cautils

package cautils v0.13.3 (not the latest version of its module)
Published: Sep 30, 2019 License: Apache-2.0 Imports: 38 Imported by: 0

Documentation
Index

Constants

View Source
const (
	SignType = iota
	RevokeType
	SSHUserSignType
	SSHHostSignType
)

Token signing types

Variables

This section is empty.

Functions

func ACMECreateCertFlow added in v0.13.0

func ACMECreateCertFlow(ctx *cli.Context, provisionerName string) error

ACMECreateCertFlow performs an ACME transaction to get a new certificate.

func ACMESignCSRFlow added in v0.13.0

func ACMESignCSRFlow(ctx *cli.Context, csr *x509.CertificateRequest, certFile, provisionerName string) error

ACMESignCSRFlow performs an ACME transaction using an existing CSR to get a new certificate.

func NewTokenFlow

func NewTokenFlow(ctx *cli.Context, typ int, subject string, sans []string, caURL, root string, notBefore, notAfter time.Time, certNotBefore, certNotAfter provisioner.TimeDuration) (string, error)

NewTokenFlow implements the common flow used to generate a token against an online CA.

func OfflineTokenFlow

func OfflineTokenFlow(ctx *cli.Context, typ int, subject string, sans []string, notBefore, notAfter time.Time, certNotBefore, certNotAfter provisioner.TimeDuration) (string, error)

OfflineTokenFlow generates a provisioning token using either

  1. static configuration from ca.json (created with `step ca init`)
  2. input from command line flags

These two options are mutually exclusive; when both are available, ca.json takes priority.

Types

type CaClient

type CaClient interface {
	Sign(req *api.SignRequest) (*api.SignResponse, error)
	SignSSH(req *api.SignSSHRequest) (*api.SignSSHResponse, error)
	Renew(tr http.RoundTripper) (*api.SignResponse, error)
	Revoke(req *api.RevokeRequest, tr http.RoundTripper) (*api.RevokeResponse, error)
}

CaClient is the interface implemented by the client used to sign, renew, or revoke certificates.

type CertificateFlow

type CertificateFlow struct {
	// contains filtered or unexported fields
}

CertificateFlow manages the flow to retrieve a new certificate.

func NewCertificateFlow

func NewCertificateFlow(ctx *cli.Context) (*CertificateFlow, error)

NewCertificateFlow initializes a cli flow to get a new certificate.

func (*CertificateFlow) CreateSignRequest

func (f *CertificateFlow) CreateSignRequest(ctx *cli.Context, tok, subject string, sans []string) (*api.SignRequest, crypto.PrivateKey, error)

CreateSignRequest is a helper that, given an X.509 one-time token (OTT), returns a simple but secure sign request together with the private key generated for it.

func (*CertificateFlow) GenerateSSHToken

func (f *CertificateFlow) GenerateSSHToken(ctx *cli.Context, subject, certType string, principals []string, validAfter, validBefore provisioner.TimeDuration) (string, error)

GenerateSSHToken generates a token used to authorize the signing of an SSH certificate.

func (*CertificateFlow) GenerateToken

func (f *CertificateFlow) GenerateToken(ctx *cli.Context, subject string, sans []string) (string, error)

GenerateToken generates a token for immediate use (therefore only default validity values are used). The token is generated either with the offline token flow or in online mode against the CA.

func (*CertificateFlow) GetClient

func (f *CertificateFlow) GetClient(ctx *cli.Context, subject, tok string) (CaClient, error)

GetClient returns the client used to send requests to the CA.

func (*CertificateFlow) Sign

func (f *CertificateFlow) Sign(ctx *cli.Context, token string, csr api.CertificateRequest, crtFile string) error

Sign signs the CSR using the online or the offline certificate authority.

type ErrACMEToken added in v0.13.0

type ErrACMEToken struct {
	Name string
}

ErrACMEToken is the error type returned when the user attempts a Token Flow while using an ACME provisioner.

func (*ErrACMEToken) Error added in v0.13.0

func (e *ErrACMEToken) Error() string

Error implements the error interface.

type OfflineCA

type OfflineCA struct {
	// contains filtered or unexported fields
}

OfflineCA is a wrapper on top of the certificate authority's methods that is used to sign certificates without a running (online) CA.

func NewOfflineCA

func NewOfflineCA(configFile string) (*OfflineCA, error)

NewOfflineCA initializes an OfflineCA from the CA configuration file at configFile.

func (*OfflineCA) Audience

func (c *OfflineCA) Audience(tokType int) string

Audience returns the token audience.

func (*OfflineCA) CaURL

func (c *OfflineCA) CaURL() string

CaURL returns the CA URL using the first DNS entry.

func (*OfflineCA) GenerateToken

func (c *OfflineCA) GenerateToken(ctx *cli.Context, typ int, subject string, sans []string, notBefore, notAfter time.Time, certNotBefore, certNotAfter provisioner.TimeDuration) (string, error)

GenerateToken creates the token used by the authority to authorize requests.

func (*OfflineCA) Provisioners

func (c *OfflineCA) Provisioners() provisioner.List

Provisioners returns the list of configured provisioners.

func (*OfflineCA) Renew

func (c *OfflineCA) Renew(rt http.RoundTripper) (*api.SignResponse, error)

Renew is a wrapper on top of the authority's Renew method. It returns an api.SignResponse with the requested certificate and the intermediate.

func (*OfflineCA) Revoke

func (c *OfflineCA) Revoke(req *api.RevokeRequest, rt http.RoundTripper) (*api.RevokeResponse, error)

Revoke is a wrapper on top of the authority's Revoke method. It returns an api.RevokeResponse.

func (*OfflineCA) Root

func (c *OfflineCA) Root() string

Root returns the path of the file used as root certificate.

func (*OfflineCA) Sign

func (c *OfflineCA) Sign(req *api.SignRequest) (*api.SignResponse, error)

Sign is a wrapper on top of the authority's Authorize and Sign methods. It returns an api.SignResponse with the requested certificate and the intermediate.

func (*OfflineCA) SignSSH

func (c *OfflineCA) SignSSH(req *api.SignSSHRequest) (*api.SignSSHResponse, error)

SignSSH is a wrapper on top of the authority's Authorize and SignSSH methods. It returns an api.SignSSHResponse with the signed certificate.

func (*OfflineCA) VerifyClientCert

func (c *OfflineCA) VerifyClientCert(certFile, keyFile string) error

VerifyClientCert verifies and validates the client cert/key pair using the offline CA root and intermediate certificates.
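The check VerifyClientCert describes, written out with the Go standard library as an added example (this is not the package's own code): a root/intermediate/client-leaf hierarchy is constructed in memory, then the leaf and its key are checked the way an offline CA would check a client pair. The names buildPKI and verifyClientCert, the common names and the validity periods are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// pki is a constructed root -> intermediate -> client-leaf hierarchy, the shape an offline CA works with.
type pki struct {
	root, intermediate, leaf *x509.Certificate
	leafKey                  *ecdsa.PrivateKey
}

// issue signs tmpl for pub with signer's key under parent (parent == tmpl self-signs).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func caTemplate(cn string, serial int64, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// buildPKI mints fresh keys and certificates in memory; nothing is read from disk.
func buildPKI(now time.Time) (*pki, error) {
	keys := make([]*ecdsa.PrivateKey, 3) // root, intermediate, leaf
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	rootTmpl := caTemplate("Example Root CA", 1, now)
	root, err := issue(rootTmpl, rootTmpl, &keys[0].PublicKey, keys[0])
	if err != nil {
		return nil, err
	}
	inter, err := issue(caTemplate("Example Intermediate CA", 2, now), root, &keys[1].PublicKey, keys[0])
	if err != nil {
		return nil, err
	}
	leaf, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "client.example.internal"},
		DNSNames:     []string{"client.example.internal"},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, inter, &keys[2].PublicKey, keys[1])
	if err != nil {
		return nil, err
	}
	return &pki{root: root, intermediate: inter, leaf: leaf, leafKey: keys[2]}, nil
}

// verifyClientCert performs the two checks VerifyClientCert is documented to make:
// the private key must belong to the certificate, and the certificate must chain
// through the intermediate to the offline CA's root (for client auth, at time now).
func verifyClientCert(leaf *x509.Certificate, key *ecdsa.PrivateKey, root, intermediate *x509.Certificate, now time.Time) error {
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok || !pub.Equal(&key.PublicKey) {
		return errors.New("private key does not match the certificate's public key")
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	now := time.Now()
	p, err := buildPKI(now)
	if err != nil {
		panic(err)
	}
	fmt.Println("chain and key check:", verifyClientCert(p.leaf, p.leafKey, p.root, p.intermediate, now))
}
```

The key-match test is what separates "this certificate is valid" from "this certificate is mine": a client cert paired with the wrong key would pass chain verification alone. Passing the intermediate explicitly mirrors an offline CA that has both root and intermediate files locally; a leaf issued by any other intermediate, or presented outside its validity window, is rejected.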

type TokenGenerator

type TokenGenerator struct {
	// contains filtered or unexported fields
}

TokenGenerator is a helper used to generate the different types of token accepted by the CA.

func NewTokenGenerator

func NewTokenGenerator(kid, iss, aud, root string, notBefore, notAfter time.Time, jwk *jose.JSONWebKey) *TokenGenerator

NewTokenGenerator initializes a new token generator with the common fields.

func (*TokenGenerator) RevokeToken

func (t *TokenGenerator) RevokeToken(sub string) (string, error)

RevokeToken generates an X.509 certificate revocation token.

func (*TokenGenerator) SignSSHToken

func (t *TokenGenerator) SignSSHToken(sub, certType string, principals []string, notBefore, notAfter provisioner.TimeDuration) (string, error)

SignSSHToken generates an SSH certificate signing token.

func (*TokenGenerator) SignToken

func (t *TokenGenerator) SignToken(sub string, sans []string) (string, error)

SignToken generates an X.509 certificate signing token. If sans is empty, the subject (common name) is used as the only SAN.

func (*TokenGenerator) Token

func (t *TokenGenerator) Token(sub string, opts ...token.Options) (string, error)

Token generates a generic token with the given subject and options.
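What a TokenGenerator produces, and what the CA checks when the token comes back, shown with the standard library as an added example. This is not the package's code: the real TokenGenerator signs with a jose.JSONWebKey through the token package (see the signatures above), whereas here a compact ES256 JWS is assembled by hand. The type and function names (tokenGenerator, signToken, verifyToken), the audience URL and the root fingerprint are constructed for the example; the "sans" and "sha" claims are the ones step tokens carry.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ottClaims: the registered JWT claims plus step's "sans" (SANs the token authorizes)
// and "sha" (hex SHA-256 fingerprint of the CA root, pinning the token to one CA).
type ottClaims struct {
	Issuer    string   `json:"iss"`
	Subject   string   `json:"sub"`
	Audience  string   `json:"aud"`
	ID        string   `json:"jti"`
	NotBefore int64    `json:"nbf"`
	Expiry    int64    `json:"exp"`
	SANs      []string `json:"sans"`
	RootSHA   string   `json:"sha"`
}

// tokenGenerator is a hypothetical stdlib stand-in for cautils.TokenGenerator: kid names
// the provisioner key, iss the provisioner, aud the CA endpoint the token is redeemed at.
type tokenGenerator struct {
	kid, iss, aud, rootSHA string
	notBefore, notAfter    time.Time
	key                    *ecdsa.PrivateKey // the provisioner's private signing key
}

// signToken mirrors TokenGenerator.SignToken: with no SANs the subject (common name)
// becomes the only SAN. The result is a compact JWS signed with ES256.
func (t *tokenGenerator) signToken(sub string, sans []string) (string, error) {
	if len(sans) == 0 {
		sans = []string{sub}
	}
	jti := make([]byte, 16) // random ID; the CA records it so the token is single-use
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": t.kid}) // cannot fail
	body, err := json.Marshal(ottClaims{Issuer: t.iss, Subject: sub, Audience: t.aud,
		ID: base64.RawURLEncoding.EncodeToString(jti), NotBefore: t.notBefore.Unix(),
		Expiry: t.notAfter.Unix(), SANs: sans, RootSHA: t.rootSHA})
	if err != nil {
		return "", err
	}
	signingInput := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, t.key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signatures are fixed-width r||s, not ASN.1 DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// verifyToken is the CA-side check a token must pass before a sign request is honoured:
// valid ES256 signature under the provisioner key, expected audience, validity window, root pin.
func verifyToken(tok string, pub *ecdsa.PublicKey, wantAud, wantRootSHA string, now time.Time) (*ottClaims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	payload, err1 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil || len(sig) != 64 {
		return nil, errors.New("bad token encoding")
	}
	// The algorithm is fixed here rather than read from the header, so "alg" confusion cannot arise.
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("invalid signature")
	}
	var c ottClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Audience != wantAud:
		return nil, fmt.Errorf("audience %q is not %q", c.Audience, wantAud)
	case now.Unix() < c.NotBefore || now.Unix() >= c.Expiry:
		return nil, errors.New("token outside its validity window")
	case c.RootSHA != wantRootSHA:
		return nil, errors.New("root fingerprint mismatch")
	}
	return &c, nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	g := &tokenGenerator{kid: "provisioner-key-1", iss: "admin", aud: "https://ca.example.internal/1.0/sign",
		rootSHA: strings.Repeat("00", 32), notBefore: time.Now(), notAfter: time.Now().Add(5 * time.Minute), key: key}
	tok, _ := g.signToken("web.example.internal", nil)
	fmt.Println(verifyToken(tok, &key.PublicKey, g.aud, g.rootSHA, time.Now()))
}
```

Three properties of the token matter for security and are all checked here: the audience binds the token to one CA endpoint (a sign token cannot be replayed against the revoke endpoint), the root fingerprint binds it to one CA, and the short nbf/exp window limits how long a leaked token is usable. The replay check against jti is the CA's job (it keeps a store of used token IDs) and is not implemented in this example.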
