ca

package
v1.6.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Feb 28, 2023 License: Apache-2.0 Imports: 48 Imported by: 7

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func MaxSVIDTTL added in v1.0.1

func MaxSVIDTTL() time.Duration

MaxSVIDTTL returns the maximum SVID lifetime that can be guaranteed to not be cut artificially short by a scheduled rotation.

func MaxSVIDTTLForCATTL added in v1.0.1

func MaxSVIDTTLForCATTL(caTTL time.Duration) time.Duration

MaxSVIDTTLForCATTL returns the maximum SVID TTL that can be guaranteed given a specific CA TTL. In other words, given a CA TTL, what is the largest SVID TTL that is guaranteed to not be cut artificially short by a scheduled rotation?

func MinCATTLForSVIDTTL added in v1.0.1

func MinCATTLForSVIDTTL(svidTTL time.Duration) time.Duration

MinCATTLForSVIDTTL returns the minimum CA TTL necessary to guarantee an SVID TTL of the provided value. In other words, given an SVID TTL, what is the minimum CA TTL that will guarantee that the SVIDs lifetime won't be cut artificially short by a scheduled rotation?

Types

type AgentX509SVIDParams added in v1.6.0

type AgentX509SVIDParams struct {
	// Public Key
	PublicKey crypto.PublicKey

	// SPIFFE ID of the agent
	SPIFFEID spiffeid.ID
}

AgentX509SVIDParams are parameters relevant to agent X509-SVID creation

type BundleUpdater added in v0.10.0

type BundleUpdater interface {
	AppendX509Roots(ctx context.Context, roots []*x509.Certificate) error
	AppendJWTKeys(ctx context.Context, keys []*common.PublicKey) ([]*common.PublicKey, error)
	LogError(err error, msg string)
}

BundleUpdater is the interface used by the UpstreamClient to append bundle updates.

type CA

type CA struct {
	// contains filtered or unexported fields
}

func NewCA

func NewCA(config Config) *CA

func (*CA) JWTKey

func (ca *CA) JWTKey() *JWTKey

func (*CA) SetJWTKey

func (ca *CA) SetJWTKey(jwtKey *JWTKey)

func (*CA) SetX509CA

func (ca *CA) SetX509CA(x509CA *X509CA)

func (*CA) SignAgentX509SVID added in v1.6.0

func (ca *CA) SignAgentX509SVID(ctx context.Context, params AgentX509SVIDParams) ([]*x509.Certificate, error)

func (*CA) SignDownstreamX509CA added in v1.6.0

func (ca *CA) SignDownstreamX509CA(ctx context.Context, params DownstreamX509CAParams) ([]*x509.Certificate, error)

func (*CA) SignServerX509SVID

func (ca *CA) SignServerX509SVID(ctx context.Context, params ServerX509SVIDParams) ([]*x509.Certificate, error)

func (*CA) SignWorkloadJWTSVID added in v1.6.0

func (ca *CA) SignWorkloadJWTSVID(ctx context.Context, params WorkloadJWTSVIDParams) (string, error)

func (*CA) SignWorkloadX509SVID added in v1.6.0

func (ca *CA) SignWorkloadX509SVID(ctx context.Context, params WorkloadX509SVIDParams) ([]*x509.Certificate, error)

func (*CA) X509CA

func (ca *CA) X509CA() *X509CA

type Config

type Config struct {
	Log           logrus.FieldLogger
	Clock         clock.Clock
	Metrics       telemetry.Metrics
	TrustDomain   spiffeid.TrustDomain
	CredBuilder   *credtemplate.Builder
	CredValidator *credvalidator.Validator
	HealthChecker health.Checker
}

type DownstreamX509CAParams added in v1.6.0

type DownstreamX509CAParams struct {
	// Public Key
	PublicKey crypto.PublicKey

	// TTL is the desired time-to-live of the SVID. Regardless of the TTL, the
	// lifetime of the certificate will be capped to that of the signing cert.
	TTL time.Duration
}

