Package local implements certificate signature functionality for CFSSL.



func OverrideHosts

    func OverrideHosts(template *x509.Certificate, hosts []string)

OverrideHosts fills template's IPAddresses, EmailAddresses, DNSNames, and URIs with the content of hosts, if it is not nil.

func PopulateSubjectFromCSR

    func PopulateSubjectFromCSR(s *signer.Subject, req pkix.Name) pkix.Name

PopulateSubjectFromCSR has functionality similar to Name, except it fills the fields of the resulting pkix.Name with req's if the subject's corresponding fields are empty.


type LintError

    type LintError struct {
        ErrorResults map[string]lint.LintResult
    }

LintError is an error type returned when pre-issuance linting is configured in a signing profile and a TBS Certificate fails linting. It wraps the concrete zlint LintResults so that callers can further inspect the cause of the failing lints.

func (*LintError) Error

    func (e *LintError) Error() string

type Signer

    type Signer struct {
        // contains filtered or unexported fields
    }

Signer contains a signer that uses the standard library to support both ECDSA and RSA CA keys.

func NewSigner

    func NewSigner(priv crypto.Signer, cert *x509.Certificate, sigAlgo x509.SignatureAlgorithm, policy *config.Signing) (*Signer, error)

NewSigner creates a new Signer directly from a private key and certificate, with optional policy.

func NewSignerFromFile

    func NewSignerFromFile(caFile, caKeyFile string, policy *config.Signing) (*Signer, error)

NewSignerFromFile generates a new local signer from a caFile and a caKey file, both PEM encoded.

func (*Signer) Certificate

    func (s *Signer) Certificate(label, profile string) (*x509.Certificate, error)

Certificate returns the signer's certificate.

func (*Signer) GetDBAccessor

    func (s *Signer) GetDBAccessor() certdb.Accessor

GetDBAccessor returns the signer's cert db accessor.

func (*Signer) Info

    func (s *Signer) Info(req info.Req) (resp *info.Resp, err error)

Info returns a populated info.Resp struct or an error.

func (*Signer) Policy

    func (s *Signer) Policy() *config.Signing

Policy returns the signer's policy.

func (*Signer) SetDBAccessor

    func (s *Signer) SetDBAccessor(dba certdb.Accessor)

SetDBAccessor sets the signer's cert db accessor.

func (*Signer) SetPolicy

    func (s *Signer) SetPolicy(policy *config.Signing)

SetPolicy sets the signer's signature policy.

func (*Signer) SetReqModifier

    func (s *Signer) SetReqModifier(func(*http.Request, []byte))

SetReqModifier does nothing for local.

func (*Signer) SigAlgo

    func (s *Signer) SigAlgo() x509.SignatureAlgorithm

SigAlgo returns the RSA signer's signature algorithm.

func (*Signer) Sign

    func (s *Signer) Sign(req signer.SignRequest) (cert []byte, err error)

Sign signs a new certificate based on the PEM-encoded client certificate or certificate request with the signing profile, specified by profileName.

func (*Signer) SignFromPrecert

    func (s *Signer) SignFromPrecert(precert *x509.Certificate, scts []ct.SignedCertificateTimestamp) ([]byte, error)

SignFromPrecert creates and signs a certificate from an existing precertificate that was previously signed by the Signer's CA and inserts the provided SCTs into the new certificate. The resulting certificate will be an exact copy of the precert except for the removal of the poison extension and the addition of the SCT list extension. SignFromPrecert does not verify that the contents of the certificate still match the signing profile of the signer; it only requires that the precert was previously signed by the Signer's CA. Similarly, any linting configured by the profile used to sign the precert will not be re-applied to the final cert and must be done separately by the caller.
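Because SignFromPrecert re-applies neither the profile nor the lints, a caller may want to confirm the documented relationship between the precert and the final certificate before releasing it. The following is an added example, not code from the cfssl package: checkPrecertExtensions is a hypothetical helper that compares the Extensions slices of the two parsed certificates using the RFC 6962 poison and SCT list OIDs, and the sample values in main are constructed.

```go
package main

import (
	"bytes"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// RFC 6962 extension OIDs: precertificate poison and embedded SCT list.
var (
	oidCTPoison = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3}
	oidSCTList  = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}
)

// checkPrecertExtensions (hypothetical helper) returns an error unless final
// holds the precert's extensions minus the poison, plus an SCT list.
func checkPrecertExtensions(precert, final []pkix.Extension) error {
	want := map[string]pkix.Extension{}
	for _, e := range precert {
		want[e.Id.String()] = e
	}
	if _, ok := want[oidCTPoison.String()]; !ok {
		return fmt.Errorf("precert has no CT poison extension")
	}
	delete(want, oidCTPoison.String()) // a poison left in final now counts as "added"
	hasSCT := false
	for _, e := range final {
		if e.Id.Equal(oidSCTList) {
			hasSCT = true
			continue
		}
		w, ok := want[e.Id.String()]
		if !ok || w.Critical != e.Critical || !bytes.Equal(w.Value, e.Value) {
			return fmt.Errorf("extension %s added, changed or not removed", e.Id)
		}
		delete(want, e.Id.String())
	}
	if !hasSCT || len(want) != 0 {
		return fmt.Errorf("SCT list missing or %d precert extension(s) dropped", len(want))
	}
	return nil
}

func main() {
	// Constructed sample values, not real certificate extensions.
	ku := pkix.Extension{Id: asn1.ObjectIdentifier{2, 5, 29, 15}, Critical: true, Value: []byte{3, 2, 5, 160}}
	pre := []pkix.Extension{ku, {Id: oidCTPoison, Critical: true, Value: []byte{5, 0}}}
	fmt.Println(checkPrecertExtensions(pre, []pkix.Extension{ku, {Id: oidSCTList, Value: []byte{4, 0}}}))
}
```

The helper covers extensions only; subject, validity, serial number and public key need their own comparison, and profile and lint checks remain a separate step.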

