// SDKName identifies this SDK by name; where the string is sent is not shown here.
const SDKName = "Venafi VCert-Go"


// LocalIP is package-level mutable state holding a local IP address as a plain string.
// How it is populated and read is not shown here; nothing in this declaration
// constrains it to a valid address, so readers should validate before trusting it.
var LocalIP string


type AllowedKeyConfiguration

// AllowedKeyConfiguration contains an allowed key type with its sizes or curves.
type AllowedKeyConfiguration struct {
	// KeyType is the key algorithm this configuration applies to.
	KeyType   certificate.KeyType
	// KeySizes lists the allowed key sizes in bits — presumably for RSA-style keys; confirm against the validator.
	KeySizes  []int
	// KeyCurves lists the allowed elliptic curves — presumably for EC keys; confirm against the validator.
	KeyCurves []certificate.EllipticCurve

AllowedKeyConfiguration contains an allowed key type with its sizes or curves

type Authentication

// Authentication carries the credentials a Connector uses to authenticate.
// Either User and Password (Trust Platform) or an APIKey (Cloud) is specified; the
// remaining token-based fields are also present, their exchange flow is not shown here.
// Password, APIKey, RefreshToken and AccessToken are secrets: keep them out of logs,
// error messages and serialized configuration.
type Authentication struct {
	// User is the username for Trust Platform.
	User         string
	// Password is the password for Trust Platform (secret).
	Password     string
	// APIKey is the API key for Cloud (secret).
	APIKey       string
	// RefreshToken is a refresh token (secret); presumably exchanged for an AccessToken — confirm against the connector.
	RefreshToken string
	// Scope is the scope requested alongside token-based authentication; its exact format is not shown here.
	Scope        string
	// ClientId identifies the client application for token-based authentication.
	ClientId     string
	// AccessToken is an access token (secret).
	AccessToken  string
	// ClientPKCS12 is a flag; presumably it selects PKCS#12 client-certificate authentication — confirm against the connector.
	ClientPKCS12 bool

Authentication provides a struct for authentication data. Either specify User and Password for Trust Platform, or specify an APIKey for Cloud.

type Connector

// Connector provides a common interface for external communications with TPP or Venafi Cloud.
// Not every method is supported by every connector; GetType tells callers which one they hold.
type Connector interface {
	// GetType returns a connector type (cloud/TPP/fake). Can be useful because some features are not supported by a Cloud connection.
	GetType() ConnectorType
	// SetZone sets a zone (by name) for requests with this connector.
	SetZone(z string)
	// GetZonesByParent returns a list of valid zones specified by parent.
	GetZonesByParent(parent string) ([]string, error)
	// Ping returns an error when the connector's connectivity check fails; what each connector checks is not shown here.
	Ping() (err error)
	// Authenticate is usually called by NewClient and it is not required that you manually call it.
	// auth carries secrets (see Authentication); do not include it in logs or wrapped errors.
	Authenticate(auth *Authentication) (err error)
	// ReadPolicyConfiguration returns information about zone policies. It can be used for checking request compatibility with policies.
	ReadPolicyConfiguration() (policy *Policy, err error)
	// ReadZoneConfiguration returns the zone configuration. A zone configuration includes zone policy and additional zone information.
	ReadZoneConfiguration() (config *ZoneConfiguration, err error)
	// GenerateRequest updates certificate.Request with data from the zone configuration.
	GenerateRequest(config *ZoneConfiguration, req *certificate.Request) (err error)
	// RequestCertificate makes a request to the server with data for enrolling the certificate and returns the server-side request ID.
	RequestCertificate(req *certificate.Request) (requestID string, err error)
	// RetrieveCertificate immediately returns an enrolled certificate. Otherwise, RetrieveCertificate waits and retries during req.Timeout.
	// When issuance has not completed, callers should expect the ErrCertificatePending / ErrRetrieveCertificateTimeout
	// error types declared in this package (which one each connector returns is not shown here).
	RetrieveCertificate(req *certificate.Request) (certificates *certificate.PEMCollection, err error)
	// IsCSRServiceGenerated reports whether the CSR for req is generated by the service rather than locally — per the method name; confirm with the implementation.
	IsCSRServiceGenerated(req *certificate.Request) (bool, error)
	// RevokeCertificate submits the revocation described by req.
	RevokeCertificate(req *certificate.RevocationRequest) error
	// RenewCertificate submits the renewal described by req and returns the resulting request ID.
	RenewCertificate(req *certificate.RenewalRequest) (requestID string, err error)
	// ImportCertificate adds an existing certificate to Venafi Platform even if the certificate was not issued by Venafi Cloud or Venafi Platform. For information purposes.
	ImportCertificate(req *certificate.ImportRequest) (*certificate.ImportResponse, error)
	// SetHTTPClient sets a custom http.Client for this Connector, e.g. to control TLS configuration, proxies and timeouts.
	SetHTTPClient(client *http.Client)
	// ListCertificates returns certificate info records selected by filter (see Filter for Limit and WithExpired).
	ListCertificates(filter Filter) ([]certificate.CertificateInfo, error)
	// SetPolicy applies the policy specification ps under name; the meaning of the returned string is not shown here.
	SetPolicy(name string, ps *policy.PolicySpecification) (string, error)
	// GetPolicy returns the policy specification stored under name.
	GetPolicy(name string) (*policy.PolicySpecification, error)
	// RequestSSHCertificate requests the SSH certificate described by req.
	RequestSSHCertificate(req *certificate.SshCertRequest) (response *certificate.SshCertificateObject, err error)
	// RetrieveSSHCertificate retrieves the SSH certificate previously requested via req.
	RetrieveSSHCertificate(req *certificate.SshCertRequest) (response *certificate.SshCertificateObject, err error)
	// RetrieveSshConfig returns the SSH configuration for the CA template identified by ca.
	RetrieveSshConfig(ca *certificate.SshCaTemplateRequest) (*certificate.SshConfig, error)
	// SearchCertificates runs the search described by req and returns the raw search response.
	SearchCertificates(req *certificate.SearchRequest) (*certificate.CertSearchResponse, error)
	// SearchCertificate returns a valid certificate.
	// If it returns no error, the certificate returned should be the latest [1]
	// exact matching zone [2], CN and sans.DNS [3] provided, with a minimum
	// validity of `certMinTimeLeft`
	// [1] the one with longest validity; field named ValidTo for TPP and
	// validityEnd for VaaS
	// [2] application name for VaaS
	// [3] an array of strings representing the DNS names
	SearchCertificate(zone string, cn string, sans *certificate.Sans, certMinTimeLeft time.Duration) (*certificate.CertificateInfo, error)
	// RetrieveAvailableSSHTemplates lists the SSH CA templates available to this connector.
	RetrieveAvailableSSHTemplates() ([]certificate.SshAvaliableTemplate, error)
	// RetrieveCertificateMetaData returns metadata for the certificate identified by dn.
	RetrieveCertificateMetaData(dn string) (*certificate.CertificateMetaData, error)
	// RetrieveSystemVersion returns the remote endpoint's version string.
	RetrieveSystemVersion() (string, error)

Connector provides a common interface for external communications with TPP or Venafi Cloud

type ConnectorType

// ConnectorType represents the available connectors; its values are declared in the const block below.
type ConnectorType int

ConnectorType represents the available connectors

const (
	ConnectorTypeUndefined ConnectorType = iota
	// ConnectorTypeFake is a fake connector for tests
	// ConnectorTypeCloud represents the Cloud connector type
	// ConnectorTypeTPP represents the TPP connector type

func (ConnectorType) String

func (t ConnectorType) String() string

type ErrCertificatePending

// ErrCertificatePending provides a common error structure for a timeout while retrieving a certificate.
// todo: replace with verror
type ErrCertificatePending struct {
	// CertificateID identifies the certificate whose retrieval did not complete.
	CertificateID string
	// Status is the status string carried with the error.
	Status        string

ErrCertificatePending provides a common error structure for a timeout while retrieving a certificate. (todo: replace with verror)

func (ErrCertificatePending) Error

func (err ErrCertificatePending) Error() string

type ErrCertificateRejected added in v4.15.0

// ErrCertificateRejected is an error type (added in v4.15.0) carrying the ID and status of a
// certificate whose request was rejected — per the type name; see Error() for the message.
type ErrCertificateRejected struct {
	// CertificateID identifies the rejected certificate.
	CertificateID string
	// Status is the status string carried with the error.
	Status        string

func (ErrCertificateRejected) Error added in v4.15.0

func (err ErrCertificateRejected) Error() string

type ErrRetrieveCertificateTimeout

// ErrRetrieveCertificateTimeout provides a common error structure for a timeout while retrieving a certificate.
// todo: replace with verror
type ErrRetrieveCertificateTimeout struct {
	// CertificateID identifies the certificate whose retrieval timed out.
	CertificateID string

ErrRetrieveCertificateTimeout provides a common error structure for a timeout while retrieving a certificate. (todo: replace with verror)

func (ErrRetrieveCertificateTimeout) Error

type Filter

// Filter narrows the results of Connector.ListCertificates.
type Filter struct {
	// Limit caps the number of results; nil presumably means no limit — confirm against the connectors.
	Limit       *int
	// WithExpired includes expired certificates in the listing when true (per the field name).
	WithExpired bool

type Policy

// Policy is a struct that contains restrictions for certificates. Most of the fields contain a list of
// regular expressions; to satisfy the policy, every value in a certificate field must match AT LEAST ONE
// regular expression in the corresponding policy field. Enforcement lives in ValidateCertificateRequest
// and SimpleValidateCertificateRequest. Whether an empty list means allow-all or deny-all is decided by
// those methods (not shown here); anchor patterns (^...$) so they do not match unintended substrings.
type Policy struct {
	// SubjectCNRegexes lists allowed patterns for the subject Common Name.
	SubjectCNRegexes []string
	// SubjectORegexes lists allowed patterns for the subject Organization (O).
	SubjectORegexes  []string
	// SubjectOURegexes lists allowed patterns for the subject Organizational Unit (OU).
	SubjectOURegexes []string
	// SubjectSTRegexes lists allowed patterns for the subject State/Province (ST).
	SubjectSTRegexes []string
	// SubjectLRegexes lists allowed patterns for the subject Locality (L).
	SubjectLRegexes  []string
	// SubjectCRegexes lists allowed patterns for the subject Country (C).
	SubjectCRegexes  []string
	// AllowedKeyConfigurations lists all allowed key configurations. Certificate key configuration have to be listed in this list.
	// For example: If key has type RSA and length 2048 bit for satisfying the policy, that list must contain AT LEAST ONE configuration with type RSA and value 2048 in KeySizes list of this configuration.
	AllowedKeyConfigurations []AllowedKeyConfiguration
	// DnsSanRegExs is a list of regular expressions that show allowable DNS names in SANs.
	DnsSanRegExs []string
	// IpSanRegExs is a list of regular expressions that show allowable IP addresses in SANs.
	IpSanRegExs    []string
	// EmailSanRegExs is a list of regular expressions that show allowable email addresses in SANs.
	EmailSanRegExs []string
	// UriSanRegExs is a list of regular expressions that show allowable URIs in SANs.
	UriSanRegExs   []string
	// UpnSanRegExs is a list of regular expressions that show allowable UPNs (User Principal Names) in SANs.
	UpnSanRegExs   []string
	// AllowWildcards: whether wildcard names are permitted (per the field name; enforcement is in the validation methods, not shown here).
	AllowWildcards bool
	// AllowKeyReuse: whether reusing a previously used key is permitted (per the field name; enforcement not shown here).
	AllowKeyReuse  bool

Policy is a struct that contains restrictions for certificates. Most of the fields contain a list of regular expressions. To satisfy a policy, every value in a certificate field must match AT LEAST ONE regular expression in the corresponding policy field.

func (*Policy) SimpleValidateCertificateRequest

func (p *Policy) SimpleValidateCertificateRequest(request certificate.Request) error

SimpleValidateCertificateRequest only checks that the Common Name and SANs match the policies.

func (*Policy) ValidateCertificateRequest

func (p *Policy) ValidateCertificateRequest(request *certificate.Request) error

ValidateCertificateRequest validates the request against the Policy

type ZoneConfiguration

// ZoneConfiguration provides a common structure for certificate request data provided by the remote endpoint.
// A zero-value ZoneConfiguration has a nil CustomAttributeValues map; NewZoneConfiguration creates it.
type ZoneConfiguration struct {
	// Organization is the subject O value supplied by the zone.
	Organization       string
	// OrganizationalUnit lists the subject OU values supplied by the zone.
	OrganizationalUnit []string
	// Country is the subject C value supplied by the zone.
	Country            string
	// Province is the subject ST value supplied by the zone.
	Province           string
	// Locality is the subject L value supplied by the zone.
	Locality           string
	// HashAlgorithm is the signature algorithm the zone supplies for requests.
	HashAlgorithm         x509.SignatureAlgorithm
	// CustomAttributeValues holds endpoint-specific attributes keyed by name; nil on a zero value.
	CustomAttributeValues map[string]string
	// KeyConfiguration is the zone's key configuration; presumably nil when the zone supplies none — confirm.
	KeyConfiguration      *AllowedKeyConfiguration

ZoneConfiguration provides a common structure for certificate request data provided by the remote endpoint

func NewZoneConfiguration

func NewZoneConfiguration() *ZoneConfiguration

NewZoneConfiguration creates a new zone configuration and initializes the map used in the configuration.

func (*ZoneConfiguration) UpdateCertificateRequest

func (z *ZoneConfiguration) UpdateCertificateRequest(request *certificate.Request)

UpdateCertificateRequest updates a certificate request based on the zone configuration retrieved from the remote endpoint

