Index ¶
- Constants
- Variables
- func AddDriver(name string, driver DriverFactory)
- func LogConfigForKey(key crypto.PublicKey) *siglog.LogStreamConfig
- func Names() []string
- type CA
- func CreateCA(ctx context.Context, path string, cust CertCustomiser, p prompt.PasswordPrompt) (*CA, error)
- func LoadCA(ctx context.Context, path string, auditor siglog.MessageChecker, ...) (*CA, error)
- func MaybeLoadCa(ctx context.Context, path string, isDir bool, p prompt.PasswordPrompt) (*CA, error)
- func (c *CA) Certificate() *x509.Certificate
- func (c *CA) Close() error
- func (c *CA) LogNote(note []byte) error
- func (c *CA) LogRotate(oldLog io.Writer) (err error)
- func (c *CA) NextSerialNumber() *big.Int
- func (c *CA) PublicKey() crypto.PublicKey
- func (c *CA) Sign(template *x509.Certificate, csr *x509.CertificateRequest) ([]byte, error)
- func (c *CA) String() string
- type CertCustomiser
- type CertTrace
- type Config
- type Driver
- type DriverFactory
- type LogAuditor
- type UntypedDriverConfig
Constants ¶
const (
	// DefaultConfigFileName is the config file name a CA directory is
	// expected to contain (see MaybeLoadCa).
	DefaultConfigFileName = "ca.conf"
	// DefaultCertFileName is the default file name for the CA certificate.
	DefaultCertFileName = "ca.pem"
	// DefaultAuditLogFileName is the default file name for the audit log.
	DefaultAuditLogFileName = "audit.log"
	// DefaultAuditLogKeepCopies is the number of rotated audit logs kept when
	// Config.Log.KeepCopies is 0.
	DefaultAuditLogKeepCopies = 5
	// DefaultDriverName names the file-backed key driver, presumably used
	// when Config.Driver is unset — confirm against Config.DriverName.
	DefaultDriverName = "file"
	// AuditLogRotationSuffix is the fmt pattern (one integer verb) used to
	// name rotated copies of the audit log.
	AuditLogRotationSuffix = ".%d"
)
Variables ¶
// Audit-log message types. A stream opens (and, on rotation, closes) with a
// roll message listing the certificates the CA has issued, records each
// signing with an issue message (certificate followed by its CSR), and
// accepts free-form note messages written via CA.LogNote. The rules an
// auditor enforces over these are described on LogAuditor. MustMessageType
// panics on an invalid name, which is acceptable here only because these run
// at package init.
var (
	LogMessageTypeRoll  = siglog.MustMessageType("roll")
	LogMessageTypeIssue = siglog.MustMessageType("issue")
	LogMessageTypeNote  = siglog.MustMessageType("note")
)
// ErrNoDriver is the sentinel for a Config.Driver name that has not been
// registered with AddDriver; presumably surfaced by Config.MakeDriver
// (GetDriverFactory itself returns no error). Test with errors.Is.
var ErrNoDriver = errors.New("driver not found")
Functions ¶
func AddDriver ¶
func AddDriver(name string, driver DriverFactory)
func LogConfigForKey ¶
func LogConfigForKey(key crypto.PublicKey) *siglog.LogStreamConfig
Types ¶
type CA ¶
// CA is a certificate authority that has been created (CreateCA) or loaded
// (LoadCA). Config is its on-disk configuration; the certificate, signer and
// audit-log state live in unexported fields. Where the private key is kept
// and how signing happens is delegated to the Driver named in Config, so the
// key need not be present on disk for a CA to be loaded.
type CA struct {
	Config *Config
	// contains filtered or unexported fields
}
func CreateCA ¶
func CreateCA(ctx context.Context, path string, cust CertCustomiser, p prompt.PasswordPrompt) (*CA, error)
CreateCA creates a new CA object and initializes the key, certificate and audit log on disk. If the key or certificate already exist they are used as is — nothing here verifies that such leftovers are the ones you intended, so a caller expecting a freshly generated key should check the path first. The audit log must not exist prior to this call, which guarantees an existing log is never truncated or overwritten. The signature no longer takes keyCryptOptions: the prompt p is handed to the driver, which uses it to obtain the passphrase or PIN needed to encrypt a newly created key or decrypt an existing one.
func LoadCA ¶
func LoadCA(ctx context.Context, path string, auditor siglog.MessageChecker, p prompt.PasswordPrompt) (*CA, error)
LoadCA loads an existing CA. The certificate and audit log must already exist, and the audit log is verified as it is read; auditor can be non-nil to perform additional verification of each message during that pass (see LogAuditor). The signature no longer takes keyCryptOptions: the prompt p is handed to the driver to obtain the passphrase or PIN if and when the key is decrypted. The private key for the CA does not need to exist for the CA to be loaded; an attempt to load it is made only when an operation that requires it (such as Sign) is performed on the loaded CA.
func MaybeLoadCa ¶
func MaybeLoadCa(ctx context.Context, path string, isDir bool, p prompt.PasswordPrompt) (*CA, error)
MaybeLoadCa inspects path and attempts to load the CA only if it looks like a CA config file or a CA directory. It returns (nil, nil) when no load is attempted, so callers must check for a nil *CA rather than treating a nil error as success. The path should exist as either a file or a directory.
func (*CA) Certificate ¶
func (c *CA) Certificate() *x509.Certificate
func (*CA) NextSerialNumber ¶
func (*CA) Sign ¶
func (c *CA) Sign(template *x509.Certificate, csr *x509.CertificateRequest) ([]byte, error)
type CertCustomiser ¶
// CertCustomiser adjusts a certificate template before it is signed. One is
// passed to CreateCA for the CA's own certificate, and Driver.InitPrivateKey
// returns one so a key backend can impose constraints of its own; several can
// be chained with JoinCustomisers. Returning an error presumably aborts the
// operation — confirm against the callers.
type CertCustomiser func(certificate *x509.Certificate) error
func JoinCustomisers ¶
func JoinCustomisers(customisers ...CertCustomiser) CertCustomiser
type CertTrace ¶
// CertTrace is the minimal record of an issued certificate that the audit log
// carries in roll messages: enough to later confirm that this CA issued it and
// to build a CRL entry for it. The exact contents of each field are not
// defined on this page; see MakeTrace before relying on them.
type CertTrace struct {
	// Description is presumably a human-readable label for the certificate.
	Description string `json:"description"`
	// NotAfter is the certificate's expiry; a revocation entry is only
	// needed until then.
	NotAfter time.Time `json:"not_after"`
	// Serial is what a CRL lists, so it must be the serial exactly as issued.
	// NOTE(review): byte encoding (big-endian, sign) not shown here — verify.
	Serial []byte `json:"serial"`
	// Sha512_256 lets a presented certificate be matched against the log
	// without storing the certificate itself. NOTE(review): the hash input
	// (raw DER is the usual choice) is not shown here — verify in MakeTrace.
	Sha512_256 []byte `json:"sha512_256"`
}
CertTrace is just enough info about a certificate to tell if a CA really did issue it and when, and to generate a CRL.
func MakeTrace ¶
func MakeTrace(cert *x509.Certificate) *CertTrace
func ParseLogRollMessage ¶
func ParseLogRollMessage(payload []byte) (cert *x509.Certificate, traces []*CertTrace, err error)
func ParseTrace ¶
func ParseTraces ¶
type Config ¶
// Config is the CA's on-disk YAML configuration (DefaultConfigFileName). It
// locates the audit log and CA certificate and names the key driver; the
// driver-specific section is kept untyped until the chosen driver decodes it.
// NOTE(review): Driver decides which backend performs signing, so the config
// file is as security-relevant as the key material — protect its integrity.
type Config struct {
	Log struct {
		// Path is the audit log location. NOTE(review): unlike the other
		// Path fields this one carries no explicit yaml tag; most YAML
		// decoders fall back to the lower-cased field name, so "path"
		// likely still works, but an explicit tag would remove the doubt.
		Path string
		// KeepCopies is the number of past audit logs to keep for the CA.
		// Use an integer value here: 0 for the default
		// (DefaultAuditLogKeepCopies), or -1 to not keep any copies.
		KeepCopies int `yaml:"keep_copies"`
	} `yaml:"log"`
	Certificate struct {
		// Path is the CA certificate location.
		Path string `yaml:"path"`
	} `yaml:"certificate"`
	// Driver names a DriverFactory registered with AddDriver.
	Driver string `yaml:"driver"`
	// DriverConfig is the raw driver_config section, decoded later by the
	// driver via UnmarshalDriverConfig.
	DriverConfig UntypedDriverConfig `yaml:"driver_config"`
	// contains filtered or unexported fields
}
func (*Config) CertificateFilePath ¶
func (*Config) DriverName ¶
func (*Config) LogFilePath ¶
func (*Config) LogFilesToKeep ¶
func (*Config) MakeDriver ¶
func (*Config) RelConfigPath ¶
type Driver ¶
// Driver abstracts where the CA's private key is kept and how signing is
// performed with it; Config.Driver selects the implementation by the name it
// was registered under (DefaultDriverName is "file"). Every method that may
// need the key receives a PasswordPrompt so the backend can ask for a
// passphrase or PIN only when it actually needs one.
type Driver interface {
	io.Closer

	// InitPrivateKey should create a new private key only if one does not
	// already exist. If one does exist it should return the public part and
	// a signer. This will be called once when a CA is created.
	// NOTE(review): the return values do not tell the caller whether the key
	// was generated or reused, and CreateCA documents that an existing key
	// is used as is; a driver whose key location could be pre-populated by
	// another party should guard against silently adopting such a key.
	InitPrivateKey(prompt prompt.PasswordPrompt) (publicKey crypto.PublicKey, certCustomiser CertCustomiser, signer crypto.Signer, err error)

	// GetSigner returns the signer that this driver stores. It may use the prompt
	// to get a pin or passphrase during the call to GetSigner, or after it has
	// returned during a call to methods on the returned signer.
	// The certificate is presumably supplied so the driver can locate, or
	// check, the key matching the certificate's public key — confirm per
	// driver.
	GetSigner(certificate *x509.Certificate, prompt prompt.PasswordPrompt) (crypto.Signer, error)

	// SetCertificate is called a single time on completion of the CA's
	// initialisation. If the driver stores certificates then this is the time
	// to save it. It does not need to store the certificate.
	SetCertificate(certificate *x509.Certificate, prompt prompt.PasswordPrompt) error
}
type DriverFactory ¶
// DriverFactory builds a Driver from the CA configuration plus the decoded
// driver-specific section. It is registered under a name with AddDriver and
// looked up with GetDriverFactory.
type DriverFactory interface {
	// String returns the factory's name.
	String() string
	// NewDriverConfig returns an empty value of the driver's own config type,
	// presumably filled from Config.DriverConfig via UnmarshalDriverConfig
	// before NewDriver is called — confirm against Config.MakeDriver.
	NewDriverConfig() any
	// NewDriver constructs the driver; driverConfig is the value returned by
	// NewDriverConfig after decoding.
	NewDriver(caConfig *Config, driverConfig any) (Driver, error)
}
func GetDriverFactory ¶
func GetDriverFactory(name string) DriverFactory
type LogAuditor ¶
// LogAuditor validates a CA audit log message by message (CheckMessage has the
// siglog.MessageChecker shape, so it can be passed to LoadCA as the auditor):
// roll/issue ordering, that a closing roll message accounts for every
// certificate the stream issued, and that each issue message carries a
// certificate issued by CaCert whose key matches the accompanying CSR.
// CertsIssued presumably accumulates the traces seen so far and is updated
// while checking, so one LogAuditor should not be shared across concurrent
// loads — confirm against CheckMessage.
type LogAuditor struct {
	CaCert      *x509.Certificate
	CertsIssued []*CertTrace
	// contains filtered or unexported fields
}
LogAuditor checks a CA log to ensure it is in the correct format. Things that are checked:
- Message sequence: the first message must be a roll message, and if there is a second roll message it must be the last message in the stream.
- A closing roll message must contain all the certificates that the opening roll message contains and, in addition, all the certificates issued since the opening roll message — so no issuance can disappear from the record.
- If this auditor is shown more than one log stream, each stream's opening roll message must match the closing roll message of the previous stream, so nothing can be dropped across a log rotation.
- Issue messages must contain a certificate followed by a CSR. The certificate must have been issued by the CA, and the public key in the CSR must match the public key in the certificate.
func (*LogAuditor) CheckMessage ¶
func (a *LogAuditor) CheckMessage(seq int, m *siglog.Message) error
func (LogAuditor) InitCA ¶
func (a LogAuditor) InitCA(ca *CA) error
type UntypedDriverConfig ¶
// UntypedDriverConfig carries the driver_config section of Config without
// interpreting it: UnmarshalYAML appears to capture the raw node, and
// UnmarshalDriverConfig later decodes it into the config type of whichever
// driver Config.Driver names.
type UntypedDriverConfig struct {
	// contains filtered or unexported fields
}
func (*UntypedDriverConfig) UnmarshalDriverConfig ¶
func (dc *UntypedDriverConfig) UnmarshalDriverConfig(v interface{}) error
func (*UntypedDriverConfig) UnmarshalYAML ¶
func (dc *UntypedDriverConfig) UnmarshalYAML(unmarshal func(interface{}) error) error