

Constants

// PEM block type labels used when encoding and decoding certificates and keys.
const (
	// PEMTypeCertificate is the PEM block type for an X.509 certificate.
	PEMTypeCertificate = "CERTIFICATE"
	// PEMTypePKCS1 is the PEM block type for a PKCS#1 encoded RSA private key.
	PEMTypePKCS1       = "RSA PRIVATE KEY"
	// PEMTypePKCS8 is the PEM block type for a PKCS#8 encoded private key.
	PEMTypePKCS8       = "PRIVATE KEY"
)
const (
	// DefaultLeafGroup is the default group name for leafs
	// (see Authority.LeafForGroup).
	DefaultLeafGroup = "controller"
)
const (
	// DefaultValidityYears is the maximum age, in years, that a certificate
	// is signed for by the DefaultRequestSigner.
	DefaultValidityYears = 10
)

Variables

var (
	// DefaultPemHeaders is the default set of PEM headers; it is empty.
	// Note that this is a package-level mutable map.
	DefaultPemHeaders = map[string]string{}
)
var (
	// HeaderLeafGroup is the header key under which a leaf's group is
	// recorded. NOTE(review): presumably a PEM header key (see
	// DefaultPemHeaders) — confirm against the encoding code.
	HeaderLeafGroup = "leaf.pki.juju.is/group"
)
// LeafSubjectTemplate is the default pkix.Name used for all leaf certificates
// made from a DefaultAuthority.
var LeafSubjectTemplate = pkix.Name{
	Organization: Organisation,
	CommonName:   "Juju server certificate",
}

LeafSubjectTemplate is the default pkix.Name used for all leaf certificates made from a DefaultAuthority

var (
	// NotBeforeJitter is the offset applied to a certificate's NotBefore time
	// relative to now. It is negative, so certificates are valid from five
	// minutes before issuance (presumably to tolerate clock skew between
	// issuer and verifier — confirm with the signing code).
	NotBeforeJitter = time.Minute * -5
)
// Organisation is the default organisation set on all certificates.
var Organisation = []string{"Juju"}

Organisation is the default organisation set on all certificates.

Functions

func CSRToCertificate

func CSRToCertificate(csr *x509.CertificateRequest) *x509.Certificate

CSRToCertificate copies all fields from a CertificateRequest into a new x509 Certificate. No policy check is performed; this is just a straight 1-to-1 copy.

func CertificateToPemString

func CertificateToPemString(headers map[string]string,
	cert *x509.Certificate, chain ...*x509.Certificate) (string, error)

CertificateToPemString transforms an x509 certificate to a pem string

func CertificateToPemWriter

func CertificateToPemWriter(writer io.Writer, headers map[string]string,
	cert *x509.Certificate, chain ...*x509.Certificate) error

CertificateToPemWriter transforms an x509 certificate to pem format on the supplied writer

func ECDSAP224

func ECDSAP224() (crypto.Signer, error)

ECDSAP224 returns an ECDSA 224 private key

func ECDSAP256

func ECDSAP256() (crypto.Signer, error)

ECDSAP256 returns an ECDSA 256 private key

func ECDSAP384

func ECDSAP384() (crypto.Signer, error)

ECDSAP384 returns an ECDSA 384 private key

func Fingerprint

func Fingerprint(pemData []byte) (string, []byte, error)

Fingerprint returns a human-readable SHA-256 fingerprint for a certificate stored in the PEM format. The returned fingerprint matches the output of: openssl x509 -noout -fingerprint -sha256 -inform pem -in cert.pem. Also returns the remainder of the input for the next blocks.

func IsPemCA

func IsPemCA(pemData []byte) (bool, error)

IsPemCA returns true if the supplied pem certificate is a CA

func LeafHasDNSNames

func LeafHasDNSNames(leaf Leaf, dnsNames []string) bool

LeafHasDNSNames tests a given Leaf to see if it contains the supplied DNS names

func MakeX509NameFromDefaults

func MakeX509NameFromDefaults(template, request *pkix.Name) pkix.Name

MakeX509NameFromDefaults constructs a new x509 name from the merging of a default and request name. Fields not set in the request name will be copied from the default name.

func NewCA

func NewCA(commonName string, signer crypto.Signer) (*x509.Certificate, error)

NewCA is a helper that generates a new certificate authority using the provided common name and signer.

func PublicKeysEqual

func PublicKeysEqual(key1, key2 interface{}) bool

func RSA2048

func RSA2048() (crypto.Signer, error)

RSA2048 returns an RSA 2048 private key

func RSA3072

func RSA3072() (crypto.Signer, error)

RSA3072 returns an RSA 3072 private key

func SignerToPemString

func SignerToPemString(signer crypto.Signer) (string, error)

SignerToPemString transforms a crypto signer to PKCS8 pem string

func SignerToPemWriter

func SignerToPemWriter(writer io.Writer, signer crypto.Signer) error

SignerToPemWriter transforms a crypto signer to PKCS8 pem using the supplied writer

func UnmarshalPemData

func UnmarshalPemData(pemData []byte) ([]*x509.Certificate, []crypto.Signer, error)

UnmarshalPemData unmarshals a set of pem data into certificates and signers

func UnmarshalSignerFromPemBlock

func UnmarshalSignerFromPemBlock(block *pem.Block) (crypto.Signer, error)

UnmarshalSignerFromPemBlock transforms a given pem block to a crypto signer

Types

type Authority

// Authority represents a secure means of issuing groups of common interest
// certificates that share a certificate authority. An Authority should only
// be shared between trusted parties and should be considered thread safe.
type Authority interface {
	// Leaf Authority implements the Leaf interface
	Leaf

	// LeafForGroup returns the leaf associated with the given group. Returns
	// error if no leaf exists for the given group.
	LeafForGroup(string) (Leaf, error)

	// LeafGroupFromPemCertKey loads an already existing certificate key pair as
	// a new leaf at the given group. Returns error if a leaf for the given
	// group already exists or an error occurred loading the pem data.
	LeafGroupFromPemCertKey(group string, certPem, key []byte) (Leaf, error)

	// LeafRequestForGroup starts a new leaf request for the given group. If a
	// leaf already exists it will be overwritten with this request when
	// committed.
	LeafRequestForGroup(string) LeafRequest

	// LeafRange is a method for safely iterating over all the leafs for the
	// given Authority. Supplied function should return false to stop iteration
	// early.
	LeafRange(func(leaf Leaf) bool)
}

Authority represents a secure means of issuing groups of common interest certificates that share a certificate authority. An Authority should only be shared between trusted parties. Authority should be considered thread safe.

type CertificateRequestSigner

// CertificateRequestSigner is an interface for signing CSRs under a CA.
type CertificateRequestSigner interface {
	// SignCSR signs the supplied certificate request and returns the issued
	// certificate together with its signing chain, or an error.
	SignCSR(*x509.CertificateRequest) (*x509.Certificate, []*x509.Certificate, error)
}

CertificateRequestSigner is an interface for signing CSRs under a CA

type CertificateRequestSignerFn

// CertificateRequestSignerFn is a function adapter that implements
// CertificateRequestSigner.
type CertificateRequestSignerFn func(*x509.CertificateRequest) (*x509.Certificate, []*x509.Certificate, error)

CertificateRequestSignerFn implements CertificateRequestSigner

func (CertificateRequestSignerFn) SignCSR

SignCSR implements CertificateRequestSigner SignCSR

type DefaultAuthority

type DefaultAuthority struct {
	// contains filtered or unexported fields
}

DefaultAuthority is a juju implementation of the Authority interface. Its main difference is the ability to set a common leaf private key so all leafs use the same key.

func NewDefaultAuthority

func NewDefaultAuthority(authority *x509.Certificate, signer crypto.Signer,
	chain ...*x509.Certificate) (*DefaultAuthority, error)

NewDefaultAuthority generates a new DefaultAuthority for the supplied CA cert and keys. Error is returned when the supplied certificate is not a CA.

func NewDefaultAuthorityPem

func NewDefaultAuthorityPem(pemBlock []byte) (*DefaultAuthority, error)

NewDefaultAuthorityPem generates a new DefaultAuthority for the supplied pem block. The pem block must contain a valid CA certificate and associated private key.

func NewDefaultAuthorityPemCAKey

func NewDefaultAuthorityPemCAKey(caPem, keyPem []byte) (*DefaultAuthority, error)

NewDefaultAuthorityPemCAKey generates a new DefaultAuthority for the supplied pem CA and key. Returns an error if the supplied cert is not a CA or parsing of the pem data fails.

func (*DefaultAuthority) Certificate

func (a *DefaultAuthority) Certificate() *x509.Certificate

Certificate implements Leaf interface method. Returns the CA's certificate

func (*DefaultAuthority) Chain

func (a *DefaultAuthority) Chain() []*x509.Certificate

Chain implements Leaf interface method. Returns the CA's chain if it is an intermediate.

func (*DefaultAuthority) LeafForGroup

func (a *DefaultAuthority) LeafForGroup(group string) (Leaf, error)

LeafForGroup implements Authority interface method.

func (*DefaultAuthority) LeafGroupFromPemCertKey

func (a *DefaultAuthority) LeafGroupFromPemCertKey(group string,
	certPem, key []byte) (Leaf, error)

LeafGroupFromPemCertKey implements Authority interface method.

func (*DefaultAuthority) LeafRange

func (a *DefaultAuthority) LeafRange(ranger func(leaf Leaf) bool)

LeafRange implements Authority interface method.

func (*DefaultAuthority) LeafRequestForGroup

func (a *DefaultAuthority) LeafRequestForGroup(group string) LeafRequest

LeafRequestForGroup implements Authority interface method. Starts a new leaf request for the given group, overwriting any existing leaf when the request is committed.

func (*DefaultAuthority) SetLeafSigner

func (a *DefaultAuthority) SetLeafSigner(signer crypto.Signer)

SetLeafSigner sets a default signer to use for all new created leafs on this authority.

func (*DefaultAuthority) Signer

func (a *DefaultAuthority) Signer() crypto.Signer

Signer implements Leaf interface method. Returns the signer used for this authority.

func (*DefaultAuthority) TLSCertificate

func (a *DefaultAuthority) TLSCertificate() *tls.Certificate

TLSCertificate implements Leaf interface method. Returns a tls certificate that can be used in tls connections.

func (*DefaultAuthority) ToPemParts

func (a *DefaultAuthority) ToPemParts() (cert, key []byte, err error)

ToPemParts implements the Leaf interface method. Returns this authority split into certificate and key pem components.

type DefaultLeaf

type DefaultLeaf struct {
	// contains filtered or unexported fields
}

DefaultLeaf is a default implementation of the Leaf interface

func NewDefaultLeaf

func NewDefaultLeaf(group string, cert *x509.Certificate,
	chain []*x509.Certificate, signer crypto.Signer) *DefaultLeaf

NewDefaultLeaf constructs a new DefaultLeaf for the supplied certificate and key

func NewDefaultLeafPem

func NewDefaultLeafPem(group string, pemBlock []byte) (*DefaultLeaf, error)

NewDefaultLeafPem constructs a new DefaultLeaf from the supplied PEM data

func (*DefaultLeaf) Certificate

func (d *DefaultLeaf) Certificate() *x509.Certificate

Certificate implements Leaf Certificate

func (*DefaultLeaf) Chain

func (d *DefaultLeaf) Chain() []*x509.Certificate

Chain implements Leaf Chain

func (*DefaultLeaf) Signer

func (d *DefaultLeaf) Signer() crypto.Signer

Signer implements Leaf interface Signer

func (*DefaultLeaf) TLSCertificate

func (d *DefaultLeaf) TLSCertificate() *tls.Certificate

TLSCertificate implements Leaf interface TLSCertificate

func (*DefaultLeaf) ToPemParts

func (d *DefaultLeaf) ToPemParts() ([]byte, []byte, error)

ToPemParts implements Leaf interface ToPemParts

type DefaultLeafRequest

type DefaultLeafRequest struct {
	// contains filtered or unexported fields
}

DefaultLeafRequest is a default implementation of the LeafRequest interface

func NewDefaultLeafRequest

func NewDefaultLeafRequest(subject pkix.Name,
	requestSigner CertificateRequestSigner, maker LeafMaker) *DefaultLeafRequest

NewDefaultLeafRequest creates a DefaultLeafRequest object that implements LeafRequest

func NewDefaultLeafRequestWithSigner

func NewDefaultLeafRequestWithSigner(subject pkix.Name, signer crypto.Signer,
	requestSigner CertificateRequestSigner,
	maker LeafMaker) *DefaultLeafRequest

NewDefaultLeafRequestWithSigner creates a DefaultLeafRequest object that implements LeafRequest. Takes a default signer to use for all certificate creation instead of generating a new one.

func (*DefaultLeafRequest) AddDNSNames

func (d *DefaultLeafRequest) AddDNSNames(dnsNames ...string) LeafRequest

AddDNSNames implements LeafRequest AddDNSNames

func (*DefaultLeafRequest) AddIPAddresses

func (d *DefaultLeafRequest) AddIPAddresses(ipAddresses ...net.IP) LeafRequest

AddIPAddresses implements LeafRequest AddIPAddresses

func (*DefaultLeafRequest) Commit

func (d *DefaultLeafRequest) Commit() (Leaf, error)

Commit implements LeafRequest Commit

type DefaultRequestSigner

type DefaultRequestSigner struct {
	// contains filtered or unexported fields
}

DefaultRequestSigner is a default implementation of CertificateRequestSigner

func NewDefaultRequestSigner

func NewDefaultRequestSigner(
	authority *x509.Certificate,
	chain []*x509.Certificate,
	privKey interface{}) *DefaultRequestSigner

NewDefaultRequestSigner creates a new DefaultRequestSigner for the supplied CA and key

func (*DefaultRequestSigner) SignCSR

SignCSR implements CertificateRequestSigner SignCSR

type KeyProfile

// KeyProfile is a function that returns a new private key (as a
// crypto.Signer) with a default set of attributes, or an error.
type KeyProfile func() (crypto.Signer, error)

KeyProfile is a convenient way of getting a crypto private key with a default set of attributes

var (
	// DefaultKeyProfile is the default KeyProfile; it generates RSA 3072
	// private keys (see RSA3072).
	DefaultKeyProfile KeyProfile = RSA3072
)

type Leaf

// Leaf represents a certificate and its associated key for signing operations.
type Leaf interface {
	// Certificate returns the x509 certificate of this leaf. May be nil if no
	// certificate exists yet. Call Commit to sign the leaf.
	Certificate() *x509.Certificate

	// Chain is the certificate signing chain for this leaf in the case of
	// intermediate CA's
	Chain() []*x509.Certificate

	// Signer is the crypto key used for signing operations on this leaf.
	Signer() crypto.Signer

	// TLSCertificate is a convenience method for generating a tls certificate
	// for use in tls transport.
	TLSCertificate() *tls.Certificate

	// ToPemParts is a convenience method for converting this leaf to pem parts
	// of certificate/chain and private key.
	ToPemParts() (cert, key []byte, err error)
}

Leaf represents a certificate and its associated key for signing operations.

type LeafMaker

// LeafMaker describes a function that constructs a new Leaf from the supplied
// certificate, signing chain and crypto signer.
type LeafMaker func(*x509.Certificate, []*x509.Certificate, crypto.Signer) (Leaf, error)

LeafMaker describes a function that can construct a new Leaf from the supplied certificate and crypto signer

type LeafRequest

// LeafRequest is an intermediate unit for requesting new leafs with specific
// attributes.
type LeafRequest interface {
	// AddDNSNames adds the specified dns names to the LeafRequest
	AddDNSNames(...string) LeafRequest

	// AddIPAddresses adds the specified ip addresses to the LeafRequest
	AddIPAddresses(...net.IP) LeafRequest

	// Commit transforms the LeafRequest to a new Leaf
	Commit() (Leaf, error)
}

LeafRequest is an intermediate unit for requesting new leafs with specific attributes.

Directories

Path Synopsis
test
tls