authority

package

v0.10.0 Latest Latest Go to latest Published: Apr 30, 2019 License: Apache-2.0 Imports: 22 Imported by: 34

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/smallstep/certificates

Links

Open Source Insights

Documentation ¶

Index ¶

Variables
type AuthConfig
- func (c *AuthConfig) Validate(audiences provisioner.Audiences) error
type Authority
- func New(config *Config) (*Authority, error)
type Claims
type Config
- func LoadConfiguration(filename string) (*Config, error)
- func (c *Config) Save(filename string) error
- func (c *Config) Validate() error
type RevokeOptions

Constants ¶

This section is empty.

Variables ¶

View Source

var (
	// DefaultTLSOptions represents the default TLS version as well as the cipher
	// suites used in the TLS certificates.
	DefaultTLSOptions = tlsutil.TLSOptions{
		CipherSuites: x509util.CipherSuites{
			"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
			"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
			"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
		},
		MinVersion:    1.2,
		MaxVersion:    1.2,
		Renegotiation: false,
	}
)

Functions ¶

This section is empty.

Types ¶

type AuthConfig ¶

type AuthConfig struct {
	Provisioners         provisioner.List    `json:"provisioners"`
	Template             *x509util.ASN1DN    `json:"template,omitempty"`
	Claims               *provisioner.Claims `json:"claims,omitempty"`
	DisableIssuedAtCheck bool                `json:"disableIssuedAtCheck,omitempty"`
}

AuthConfig represents the configuration options for the authority.

func (*AuthConfig) Validate ¶

func (c *AuthConfig) Validate(audiences provisioner.Audiences) error

Validate validates the authority configuration.

type Authority ¶

type Authority struct {
	// contains filtered or unexported fields
}

Authority implements the Certificate Authority internal interface.

func New ¶

func New(config *Config) (*Authority, error)

New creates and initiates a new Authority type.

func (*Authority) Authorize ¶

func (a *Authority) Authorize(ott string) ([]provisioner.SignOption, error)

Authorize is a passthrough to AuthorizeSign. NOTE: Authorize will be deprecated in a future release. Please use the context specific Authorize[Sign|Revoke|etc.] going forwards.

func (*Authority) AuthorizeSign ¶ added in v0.10.0

func (a *Authority) AuthorizeSign(ott string) ([]provisioner.SignOption, error)

AuthorizeSign authorizes a signature request by validating and authenticating a OTT that must be sent w/ the request.

func (*Authority) GetEncryptedKey ¶

func (a *Authority) GetEncryptedKey(kid string) (string, error)

GetEncryptedKey returns the JWE key corresponding to the given kid argument.

func (*Authority) GetFederation ¶ added in v0.8.3

func (a *Authority) GetFederation() (federation []*x509.Certificate, err error)

GetFederation returns all the root certificates in the federation. This method implements the Authority interface.

func (*Authority) GetProvisioners ¶

func (a *Authority) GetProvisioners(cursor string, limit int) (provisioner.List, string, error)

GetProvisioners returns a map listing each provisioner and the JWK Key Set with their public keys.

func (*Authority) GetRootCertificate ¶

func (a *Authority) GetRootCertificate() *x509.Certificate

GetRootCertificate returns the server root certificate.

func (*Authority) GetRootCertificates ¶ added in v0.8.3

func (a *Authority) GetRootCertificates() []*x509.Certificate

GetRootCertificates returns the server root certificates.

In the Authority interface we also have a similar method, GetRoots, at the moment the functionality of these two methods are almost identical, but this method is intended to be used internally by CA HTTP server to load the roots that will be set in the tls.Config while GetRoots will be used by the Authority interface and might have extra checks in the future.

func (*Authority) GetRoots ¶ added in v0.8.3

func (a *Authority) GetRoots() ([]*x509.Certificate, error)

GetRoots returns all the root certificates for this CA. This method implements the Authority interface.

func (*Authority) GetTLSCertificate ¶

func (a *Authority) GetTLSCertificate() (*tls.Certificate, error)

GetTLSCertificate creates a new leaf certificate to be used by the CA HTTPS server.

func (*Authority) GetTLSOptions ¶

func (a *Authority) GetTLSOptions() *tlsutil.TLSOptions

GetTLSOptions returns the tls options configured.

func (*Authority) LoadProvisionerByCertificate ¶ added in v0.10.0

func (a *Authority) LoadProvisionerByCertificate(crt *x509.Certificate) (provisioner.Interface, error)

LoadProvisionerByCertificate returns an interface to the provisioner that provisioned the certificate.

func (*Authority) Renew ¶

func (a *Authority) Renew(oldCert *x509.Certificate) (*x509.Certificate, *x509.Certificate, error)

Renew creates a new Certificate identical to the old certificate, except with a validity window that begins 'now'.

func (*Authority) Revoke ¶ added in v0.10.0

func (a *Authority) Revoke(opts *RevokeOptions) error

Revoke revokes a certificate.

NOTE: Only supports passive revocation - prevent existing certificates from being renewed.

TODO: Add OCSP and CRL support.

func (*Authority) Root ¶

func (a *Authority) Root(sum string) (*x509.Certificate, error)

Root returns the certificate corresponding to the given SHA sum argument.

func (*Authority) Shutdown ¶ added in v0.10.0

func (a *Authority) Shutdown() error

Shutdown safely shuts down any clients, databases, etc. held by the Authority.

func (*Authority) Sign ¶

func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Options, extraOpts ...provisioner.SignOption) (*x509.Certificate, *x509.Certificate, error)

Sign creates a signed certificate from a certificate signing request.

type Claims ¶ added in v0.8.4

type Claims struct {
	jose.Claims
	SANs  []string `json:"sans,omitempty"`
	Email string   `json:"email,omitempty"`
	Nonce string   `json:"nonce,omitempty"`
}

Claims extends jose.Claims with step attributes.

type Config ¶

type Config struct {
	Root             multiString         `json:"root"`
	FederatedRoots   []string            `json:"federatedRoots"`
	IntermediateCert string              `json:"crt"`
	IntermediateKey  string              `json:"key"`
	Address          string              `json:"address"`
	DNSNames         []string            `json:"dnsNames"`
	Logger           json.RawMessage     `json:"logger,omitempty"`
	DB               *db.Config          `json:"db,omitempty"`
	Monitoring       json.RawMessage     `json:"monitoring,omitempty"`
	AuthorityConfig  *AuthConfig         `json:"authority,omitempty"`
	TLS              *tlsutil.TLSOptions `json:"tls,omitempty"`
	Password         string              `json:"password,omitempty"`
}

Config represents the CA configuration and it's mapped to a JSON object.

func LoadConfiguration ¶

func LoadConfiguration(filename string) (*Config, error)

LoadConfiguration parses the given filename in JSON format and returns the configuration struct.

func (*Config) Save ¶

func (c *Config) Save(filename string) error

Save saves the configuration to the given filename.

func (*Config) Validate ¶

func (c *Config) Validate() error

Validate validates the configuration.

type RevokeOptions ¶ added in v0.10.0

type RevokeOptions struct {
	Serial      string
	Reason      string
	ReasonCode  int
	PassiveOnly bool
	MTLS        bool
	Crt         *x509.Certificate
	OTT         string
	// contains filtered or unexported fields
}

RevokeOptions are the options for the Revoke API.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
provisioner

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL