Documentation

Index

Constants

This section is empty.

Variables

View Source
var DisableIdentity = false

    DisableIdentity is a global variable to disable the identity.

    View Source
    var UserAgent = "step-http-client/1.0"

      UserAgent will set the User-Agent header in the client requests.

      Functions

      func BootstrapClient

      func BootstrapClient(ctx context.Context, token string, options ...TLSOption) (*http.Client, error)

        BootstrapClient is a helper function that using the given bootstrap token return an http.Client configured with a Transport prepared to do TLS connections using the client certificate returned by the certificate authority. By default the server will kick off a routine that will renew the certificate after 2/3rd of the certificate's lifetime has expired.

        Usage:

        // Default example with certificate rotation.
        client, err := ca.BootstrapClient(ctx.Background(), token)
        
        // Example canceling automatic certificate rotation.
        ctx, cancel := context.WithCancel(context.Background())
        defer cancel()
        client, err := ca.BootstrapClient(ctx, token)
        if err != nil {
          return err
        }
        resp, err := client.Get("https://internal.smallstep.com")
        

        func BootstrapListener

        func BootstrapListener(ctx context.Context, token string, inner net.Listener, options ...TLSOption) (net.Listener, error)

          BootstrapListener is a helper function that using the given token returns a TLS listener which accepts connections from an inner listener and wraps each connection with Server.

          Without any extra option the server will be configured for mTLS, it will require and verify clients certificates, but options can be used to drop this requirement, the most common will be only verify the certs if given with ca.VerifyClientCertIfGiven(), or add extra CAs with ca.AddClientCA(*x509.Certificate).

          Usage:

          inner, err := net.Listen("tcp", ":443")
          if err != nil {
            return nil
          }
          ctx, cancel := context.WithCancel(context.Background())
          defer cancel()
          lis, err := ca.BootstrapListener(ctx, token, inner)
          if err != nil {
              return err
          }
          srv := grpc.NewServer()
          ... // register services
          srv.Serve(lis)
          

          func BootstrapServer

          func BootstrapServer(ctx context.Context, token string, base *http.Server, options ...TLSOption) (*http.Server, error)

            BootstrapServer is a helper function that using the given token returns the given http.Server configured with a TLS certificate signed by the Certificate Authority. By default the server will kick off a routine that will renew the certificate after 2/3rd of the certificate's lifetime has expired.

            Without any extra option the server will be configured for mTLS, it will require and verify clients certificates, but options can be used to drop this requirement, the most common will be only verify the certs if given with ca.VerifyClientCertIfGiven(), or add extra CAs with ca.AddClientCA(*x509.Certificate).

            Usage:

            // Default example with certificate rotation.
            srv, err := ca.BootstrapServer(context.Background(), token, &http.Server{
                Addr: ":443",
                Handler: handler,
            })
            
            // Example canceling automatic certificate rotation.
            ctx, cancel := context.WithCancel(context.Background())
            defer cancel()
            srv, err := ca.BootstrapServer(ctx, token, &http.Server{
                Addr: ":443",
                Handler: handler,
            })
            if err != nil {
                return err
            }
            srv.ListenAndServeTLS("", "")
            

            func Certificate

            func Certificate(sign *api.SignResponse) (*x509.Certificate, error)

              Certificate returns the server or client certificate from the sign response.

              func CreateCertificateRequest

              func CreateCertificateRequest(commonName string, sans ...string) (*api.CertificateRequest, crypto.PrivateKey, error)

                CreateCertificateRequest creates a new CSR with the given common name and SANs. If no san is provided the commonName will set also a SAN.

                func CreateIdentityRequest

                func CreateIdentityRequest(commonName string, sans ...string) (*api.CertificateRequest, crypto.PrivateKey, error)

                  CreateIdentityRequest returns a new CSR to create the identity. If an identity was already present it reuses the private key.

                  func CreateSignRequest

                  func CreateSignRequest(ott string) (*api.SignRequest, crypto.PrivateKey, error)

                    CreateSignRequest is a helper function that given an x509 OTT returns a simple but secure sign request as well as the private key used.

                    func IntermediateCertificate

                    func IntermediateCertificate(sign *api.SignResponse) (*x509.Certificate, error)

                      IntermediateCertificate returns the CA intermediate certificate from the sign response.

                      func LoadDefaultIdentity

                      func LoadDefaultIdentity() (*identity.Identity, error)

                        LoadDefaultIdentity is a wrapper for identity.LoadDefaultIdentity.

                        func RootCertificate

                        func RootCertificate(sign *api.SignResponse) (*x509.Certificate, error)

                          RootCertificate returns the root certificate from the sign response.

                          func StopHandler

                          func StopHandler(servers ...Stopper)

                            StopHandler watches SIGINT, SIGTERM on a list of servers implementing the Stopper interface, and when one of those signals is caught we'll run Stop (SIGINT, SIGTERM) on all servers.

                            func StopReloaderHandler

                            func StopReloaderHandler(servers ...StopReloader)

                              StopReloaderHandler watches SIGINT, SIGTERM and SIGHUP on a list of servers implementing the StopReloader interface, and when one of those signals is caught we'll run Stop (SIGINT, SIGTERM) or Reload (SIGHUP) on all servers.

                              func TLSCertificate

                              func TLSCertificate(sign *api.SignResponse, pk crypto.PrivateKey) (*tls.Certificate, error)

                                TLSCertificate creates a new TLS certificate from the sign response and the private key used.

                                func WithRenewBefore

                                func WithRenewBefore(b time.Duration) func(r *TLSRenewer) error

                                  WithRenewBefore modifies a tlsRenewer by setting the renewBefore attribute.

                                  func WithRenewJitter

                                  func WithRenewJitter(j time.Duration) func(r *TLSRenewer) error

                                    WithRenewJitter modifies a tlsRenewer by setting the renewJitter attribute.

                                    func WriteDefaultIdentity

                                    func WriteDefaultIdentity(certChain []api.Certificate, key crypto.PrivateKey) error

                                      WriteDefaultIdentity is a wrapper for identity.WriteDefaultIdentity.

                                      Types

                                      type ACMEClient

                                      type ACMEClient struct {
                                      	Key *jose.JSONWebKey
                                      	// contains filtered or unexported fields
                                      }

                                        ACMEClient implements an HTTP client to an ACME API.

                                        func NewACMEClient

                                        func NewACMEClient(endpoint string, contact []string, opts ...ClientOption) (*ACMEClient, error)

                                          NewACMEClient initializes a new ACMEClient.

                                          func (*ACMEClient) FinalizeOrder

                                          func (c *ACMEClient) FinalizeOrder(url string, csr *x509.CertificateRequest) error

                                            FinalizeOrder makes a finalize request to the ACME api.

                                            func (*ACMEClient) GetAccountOrders

                                            func (c *ACMEClient) GetAccountOrders() ([]string, error)

                                              GetAccountOrders retrieves the orders belonging to the given account.

                                              func (*ACMEClient) GetAuthz

                                              func (c *ACMEClient) GetAuthz(url string) (*acme.Authz, error)

                                                GetAuthz returns the Authz at the given path.

                                                func (*ACMEClient) GetCertificate

                                                func (c *ACMEClient) GetCertificate(url string) (*x509.Certificate, []*x509.Certificate, error)

                                                  GetCertificate retrieves the certificate along with all intermediates.

                                                  func (*ACMEClient) GetChallenge

                                                  func (c *ACMEClient) GetChallenge(url string) (*acme.Challenge, error)

                                                    GetChallenge returns the Challenge at the given path. With the validate parameter set to True this method will attempt to validate the challenge before returning it.

