ca

package
Published: Oct 17, 2019 License: Apache-2.0 Imports: 42 Imported by: 0

Documentation

Overview

    Structure of the database tables.
	Certificate: {
		id               VARCHAR(64),
		timestamp        INTEGER,
		usage            INTEGER,
		cert             BLOB,
		hash             BLOB,
		kdfkey           BLOB
	}
	User: {
		id               VARCHAR(64),
		enrollmentId     VARCHAR(100),
		role             INTEGER,
		metadata         VARCHAR(256),
		token            BLOB,
		state            INTEGER,
		key              BLOB
	}
	AffiliationGroup: {
		name             VARCHAR(64),
		parent           INTEGER, FOREIGN KEY(parent) REFERENCES AffiliationGroups(row)
	}
	Attribute: {
		id               VARCHAR(64),
		affiliation      VARCHAR(64),
		attributeName    VARCHAR(64),
		attributeValue   BLOB,
		validFrom        DATETIME,
		validTo          DATETIME
	}
	TCertificateSet: {
		enrollmentID     VARCHAR(64),
		timestamp        INTEGER,
		nonce            BLOB,
		kdfkey           BLOB
	}

Index

Constants

This section is empty.

Variables

var (
	// TCertEncTCertIndex is the ASN.1 object identifier of the TCert index.
	// NOTE(review): the 1.2.3.4.5.6 arc shared by the three TCert OIDs below
	// does not look like a registered OID arc; confirm before relying on these
	// values for interoperation with other systems.
	TCertEncTCertIndex = asn1.ObjectIdentifier{1, 2, 3, 4, 5, 6, 7}

	// TCertEncEnrollmentID is the ASN.1 object identifier of the enrollment id.
	TCertEncEnrollmentID = asn1.ObjectIdentifier{1, 2, 3, 4, 5, 6, 8}

	// TCertAttributesHeaders is the ASN.1 object identifier of the attributes header.
	TCertAttributesHeaders = asn1.ObjectIdentifier{1, 2, 3, 4, 5, 6, 9}

	// Padding is a fixed 16-byte block of 0xFF used as padding for encryption.
	// NOTE(review): constant padding gives no integrity protection by itself;
	// confirm that the cipher mode using it authenticates the ciphertext.
	Padding = []byte{255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255}

	// RootPreKeySize is the size of the root pre-key used to derive attribute
	// encryption keys (48; presumably bytes — confirm at the call site).
	RootPreKeySize = 48
)
var (
	// ACAAttribute is the base OID of the attribute certificate extensions.
	// It sits in the same (apparently unregistered) 1.2.3.4.5.6 arc as the
	// TCert OIDs; confirm the arc before interoperating with other systems.
	ACAAttribute = asn1.ObjectIdentifier{1, 2, 3, 4, 5, 6, 10}
)
var (
	// ECertSubjectRole is the ASN.1 object identifier of the subject's role
	// extension in an enrollment certificate. Note that it starts with the
	// 2.1 arc, unlike the 1.2.3.4.5.6 arc used by the TCert and ACA OIDs;
	// confirm this asymmetry is intentional.
	ECertSubjectRole = asn1.ObjectIdentifier{2, 1, 3, 4, 5, 6, 7}
)

Functions

func CacheConfiguration

func CacheConfiguration()

CacheConfiguration caches the viper configuration

func GetACAClient

func GetACAClient() (*grpc.ClientConn, pb.ACAPClient, error)

GetACAClient returns a client to Attribute Certificate Authority.

func GetClientConn

func GetClientConn(address string, serverName string) (*grpc.ClientConn, error)

GetClientConn returns a connection to the server located on *address*.

func IsAttributeOID

func IsAttributeOID(oid asn1.ObjectIdentifier) bool

IsAttributeOID reports whether the OID passed as a parameter is linked with an attribute.

func MemberRoleToString

func MemberRoleToString(role pb.Role) (string, error)

func NewClientTLSFromFile

func NewClientTLSFromFile(certFile, serverNameOverride string) (credentials.TransportCredentials, error)

NewClientTLSFromFile creates client TLS connection credentials. certFile: the TLS server certificate in PEM format. serverNameOverride: the Common Name (CN) of the TLS server certificate, i.e. the name the server's certificate is verified against. Returns secure transport credentials.

Types

type ACA

type ACA struct {
	*CA
	// contains filtered or unexported fields
}

ACA is the attribute certificate authority.

func NewACA

func NewACA() *ACA

NewACA sets up a new ACA.

func (*ACA) Start

func (aca *ACA) Start(srv *grpc.Server)

Start starts the ACA.

func (*ACA) Stop

func (aca *ACA) Stop() error

Stop stops the ACA

type ACAA

type ACAA struct {
	// contains filtered or unexported fields
}

ACAA serves the administrator GRPC interface of the ACA.

type ACAP

type ACAP struct {
	// contains filtered or unexported fields
}

ACAP serves the public GRPC interface of the ACA.

func (*ACAP) FetchAttributes

func (acap *ACAP) FetchAttributes(ctx context.Context, in *pb.ACAFetchAttrReq) (*pb.ACAFetchAttrResp, error)

FetchAttributes fetches the attributes from the outside world and populates them into the database.

func (*ACAP) ReadCACertificate

func (acap *ACAP) ReadCACertificate(ctx context.Context, in *pb.Empty) (*pb.Cert, error)

ReadCACertificate reads the certificate of the ACA.

func (*ACAP) RequestAttributes

func (acap *ACAP) RequestAttributes(ctx context.Context, in *pb.ACAAttrReq) (*pb.ACAAttrResp, error)

RequestAttributes looks up the attributes in the database and returns a certificate containing the attributes that were both included in the request and found in the database.

type Admin

type Admin struct {
	*CA
	// contains filtered or unexported fields
}

func NewAdmin

func NewAdmin() *Admin

NewAdmin sets up a new ADMIN.

func (*Admin) AffiliationsAdd

func (admin *Admin) AffiliationsAdd(ctx context.Context, in *pb.AffiliationsAddReq) (*pb.Empty, error)

func (*Admin) AffiliationsDel

func (admin *Admin) AffiliationsDel(ctx context.Context, in *pb.AffiliationsDelReq) (*pb.Empty, error)

func (*Admin) AffiliationsFetch

func (admin *Admin) AffiliationsFetch(ctx context.Context, in *pb.Empty) (*pb.AffiliationsFetchResp, error)

func (*Admin) AttributesAdd

func (admin *Admin) AttributesAdd(ctx context.Context, in *pb.AttributesAddReq) (*pb.Empty, error)

func (*Admin) AttributesDel

func (admin *Admin) AttributesDel(ctx context.Context, in *pb.AttributesDelReq) (*pb.Empty, error)

func (*Admin) AttributesFetch

func (admin *Admin) AttributesFetch(ctx context.Context, in *pb.AttributesFetchReq) (*pb.AttributesFetchResp, error)

func (*Admin) Start

func (admin *Admin) Start(srv *grpc.Server)

Start starts the Admin.

func (*Admin) Stop

func (admin *Admin) Stop()

Stop stops the CA ADMIN services.

func (*Admin) UsersAdd

func (admin *Admin) UsersAdd(ctx context.Context, in *pb.UsersAddReq) (*pb.Empty, error)

func (*Admin) UsersDel

func (admin *Admin) UsersDel(ctx context.Context, in *pb.UsersDelReq) (*pb.Empty, error)

func (*Admin) UsersFetch

func (admin *Admin) UsersFetch(ctx context.Context, in *pb.UsersFetchReq) (*pb.UsersFetchResp, error)

type AffiliationGroup

type AffiliationGroup struct {
	// contains filtered or unexported fields
}

AffiliationGroup struct

type AttributeOwner

type AttributeOwner struct {
	// contains filtered or unexported fields
}

AttributeOwner is the struct that contains the data related with the user who owns the attribute.

func (*AttributeOwner) GetAffiliation

func (attrOwner *AttributeOwner) GetAffiliation() string

GetAffiliation returns the affiliation related with the owner.

func (*AttributeOwner) GetID

func (attrOwner *AttributeOwner) GetID() string

GetID returns the id of the attributeOwner.

type AttributePair

type AttributePair struct {
	// contains filtered or unexported fields
}

AttributePair is a struct that stores the relationship between an owner (the user who owns the attribute), attributeName (the name of the attribute), attributeValue (the value of the attribute), validFrom (the time from which the attribute is valid) and validTo (the time until which the attribute is valid).

func NewAttributePair

func NewAttributePair(attributeVals []string, attrOwner *AttributeOwner) (*AttributePair, error)

NewAttributePair creates a new attribute pair associated with <attrOwner>.

func (*AttributePair) GetAffiliation

func (attrPair *AttributePair) GetAffiliation() string

GetAffiliation gets the affiliation of the attribute pair.

func (*AttributePair) GetAttributeName

func (attrPair *AttributePair) GetAttributeName() string

GetAttributeName gets the attribute name related with the attribute pair.

func (*AttributePair) GetAttributeValue

func (attrPair *AttributePair) GetAttributeValue() []byte

GetAttributeValue returns the value of the pair.

func (*AttributePair) GetID

func (attrPair *AttributePair) GetID() string

GetID returns the id of the attributePair.

func (*AttributePair) GetOwner

func (attrPair *AttributePair) GetOwner() *AttributeOwner

GetOwner returns the owner of the attribute pair.

func (*AttributePair) GetValidFrom

func (attrPair *AttributePair) GetValidFrom() time.Time

GetValidFrom returns the time from which the pair is valid.

func (*AttributePair) GetValidTo

func (attrPair *AttributePair) GetValidTo() time.Time

GetValidTo returns the time until which the pair is valid.

func (*AttributePair) IsValidFor

func (attrPair *AttributePair) IsValidFor(date time.Time) bool

IsValidFor reports whether the pair is valid at the given date.

func (*AttributePair) SetAttributeName

func (attrPair *AttributePair) SetAttributeName(name string)

SetAttributeName sets the name related with the attribute pair.

func (*AttributePair) SetAttributeValue

func (attrPair *AttributePair) SetAttributeValue(val []byte)

SetAttributeValue sets the value of the pair.

func (*AttributePair) SetOwner

func (attrPair *AttributePair) SetOwner(owner *AttributeOwner)

SetOwner sets the owner of the attributes.

func (*AttributePair) SetValidFrom

func (attrPair *AttributePair) SetValidFrom(date time.Time)

SetValidFrom sets the time from which the pair is valid.

func (*AttributePair) SetValidTo

func (attrPair *AttributePair) SetValidTo(date time.Time)

SetValidTo sets the time until which the pair is valid.

func (*AttributePair) ToACAAttribute

func (attrPair *AttributePair) ToACAAttribute() *pb.ACAAttribute

ToACAAttribute converts the receiver to the protobuf format.

func (*AttributePair) ToString

func (attrPair *AttributePair) ToString() string

type CA

type CA struct {
	// contains filtered or unexported fields
}

CA is the base certificate authority.

func NewCA

func NewCA(name string, initTables TableInitializer, isNewDB bool) *CA

NewCA sets up a new CA. name is the name of this CA instance; initTables creates the tables when they do not exist.

func (*CA) Stop

func (ca *CA) Stop() error

Stop closes down the CA.

type CADB

type CADB struct {
	// contains filtered or unexported fields
}

CADB is the database component for ca

func NewCADB

func NewCADB(dbpath string, initTables TableInitializer) *CADB

func (*CADB) CheckAndAddAffiliationGroup

func (cadb *CADB) CheckAndAddAffiliationGroup(name, parentName string) error

func (*CADB) InsertAttributes

func (cadb *CADB) InsertAttributes(attrs []*AttributePair) error

func (*CADB) ReadAffiliationGroups

func (cadb *CADB) ReadAffiliationGroups() ([]*AffiliationGroup, error)

type CertificateSpec

type CertificateSpec struct {
	NotBefore *time.Time
	NotAfter  *time.Time
	// contains filtered or unexported fields
}

CertificateSpec defines the parameter used to create a new certificate.

func NewCertificateSpec

func NewCertificateSpec(id string, commonName string, serialNumber *big.Int, pub interface{}, usage x509.KeyUsage, notBefore *time.Time, notAfter *time.Time, opt ...pkix.Extension) *CertificateSpec

NewCertificateSpec creates a new certificate spec

func NewDefaultCertificateSpec

func NewDefaultCertificateSpec(id string, pub interface{}, usage x509.KeyUsage, opt ...pkix.Extension) *CertificateSpec

NewDefaultCertificateSpec creates a new certificate spec with serialNumber = 1, notBefore set to a minute ago and notAfter set to 90 days after notBefore.

func NewDefaultCertificateSpecWithCommonName

func NewDefaultCertificateSpecWithCommonName(id string, commonName string, pub interface{}, usage x509.KeyUsage, opt ...pkix.Extension) *CertificateSpec

NewDefaultCertificateSpecWithCommonName creates a new certificate spec with serialNumber = 1, notBefore set to a minute ago, notAfter set to 90 days after notBefore, and a specific commonName.

func NewDefaultPeriodCertificateSpec

func NewDefaultPeriodCertificateSpec(id string, serialNumber *big.Int, pub interface{}, usage x509.KeyUsage, opt ...pkix.Extension) *CertificateSpec

NewDefaultPeriodCertificateSpec creates a new certificate spec with notBefore set to a minute ago and notAfter set to 90 days after notBefore.

func NewDefaultPeriodCertificateSpecWithCommonName

func NewDefaultPeriodCertificateSpecWithCommonName(id string, commonName string, serialNumber *big.Int, pub interface{}, usage x509.KeyUsage, opt ...pkix.Extension) *CertificateSpec

NewDefaultPeriodCertificateSpecWithCommonName creates a new certificate spec with notBefore set to a minute ago, notAfter set to 90 days after notBefore, and a specific commonName.

func (*CertificateSpec) GetCommonName

func (spec *CertificateSpec) GetCommonName() string

GetCommonName returns the spec's Common Name field/value

func (*CertificateSpec) GetCountry

func (spec *CertificateSpec) GetCountry() string

GetCountry returns the spec's Country field/value

func (*CertificateSpec) GetExtensions

func (spec *CertificateSpec) GetExtensions() *[]pkix.Extension

GetExtensions returns the spec's extensions.

func (*CertificateSpec) GetID

func (spec *CertificateSpec) GetID() string

GetID returns the spec's ID field/value

func (*CertificateSpec) GetNotAfter

func (spec *CertificateSpec) GetNotAfter() *time.Time

GetNotAfter returns the spec NotAfter (time.Time) field/value

func (*CertificateSpec) GetNotBefore

func (spec *CertificateSpec) GetNotBefore() *time.Time

GetNotBefore returns the spec NotBefore (time.Time) field/value

func (*CertificateSpec) GetOrganization

func (spec *CertificateSpec) GetOrganization() string

GetOrganization returns the spec's Organization field/value

func (*CertificateSpec) GetPublicKey

func (spec *CertificateSpec) GetPublicKey() interface{}

GetPublicKey returns the spec's Public Key field/value

func (*CertificateSpec) GetSerialNumber

func (spec *CertificateSpec) GetSerialNumber() *big.Int

GetSerialNumber returns the spec's Serial Number field/value

func (*CertificateSpec) GetSignatureAlgorithm

func (spec *CertificateSpec) GetSignatureAlgorithm() x509.SignatureAlgorithm

GetSignatureAlgorithm returns the X509.SignatureAlgorithm field/value

func (*CertificateSpec) GetSubjectKeyID

func (spec *CertificateSpec) GetSubjectKeyID() *[]byte

GetSubjectKeyID returns the spec's subject KeyID

func (*CertificateSpec) GetUsage

func (spec *CertificateSpec) GetUsage() x509.KeyUsage

GetUsage returns the spec's usage (which is the x509.KeyUsage) field/value

type ECA

type ECA struct {
	*CA
	// contains filtered or unexported fields
}

ECA is the enrollment certificate authority.

func NewECA

func NewECA() *ECA

NewECA sets up a new ECA. (Note: the aca *ACA parameter has been removed from NewECA.)

func (*ECA) Start

func (eca *ECA) Start(srv *grpc.Server)

Start starts the ECA.

func (*ECA) Stop

func (eca *ECA) Stop()

Stop stops the ECA services.

type ECAA

type ECAA struct {
	// contains filtered or unexported fields
}

ECAA serves the administrator GRPC interface of the ECA.

func (*ECAA) PublishCRL

func (ecaa *ECAA) PublishCRL(context.Context, *pb.ECertCRLReq) (*pb.CAStatus, error)

PublishCRL requests the creation of a certificate revocation list from the ECA. Not yet implemented.

func (*ECAA) ReadUserSet

func (ecaa *ECAA) ReadUserSet(ctx context.Context, in *pb.ReadUserSetReq) (*pb.UserSet, error)

ReadUserSet returns a list of users matching the parameters set in the read request.

func (*ECAA) RegisterUser

func (ecaa *ECAA) RegisterUser(ctx context.Context, in *pb.RegisterUserReq) (*pb.Token, error)

RegisterUser registers a new user with the ECA. If the user had been registered before an error is returned.

func (*ECAA) RevokeCertificate

func (ecaa *ECAA) RevokeCertificate(context.Context, *pb.ECertRevokeReq) (*pb.CAStatus, error)

RevokeCertificate revokes a certificate from the ECA. Not yet implemented.

type ECAP

type ECAP struct {
	// contains filtered or unexported fields
}

ECAP serves the public GRPC interface of the ECA.

func (*ECAP) CreateCertificatePair

func (ecap *ECAP) CreateCertificatePair(ctx context.Context, in *pb.ECertCreateReq) (*pb.ECertCreateResp, error)

CreateCertificatePair requests the creation of a new enrollment certificate pair by the ECA.

func (*ECAP) ReadCACertificate

func (ecap *ECAP) ReadCACertificate(ctx context.Context, in *pb.Empty) (*pb.Cert, error)

ReadCACertificate reads the certificate of the ECA.

func (*ECAP) ReadCertificateByHash

func (ecap *ECAP) ReadCertificateByHash(ctx context.Context, hash *pb.Hash) (*pb.Cert, error)

ReadCertificateByHash reads a single enrollment certificate by hash from the ECA.

func (*ECAP) ReadCertificatePair

func (ecap *ECAP) ReadCertificatePair(ctx context.Context, in *pb.ECertReadReq) (*pb.CertPair, error)

ReadCertificatePair reads an enrollment certificate pair from the ECA.

func (*ECAP) RevokeCertificatePair

func (ecap *ECAP) RevokeCertificatePair(context.Context, *pb.ECertRevokeReq) (*pb.CAStatus, error)

RevokeCertificatePair revokes a certificate pair from the ECA. Not yet implemented.

type MemberMetadata

// MemberMetadata holds additional, JSON-encoded member metadata; the only
// documented content is the registrar section.
type MemberMetadata struct {
	// Registrar describes which roles this member may register and delegate.
	Registrar Registrar `json:"registrar"`
}

MemberMetadata holds additional member metadata, e.g. {"registrar": {"roles": ["client", "peer", "validator", "auditor"], "delegateRoles": ["client"]}}.

type PKIConfig

type PKIConfig struct {
	// contains filtered or unexported fields
}

type Registrar

// Registrar holds registrar metadata: the roles a member is allowed to
// register and the roles it may delegate (presumably the registration
// privilege itself — confirm against the registration code).
type Registrar struct {
	// Roles lists the role names this registrar may register.
	Roles         []string `json:"roles"`
	// DelegateRoles lists the role names this registrar may delegate.
	DelegateRoles []string `json:"delegateRoles"`
}

Registrar holds registrar metadata.

type ServerConfig

type ServerConfig struct {
	// contains filtered or unexported fields
}

type TCA

type TCA struct {
	*CA
	// contains filtered or unexported fields
}

TCA is the transaction certificate authority.

func NewTCA

func NewTCA(eca *ECA) *TCA

NewTCA sets up a new TCA.

func (*TCA) Start

func (tca *TCA) Start(srv *grpc.Server)

Start starts the TCA.

func (*TCA) Stop

func (tca *TCA) Stop() error

Stop stops the TCA services.

type TCAA

type TCAA struct {
	// contains filtered or unexported fields
}

TCAA serves the administrator GRPC interface of the TCA.

func (*TCAA) PublishCRL

func (tcaa *TCAA) PublishCRL(context.Context, *pb.TCertCRLReq) (*pb.CAStatus, error)

PublishCRL requests the creation of a certificate revocation list from the TCA. Not yet implemented.

func (*TCAA) RevokeCertificate

func (tcaa *TCAA) RevokeCertificate(context.Context, *pb.TCertRevokeReq) (*pb.CAStatus, error)

RevokeCertificate revokes a certificate from the TCA. Not yet implemented.

func (*TCAA) RevokeCertificateSet

func (tcaa *TCAA) RevokeCertificateSet(context.Context, *pb.TCertRevokeSetReq) (*pb.CAStatus, error)

RevokeCertificateSet revokes a certificate set from the TCA. Not yet implemented.

type TCAP

type TCAP struct {
	// contains filtered or unexported fields
}

TCAP serves the public GRPC interface of the TCA.

func (*TCAP) CreateCertificateSet

func (tcap *TCAP) CreateCertificateSet(ctx context.Context, in *pb.TCertCreateSetReq) (*pb.TCertCreateSetResp, error)

CreateCertificateSet requests the creation of a new transaction certificate set by the TCA.

func (*TCAP) ReadCACertificate

func (tcap *TCAP) ReadCACertificate(ctx context.Context, in *pb.Empty) (*pb.Cert, error)

ReadCACertificate reads the certificate of the TCA.

func (*TCAP) RevokeCertificate

func (tcap *TCAP) RevokeCertificate(context.Context, *pb.TCertRevokeReq) (*pb.CAStatus, error)

RevokeCertificate revokes a certificate from the TCA. Not yet implemented.

func (*TCAP) RevokeCertificateSet

func (tcap *TCAP) RevokeCertificateSet(context.Context, *pb.TCertRevokeSetReq) (*pb.CAStatus, error)

RevokeCertificateSet revokes a certificate set from the TCA. Not yet implemented.

type TCertSet

// TCertSet contains the relevant information of a set of transaction
// certificates (TCerts); its fields mirror the TCertificateSet table.
type TCertSet struct {
	// Ts is the set's timestamp (presumably seconds or nanoseconds since the
	// epoch — confirm at the call site).
	Ts           int64
	// EnrollmentID identifies the enrolled user the set was issued to.
	EnrollmentID string
	// Nonce is the per-set nonce stored alongside the set.
	Nonce        []byte
	// Key is the key material stored for the set (the table column is named
	// kdfkey); treat it as secret.
	Key          []byte
}

TCertSet contains relevant information of a set of tcerts

type TLSCA

type TLSCA struct {
	*CA
	// contains filtered or unexported fields
}

TLSCA is the tls certificate authority.

func NewTLSCA

func NewTLSCA(eca *ECA) *TLSCA

NewTLSCA sets up a new TLSCA.

func (*TLSCA) Start

func (tlsca *TLSCA) Start(srv *grpc.Server)

Start starts the TLSCA.

func (*TLSCA) Stop

func (tlsca *TLSCA) Stop() error

Stop stops the TLSCA services.

type TLSCAA

type TLSCAA struct {
	// contains filtered or unexported fields
}

TLSCAA serves the administrator GRPC interface of the TLSCA.

func (*TLSCAA) RevokeCertificate

func (tlscaa *TLSCAA) RevokeCertificate(context.Context, *pb.TLSCertRevokeReq) (*pb.CAStatus, error)

RevokeCertificate revokes a certificate from the TLSCA. Not yet implemented.

type TLSCAP

type TLSCAP struct {
	// contains filtered or unexported fields
}

TLSCAP serves the public GRPC interface of the TLSCA.

func (*TLSCAP) CreateCertificate

func (tlscap *TLSCAP) CreateCertificate(ctx context.Context, in *pb.TLSCertCreateReq) (*pb.TLSCertCreateResp, error)

CreateCertificate requests the creation of a new enrollment certificate by the TLSCA.

func (*TLSCAP) ReadCACertificate

func (tlscap *TLSCAP) ReadCACertificate(ctx context.Context, in *pb.Empty) (*pb.Cert, error)

ReadCACertificate reads the certificate of the TLSCA.

func (*TLSCAP) ReadCertificate

func (tlscap *TLSCAP) ReadCertificate(ctx context.Context, in *pb.TLSCertReadReq) (*pb.Cert, error)

ReadCertificate reads an enrollment certificate from the TLSCA.

func (*TLSCAP) RevokeCertificate

func (tlscap *TLSCAP) RevokeCertificate(context.Context, *pb.TLSCertRevokeReq) (*pb.CAStatus, error)

RevokeCertificate revokes a certificate from the TLSCA. Not yet implemented.

type TableInitializer

type TableInitializer func(*sql.DB) error

type User

// User is the in-memory representation of a registered CA user; its fields
// roughly follow the User table described in the package overview.
type User struct {
	// Id is the user's identifier (the table's id column).
	Id           string
	// EnrollmentID is the user's enrollment identifier.
	EnrollmentID string
	// Role is the user's numeric role.
	Role         int32
	// Psw is presumably the user's enrollment secret/password — treat as
	// sensitive and keep it out of logs; TODO confirm how it is stored.
	Psw          string
	// Affiliation is the affiliation group the user belongs to, if any.
	Affiliation  *AffiliationGroup
	// Metadata carries optional additional member metadata (registrar roles).
	Metadata     *MemberMetadata
}
