Documentation

Overview

    Package config contains the configuration logic for CFSSL.

    Index

    Constants

    This section is empty.

    Variables

    View Source
    var ExtKeyUsage = map[string]x509.ExtKeyUsage{
    	"any":              x509.ExtKeyUsageAny,
    	"server auth":      x509.ExtKeyUsageServerAuth,
    	"client auth":      x509.ExtKeyUsageClientAuth,
    	"code signing":     x509.ExtKeyUsageCodeSigning,
    	"email protection": x509.ExtKeyUsageEmailProtection,
    	"s/mime":           x509.ExtKeyUsageEmailProtection,
    	"ipsec end system": x509.ExtKeyUsageIPSECEndSystem,
    	"ipsec tunnel":     x509.ExtKeyUsageIPSECTunnel,
    	"ipsec user":       x509.ExtKeyUsageIPSECUser,
    	"timestamping":     x509.ExtKeyUsageTimeStamping,
    	"ocsp signing":     x509.ExtKeyUsageOCSPSigning,
    	"microsoft sgc":    x509.ExtKeyUsageMicrosoftServerGatedCrypto,
    	"netscape sgc":     x509.ExtKeyUsageNetscapeServerGatedCrypto,
    }

      ExtKeyUsage contains a mapping of string names to extended key usages.

      View Source
      var KeyUsage = map[string]x509.KeyUsage{
      	"signing":            x509.KeyUsageDigitalSignature,
      	"digital signature":  x509.KeyUsageDigitalSignature,
      	"content commitment": x509.KeyUsageContentCommitment,
      	"key encipherment":   x509.KeyUsageKeyEncipherment,
      	"key agreement":      x509.KeyUsageKeyAgreement,
      	"data encipherment":  x509.KeyUsageDataEncipherment,
      	"cert sign":          x509.KeyUsageCertSign,
      	"crl sign":           x509.KeyUsageCRLSign,
      	"encipher only":      x509.KeyUsageEncipherOnly,
      	"decipher only":      x509.KeyUsageDecipherOnly,
      }

        KeyUsage contains a mapping of string names to key usages.

        Functions

        This section is empty.

        Types

        type AuthKey

        type AuthKey struct {
        	// Type contains information needed to select the appropriate
        	// constructor. For example, "standard" for HMAC-SHA-256,
        	// "standard-ip" for HMAC-SHA-256 incorporating the client's
        	// IP.
        	Type string `json:"type"`
        	// Key contains the key information, such as a hex-encoded
        	// HMAC key.
        	Key string `json:"key"`
        }

          An AuthKey contains an entry for a key used for authentication.

          type AuthRemote

          type AuthRemote struct {
          	RemoteName  string `json:"remote"`
          	AuthKeyName string `json:"auth_key"`
          }

            AuthRemote is an authenticated remote signer.

            type CAConstraint

            type CAConstraint struct {
            	IsCA           bool `json:"is_ca"`
            	MaxPathLen     int  `json:"max_path_len"`
            	MaxPathLenZero bool `json:"max_path_len_zero"`
            }

              CAConstraint specifies various CA constraints on the signed certificate. CAConstraint would verify against (and override) the CA extensions in the given CSR.

              type CSRWhitelist

              type CSRWhitelist struct {
              	Subject, PublicKeyAlgorithm, PublicKey, SignatureAlgorithm bool
              	DNSNames, IPAddresses, EmailAddresses, URIs                bool
              }

                A CSRWhitelist stores booleans for fields in the CSR. If a CSRWhitelist is not present in a SigningProfile, all of these fields may be copied from the CSR into the signed certificate. If a CSRWhitelist *is* present in a SigningProfile, only those fields with a `true` value in the CSRWhitelist may be copied from the CSR to the signed certificate. Note that some of these fields, like Subject, can be provided or partially provided through the API. Since API clients are expected to be trusted, but CSRs are not, fields provided through the API are not subject to whitelisting through this mechanism.

                type CertificatePolicy

                type CertificatePolicy struct {
                	ID         OID
                	Qualifiers []CertificatePolicyQualifier
                }

                  CertificatePolicy represents the ASN.1 PolicyInformation structure from https://tools.ietf.org/html/rfc3280.html#page-106. Valid values of Type are "id-qt-unotice" and "id-qt-cps"

                  type CertificatePolicyQualifier

                  type CertificatePolicyQualifier struct {
                  	Type  string
                  	Value string
                  }

                    CertificatePolicyQualifier represents a single qualifier from an ASN.1 PolicyInformation structure.

                    type Config

                    type Config struct {
                    	Signing  *Signing           `json:"signing"`
                    	OCSP     *ocspConfig.Config `json:"ocsp"`
                    	AuthKeys map[string]AuthKey `json:"auth_keys,omitempty"`
                    	Remotes  map[string]string  `json:"remotes,omitempty"`
                    }

                      Config stores configuration information for the CA.

                      func LoadConfig

                      func LoadConfig(config []byte) (*Config, error)

                        LoadConfig attempts to load the configuration from a byte slice. On error, it returns nil.

                        func LoadFile

                        func LoadFile(path string) (*Config, error)

                          LoadFile attempts to load the configuration file stored at the path and returns the configuration. On error, it returns nil.

                          func (*Config) Valid

                          func (c *Config) Valid() bool

                            Valid ensures that Config is a valid configuration. It should be called immediately after parsing a configuration file.

                            type OID

                              OID is our own version of asn1's ObjectIdentifier, so we can define a custom JSON marshal / unmarshal.

                              func (OID) MarshalJSON

                              func (oid OID) MarshalJSON() ([]byte, error)

                                MarshalJSON marshals an oid into a JSON string.

                                func (*OID) UnmarshalJSON

                                func (oid *OID) UnmarshalJSON(data []byte) (err error)

                                  UnmarshalJSON unmarshals a JSON string into an OID.

                                  type Signing

                                  type Signing struct {
                                  	Profiles map[string]*SigningProfile `json:"profiles"`
                                  	Default  *SigningProfile            `json:"default"`
                                  }

                                    Signing codifies the signature configuration policy for a CA.

                                    func (*Signing) NeedsLocalSigner

                                    func (p *Signing) NeedsLocalSigner() bool

                                      NeedsLocalSigner returns true if one of the profiles doe not have a remote set

                                      func (*Signing) NeedsRemoteSigner

                                      func (p *Signing) NeedsRemoteSigner() bool

                                        NeedsRemoteSigner returns true if one of the profiles has a remote set

                                        func (*Signing) OverrideRemotes

                                        func (p *Signing) OverrideRemotes(remote string) error

                                          OverrideRemotes takes a signing configuration and updates the remote server object to the hostname:port combination sent by remote

                                          func (*Signing) SetClientCertKeyPairFromFile

                                          func (p *Signing) SetClientCertKeyPairFromFile(certFile string, keyFile string) error

                                            SetClientCertKeyPairFromFile updates the properties to set client certificates for mutual authenticated TLS remote requests

                                            func (*Signing) SetRemoteCAs

                                            func (p *Signing) SetRemoteCAs(remoteCAs *x509.CertPool)

                                              SetRemoteCAs updates the properties to set remote CAs for TLS remote requests

                                              func (*Signing) SetRemoteCAsFromFile

                                              func (p *Signing) SetRemoteCAsFromFile(caFile string) error

                                                SetRemoteCAsFromFile reads root CAs from file and updates the properties to set remote CAs for TLS remote requests

                                                func (*Signing) Valid

                                                func (p *Signing) Valid() bool

                                                  Valid checks the signature policies, ensuring they are valid policies. A policy is valid if it has defined at least key usages to be used, and a valid default profile has defined at least a default expiration.

                                                  type SigningProfile

                                                  type SigningProfile struct {
                                                  	Usage               []string     `json:"usages"`
                                                  	IssuerURL           []string     `json:"issuer_urls"`
                                                  	OCSP                string       `json:"ocsp_url"`
                                                  	CRL                 string       `json:"crl_url"`
                                                  	CAConstraint        CAConstraint `json:"ca_constraint"`
                                                  	OCSPNoCheck         bool         `json:"ocsp_no_check"`
                                                  	ExpiryString        string       `json:"expiry"`
                                                  	BackdateString      string       `json:"backdate"`
                                                  	AuthKeyName         string       `json:"auth_key"`
                                                  	CopyExtensions      bool         `json:"copy_extensions"`
                                                  	PrevAuthKeyName     string       `json:"prev_auth_key"` // to suppport key rotation
                                                  	RemoteName          string       `json:"remote"`
                                                  	NotBefore           time.Time    `json:"not_before"`
                                                  	NotAfter            time.Time    `json:"not_after"`
                                                  	NameWhitelistString string       `json:"name_whitelist"`
                                                  	AuthRemote          AuthRemote   `json:"auth_remote"`
                                                  	CTLogServers        []string     `json:"ct_log_servers"`
                                                  	AllowedExtensions   []OID        `json:"allowed_extensions"`
                                                  	CertStore           string       `json:"cert_store"`
                                                  	// LintErrLevel controls preissuance linting for the signing profile.
                                                  	// 0 = no linting is performed [default]
                                                  	// 2..3 = reserved
                                                  	// 3 = all lint results except pass are considered errors
                                                  	// 4 = all lint results except pass and notice are considered errors
                                                  	// 5 = all lint results except pass, notice and warn are considered errors
                                                  	// 6 = all lint results except pass, notice, warn and error are considered errors.
                                                  	// 7 = lint is performed, no lint results are treated as errors.
                                                  	LintErrLevel lint.LintStatus `json:"lint_error_level"`
                                                  	// ExcludeLints lists ZLint lint names to exclude from preissuance linting.
                                                  	ExcludeLints []string `json:"ignored_lints"`
                                                  	// ExcludeLintSources lists ZLint lint sources to exclude from preissuance
                                                  	// linting.
                                                  	ExcludeLintSources []string `json:"ignored_lint_sources"`
                                                  
                                                  	Policies                    []CertificatePolicy
                                                  	Expiry                      time.Duration
                                                  	Backdate                    time.Duration
                                                  	Provider                    auth.Provider
                                                  	PrevProvider                auth.Provider // to suppport key rotation
                                                  	RemoteProvider              auth.Provider
                                                  	RemoteServer                string
                                                  	RemoteCAs                   *x509.CertPool
                                                  	ClientCert                  *tls.Certificate
                                                  	CSRWhitelist                *CSRWhitelist
                                                  	NameWhitelist               *regexp.Regexp
                                                  	ExtensionWhitelist          map[string]bool
                                                  	ClientProvidesSerialNumbers bool
                                                  	// LintRegistry is the collection of lints that should be used if
                                                  	// LintErrLevel is configured. By default all ZLint lints are used. If
                                                  	// ExcludeLints or ExcludeLintSources are set then this registry will be
                                                  	// filtered in populate() to exclude the named lints and lint sources.
                                                  	LintRegistry lint.Registry
                                                  }

                                                    A SigningProfile stores information that the CA needs to store signature policy.

                                                    func DefaultConfig

                                                    func DefaultConfig() *SigningProfile

                                                      DefaultConfig returns a default configuration specifying basic key usage and a 1 year expiration time. The key usages chosen are signing, key encipherment, client auth and server auth.

                                                      func (*SigningProfile) Usages

                                                      func (p *SigningProfile) Usages() (ku x509.KeyUsage, eku []x509.ExtKeyUsage, unk []string)

                                                        Usages parses the list of key uses in the profile, translating them to a list of X.509 key usages and extended key usages. The unknown uses are collected into a slice that is also returned.

                                                        Source Files