Documentation
¶
Overview ¶
Package tlsca provides internal TLS certificate authority used for mutual TLS authentication with the auth server and internal teleport components and external clients
Index ¶
- Variables
- func CalculatePins(certsBytes []byte) ([]string, error)
- func ClusterName(subject pkix.Name) (string, error)
- func GenerateCertificateRequestPEM(subject pkix.Name, priv crypto.Signer) ([]byte, error)
- func GenerateSelfSignedCA(entity pkix.Name, dnsNames []string, ttl time.Duration) ([]byte, []byte, error)
- func GenerateSelfSignedCAWithConfig(config GenerateCAConfig) (certPEM []byte, err error)
- func GenerateSelfSignedCAWithSigner(signer crypto.Signer, entity pkix.Name, dnsNames []string, ttl time.Duration) ([]byte, error)
- func MarshalCertificatePEM(cert *x509.Certificate) ([]byte, error)
- func MarshalPrivateKeyPEM(privateKey *rsa.PrivateKey) []byte
- func MarshalPublicKeyFromPrivateKeyPEM(privateKey crypto.PrivateKey) ([]byte, error)
- func ParseCertificatePEM(bytes []byte) (*x509.Certificate, error)
- func ParseCertificatePEMs(bytes []byte) ([]*x509.Certificate, error)
- func ParseCertificateRequestPEM(bytes []byte) (*x509.CertificateRequest, error)
- func ParsePrivateKeyDER(der []byte) (crypto.Signer, error)
- func ParsePrivateKeyPEM(bytes []byte) (crypto.Signer, error)
- func ParsePublicKeyDER(der []byte) (crypto.PublicKey, error)
- func ParsePublicKeyPEM(bytes []byte) (interface{}, error)
- type CertAuthority
- type CertificateRequest
- type GenerateCAConfig
- type Identity
- type RouteToApp
- type RouteToDatabase
Constants ¶
This section is empty.
Variables ¶
View Source
var ( // KubeUsersASN1ExtensionOID is an extension ID used when encoding/decoding // license payload into certificates KubeUsersASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 1} // KubeGroupsASN1ExtensionOID is an extension ID used when encoding/decoding // license payload into certificates KubeGroupsASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 2} // KubeClusterASN1ExtensionOID is an extension ID used when encoding/decoding // target kubernetes cluster name into certificates. KubeClusterASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 3} // AppSessionIDASN1ExtensionOID is an extension ID used to encode the application // session ID into a certificate. AppSessionIDASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 4} // AppClusterNameASN1ExtensionOID is an extension ID used to encode the application // cluster name into a certificate. AppClusterNameASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 5} // AppPublicAddrASN1ExtensionOID is an extension ID used to encode the application // public address into a certificate. AppPublicAddrASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 6} // TeleportClusterASN1ExtensionOID is an extension ID used when encoding/decoding // origin teleport cluster name into certificates. TeleportClusterASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 7} // MFAVerifiedASN1ExtensionOID is an extension ID used when encoding/decoding // the MFAVerified flag into certificates. MFAVerifiedASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 8} // ClientIPASN1ExtensionOID is an extension ID used when encoding/decoding // the client IP into certificates. ClientIPASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 9} // AppNameASN1ExtensionOID is an extension ID used when encoding/decoding // application name into a certificate. AppNameASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 10} // AppAWSRoleARNASN1ExtensionOID is an extension ID used when encoding/decoding // AWS role ARN into a certificate. AppAWSRoleARNASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 11} // AWSRoleARNsASN1ExtensionOID is an extension ID used when encoding/decoding // allowed AWS role ARNs into a certificate. AWSRoleARNsASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 12} // RenewableCertificateASN1ExtensionOID is an extension ID used to indicate // that a certificate may be renewed by a certificate renewal bot. RenewableCertificateASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 13} // GenerationASN1ExtensionOID is an extension OID used to count the number // of times this certificate has been renewed. GenerationASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 14} // PrivateKeyPolicyASN1ExtensionOID is an extension ID used to determine the // private key policy supported by the certificate. PrivateKeyPolicyASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 15} // DatabaseServiceNameASN1ExtensionOID is an extension ID used when encoding/decoding // database service name into certificates. DatabaseServiceNameASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 1} // DatabaseProtocolASN1ExtensionOID is an extension ID used when encoding/decoding // database protocol into certificates. DatabaseProtocolASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 2} // DatabaseUsernameASN1ExtensionOID is an extension ID used when encoding/decoding // database username into certificates. DatabaseUsernameASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 3} // DatabaseNameASN1ExtensionOID is an extension ID used when encoding/decoding // database name into certificates. DatabaseNameASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 4} // DatabaseNamesASN1ExtensionOID is an extension OID used when encoding/decoding // allowed database names into certificates. DatabaseNamesASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 5} // DatabaseUsersASN1ExtensionOID is an extension OID used when encoding/decoding // allowed database users into certificates. DatabaseUsersASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 6} // ImpersonatorASN1ExtensionOID is an extension OID used when encoding/decoding // impersonator user ImpersonatorASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 7} // ActiveRequestsASN1ExtensionOID is an extension OID used when encoding/decoding // active access requests into certificates. ActiveRequestsASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 8} // DisallowReissueASN1ExtensionOID is an extension OID used to flag that a // requests to generate new certificates using this certificate should be // denied. DisallowReissueASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 9} // AllowedResourcesASN1ExtensionOID is an extension OID used to list the // resources which the certificate should be able to grant access to AllowedResourcesASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 10} // SystemRolesASN1ExtensionOID is an extension OID used to indicate system roles // (auth, proxy, node, etc). Note that some certs correspond to a single specific // system role, and use `pkix.Name.Organization` to encode this value. This extension // is specifically used for "multi-role" certs. SystemRolesASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 11} // PreviousIdentityExpiresASN1ExtensionOID is the RFC3339 timestamp representing the hard // deadline of the session on a certificates issued after an MFA check. // See https://github.com/gravitational/teleport/issues/18544. PreviousIdentityExpiresASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 12} )
Custom ranges are taken from this article
https://serverfault.com/questions/551477/is-there-reserved-oid-space-for-internal-enterprise-cas
Functions ¶
func CalculatePins ¶
CalculatePins returns the SPKI pins for the given set of concatenated PEM-encoded certificates
func ClusterName ¶
ClusterName returns cluster name from organization
func GenerateCertificateRequestPEM ¶
GenerateCertificateRequestPEM returns PEM-encoded certificate signing request from the provided subject and private key.
func GenerateSelfSignedCA ¶
func GenerateSelfSignedCA(entity pkix.Name, dnsNames []string, ttl time.Duration) ([]byte, []byte, error)
GenerateSelfSignedCA generates self-signed certificate authority used for internal inter-node communications
func GenerateSelfSignedCAWithConfig ¶
func GenerateSelfSignedCAWithConfig(config GenerateCAConfig) (certPEM []byte, err error)
GenerateSelfSignedCAWithConfig generates a new CA certificate from the specified configuration. Returns PEM-encoded private key/certificate payloads upon success
func GenerateSelfSignedCAWithSigner ¶
func GenerateSelfSignedCAWithSigner(signer crypto.Signer, entity pkix.Name, dnsNames []string, ttl time.Duration) ([]byte, error)
GenerateSelfSignedCAWithSigner generates self-signed certificate authority used for internal inter-node communications
func MarshalCertificatePEM ¶
func MarshalCertificatePEM(cert *x509.Certificate) ([]byte, error)
MarshalCertificatePEM takes a *x509.Certificate and returns the PEM encoded bytes.
func MarshalPrivateKeyPEM ¶
func MarshalPrivateKeyPEM(privateKey *rsa.PrivateKey) []byte
MarshalPrivateKeyPEM marshals provided rsa.PrivateKey into PEM format.
