Documentation
¶
Overview ¶
Package tlsca provides internal TLS certificate authority used for mutual TLS authentication with the auth server and internal teleport components and external clients
Index ¶
- Variables
- func ClusterName(subject pkix.Name) (string, error)
- func GenerateRSAPrivateKeyPEM() ([]byte, error)
- func GenerateSelfSignedCA(entity pkix.Name, dnsNames []string, ttl time.Duration) ([]byte, []byte, error)
- func GenerateSelfSignedCAWithPrivateKey(priv *rsa.PrivateKey, entity pkix.Name, dnsNames []string, ttl time.Duration) ([]byte, []byte, error)
- func MarshalCertificatePEM(cert *x509.Certificate) ([]byte, error)
- func MarshalPublicKeyFromPrivateKeyPEM(privateKey crypto.PrivateKey) ([]byte, error)
- func ParseCertificatePEM(bytes []byte) (*x509.Certificate, error)
- func ParseCertificateRequestPEM(bytes []byte) (*x509.CertificateRequest, error)
- func ParsePrivateKeyDER(der []byte) (crypto.Signer, error)
- func ParsePrivateKeyPEM(bytes []byte) (crypto.Signer, error)
- func ParsePublicKeyDER(der []byte) (crypto.PublicKey, error)
- func ParsePublicKeyPEM(bytes []byte) (interface{}, error)
- type CertAuthority
- type CertificateRequest
- type Identity
Constants ¶
This section is empty.
Variables ¶
var KubeGroupsASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 2}
KubeGroupsASN1ExtensionOID is an extension ID used when encoding/decoding license payload into certificates
var KubeUsersASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 1, 1}
KubeUsersASN1ExtensionOID is an extension ID used when encoding/decoding license payload into certificates
Functions ¶
func ClusterName ¶
ClusterName returns cluster name from organization
func GenerateRSAPrivateKeyPEM ¶
GenerateRSAPrivateKeyPEM generates new RSA private key and returns PEM encoded bytes
func GenerateSelfSignedCA ¶
func GenerateSelfSignedCA(entity pkix.Name, dnsNames []string, ttl time.Duration) ([]byte, []byte, error)
GenerateSelfSignedCA generates self-signed certificate authority used for internal inter-node communications
func GenerateSelfSignedCAWithPrivateKey ¶
func GenerateSelfSignedCAWithPrivateKey(priv *rsa.PrivateKey, entity pkix.Name, dnsNames []string, ttl time.Duration) ([]byte, []byte, error)
GenerateSelfSignedCA generates self-signed certificate authority used for internal inter-node communications
func MarshalCertificatePEM ¶
func MarshalCertificatePEM(cert *x509.Certificate) ([]byte, error)
MarshalCertificatePEM takes a *x509.Certificate and returns the PEM encoded bytes.
func MarshalPublicKeyFromPrivateKeyPEM ¶
func MarshalPublicKeyFromPrivateKeyPEM(privateKey crypto.PrivateKey) ([]byte, error)
MarshalPublicKeyFromPrivateKeyPEM extracts public key from private key and returns PEM marshalled key
func ParseCertificatePEM ¶
func ParseCertificatePEM(bytes []byte) (*x509.Certificate, error)
ParseCertificatePEM parses PEM-encoded certificate
func ParseCertificateRequestPEM ¶
func ParseCertificateRequestPEM(bytes []byte) (*x509.CertificateRequest, error)
ParseCertificateRequestPEM parses PEM-encoded certificate signing request
func ParsePrivateKeyDER ¶
ParsePrivateKeyDER parses unencrypted DER-encoded private key
func ParsePrivateKeyPEM ¶
ParsePrivateKeyPEM parses PEM-encoded private key
func ParsePublicKeyDER ¶
ParsePublicKeyDER parses unencrypted DER-encoded publice key
func ParsePublicKeyPEM ¶
ParsePublicKeyPEM parses public key PEM
Types ¶
type CertAuthority ¶
type CertAuthority struct {
// Cert is a CA certificate
Cert *x509.Certificate
// Signer is a private key based signer
Signer crypto.Signer
}
CertAuthority is X.509 certificate authority
func New ¶
func New(certPEM, keyPEM []byte) (*CertAuthority, error)
New returns new CA from PEM encoded certificate and private key. Private Key is optional, if omitted CA won't be able to issue new certificates, only verify them
func (*CertAuthority) GenerateCertificate ¶
func (ca *CertAuthority) GenerateCertificate(req CertificateRequest) ([]byte, error)
GenerateCertificate generates certificate from request
type CertificateRequest ¶
type CertificateRequest struct {
// Clock is a clock used to get current or test time
Clock clockwork.Clock
// PublicKey is a public key to sign
PublicKey crypto.PublicKey
// Subject is a subject to include in certificate
Subject pkix.Name
// NotAfter is a time after which the issued certificate
// will be no longer valid
NotAfter time.Time
// DNSNames is a list of DNS names to add to certificate
DNSNames []string
}
CertificateRequest is a X.509 signing certificate request
func (*CertificateRequest) CheckAndSetDefaults ¶
func (c *CertificateRequest) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets default values
type Identity ¶
type Identity struct {
// Username is a username or name of the node connection
Username string
// Groups is a list of groups (Teleport roles) encoded in the identity
Groups []string
// Usage is a list of usage restrictions encoded in the identity
Usage []string
// Principals is a list of Unix logins allowed.
Principals []string
// KubernetesGroups is a list of Kubernetes groups allowed
KubernetesGroups []string
// KubernetesUsers is a list of Kubernetes users allowed
KubernetesUsers []string
// Expires specifies whenever the session will expire
Expires time.Time
// RouteToCluster specifies the target cluster
// if present in the session
RouteToCluster string
// Traits hold claim data used to populate a role at runtime.
Traits wrappers.Traits
}
Identity is an identity of the user or service, e.g. Proxy or Node
func FromSubject ¶
FromSubject returns identity from subject name
func (*Identity) CheckAndSetDefaults ¶
CheckAndSetDefaults checks and sets default values
Source Files