DownstreamX509CAParams are parameters relevant to downstream X.509 CA creation

type JWTKey

type JWTKey struct {
	// The signer used to sign keys
	Signer crypto.Signer

	// Kid is the JWT key ID (i.e. "kid" claim)
	Kid string

	// NotAfter is the expiration time of the JWT key.
	NotAfter time.Time
}

type JWTKeyEntry

type JWTKeyEntry = journal.JWTKeyEntry

type Journal

type Journal struct {
	// contains filtered or unexported fields
}

Journal stores X509 CAs and JWT keys on disk as they are rotated by the manager. The data format on disk is a PEM encoded protocol buffer.

func LoadJournal

func LoadJournal(path string) (*Journal, error)

func (*Journal) AppendJWTKey

func (j *Journal) AppendJWTKey(slotID string, issuedAt time.Time, jwtKey *JWTKey) error

func (*Journal) AppendX509CA

func (j *Journal) AppendX509CA(slotID string, issuedAt time.Time, x509CA *X509CA) error

func (*Journal) Entries

func (j *Journal) Entries() *JournalEntries

type JournalEntries

type JournalEntries = journal.Entries

type ManagedCA

type ManagedCA interface {
	SetX509CA(*X509CA)
	SetJWTKey(*JWTKey)
}

type Manager

type Manager struct {
	// contains filtered or unexported fields
}

func NewManager

func NewManager(c ManagerConfig) *Manager

func (*Manager) Initialize

func (m *Manager) Initialize(ctx context.Context) error

func (*Manager) PublishJWTKey added in v0.10.0

func (m *Manager) PublishJWTKey(ctx context.Context, jwtKey *common.PublicKey) ([]*common.PublicKey, error)

PublishJWTKey publishes the passed JWK to the upstream server using the configured UpstreamAuthority plugin, then appends to the bundle the JWKs returned by the upstream server, and finally it returns the updated list of JWT keys contained in the bundle.

The following cases may arise when calling this function:

- The UpstreamAuthority plugin doesn't implement PublishJWTKey, in which case we receive an Unimplemented error from the upstream server, and hence we log a one time warning about this, append the passed JWK to the bundle, and return the updated list of JWT keys.

- The UpstreamAuthority plugin returned an error, then we return the error.

- There is no UpstreamAuthority plugin configured, then assumes we are the root server and just appends the passed JWK to the bundle and returns the updated list of JWT keys.

func (*Manager) Run

func (m *Manager) Run(ctx context.Context) error

type ManagerConfig

type ManagerConfig struct {
	CA            ManagedCA
	CredBuilder   *credtemplate.Builder
	CredValidator *credvalidator.Validator
	Catalog       catalog.Catalog
	TrustDomain   spiffeid.TrustDomain
	X509CAKeyType keymanager.KeyType
	JWTKeyType    keymanager.KeyType
	Dir           string
	Log           logrus.FieldLogger
	Metrics       telemetry.Metrics
	Clock         clock.Clock
	HealthChecker health.Checker
}

type ServerCA

type ServerCA interface {
	SignDownstreamX509CA(ctx context.Context, params DownstreamX509CAParams) ([]*x509.Certificate, error)
	SignServerX509SVID(ctx context.Context, params ServerX509SVIDParams) ([]*x509.Certificate, error)
	SignAgentX509SVID(ctx context.Context, params AgentX509SVIDParams) ([]*x509.Certificate, error)
	SignWorkloadX509SVID(ctx context.Context, params WorkloadX509SVIDParams) ([]*x509.Certificate, error)
	SignWorkloadJWTSVID(ctx context.Context, params WorkloadJWTSVIDParams) (string, error)
}

ServerCA is an interface for Server CAs

type ServerX509SVIDParams

type ServerX509SVIDParams struct {
	// Public Key
	PublicKey crypto.PublicKey
}

ServerX509SVIDParams are parameters relevant to server X509-SVID creation

type UpstreamClient added in v0.10.0

type UpstreamClient struct {
	// contains filtered or unexported fields
}

UpstreamClient is used to interact with and stream updates from the UpstreamAuthority plugin.