func MarshalPublicKeyFromPrivateKeyPEM ¶
func MarshalPublicKeyFromPrivateKeyPEM(privateKey crypto.PrivateKey) ([]byte, error)
MarshalPublicKeyFromPrivateKeyPEM extracts public key from private key and returns PEM marshaled key
func ParseCertificatePEM ¶
func ParseCertificatePEM(bytes []byte) (*x509.Certificate, error)
ParseCertificatePEM parses PEM-encoded certificate
func ParseCertificatePEMs ¶
func ParseCertificatePEMs(bytes []byte) ([]*x509.Certificate, error)
ParseCertificatePEM parses multiple PEM-encoded certificates
func ParseCertificateRequestPEM ¶
func ParseCertificateRequestPEM(bytes []byte) (*x509.CertificateRequest, error)
ParseCertificateRequestPEM parses PEM-encoded certificate signing request
func ParsePrivateKeyDER ¶
ParsePrivateKeyDER parses unencrypted DER-encoded private key
func ParsePrivateKeyPEM ¶
ParsePrivateKeyPEM parses PEM-encoded private key
func ParsePublicKeyDER ¶
ParsePublicKeyDER parses unencrypted DER-encoded publice key
func ParsePublicKeyPEM ¶
ParsePublicKeyPEM parses public key PEM
Types ¶
type CertAuthority ¶
type CertAuthority struct {
// Cert is a CA certificate
Cert *x509.Certificate
// Signer is a private key based signer
Signer crypto.Signer
}
CertAuthority is X.509 certificate authority
func FromCertAndSigner ¶
func FromCertAndSigner(certPEM []byte, signer crypto.Signer) (*CertAuthority, error)
FromCertAndSigner returns a CertAuthority with the given raw certificate and signer.
func FromKeys ¶
func FromKeys(certPEM, keyPEM []byte) (*CertAuthority, error)
FromKeys returns new CA from PEM encoded certificate and private key. Private Key is optional, if omitted CA won't be able to issue new certificates, only verify them
func FromTLSCertificate ¶
func FromTLSCertificate(ca tls.Certificate) (*CertAuthority, error)
FromTLSCertificate returns a CertAuthority with the given TLS certificate.
func (*CertAuthority) GenerateCertificate ¶
func (ca *CertAuthority) GenerateCertificate(req CertificateRequest) ([]byte, error)
GenerateCertificate generates certificate from request
type CertificateRequest ¶
type CertificateRequest struct {
// Clock is a clock used to get current or test time
Clock clockwork.Clock
// PublicKey is a public key to sign
PublicKey crypto.PublicKey
// Subject is a subject to include in certificate
Subject pkix.Name
// NotAfter is a time after which the issued certificate
// will be no longer valid
NotAfter time.Time
// DNSNames is a list of DNS names to add to certificate
DNSNames []string
// Optional. ExtraExtensions to populate.
// Note: ExtraExtensions can override ExtKeyUsage and SANs (like DNSNames).
ExtraExtensions []pkix.Extension
// Optional. KeyUsage for the certificate.
KeyUsage x509.KeyUsage
// Optional. CRL endpoints.
CRLDistributionPoints []string
}
CertificateRequest is a X.509 signing certificate request
func (*CertificateRequest) CheckAndSetDefaults ¶
func (c *CertificateRequest) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets default values
type GenerateCAConfig ¶
type GenerateCAConfig struct {
Signer crypto.Signer
Entity pkix.Name
DNSNames []string
IPAddresses []net.IP
TTL time.Duration
Clock clockwork.Clock
}
GenerateCAConfig defines the configuration for generating self-signed CA certificates
type Identity ¶
type Identity struct {
// Username is a username or name of the node connection
Username string
// Impersonator is a username of a user impersonating this user
Impersonator string
// Groups is a list of groups (Teleport roles) encoded in the identity
Groups []string
// SystemRoles is a list of system roles (e.g. auth, proxy, node, etc) used
// in "multi-role" certificates. Single-role certificates encode the system role
// in `Groups` for back-compat reasons.
SystemRoles []string
// Usage is a list of usage restrictions encoded in the identity
Usage []string
// Principals is a list of Unix logins allowed.
Principals []string
// KubernetesGroups is a list of Kubernetes groups allowed
KubernetesGroups []string
// KubernetesUsers is a list of Kubernetes users allowed
KubernetesUsers []string
// Expires specifies whenever the session will expire
Expires time.Time
// RouteToCluster specifies the target cluster
// if present in the session
RouteToCluster string
// KubernetesCluster specifies the target kubernetes cluster for TLS
// identities. This can be empty on older Teleport clients.
KubernetesCluster string
// Traits hold claim data used to populate a role at runtime.
Traits wrappers.Traits
// RouteToApp holds routing information for applications. Routing metadata
// allows Teleport web proxy to route HTTP requests to the appropriate
// cluster and Teleport application proxy within the cluster.
RouteToApp RouteToApp
// TeleportCluster is the name of the teleport cluster that this identity
// originated from. For TLS certs this may not be the same as cert issuer,
// in case of multi-hop requests that originate from a remote cluster.
TeleportCluster string
// RouteToDatabase contains routing information for databases.
RouteToDatabase RouteToDatabase
// DatabaseNames is a list of allowed database names.
DatabaseNames []string
// DatabaseUsers is a list of allowed database users.
DatabaseUsers []string
// MFAVerified is the UUID of an MFA device when this Identity was
// confirmed immediately after an MFA check.
MFAVerified string
// PreviousIdentityExpires is the expiry time of the identity/cert that this
// identity/cert was derived from. It is used to determine a session's hard
// deadline in cases where both require_session_mfa and disconnect_expired_cert
// are enabled. See https://github.com/gravitational/teleport/issues/18544.
PreviousIdentityExpires time.Time
// ClientIP is an observed IP of the client that this Identity represents.
ClientIP string
// AWSRoleARNs is a list of allowed AWS role ARNs user can assume.
AWSRoleARNs []string
// ActiveRequests is a list of UUIDs of active requests for this Identity.
ActiveRequests []string
// DisallowReissue is a flag that, if set, instructs the auth server to
// deny any attempts to reissue new certificates while authenticated with
// this certificate.
DisallowReissue bool
// Renewable indicates that this identity is allowed to renew it's
// own credentials. This is only enabled for certificate renewal bots.
Renewable bool
// Generation counts the number of times this certificate has been renewed.
Generation uint64
// AllowedResourceIDs lists the resources the identity should be allowed to
// access.
AllowedResourceIDs []types.ResourceID
// PrivateKeyPolicy is the private key policy supported by this identity.
PrivateKeyPolicy keys.PrivateKeyPolicy
}
Identity is an identity of the user or service, e.g. Proxy or Node
func FromSubject ¶
FromSubject returns identity from subject name
func (*Identity) CheckAndSetDefaults ¶
CheckAndSetDefaults checks and sets default values
func (*Identity) GetEventIdentity ¶
func (*Identity) GetRouteToApp ¶
func (id *Identity) GetRouteToApp() (RouteToApp, error)
GetRouteToApp returns application routing data. If missing, returns an error.
func (Identity) GetUserMetadata ¶
func (id Identity) GetUserMetadata() events.UserMetadata
type RouteToApp ¶
type RouteToApp struct {
// SessionID is a UUIDv4 used to identify application sessions created by
// this certificate. The reason a UUID was used instead of a hash of the
// SubjectPublicKeyInfo like the CA pin is for UX consistency. For example,
// the SessionID is emitted in the audit log, using a UUID matches how SSH
// sessions are identified.
SessionID string
// PublicAddr (and ClusterName) are used to route requests issued with this
// certificate to the appropriate application proxy/cluster.
PublicAddr string
// ClusterName (and PublicAddr) are used to route requests issued with this
// certificate to the appropriate application proxy/cluster.
ClusterName string
// Name is the app name.
Name string
// AWSRoleARN is the AWS role to assume when accessing AWS console.
AWSRoleARN string
}
RouteToApp holds routing information for applications.
type RouteToDatabase ¶
type RouteToDatabase struct {
// ServiceName is the name of the Teleport database proxy service
// to route requests to.
ServiceName string
// Protocol is the database protocol.
//
// It is embedded in identity so clients can understand what type
// of database this is without contacting server.
Protocol string
// Username is an optional database username to serve as a default
// username to connect as.
Username string
// Database is an optional database name to serve as a default
// database to connect to.
Database string
}
RouteToDatabase contains routing information for databases.
func (RouteToDatabase) String ¶
func (r RouteToDatabase) String() string
String returns string representation of the database routing struct.
Source Files
Click to show internal directories.
Click to hide internal directories.