Documentation
Overview
Package local implements certificate signature functionality for CFSSL.
Index
- func OverrideHosts(template *x509.Certificate, hosts []string)
- func PopulateSubjectFromCSR(s *signer.Subject, req pkix.Name) pkix.Name
- type LintError
- type Signer
- func NewDynamicSigner(getPriv func() crypto.Signer, getCaCert func() *x509.Certificate, ...) (*Signer, error)
- func NewSigner(priv crypto.Signer, cert *x509.Certificate, sigAlgo x509.SignatureAlgorithm, ...) (*Signer, error)
- func NewSignerFromFile(caFile, caKeyFile string, policy *config.Signing) (*Signer, error)
- func (s *Signer) Certificate(label, profile string) (*x509.Certificate, error)
- func (s *Signer) GetDBAccessor() certdb.Accessor
- func (s *Signer) Info(req info.Req) (resp *info.Resp, err error)
- func (s *Signer) Policy() *config.Signing
- func (s *Signer) SetDBAccessor(dba certdb.Accessor)
- func (s *Signer) SetPolicy(policy *config.Signing)
- func (s *Signer) SetReqModifier(func(*http.Request, []byte))
- func (s *Signer) SigAlgo() x509.SignatureAlgorithm
- func (s *Signer) Sign(req signer.SignRequest) (cert []byte, err error)
- func (s *Signer) SignFromPrecert(precert *x509.Certificate, scts []ct.SignedCertificateTimestamp) ([]byte, error)
Constants
This section is empty.
Variables
This section is empty.
Functions
func OverrideHosts
func OverrideHosts(template *x509.Certificate, hosts []string)
OverrideHosts fills template's IPAddresses, EmailAddresses, DNSNames, and URIs with the content of hosts, if it is not nil.
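The contract above has a detail worth seeing in code: a nil hosts slice leaves the template's SANs alone, while a non-nil slice (even an empty one) replaces all of them, so any SANs carried over from a CSR are discarded. The following is an added illustration, not the package's own code; the classification order (IP, then e-mail, then URI, then DNS name) and the sample hosts are assumptions made for this example.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"net"
	"net/mail"
	"net/url"
)

// overrideHosts illustrates the documented contract of OverrideHosts (an added
// example, not the package's own code): a non-nil hosts slice replaces every
// SAN field of template, so SANs taken from a CSR do not survive, while a nil
// slice leaves template untouched. Classifying each host as IP, then e-mail,
// then URI, then DNS name is an assumption made for this example.
func overrideHosts(template *x509.Certificate, hosts []string) {
	if hosts == nil {
		return
	}
	template.IPAddresses, template.EmailAddresses = nil, nil
	template.DNSNames, template.URIs = nil, nil
	for _, h := range hosts {
		if ip := net.ParseIP(h); ip != nil {
			template.IPAddresses = append(template.IPAddresses, ip)
		} else if addr, err := mail.ParseAddress(h); err == nil {
			template.EmailAddresses = append(template.EmailAddresses, addr.Address)
		} else if uri, err := url.ParseRequestURI(h); err == nil {
			template.URIs = append(template.URIs, uri)
		} else {
			template.DNSNames = append(template.DNSNames, h)
		}
	}
}

// sanCount returns how many SAN entries of any type template carries.
func sanCount(t *x509.Certificate) int {
	return len(t.IPAddresses) + len(t.EmailAddresses) + len(t.URIs) + len(t.DNSNames)
}

func main() {
	// Constructed template standing in for one derived from a CSR.
	tpl := &x509.Certificate{DNSNames: []string{"from-csr.example.com"}}
	overrideHosts(tpl, nil) // nil: the CSR's SAN is kept
	fmt.Println(tpl.DNSNames, sanCount(tpl))
	overrideHosts(tpl, []string{"10.0.0.1", "admin@example.com", "https://spiffe.example/ns/app", "www.example.com"})
	fmt.Println(tpl.IPAddresses, tpl.EmailAddresses, tpl.URIs, tpl.DNSNames)
	overrideHosts(tpl, []string{}) // empty but non-nil: every SAN is cleared
	fmt.Println(sanCount(tpl))
}
```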
Types
type LintError
type LintError struct {
ErrorResults map[string]lint.LintResult
}
LintError is an error type returned when pre-issuance linting is configured in a signing profile and a TBS Certificate fails linting. It wraps the concrete zlint LintResults so that callers can further inspect the cause of the failing lints.
type Signer
type Signer struct {
// contains filtered or unexported fields
}
Signer contains a signer that uses the standard library to support both ECDSA and RSA CA keys.
func NewDynamicSigner
func NewDynamicSigner(getPriv func() crypto.Signer, getCaCert func() *x509.Certificate, getSigAlgo func() x509.SignatureAlgorithm, policy *config.Signing) (*Signer, error)
NewDynamicSigner creates a dynamic Signer that obtains its private key and certificate from the supplied functions.
func NewSigner
func NewSigner(priv crypto.Signer, cert *x509.Certificate, sigAlgo x509.SignatureAlgorithm, policy *config.Signing) (*Signer, error)
NewSigner creates a new Signer directly from a private key and certificate, with optional policy.
func NewSignerFromFile
NewSignerFromFile generates a new local signer from caFile and caKeyFile, both PEM encoded.
func (*Signer) Certificate
func (s *Signer) Certificate(label, profile string) (*x509.Certificate, error)
Certificate returns the signer's certificate.
func (*Signer) GetDBAccessor
GetDBAccessor returns the signer's certificate DB accessor.
func (*Signer) SetDBAccessor
SetDBAccessor sets the signer's certificate DB accessor.
func (*Signer) SetReqModifier
SetReqModifier does nothing for the local signer.
func (*Signer) SigAlgo
func (s *Signer) SigAlgo() x509.SignatureAlgorithm
SigAlgo returns the RSA signer's signature algorithm.
func (*Signer) Sign
func (s *Signer) Sign(req signer.SignRequest) (cert []byte, err error)
Sign signs a new certificate from the PEM-encoded client certificate or certificate request in req, using the signing profile specified by profileName.
func (*Signer) SignFromPrecert
func (s *Signer) SignFromPrecert(precert *x509.Certificate, scts []ct.SignedCertificateTimestamp) ([]byte, error)
SignFromPrecert creates and signs a certificate from an existing precertificate that was previously signed by Signer.ca and inserts the provided SCTs into the new certificate. The resulting certificate will be an exact copy of the precert except for the removal of the poison extension and the addition of the SCT list extension. SignFromPrecert does not verify that the contents of the certificate still match the signing profile of the signer; it only requires that the precert was previously signed by the Signer's CA. Similarly, any linting configured by the profile used to sign the precert will not be re-applied to the final cert and must be done separately by the caller.