                                                    func (*ACMEClient) GetDirectory

                                                    func (c *ACMEClient) GetDirectory() (*acme.Directory, error)

                                                      GetDirectory makes a directory request to the ACME api and returns an ACME directory object.

                                                      func (*ACMEClient) GetNonce

                                                      func (c *ACMEClient) GetNonce() (string, error)

                                                        GetNonce makes a nonce request to the ACME api and returns an ACME directory object.

                                                        func (*ACMEClient) GetOrder

                                                        func (c *ACMEClient) GetOrder(url string) (*acme.Order, error)

                                                          GetOrder returns the Order at the given path.

                                                          func (*ACMEClient) NewOrder

                                                          func (c *ACMEClient) NewOrder(payload []byte) (*acme.Order, error)

                                                            NewOrder creates and returns the information for a new ACME order.

                                                            func (*ACMEClient) ValidateChallenge

                                                            func (c *ACMEClient) ValidateChallenge(url string) error

                                                              ValidateChallenge returns the Challenge at the given path. With the validate parameter set to True this method will attempt to validate the challenge before returning it.

                                                              type CA

                                                              type CA struct {
                                                              	// contains filtered or unexported fields
                                                              }

                                                                CA is the type used to build the complete certificate authority. It builds the HTTP server, set ups the middlewares and the HTTP handlers.

                                                                func New

                                                                func New(config *authority.Config, opts ...Option) (*CA, error)

                                                                  New creates and initializes the CA with the given configuration and options.

                                                                  func (*CA) Init

                                                                  func (ca *CA) Init(config *authority.Config) (*CA, error)

                                                                    Init initializes the CA with the given configuration.

                                                                    func (*CA) Reload

                                                                    func (ca *CA) Reload() error

                                                                      Reload reloads the configuration of the CA and calls to the server Reload method.

                                                                      func (*CA) Run

                                                                      func (ca *CA) Run() error

                                                                        Run starts the CA calling to the server ListenAndServe method.

                                                                        func (*CA) Stop

                                                                        func (ca *CA) Stop() error

                                                                          Stop stops the CA calling to the server Shutdown method.

                                                                          type Client

                                                                          type Client struct {
                                                                          	// contains filtered or unexported fields
                                                                          }

                                                                            Client implements an HTTP client for the CA server.

                                                                            func Bootstrap

                                                                            func Bootstrap(token string) (*Client, error)

                                                                              Bootstrap is a helper function that initializes a client with the configuration in the bootstrap token.

                                                                              func NewClient

                                                                              func NewClient(endpoint string, opts ...ClientOption) (*Client, error)

                                                                                NewClient creates a new Client with the given endpoint and options.

                                                                                func (*Client) Federation

                                                                                func (c *Client) Federation() (*api.FederationResponse, error)

                                                                                  Federation performs the get federation request to the CA and returns the api.FederationResponse struct.

                                                                                  func (*Client) GetClientTLSConfig

                                                                                  func (c *Client) GetClientTLSConfig(ctx context.Context, sign *api.SignResponse, pk crypto.PrivateKey, options ...TLSOption) (*tls.Config, error)

                                                                                    GetClientTLSConfig returns a tls.Config for client use configured with the sign certificate, and a new certificate pool with the sign root certificate. The client certificate will automatically rotate before expiring.

                                                                                    func (*Client) GetRootCAs

                                                                                    func (c *Client) GetRootCAs() *x509.CertPool

                                                                                      GetRootCAs returns the RootCAs certificate pool from the configured transport.

                                                                                      func (*Client) GetServerTLSConfig

                                                                                      func (c *Client) GetServerTLSConfig(ctx context.Context, sign *api.SignResponse, pk crypto.PrivateKey, options ...TLSOption) (*tls.Config, error)

                                                                                        GetServerTLSConfig returns a tls.Config for server use configured with the sign certificate, and a new certificate pool with the sign root certificate. The returned tls.Config will only verify the client certificate if provided. The server certificate will automatically rotate before expiring.

                                                                                        func (*Client) Health

                                                                                        func (c *Client) Health() (*api.HealthResponse, error)

                                                                                          Health performs the health request to the CA and returns the api.HealthResponse struct.

                                                                                          func (*Client) ProvisionerKey

                                                                                          func (c *Client) ProvisionerKey(kid string) (*api.ProvisionerKeyResponse, error)

                                                                                            ProvisionerKey performs the request to the CA to get the encrypted key for the given provisioner kid and returns the api.ProvisionerKeyResponse struct with the encrypted key.

                                                                                            func (*Client) Provisioners

                                                                                            func (c *Client) Provisioners(opts ...ProvisionerOption) (*api.ProvisionersResponse, error)

                                                                                              Provisioners performs the provisioners request to the CA and returns the api.ProvisionersResponse struct with a map of provisioners.

                                                                                              ProvisionerOption WithProvisionerCursor and WithProvisionLimit can be used to paginate the provisioners.

                                                                                              func (*Client) Renew

                                                                                              func (c *Client) Renew(tr http.RoundTripper) (*api.SignResponse, error)

                                                                                                Renew performs the renew request to the CA and returns the api.SignResponse struct.

                                                                                                func (*Client) Revoke

                                                                                                func (c *Client) Revoke(req *api.RevokeRequest, tr http.RoundTripper) (*api.RevokeResponse, error)

                                                                                                  Revoke performs the revoke request to the CA and returns the api.RevokeResponse struct.

                                                                                                  func (*Client) Root

                                                                                                  func (c *Client) Root(sha256Sum string) (*api.RootResponse, error)

                                                                                                    Root performs the root request to the CA with the given SHA256 and returns the api.RootResponse struct. It uses an insecure client, but it checks the resulting root certificate with the given SHA256, returning an error if they do not match.

                                                                                                    func (*Client) RootFingerprint

                                                                                                    func (c *Client) RootFingerprint() (string, error)

                                                                                                      RootFingerprint is a helper method that returns the current root fingerprint. It does an health connection and gets the fingerprint from the TLS verified chains.

                                                                                                      func (*Client) Roots

                                                                                                      func (c *Client) Roots() (*api.RootsResponse, error)

                                                                                                        Roots performs the get roots request to the CA and returns the api.RootsResponse struct.

                                                                                                        func (*Client) SSHBastion

                                                                                                        func (c *Client) SSHBastion(req *api.SSHBastionRequest) (*api.SSHBastionResponse, error)

                                                                                                          SSHBastion performs the POST /ssh/bastion request to the CA.

                                                                                                          func (*Client) SSHCheckHost

                                                                                                          func (c *Client) SSHCheckHost(principal string, token string) (*api.SSHCheckPrincipalResponse, error)

                                                                                                            SSHCheckHost performs the POST /ssh/check-host request to the CA with the given principal.

                                                                                                            func (*Client) SSHConfig

                                                                                                            func (c *Client) SSHConfig(req *api.SSHConfigRequest) (*api.SSHConfigResponse, error)

                                                                                                              SSHConfig performs the POST /ssh/config request to the CA to get the ssh configuration templates.

                                                                                                              func (*Client) SSHFederation

                                                                                                              func (c *Client) SSHFederation() (*api.SSHRootsResponse, error)

                                                                                                                SSHFederation performs the get /ssh/federation request to the CA and returns the api.SSHRootsResponse struct.

                                                                                                                func (*Client) SSHGetHosts

                                                                                                                func (c *Client) SSHGetHosts() (*api.SSHGetHostsResponse, error)

                                                                                                                  SSHGetHosts performs the GET /ssh/get-hosts request to the CA.

                                                                                                                  func (*Client) SSHRekey

                                                                                                                  func (c *Client) SSHRekey(req *api.SSHRekeyRequest) (*api.SSHRekeyResponse, error)

                                                                                                                    SSHRekey performs the POST /ssh/rekey request to the CA and returns the api.SSHRekeyResponse struct.