func NewUpstreamClient added in v0.10.0

func NewUpstreamClient(config UpstreamClientConfig) *UpstreamClient

NewUpstreamClient returns a new UpstreamAuthority plugin client.

func (*UpstreamClient) Close added in v0.10.0

func (u *UpstreamClient) Close() error

Close closes the client, stopping any open streams against the UpstreamAuthority plugin.

func (*UpstreamClient) MintX509CA added in v0.10.0

func (u *UpstreamClient) MintX509CA(ctx context.Context, csr []byte, ttl time.Duration, validateX509CA ValidateX509CAFunc) (_ []*x509.Certificate, err error)

MintX509CA mints an X.509CA using the UpstreamAuthority. It maintains an open stream to the UpstreamAuthority plugin to receive and append X.509 root updates to the bundle. The stream remains open until another call to MintX509CA happens or the client is closed.

func (*UpstreamClient) PublishJWTKey added in v0.10.0

func (u *UpstreamClient) PublishJWTKey(ctx context.Context, jwtKey *common.PublicKey) (_ []*common.PublicKey, err error)

PublishJWTKey publishes the JWT key to the UpstreamAuthority. It maintains an open stream to the UpstreamAuthority plugin to receive and append JWT key updates to the bundle. The stream remains open until another call to PublishJWTKey happens or the client is closed.

func (*UpstreamClient) WaitUntilMintX509CAStreamDone added in v0.10.0

func (u *UpstreamClient) WaitUntilMintX509CAStreamDone(ctx context.Context) error

WaitUntilMintX509CAStreamDone waits until the MintX509CA stream has stopped.

func (*UpstreamClient) WaitUntilPublishJWTKeyStreamDone added in v0.10.0

func (u *UpstreamClient) WaitUntilPublishJWTKeyStreamDone(ctx context.Context) error

WaitUntilPublishJWTKeyStreamDone waits until the MintX509CA stream has stopped.

type UpstreamClientConfig added in v0.10.0

type UpstreamClientConfig struct {
	UpstreamAuthority upstreamauthority.UpstreamAuthority
	BundleUpdater     BundleUpdater
}

UpstreamClientConfig is the configuration for an UpstreamClient. Each field is required.

type ValidateX509CAFunc added in v1.2.0

type ValidateX509CAFunc = func(x509CA, x509Roots []*x509.Certificate) error

ValidateX509CAFunc is used by the upstream client to validate an X509CA newly minted by an upstream authority before it accepts it.

type WorkloadJWTSVIDParams added in v1.6.0

type WorkloadJWTSVIDParams struct {
	// SPIFFE ID of the SVID
	SPIFFEID spiffeid.ID

	// TTL is the desired time-to-live of the SVID. Regardless of the TTL, the
	// lifetime of the token will be capped to that of the signing key.
	TTL time.Duration

	// Audience is used for audience claims
	Audience []string
}

WorkloadJWTSVIDParams are parameters relevant to workload JWT-SVID creation

type WorkloadX509SVIDParams added in v1.6.0

type WorkloadX509SVIDParams struct {
	// Public Key
	PublicKey crypto.PublicKey

	// SPIFFE ID of the SVID
	SPIFFEID spiffeid.ID

	// DNSNames is used to add DNS SAN's to the X509 SVID. The first entry
	// is also added as the CN.
	DNSNames []string

	// TTL is the desired time-to-live of the SVID. Regardless of the TTL, the
	// lifetime of the certificate will be capped to that of the signing cert.
	TTL time.Duration

	// Subject of the SVID. Default subject is used if it is empty.
	Subject pkix.Name
}

WorkloadX509SVIDParams are parameters relevant to workload X509-SVID creation

type X509CA

type X509CA struct {
	// Signer is used to sign child certificates.
	Signer crypto.Signer

	// Certificate is the CA certificate.
	Certificate *x509.Certificate

	// UpstreamChain contains the CA certificate and intermediates necessary to
	// chain back to the upstream trust bundle. It is only set if the CA is
	// signed by an UpstreamCA.
	UpstreamChain []*x509.Certificate
}

type X509CAEntry

type X509CAEntry = journal.X509CAEntry

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL