config

package

v0.22.2-rc10 Latest Latest Go to latest Published: Oct 1, 2022 License: Apache-2.0 Imports: 16 Imported by: 3

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/smallstep/certificates

Documentation ¶

Index ¶

Variables
type ASN1DN
type AuthConfig
- func (c *AuthConfig) Validate(audiences provisioner.Audiences) error
type Bastion
type CipherSuites
- func (c CipherSuites) Validate() error
- func (c CipherSuites) Value() []uint16
type Config
- func LoadConfiguration(filename string) (*Config, error)
- func (c *Config) Audience(path string) []string
- func (c *Config) GetAudiences() provisioner.Audiences
- func (c *Config) Init()
- func (c *Config) Save(filename string) error
- func (c *Config) Validate() error
type Host
type HostTag
type SSHConfig
- func (c *SSHConfig) Validate() error
type SSHKeys
type SSHPublicKey
- func (k *SSHPublicKey) PublicKey() ssh.PublicKey
- func (k *SSHPublicKey) Validate() error
type TLSOptions
- func (t *TLSOptions) TLSConfig() *tls.Config
type TLSVersion
- func (v TLSVersion) String() string
- func (v TLSVersion) Validate() error
- func (v TLSVersion) Value() uint16

Constants ¶

This section is empty.

Variables ¶

View Source

var (
	// DefaultBackdate length of time to backdate certificates to avoid
	// clock skew validation issues.
	DefaultBackdate = time.Minute
	// DefaultDisableRenewal disables renewals per provisioner.
	DefaultDisableRenewal = false
	// DefaultAllowRenewalAfterExpiry allows renewals even if the certificate is
	// expired.
	DefaultAllowRenewalAfterExpiry = false
	// DefaultEnableSSHCA enable SSH CA features per provisioner or globally
	// for all provisioners.
	DefaultEnableSSHCA = false
	// GlobalProvisionerClaims default claims for the Authority. Can be overridden
	// by provisioner specific claims.
	GlobalProvisionerClaims = provisioner.Claims{
		MinTLSDur:               &provisioner.Duration{Duration: 5 * time.Minute},
		MaxTLSDur:               &provisioner.Duration{Duration: 24 * time.Hour},
		DefaultTLSDur:           &provisioner.Duration{Duration: 24 * time.Hour},
		MinUserSSHDur:           &provisioner.Duration{Duration: 5 * time.Minute},
		MaxUserSSHDur:           &provisioner.Duration{Duration: 24 * time.Hour},
		DefaultUserSSHDur:       &provisioner.Duration{Duration: 16 * time.Hour},
		MinHostSSHDur:           &provisioner.Duration{Duration: 5 * time.Minute},
		MaxHostSSHDur:           &provisioner.Duration{Duration: 30 * 24 * time.Hour},
		DefaultHostSSHDur:       &provisioner.Duration{Duration: 30 * 24 * time.Hour},
		EnableSSHCA:             &DefaultEnableSSHCA,
		DisableRenewal:          &DefaultDisableRenewal,
		AllowRenewalAfterExpiry: &DefaultAllowRenewalAfterExpiry,
	}
)

View Source

var (
	// DefaultTLSMinVersion default minimum version of TLS.
	DefaultTLSMinVersion = TLSVersion(1.2)
	// DefaultTLSMaxVersion default maximum version of TLS.
	DefaultTLSMaxVersion = TLSVersion(1.3)
	// DefaultTLSRenegotiation default TLS connection renegotiation policy.
	DefaultTLSRenegotiation = false // Never regnegotiate.
	// DefaultTLSCipherSuites specifies default step ciphersuite(s).
	// These are TLS 1.0 - 1.2 cipher suites.
	DefaultTLSCipherSuites = CipherSuites{
		"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	}
	// ApprovedTLSCipherSuites smallstep approved ciphersuites.
	ApprovedTLSCipherSuites = CipherSuites{

		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
		"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",

		"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
		"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
		"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
	}
	// DefaultTLSOptions represents the default TLS version as well as the cipher
	// suites used in the TLS certificates.
	DefaultTLSOptions = TLSOptions{
		CipherSuites:  DefaultTLSCipherSuites,
		MinVersion:    DefaultTLSMinVersion,
		MaxVersion:    DefaultTLSMaxVersion,
		Renegotiation: DefaultTLSRenegotiation,
	}
)

Functions ¶

This section is empty.

Types ¶

type ASN1DN ¶

type ASN1DN struct {
	Country            string `json:"country,omitempty"`
	Organization       string `json:"organization,omitempty"`
	OrganizationalUnit string `json:"organizationalUnit,omitempty"`
	Locality           string `json:"locality,omitempty"`
	Province           string `json:"province,omitempty"`
	StreetAddress      string `json:"streetAddress,omitempty"`
	SerialNumber       string `json:"serialNumber,omitempty"`
	CommonName         string `json:"commonName,omitempty"`
}

ASN1DN contains ASN1.DN attributes that are used in Subject and Issuer x509 Certificate blocks.

type AuthConfig ¶

type AuthConfig struct {
	*cas.Options
	AuthorityID          string                `json:"authorityId,omitempty"`
	DeploymentType       string                `json:"deploymentType,omitempty"`
	Provisioners         provisioner.List      `json:"provisioners,omitempty"`
	Admins               []*linkedca.Admin     `json:"-"`
	Template             *ASN1DN               `json:"template,omitempty"`
	Claims               *provisioner.Claims   `json:"claims,omitempty"`
	Policy               *policy.Options       `json:"policy,omitempty"`
	DisableIssuedAtCheck bool                  `json:"disableIssuedAtCheck,omitempty"`
	Backdate             *provisioner.Duration `json:"backdate,omitempty"`
	EnableAdmin          bool                  `json:"enableAdmin,omitempty"`
	DisableGetSSHHosts   bool                  `json:"disableGetSSHHosts,omitempty"`
}

AuthConfig represents the configuration options for the authority. An underlaying registration authority can also be configured using the cas.Options.

func (*AuthConfig) Validate ¶

func (c *AuthConfig) Validate(audiences provisioner.Audiences) error

Validate validates the authority configuration.

type Bastion ¶

type Bastion struct {
	Hostname string `json:"hostname"`
	User     string `json:"user,omitempty"`
	Port     string `json:"port,omitempty"`
	Command  string `json:"cmd,omitempty"`
	Flags    string `json:"flags,omitempty"`
}

Bastion contains the custom properties used on bastion.

type CipherSuites ¶

type CipherSuites []string

CipherSuites represents an array of string codes representing the cipher suites.

func (CipherSuites) Validate ¶

func (c CipherSuites) Validate() error

Validate implements models.Validator and checks that a cipher suite is valid.

func (CipherSuites) Value ¶

func (c CipherSuites) Value() []uint16

Value returns an []uint16 for the cipher suites.

type Config ¶

type Config struct {
	Root             multiString          `json:"root"`
	FederatedRoots   []string             `json:"federatedRoots"`
	IntermediateCert string               `json:"crt"`
	IntermediateKey  string               `json:"key"`
	Address          string               `json:"address"`
	InsecureAddress  string               `json:"insecureAddress"`
	DNSNames         []string             `json:"dnsNames"`
	KMS              *kms.Options         `json:"kms,omitempty"`
	SSH              *SSHConfig           `json:"ssh,omitempty"`
	Logger           json.RawMessage      `json:"logger,omitempty"`
	DB               *db.Config           `json:"db,omitempty"`
	Monitoring       json.RawMessage      `json:"monitoring,omitempty"`
	AuthorityConfig  *AuthConfig          `json:"authority,omitempty"`
	TLS              *TLSOptions          `json:"tls,omitempty"`
	Password         string               `json:"password,omitempty"`
	Templates        *templates.Templates `json:"templates,omitempty"`
	CommonName       string               `json:"commonName,omitempty"`
	SkipValidation   bool                 `json:"-"`
}

Config represents the CA configuration and it's mapped to a JSON object.

func LoadConfiguration ¶

func LoadConfiguration(filename string) (*Config, error)

LoadConfiguration parses the given filename in JSON format and returns the configuration struct.

func (*Config) Audience ¶ added in v0.19.0

func (c *Config) Audience(path string) []string

Audience returns the list of audiences for a given path.

func (*Config) GetAudiences ¶

func (c *Config) GetAudiences() provisioner.Audiences

GetAudiences returns the legacy and possible urls without the ports that will be used as the default provisioner audiences. The CA might have proxies in front so we cannot rely on the port.

func (*Config) Init ¶

func (c *Config) Init()

Init initializes the minimal configuration required to create an authority. This is mainly used on embedded authorities.

func (*Config) Save ¶

func (c *Config) Save(filename string) error

Save saves the configuration to the given filename.

func (*Config) Validate ¶

func (c *Config) Validate() error

Validate validates the configuration.

type Host ¶

type Host struct {
	HostID   string    `json:"hid"`
	HostTags []HostTag `json:"host_tags"`
	Hostname string    `json:"hostname"`
}

Host defines expected attributes for an ssh host.

type HostTag ¶

type HostTag struct {
	ID    string
	Name  string
	Value string
}

HostTag are tagged with k,v pairs. These tags are how a user is ultimately associated with a host.

type SSHConfig ¶

type SSHConfig struct {
	HostKey          string          `json:"hostKey"`
	UserKey          string          `json:"userKey"`
	Keys             []*SSHPublicKey `json:"keys,omitempty"`
	AddUserPrincipal string          `json:"addUserPrincipal,omitempty"`
	AddUserCommand   string          `json:"addUserCommand,omitempty"`
	Bastion          *Bastion        `json:"bastion,omitempty"`
}

SSHConfig contains the user and host keys.

func (*SSHConfig) Validate ¶

func (c *SSHConfig) Validate() error

Validate checks the fields in SSHConfig.

type SSHKeys ¶

type SSHKeys struct {
	UserKeys []ssh.PublicKey
	HostKeys []ssh.PublicKey
}

SSHKeys represents the SSH User and Host public keys.

type SSHPublicKey ¶

type SSHPublicKey struct {
	Type      string          `json:"type"`
	Federated bool            `json:"federated"`
	Key       jose.JSONWebKey `json:"key"`
	// contains filtered or unexported fields
}

SSHPublicKey contains a public key used by federated CAs to keep old signing keys for this ca.

func (*SSHPublicKey) PublicKey ¶

func (k *SSHPublicKey) PublicKey() ssh.PublicKey

PublicKey returns the ssh public key.

func (*SSHPublicKey) Validate ¶

func (k *SSHPublicKey) Validate() error

Validate checks the fields in SSHPublicKey.

type TLSOptions ¶

type TLSOptions struct {
	CipherSuites  CipherSuites `json:"cipherSuites"`
	MinVersion    TLSVersion   `json:"minVersion"`
	MaxVersion    TLSVersion   `json:"maxVersion"`
	Renegotiation bool         `json:"renegotiation"`
}

TLSOptions represents the TLS options that can be specified on *tls.Config types to configure HTTPS servers and clients.

func (*TLSOptions) TLSConfig ¶

func (t *TLSOptions) TLSConfig() *tls.Config

TLSConfig returns the tls.Config equivalent of the TLSOptions.

type TLSVersion ¶

type TLSVersion float64

TLSVersion represents a TLS version number.

func (TLSVersion) String ¶

func (v TLSVersion) String() string

String returns the Go constant for the TLSVersion.

func (TLSVersion) Validate ¶

func (v TLSVersion) Validate() error

Validate implements models.Validator and checks that a cipher suite is valid.

func (TLSVersion) Value ¶

func (v TLSVersion) Value() uint16

Value returns the Go constant for the TLSVersion.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL