x509svid

package x509svid, version v1.11.0

Published: Oct 23, 2024 License: Apache-2.0 Imports: 13 Imported by: 1

Documentation

Constants

const (
	DefaultUpstreamCABackdate = time.Second * 10
	DefaultUpstreamCATTL      = time.Hour
)

Variables

This section is empty.

Functions

func ParseAndValidateCSR

func ParseAndValidateCSR(csrDER []byte, td spiffeid.TrustDomain) (csr *x509.CertificateRequest, err error)

func UniqueIDAttribute added in v1.4.2

func UniqueIDAttribute(id spiffeid.ID) pkix.AttributeTypeAndValue

UniqueIDAttribute returns an X.500 Unique ID attribute (OID 2.5.4.45) for the given SPIFFE ID, for inclusion in an X509-SVID, to satisfy the RFC 5280 requirement that the subject "DN MUST be unique for each subject entity certified by the one CA as defined by the issuer field" (see issue #3110 for the discussion on this).

The unique ID is composed of a SHA256 hash of the SPIFFE ID, truncated to 128 bits (16 bytes), and then hex encoded. This *SHOULD* be large enough to provide collision resistance on the input domain (i.e. the registration entry SPIFFE IDs registered with this server), which ranges from very to somewhat restricted depending on the registration scheme and on how much influence an attacker can have over workload registration.
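
The unique-ID construction described above, as an added example in Go that is not the package's own code: it takes the SPIFFE ID as a plain string rather than a spiffeid.ID (an assumption, so that only the standard library is needed) and shows the attribute placed into a subject DN whose CN and O are otherwise identical for two SVIDs.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"fmt"
)

// OIDUniqueIdentifier is the X.500 uniqueIdentifier attribute (OID 2.5.4.45)
// that the UniqueIDAttribute documentation above refers to.
var OIDUniqueIdentifier = asn1.ObjectIdentifier{2, 5, 4, 45}

// UniqueIDFromSPIFFEID follows the scheme described for UniqueIDAttribute:
// SHA-256 over the SPIFFE ID, truncated to 16 bytes (128 bits), hex encoded.
// It takes the ID as a plain string instead of a spiffeid.ID (an assumption
// made so the example needs only the standard library).
func UniqueIDFromSPIFFEID(spiffeID string) pkix.AttributeTypeAndValue {
	sum := sha256.Sum256([]byte(spiffeID))
	return pkix.AttributeTypeAndValue{
		Type:  OIDUniqueIdentifier,
		Value: hex.EncodeToString(sum[:16]),
	}
}

// SubjectWithUniqueID builds a subject DN whose CN and O are fixed, as they
// commonly are for SVIDs, and relies on the unique ID attribute alone to keep
// subjects distinct per subject entity, as RFC 5280 requires of one CA.
func SubjectWithUniqueID(commonName, spiffeID string) pkix.Name {
	return pkix.Name{
		CommonName:   commonName,
		Organization: []string{"SPIRE"},
		ExtraNames:   []pkix.AttributeTypeAndValue{UniqueIDFromSPIFFEID(spiffeID)},
	}
}

// SubjectDER encodes the subject as it would appear in the certificate, which
// is the form whose uniqueness matters; two DER-equal subjects are one subject.
func SubjectDER(subject pkix.Name) ([]byte, error) {
	return asn1.Marshal(subject.ToRDNSequence())
}

func main() {
	a, _ := SubjectDER(SubjectWithUniqueID("workload", "spiffe://example.org/ns/default/sa/web"))
	b, _ := SubjectDER(SubjectWithUniqueID("workload", "spiffe://example.org/ns/default/sa/api"))
	fmt.Println("same CN, distinct subjects:", !bytes.Equal(a, b))
}
```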

func ValidateCSR

func ValidateCSR(csr *x509.CertificateRequest, td spiffeid.TrustDomain) error

Types

type UpstreamCA

type UpstreamCA struct {
	// contains filtered or unexported fields
}

func NewUpstreamCA

func NewUpstreamCA(keypair x509util.Keypair, trustDomain spiffeid.TrustDomain, options UpstreamCAOptions) *UpstreamCA

func (*UpstreamCA) SignCSR

func (ca *UpstreamCA) SignCSR(ctx context.Context, csrDER []byte, preferredTTL time.Duration) (*x509.Certificate, error)

type UpstreamCAOptions

type UpstreamCAOptions struct {
	Backdate time.Duration
	Clock    clock.Clock
}
