ca

package
v1.1.1 Latest

This package is not in the latest version of its module.
Published: Feb 5, 2021 License: MIT Imports: 10 Imported by: 0

Documentation

Constants

const (
	// ServerName is the name that the CA client expects to find the server at.
	ServerName = "CA"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type CertificateType

type CertificateType bool

CertificateType represents the type of the certificate in the request.

const (
	// HostCertificate represents an SSH host certificate
	HostCertificate CertificateType = true
	// UserCertificate represents an SSH user certificate
	UserCertificate CertificateType = false
)

func (CertificateType) Args added in v1.1.1

func (ct CertificateType) Args() []string

Args converts the CertificateType into ssh-keygen args.

func (CertificateType) String

func (ct CertificateType) String() string

String implementation for Stringer.

type Client

type Client struct {
	*rpc.Client
}

Client wraps rpc.Client and provides functions to call the SSH CA RPCs.

func (Client) GetCAPublicKey

func (c Client) GetCAPublicKey() (*PublicKeyReply, error)

GetCAPublicKey represents the GetCAPublicKey RPC call.

func (Client) SignPublicKey

func (c Client) SignPublicKey(args SignArgs) (*SignReply, error)

SignPublicKey represents the SignPublicKey RPC call.

type PublicKey added in v1.1.0

type PublicKey struct {
	Data []byte
	// contains filtered or unexported fields
}

PublicKey is a wrapper around an ssh.PublicKey which uses the file representation, rather than the wire representation.

func NewPublicKey added in v1.1.0

func NewPublicKey(filename string) (*PublicKey, error)

NewPublicKey creates a new PublicKey from a file.

func (*PublicKey) Fingerprint added in v1.1.0

func (p *PublicKey) Fingerprint() string

Fingerprint returns the SHA256 fingerprint of the public key.

func (PublicKey) Marshal added in v1.1.0

func (p PublicKey) Marshal() []byte

Marshal returns the underlying bytes of the public key.

func (PublicKey) String added in v1.1.0

func (p PublicKey) String() string

func (*PublicKey) Type added in v1.1.0

func (p *PublicKey) Type() string

Type returns the algorithm of the public key.

func (PublicKey) WriteFile added in v1.1.0

func (p PublicKey) WriteFile(filename string, perm os.FileMode) error

WriteFile writes the PublicKey to a file.

type PublicKeyReply

type PublicKeyReply struct {
	CAPublicKey *PublicKey
}

PublicKeyReply encapsulates the public key of the CA and represents the value of GetCAPublicKey.

type Server

type Server struct {
	// PrivateKeyPath is the path to the private key for the CA.
	// This is never read by the program, but rather used as an argument for
	// ssh-keygen.
	PrivateKeyPath string
	// PublicKey is the public key of the CA.
	// This is read into the server on startup in order to respond to
	// GetCAPublicKey.
	PublicKey *PublicKey
	// True iff confirmation should be skipped when responding to SignPublicKey.
	SkipConfirmation bool
	// contains filtered or unexported fields
}

Server encapsulates an SSH CA and provides a net/rpc compatible type signature. It exposes functions to sign public keys and return the public CA certificate.

func NewServer

func NewServer(privateKeyPath string, publicKeyPath string, skipConfirmation bool) (Server, error)

NewServer constructs a CAServer using the paths to an SSH CA private key and public key. If publicKeyPath is the empty string, it is inferred from the privateKeyPath.

func (Server) GetCAPublicKey

func (ca Server) GetCAPublicKey(args struct{}, reply *PublicKeyReply) error

GetCAPublicKey returns the public key of the trusted CA.

func (*Server) SignPublicKey

func (ca *Server) SignPublicKey(args SignArgs, reply *SignReply) error

SignPublicKey takes an SSH public key and signing options and signs it with ssh-keygen.

type SignArgs

type SignArgs struct {
	// Identity is passed as the argument to -I in ssh-keygen.
	Identity string
	// CertificateType represents the type of certificate to be generated. If it's a host
	// certificate, then -h is passed to ssh-keygen.
	CertificateType CertificateType
	// Principals is passed as the argument to -n to ssh-keygen.
	Principals []string
	// PublicKey contains the regular SSH public key that is being signed.
	PublicKey *PublicKey
}

SignArgs represents the options available (or at least an important subset of them) when generating the command line.

func (SignArgs) Args added in v1.1.1

func (args SignArgs) Args() []string

Args converts SignArgs to ssh-keygen args.

func (SignArgs) String added in v1.1.1

func (args SignArgs) String() string

String identifies a SignPublicKey request. It generates a string version of the request parameters and the key fingerprint. As a side-effect, this also validates the public key.
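The two behaviours documented above for PublicKey.Fingerprint and SignArgs (a file-format key validated and reduced to a SHA256 fingerprint; Identity, CertificateType and Principals mapped to -I, -h and -n), sketched with the standard library only. This is an added example, not the package's code: fileFingerprint and keygenArgs are hypothetical stand-ins, the -s flag and the paths are assumptions, the sample key is constructed, and requiring at least one principal is this example's own choice.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// fileFingerprint validates a file-format key line ("<type> <base64> [comment]") and hashes its wire blob.
func fileFingerprint(line string) (string, error) {
	f := strings.Fields(line)
	if len(f) < 2 {
		return "", errors.New("want: <type> <base64> [comment]")
	}
	blob, err := base64.StdEncoding.DecodeString(f[1])
	// The blob must start with a length-prefixed algorithm name equal to field 0.
	want := append(binary.BigEndian.AppendUint32(nil, uint32(len(f[0]))), f[0]...)
	if err != nil || !bytes.HasPrefix(blob, want) {
		return "", errors.New("key blob is malformed or does not match the declared type")
	}
	sum := sha256.Sum256(blob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:]), nil
}

// keygenArgs builds the ssh-keygen argv (for exec without a shell) from the documented SignArgs fields.
func keygenArgs(caKey, keyFile, identity string, host bool, principals []string) ([]string, error) {
	if identity == "" || len(principals) == 0 { // without -n the certificate is valid for every user or host
		return nil, errors.New("identity and at least one principal are required")
	}
	for _, p := range principals {
		if p == "" || strings.ContainsAny(p, ", \t\r\n") { // a comma would add another principal to -n
			return nil, errors.New("bad principal: " + p)
		}
	}
	args := []string{"-s", caKey, "-I", identity}
	if host {
		args = append(args, "-h")
	}
	return append(args, "-n", strings.Join(principals, ","), keyFile), nil
}

func main() {
	fmt.Println(fileFingerprint("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI" + strings.Repeat("A", 43))) // constructed all-zero key
	fmt.Println(keygenArgs("/ca/key", "/tmp/req.pub", "alice", false, []string{"alice"}))
}
```

The fingerprint ignores the trailing comment field, so an operator confirming a request compares the same value whatever label the requester attached to the key.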

type SignReply

type SignReply struct {
	// Certificate contains the signed SSH certificate.
	Certificate *PublicKey
}

SignReply represents the reply from SignPublicKey.
