authority

package
v1.28.0-rc.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 10, 2023 License: Apache-2.0 Imports: 8 Imported by: 4

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type CertificateAuthority

type CertificateAuthority struct {
	// RawCert is an optional field to determine if signing cert/key pairs have changed
	RawCert []byte
	// RawKey is an optional field to determine if signing cert/key pairs have changed
	RawKey []byte

	Certificate *x509.Certificate
	PrivateKey  crypto.Signer
}

CertificateAuthority implements a certificate authority that supports policy based signing. It's used by the signing controller.

func (*CertificateAuthority) Sign

func (ca *CertificateAuthority) Sign(crDER []byte, policy SigningPolicy) ([]byte, error)

Sign signs a certificate request, applying a SigningPolicy and returns a DER encoded x509 certificate.

type PermissiveSigningPolicy

type PermissiveSigningPolicy struct {
	// TTL is used in certificate NotAfter calculation as described above.
	TTL time.Duration

	// Usages are the allowed usages of a certificate.
	Usages []capi.KeyUsage

	// Backdate is used in certificate NotBefore calculation as described above.
	Backdate time.Duration

	// Short is the duration used to determine if the lifetime of a certificate should be considered short.
	Short time.Duration

	// Now defaults to time.Now but can be stubbed for testing
	Now func() time.Time
}

PermissiveSigningPolicy is the signing policy historically used by the local signer.

  • It forwards all SANs from the original signing request.
  • It sets allowed usages as configured in the policy.
  • It zeros all extensions.
  • It sets BasicConstraints to true.
  • It sets IsCA to false.
  • It validates that the signer has not expired.
  • It sets NotBefore and NotAfter: All certificates set NotBefore = Now() - Backdate. Long-lived certificates set NotAfter = Now() + TTL - Backdate. Short-lived certificates set NotAfter = Now() + TTL. All certificates truncate NotAfter to the expiration date of the signer.

type SigningPolicy

type SigningPolicy interface {
	// contains filtered or unexported methods
}

SigningPolicy validates a CertificateRequest before it's signed by the CertificateAuthority. It may default or otherwise mutate a certificate template.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL