Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
var ( // If the Store has never had a Certificate pushed into the store, // the Store must return this error. Uninitialized error = fmt.Errorf("cyber store: Uninitialized Store") // If the Store has an Expired Certificate, tools that verify the // validity (or depend on a valid Certificate) should return this. Expired error = fmt.Errorf("cyber store: Expired Certificate") )
Functions ¶
func TLSCertificate ¶
func TLSCertificate(store Store) (*tls.Certificate, error)
Given a `store.Store`, create a `tls.Certificate` out of the Store, for use in TLS Connections. This is most helpful to provide a TLS Peer Certificate for use in mutual authentication.
Types ¶
type Store ¶
type Store interface {
// Get the last known Certificate. When the Store is first initialized,
// and no Certificate is on record, the correct behavior is to return
// a nil Certificate, and a `store.Uninitialized` error.
//
// The application can then take higher level action, such as creating
// a self-signed Certificate (using Sign below) and calling `Update`.
//
// Avoid creating or signing a new Certificate in this function if at all
// possible.
Certificate() (*x509.Certificate, error)
// Store a new copy of the Certificate. After this call, all calls to
// Certificate above must return this certificate.
Update(x509.Certificate) error
// Get the public key that relates to the private key in the store.
// Most practically, this is used to create a x509.CertificateRequest,
// so it can be basically anything that it understands.
Public() crypto.PublicKey
// Sign (maybe using `rand`) the `digest`, and return the signature.
// See the `crypto.Signer` interface for more on how this should work
// (including the details on how hashing is done and passed into this
// funcntion).
Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error)
// Decrypt (maybe using `rand`) the ciphertext `msg`, configured using
// options `DecrypterOpts`, and return the plaintext.
Decrypt(rand io.Reader, msg []byte, opts crypto.DecrypterOpts) ([]byte, error)
}
A Store, at its core, does a single thing. That one thing is to store x509 Certificates, Recieve x509 Certificates, and preform Signatures using the Private key that relates to the Public key.
This API does not require that the implementation provide the private key. This is intentional, since a store that is hardware backed likely ought to flat out refuse to provide the private key.
As such, the idea is that this should be as simple as possible. When in doubt, force complexity explicitly out of this interface.
This interface is also unaware of the CA. This is the responsibility of the caller, and no logic involving who issued the CA is actually needed in here.
This type also implements the `crypto.Signer` interface, to be used directly by higher level types.
Source Files
Directories