Documentation
Index
- type CA
- func (c CA) CertPool() (*x509.CertPool, error)
- func (c CA) CreateCRL(rand io.Reader, revokedCerts []pkix.RevokedCertificate, now, expiry time.Time) ([]byte, error)
- func (c CA) Sign(rand io.Reader, template *x509.Certificate) ([]byte, error)
- func (c CA) SignWithoutPreparing(rand io.Reader, template *x509.Certificate) ([]byte, error)
Types
type CA
Encapsulation of a Certificate Authority. This has a set of defined operations to be used in conjunction with other packages in this library, such as a keystore.
This struct and collection of functions exist only to sign CSRs and perform other CA operations that require a private key. The behavior of this module is designed to be simple and predictable, and to default to sane and safe behavior.
func New
Create a new CA struct from the given `store.Store` and `policy.Preparer`.
This double-checks that the provided CA is valid for the purposes of CA signing.
func (CA) CertPool
Create an x509.CertPool out of our Certificate. In the future this function is likely to output all known root and intermediary Certificates.
func (CA) Sign
Sign an x509.Certificate template (as one would pass to CreateCertificate), first running it through the given CA Preparer. This will set things like the Serial, NotAfter and NotBefore.
There are no safety checks to see whether signing this Certificate is, in fact, a good idea; this will just sign the given Certificate with the CA key.
func (CA) SignWithoutPreparing
Sign an x509.Certificate template (as one would pass to CreateCertificate) without first running it through the CA's Preparer. This is usually a very dangerous and ill-advised move, since it will bypass the controls and policies the CA has put into place.
The only exception to this rule is if the Certificate was put through the Preparer in the code block calling this, and has explicitly overridden known defaults in a thoughtful and meaningful way.
There are no safety checks to see whether signing this Certificate is, in fact, a good idea; this will just sign the given Certificate with the CA key.
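Because the signing methods apply no checks of their own, and SignWithoutPreparing also skips the Preparer, the template reaches the CA key exactly as the caller built it. As an added example (not code from this package), here is one caller-side check to run on the final template first, using only the standard library. `leafPolicy`, `vetLeaf`, the DNS suffix and the 90-day limit are hypothetical.

```go
package main

import (
	"crypto/x509"
	"errors"
	"fmt"
	"strings"
	"time"
)

// leafPolicy is a hypothetical caller-side policy; it is not part of the package.
type leafPolicy struct {
	AllowedSuffix string        // DNS names must end with this, e.g. ".internal.example"
	MaxValidity   time.Duration // longest NotBefore..NotAfter span accepted
}

// vetLeaf returns an error if signing tmpl as-is would issue anything other
// than a plain server/client leaf certificate permitted by p.
func vetLeaf(tmpl *x509.Certificate, p leafPolicy) error {
	if tmpl.IsCA || tmpl.KeyUsage&(x509.KeyUsageCertSign|x509.KeyUsageCRLSign) != 0 {
		return errors.New("template requests CA powers")
	}
	if !tmpl.NotAfter.After(tmpl.NotBefore) || tmpl.NotAfter.Sub(tmpl.NotBefore) > p.MaxValidity {
		return errors.New("validity window missing or longer than policy allows")
	}
	if len(tmpl.DNSNames) == 0 || len(tmpl.IPAddresses)+len(tmpl.EmailAddresses)+len(tmpl.URIs) > 0 {
		return errors.New("template must carry DNS SANs and no other SAN types")
	}
	for _, n := range tmpl.DNSNames {
		if strings.Contains(n, "*") || !strings.HasSuffix(strings.ToLower(n), p.AllowedSuffix) {
			return fmt.Errorf("DNS name %q outside policy", n)
		}
	}
	for _, eku := range tmpl.ExtKeyUsage {
		if eku != x509.ExtKeyUsageServerAuth && eku != x509.ExtKeyUsageClientAuth {
			return errors.New("extended key usage outside policy")
		}
	}
	return nil
}

func main() {
	now := time.Now()
	p := leafPolicy{AllowedSuffix: ".internal.example", MaxValidity: 90 * 24 * time.Hour}
	// Constructed sample template: it asks for CA powers, so it must be refused.
	bad := &x509.Certificate{DNSNames: []string{"api.internal.example"}, IsCA: true, NotBefore: now, NotAfter: now.Add(24 * time.Hour)}
	fmt.Println(vetLeaf(bad, p))
}
```

Run the check on the exact template value that is handed to the signing call, after all other modifications, so nothing can change between the check and the signature.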