                                                                                                                    func (*Client) SSHRenew

                                                                                                                    func (c *Client) SSHRenew(req *api.SSHRenewRequest) (*api.SSHRenewResponse, error)

                                                                                                                      SSHRenew performs the POST /ssh/renew request to the CA and returns the api.SSHRenewResponse struct.

                                                                                                                      func (*Client) SSHRevoke

                                                                                                                      func (c *Client) SSHRevoke(req *api.SSHRevokeRequest) (*api.SSHRevokeResponse, error)

                                                                                                                        SSHRevoke performs the POST /ssh/revoke request to the CA and returns the api.SSHRevokeResponse struct.

                                                                                                                        func (*Client) SSHRoots

                                                                                                                        func (c *Client) SSHRoots() (*api.SSHRootsResponse, error)

                                                                                                                          SSHRoots performs the GET /ssh/roots request to the CA and returns the api.SSHRootsResponse struct.

                                                                                                                          func (*Client) SSHSign

                                                                                                                          func (c *Client) SSHSign(req *api.SSHSignRequest) (*api.SSHSignResponse, error)

                                                                                                                            SSHSign performs the POST /ssh/sign request to the CA and returns the api.SSHSignResponse struct.

                                                                                                                            func (*Client) SetTransport

                                                                                                                            func (c *Client) SetTransport(tr http.RoundTripper)

                                                                                                                              SetTransport updates the transport of the internal HTTP client.

                                                                                                                              func (*Client) Sign

                                                                                                                              func (c *Client) Sign(req *api.SignRequest) (*api.SignResponse, error)

                                                                                                                                Sign performs the sign request to the CA and returns the api.SignResponse struct.

                                                                                                                                func (*Client) Transport

                                                                                                                                func (c *Client) Transport(ctx context.Context, sign *api.SignResponse, pk crypto.PrivateKey, options ...TLSOption) (*http.Transport, error)

                                                                                                                                  Transport returns an http.Transport configured to use the client certificate from the sign response.

                                                                                                                                  func (*Client) Version

                                                                                                                                  func (c *Client) Version() (*api.VersionResponse, error)

                                                                                                                                    Version performs the version request to the CA and returns the api.VersionResponse struct.

                                                                                                                                    type ClientOption

                                                                                                                                    type ClientOption func(o *clientOptions) error

                                                                                                                                      ClientOption is the type of options passed to the Client constructor.

                                                                                                                                      func WithCABundle

                                                                                                                                      func WithCABundle(bundle []byte) ClientOption

                                                                                                                                        WithCABundle will create the transport using the given root certificates. It will fail if a previous option to create the transport has been configured.

                                                                                                                                        func WithCertificate

                                                                                                                                        func WithCertificate(crt tls.Certificate) ClientOption

                                                                                                                                          WithCertificate will set the given certificate as the TLS client certificate in the client.

                                                                                                                                          func WithRetryFunc

                                                                                                                                          func WithRetryFunc(fn RetryFunc) ClientOption

                                                                                                                                            WithRetryFunc defines a method used to retry a request.

                                                                                                                                            func WithRootFile

                                                                                                                                            func WithRootFile(filename string) ClientOption

                                                                                                                                              WithRootFile will create the transport using the given root certificate. It will fail if a previous option to create the transport has been configured.

                                                                                                                                              func WithRootSHA256

                                                                                                                                              func WithRootSHA256(sum string) ClientOption

                                                                                                                                                WithRootSHA256 will create the transport using an insecure client to retrieve the root certificate using its fingerprint. It will fail if a previous option to create the transport has been configured.

                                                                                                                                                func WithTransport

                                                                                                                                                func WithTransport(tr http.RoundTripper) ClientOption

                                                                                                                                                  WithTransport adds a custom transport to the Client. It will fail if a previous option to create the transport has been configured.

                                                                                                                                                  type Option

                                                                                                                                                  type Option func(o *options)

                                                                                                                                                    Option is the type of options passed to the CA constructor.

                                                                                                                                                    func WithConfigFile

                                                                                                                                                    func WithConfigFile(name string) Option

                                                                                                                                                      WithConfigFile sets the given name as the configuration file name in the CA options.

                                                                                                                                                      func WithDatabase

                                                                                                                                                      func WithDatabase(db db.AuthDB) Option

                                                                                                                                                        WithDatabase sets the given authority database to the CA options.

                                                                                                                                                        func WithPassword

                                                                                                                                                        func WithPassword(password []byte) Option

                                                                                                                                                          WithPassword sets the given password as the configured password in the CA options.

                                                                                                                                                          type Provisioner

                                                                                                                                                          type Provisioner struct {
                                                                                                                                                          	*Client
                                                                                                                                                          	// contains filtered or unexported fields
                                                                                                                                                          }

                                                                                                                                                            Provisioner is an authorized entity that can sign tokens necessary for signature requests.

                                                                                                                                                            func NewProvisioner

                                                                                                                                                            func NewProvisioner(name, kid, caURL string, password []byte, opts ...ClientOption) (*Provisioner, error)

                                                                                                                                                              NewProvisioner loads and decrypts key material from the CA for the named provisioner. The key identified by `kid` will be used if specified. If `kid` is the empty string we'll use the first key for the named provisioner that decrypts using `password`.

                                                                                                                                                              func (*Provisioner) Kid

                                                                                                                                                              func (p *Provisioner) Kid() string

                                                                                                                                                                Kid returns the provisioners key ID.

                                                                                                                                                                func (*Provisioner) Name

                                                                                                                                                                func (p *Provisioner) Name() string

                                                                                                                                                                  Name returns the provisioner's name.

                                                                                                                                                                  func (*Provisioner) SSHToken

                                                                                                                                                                  func (p *Provisioner) SSHToken(certType, keyID string, principals []string) (string, error)

                                                                                                                                                                    SSHToken generates a SSH token.

                                                                                                                                                                    func (*Provisioner) SetFingerprint

                                                                                                                                                                    func (p *Provisioner) SetFingerprint(sum string)

                                                                                                                                                                      SetFingerprint overwrites the default fingerprint used.

                                                                                                                                                                      func (*Provisioner) Token

                                                                                                                                                                      func (p *Provisioner) Token(subject string, sans ...string) (string, error)

                                                                                                                                                                        Token generates a bootstrap token for a subject.

                                                                                                                                                                        type ProvisionerOption

                                                                                                                                                                        type ProvisionerOption func(o *provisionerOptions) error

                                                                                                                                                                          ProvisionerOption is the type of options passed to the Provisioner method.

                                                                                                                                                                          func WithProvisionerCursor

                                                                                                                                                                          func WithProvisionerCursor(cursor string) ProvisionerOption

                                                                                                                                                                            WithProvisionerCursor will request the provisioners starting with the given cursor.

                                                                                                                                                                            func WithProvisionerLimit

                                                                                                                                                                            func WithProvisionerLimit(limit int) ProvisionerOption

                                                                                                                                                                              WithProvisionerLimit will request the given number of provisioners.

                                                                                                                                                                              type RenewFunc

                                                                                                                                                                              type RenewFunc func() (*tls.Certificate, error)

                                                                                                                                                                                RenewFunc defines the type of the functions used to get a new tls certificate.

                                                                                                                                                                                type RetryFunc

                                                                                                                                                                                type RetryFunc func(code int) bool

                                                                                                                                                                                  RetryFunc defines the method used to retry a request. If it returns true, the request will be retried once.

                                                                                                                                                                                  type StopReloader

                                                                                                                                                                                  type StopReloader interface {
                                                                                                                                                                                  	Stop() error
                                                                                                                                                                                  	Reload() error
                                                                                                                                                                                  }

                                                                                                                                                                                    StopReloader is the interface that external commands can implement to stop the server and reload the configuration while running.

                                                                                                                                                                                    type Stopper

                                                                                                                                                                                    type Stopper interface {
                                                                                                                                                                                    	Stop() error
                                                                                                                                                                                    }

                                                                                                                                                                                      Stopper is the interface that external commands can implement to stop the server.

                                                                                                                                                                                      type TLSOption

                                                                                                                                                                                      type TLSOption func(ctx *TLSOptionCtx) error

                                                                                                                                                                                        TLSOption defines the type of a function that modifies a tls.Config.

                                                                                                                                                                                        func AddClientCA

                                                                                                                                                                                        func AddClientCA(cert *x509.Certificate) TLSOption

                                                                                                                                                                                          AddClientCA adds to the tls.Config ClientCAs the given certificate. ClientCAs defines the set of root certificate authorities that servers use if required to verify a client certificate by the policy in ClientAuth.

                                                                                                                                                                                          func AddFederationToCAs

                                                                                                                                                                                          func AddFederationToCAs() TLSOption

                                                                                                                                                                                            AddFederationToCAs does a federation request and adds the resulting certs to the tls.Config RootCAs and ClientCAs. Combines the functionality of AddFederationToRootCAs and AddFederationToClientCAs.

                                                                                                                                                                                            func AddFederationToClientCAs

                                                                                                                                                                                            func AddFederationToClientCAs() TLSOption

                                                                                                                                                                                              AddFederationToClientCAs does a federation request and adds to the tls.Config ClientCAs all the certificates in the response. ClientCAs defines the set of root certificate authorities that servers use if required to verify a client certificate by the policy in ClientAuth.

                                                                                                                                                                                              func AddFederationToRootCAs

                                                                                                                                                                                              func AddFederationToRootCAs() TLSOption

                                                                                                                                                                                                AddFederationToRootCAs does a federation request and adds to the tls.Config RootCAs all the certificates in the response. RootCAs defines the set of root certificate authorities that clients use when verifying server certificates.

                                                                                                                                                                                                func AddRootCA

                                                                                                                                                                                                func AddRootCA(cert *x509.Certificate) TLSOption

                                                                                                                                                                                                  AddRootCA adds to the tls.Config RootCAs the given certificate. RootCAs defines the set of root certificate authorities that clients use when verifying server certificates.

                                                                                                                                                                                                  func AddRootsToCAs

                                                                                                                                                                                                  func AddRootsToCAs() TLSOption

                                                                                                                                                                                                    AddRootsToCAs does a roots request and adds the resulting certs to the tls.Config RootCAs and ClientCAs. Combines the functionality of AddRootsToRootCAs and AddRootsToClientCAs.

                                                                                                                                                                                                    func AddRootsToClientCAs

                                                                                                                                                                                                    func AddRootsToClientCAs() TLSOption

                                                                                                                                                                                                      AddRootsToClientCAs does a roots request and adds to the tls.Config ClientCAs all the certificates in the response. ClientCAs defines the set of root certificate authorities that servers use if required to verify a client certificate by the policy in ClientAuth.

                                                                                                                                                                                                      BootstrapServer method includes this option by default.

                                                                                                                                                                                                      func AddRootsToRootCAs

                                                                                                                                                                                                      func AddRootsToRootCAs() TLSOption

                                                                                                                                                                                                        AddRootsToRootCAs does a roots request and adds to the tls.Config RootCAs all the certificates in the response. RootCAs defines the set of root certificate authorities that clients use when verifying server certificates.

                                                                                                                                                                                                        BootstrapServer and BootstrapClient methods include this option by default.

                                                                                                                                                                                                        func RequireAndVerifyClientCert

                                                                                                                                                                                                        func RequireAndVerifyClientCert() TLSOption

                                                                                                                                                                                                          RequireAndVerifyClientCert is a tls.Config option used on servers to enforce a valid TLS client certificate. This is the default option for mTLS servers.

                                                                                                                                                                                                          func VerifyClientCertIfGiven

                                                                                                                                                                                                          func VerifyClientCertIfGiven() TLSOption

                                                                                                                                                                                                            VerifyClientCertIfGiven is a tls.Config option used on on servers to validate a TLS client certificate if it is provided. It does not requires a certificate.

                                                                                                                                                                                                            type TLSOptionCtx

                                                                                                                                                                                                            type TLSOptionCtx struct {
                                                                                                                                                                                                            	Client      *Client
                                                                                                                                                                                                            	Config      *tls.Config
                                                                                                                                                                                                            	Sign        *api.SignResponse
                                                                                                                                                                                                            	OnRenewFunc []TLSOption
                                                                                                                                                                                                            	// contains filtered or unexported fields
                                                                                                                                                                                                            }

                                                                                                                                                                                                              TLSOptionCtx is the context modified on TLSOption methods.

                                                                                                                                                                                                              type TLSRenewer

                                                                                                                                                                                                              type TLSRenewer struct {
                                                                                                                                                                                                              	sync.RWMutex
                                                                                                                                                                                                              	RenewCertificate RenewFunc
                                                                                                                                                                                                              	// contains filtered or unexported fields
                                                                                                                                                                                                              }

                                                                                                                                                                                                                TLSRenewer automatically renews a tls certificate using a RenewFunc.

                                                                                                                                                                                                                func NewTLSRenewer

                                                                                                                                                                                                                func NewTLSRenewer(cert *tls.Certificate, fn RenewFunc, opts ...tlsRenewerOptions) (*TLSRenewer, error)

                                                                                                                                                                                                                  NewTLSRenewer creates a TLSRenewer for the given cert. It will use the given RenewFunc to get a new certificate when required.

                                                                                                                                                                                                                  func (*TLSRenewer) GetCertificate

                                                                                                                                                                                                                  func (r *TLSRenewer) GetCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error)

                                                                                                                                                                                                                    GetCertificate returns the current server certificate.

                                                                                                                                                                                                                    This method is set in the tls.Config GetCertificate property.

                                                                                                                                                                                                                    func (*TLSRenewer) GetCertificateForCA

                                                                                                                                                                                                                    func (r *TLSRenewer) GetCertificateForCA(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error)

                                                                                                                                                                                                                      GetCertificateForCA returns the current server certificate. It can only be used if the renew function creates the new certificate and do not uses a TLS request. It's intended to be use by the certificate authority server.

                                                                                                                                                                                                                      This method is set in the tls.Config GetCertificate property.

                                                                                                                                                                                                                      func (*TLSRenewer) GetClientCertificate

                                                                                                                                                                                                                      func (r *TLSRenewer) GetClientCertificate(*tls.CertificateRequestInfo) (*tls.Certificate, error)

                                                                                                                                                                                                                        GetClientCertificate returns the current client certificate.

                                                                                                                                                                                                                        This method is set in the tls.Config GetClientCertificate property.

                                                                                                                                                                                                                        func (*TLSRenewer) Run

                                                                                                                                                                                                                        func (r *TLSRenewer) Run()

                                                                                                                                                                                                                          Run starts the certificate renewer for the given certificate.

                                                                                                                                                                                                                          func (*TLSRenewer) RunContext

                                                                                                                                                                                                                          func (r *TLSRenewer) RunContext(ctx context.Context)

                                                                                                                                                                                                                            RunContext starts the certificate renewer for the given certificate.

                                                                                                                                                                                                                            func (*TLSRenewer) Stop

                                                                                                                                                                                                                            func (r *TLSRenewer) Stop() bool

                                                                                                                                                                                                                              Stop prevents the renew timer from firing.

                                                                                                                                                                                                                              Directories

                                                                                                                                                                                                                              Path Synopsis