x509svid

package

v1.0.2 Latest Latest Go to latest Published: May 18, 2023 License: Apache-2.0 Imports: 13 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/accuknox/spire

Documentation ¶

Index ¶

Constants
func ParseAndValidateCSR(csrDER []byte, td spiffeid.TrustDomain) (csr *x509.CertificateRequest, err error)
func UniqueIDAttribute(id spiffeid.ID) pkix.AttributeTypeAndValue
func ValidateCSR(csr *x509.CertificateRequest, td spiffeid.TrustDomain) error
type UpstreamCA
- func NewUpstreamCA(keypair x509util.Keypair, trustDomain spiffeid.TrustDomain, ...) *UpstreamCA
- func (ca *UpstreamCA) SignCSR(ctx context.Context, csrDER []byte, preferredTTL time.Duration) (*x509.Certificate, error)
type UpstreamCAOptions

Constants ¶

View Source

const (
	DefaultUpstreamCABackdate = time.Second * 10
	DefaultUpstreamCATTL      = time.Hour
)

Variables ¶

This section is empty.

Functions ¶

func ParseAndValidateCSR ¶

func ParseAndValidateCSR(csrDER []byte, td spiffeid.TrustDomain) (csr *x509.CertificateRequest, err error)

func UniqueIDAttribute ¶

func UniqueIDAttribute(id spiffeid.ID) pkix.AttributeTypeAndValue

UniqueIDAttribute returns a X.500 Unique ID attribute (OID 2.5.4.45) for the given SPIFFE ID for inclusion in an X509-SVID to satisfy RFC 5280 requirements that the subject "DN MUST be unique for each subject entity certified by the one CA as defined by the issuer field" (see issue #3110 for the discussion on this).

The unique ID is composed of a SHA256 hash of the SPIFFE ID, truncated to 128-bits (16 bytes), and then hex encoded. This *SHOULD* be large enough to provide collision resistance on the input domain (i.e. registration entry SPIFFE IDs registered with this server), which ranges from very- to somewhat-restricted depending on the registration scheme and how much influence an attacker can have on workload registration.

func ValidateCSR ¶

func ValidateCSR(csr *x509.CertificateRequest, td spiffeid.TrustDomain) error

Types ¶

type UpstreamCA ¶

type UpstreamCA struct {
	// contains filtered or unexported fields
}

func NewUpstreamCA ¶

func NewUpstreamCA(keypair x509util.Keypair, trustDomain spiffeid.TrustDomain, options UpstreamCAOptions) *UpstreamCA

func (*UpstreamCA) SignCSR ¶

func (ca *UpstreamCA) SignCSR(ctx context.Context, csrDER []byte, preferredTTL time.Duration) (*x509.Certificate, error)

type UpstreamCAOptions ¶

type UpstreamCAOptions struct {
	Backdate time.Duration
	Clock    clock.Clock
}

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL