CASVIDParams are parameters relevant to X509 CA SVID creation

type X509SVIDParams

type X509SVIDParams struct {
	// SPIFFE ID of the SVID
	SpiffeID string

	// Public Key
	PublicKey crypto.PublicKey

	// TTL is the desired time-to-live of the SVID. Regardless of the TTL, the
	// lifetime of the certificate will be capped to that of the signing cert.
	TTL time.Duration

	// DNSList is used to add DNS SAN's to the X509 SVID. The first entry
	// is also added as the CN.
	//
	// NOTE(review): these names become hostnames that TLS clients will match
	// against. Where DNSList is validated or authorized is not visible here;
	// callers must ensure entries come from a vetted source rather than from
	// the requesting workload unchecked.
	DNSList []string
}

X509SVIDParams are parameters relevant to X509 SVID creation
