certauthority

package
v0.0.0-...-f54f16c Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 24, 2024 License: Apache-2.0 Imports: 11 Imported by: 0

Documentation

Overview

Package certauthority generates and manages x509 certificates for use in cross-service authentication.

Index

Constants

This section is empty.

Variables

View Source 
var ErrNotSignedByCA = errors.New("Certificate is not signed by Certificate Authority")

ErrNotSignedByCA is returned by validation functions when the certificate being validated is not signed by the CA doing the validation.

Functions

func BytesToCert 

func BytesToCert(bytes []byte) (*x509.Certificate, error)

BytesToCert takes an array of bytes and tries to parse it as an x509 Certificate.

func CertForLog 

func CertForLog(cert *x509.Certificate) string

func PEMToCert 

func PEMToCert(cert string) (*x509.Certificate, error)

PEMToCert converts a PEM-encoded string into an x509.Certificate

Types

type CertAuthority 

type CertAuthority struct {
	// contains filtered or unexported fields
}

A CertAuthority represents a CA certificate and key that can be used to generate per-service certificates. The certBackend is responsible for certificate generation and maintaining the CA across restarts. This type is responsible for maintaining a copy of our root cert for easy access and enforcing our naming conventions for services' common names.

func NewCertAuthority 

func NewCertAuthority(backend CertBackend, id string) *CertAuthority

NewCertAuthority creates a new CertAuthority with a name generated from id, storing certificate data in `directory`.

`id` should be unique enough to facilitate identifying certificates from the same deployment.

func NewCertstrapCertAuthority 

func NewCertstrapCertAuthority(dataDir string, id string) *CertAuthority

NewCertstrapCertAuthority is a convenience constructor for the common, non-test use case.

func (*CertAuthority) CertDataForService 

func (a *CertAuthority) CertDataForService(request CertRequest) (*ServiceCertData, error)

CertDataForService returns certificate data for the named service. The certificate is signed by our certificate authority and is appropriate for authenticating gRPC traffic between Chef Automate services.

func (*CertAuthority) InitAuthority 

func (a *CertAuthority) InitAuthority() error

InitAuthority generates the CA certificate for the given CertAuthority.

func (*CertAuthority) IsInitialized 

func (a *CertAuthority) IsInitialized() (bool, error)

IsInitialized returns true if InitAuthority() has been called in the past. Delegates to backend.

func (*CertAuthority) IsSignedBy 

func (a *CertAuthority) IsSignedBy(cert *x509.Certificate) bool

IsSignedBy returns true if the given x509 certificate was signed by the given CertAuthorities root certificate. For convenience we take a string since we tend to pass pem-encoded string versions of the certs around.

func (*CertAuthority) RegenerateRoot 

func (a *CertAuthority) RegenerateRoot() error

RegenerateRoot regenerates the root certificate for this certificate authority. As a result, all certificates issues by the previous root certificate will be invalid.

func (*CertAuthority) RootCert 

func (a *CertAuthority) RootCert() string

RootCert returns the root certificate for use

func (*CertAuthority) ValidateCA 

func (a *CertAuthority) ValidateCA() error

ValidateCA checks the CA certificate for the certificate authority against local validity rules.

func (*CertAuthority) ValidateCertificateForRequest 

func (a *CertAuthority) ValidateCertificateForRequest(cert *x509.Certificate, certRequest CertRequest) error

ValidateCertificateForRequest checks the existing certificate for common problems and whether or not it matches the passed CertRequest. If a non-nil error is returned if the certificate is not valid.

type CertBackend 

type CertBackend interface {
	// Generates the new CA, returning the root CA cert. This
	// should be safe-to-recall across reboots of the service.
	Init() (string, error)
	// Returns true if Init() has been called in the past and
	// CertForService is expected to succeed. This should work
	// across reboots of the process.
	IsInitialized() (bool, error)
	// Generate a cert for a given service, signed by the CA
	CertForService(CertRequest) (*ServiceCertData, error)

	// ReInit re-initializes the certificate authority
	ReInit() (string, error)
}

A CertBackend is used by CertAuthority to generate the CA and per-service certificates. By default, the deployment service will use the CertstrapBackend implementation of this interface found in certstrap.go

type CertExpired 

type CertExpired struct {
	// contains filtered or unexported fields
}

CertExpired is an error returned by validation functions when the certificate is expired or within our expiry window.

func NewCertExpired 

func NewCertExpired(notAfter time.Time, window time.Duration) *CertExpired

func (*CertExpired) Error 

func (c *CertExpired) Error() string

type CertNotYetValid 

type CertNotYetValid struct {
	// contains filtered or unexported fields
}

func NewCertNotYetValid 

func NewCertNotYetValid(notBefore time.Time) *CertNotYetValid

func (*CertNotYetValid) Error 

func (c *CertNotYetValid) Error() string

type CertRequest 

type CertRequest struct {
	// contains filtered or unexported fields
}

func NewCertRequest 

func NewCertRequest(name string, ips []net.IP, dnsNames []string) CertRequest

func (CertRequest) String 

func (r CertRequest) String() string

type CertstrapBackend 

type CertstrapBackend struct {
	// contains filtered or unexported fields
}

The CertstrapBackend is a CertAuthorityBackend (see certauthority.go) that uses the certstrap command line tool to produce certificates.

func NewCertstrapBackend 

func NewCertstrapBackend(dataDir string, authorityName string) *CertstrapBackend

NewCertstrapBackend returns a CertstrapBackend for the given authority name which will store its data in the given dataDir. It uses the default implementations of cmdExecutor and fileStore.

func (*CertstrapBackend) CertForService 

func (b *CertstrapBackend) CertForService(request CertRequest) (*ServiceCertData, error)

CertForService creates an x509 certificate and RSA key for the given name.

Certstrap will create these on disk, so we read them in and then try to clean them up off the disk.

func (*CertstrapBackend) Init 

func (b *CertstrapBackend) Init() (string, error)

Init initializes a new Certificate Authority using certstrap and returns the root CA certificate.

func (*CertstrapBackend) IsInitialized 

func (b *CertstrapBackend) IsInitialized() (bool, error)

IsInitialized returns a bool indicating whether the CA has been initialized. This check should succeed if we believe calls to CertForService will succeed.

func (*CertstrapBackend) ReInit 

func (b *CertstrapBackend) ReInit() (string, error)

ReInit re-initializes a new Certificate Authority using certstrap and returns the root CA certificate.

func (*CertstrapBackend) SetCmdExecutor 

func (b *CertstrapBackend) SetCmdExecutor(e command.Executor)

SetCmdExecutor sets the file store to use. Used in testing.

func (*CertstrapBackend) SetFileStore 

func (b *CertstrapBackend) SetFileStore(f FileStore)

SetFileStore sets the file store to use. Used in testing.

type CommonNameMismatchError 

type CommonNameMismatchError struct {
	// contains filtered or unexported fields
}

CommonNameMismatchError is an error returned by validation functions when the common name of the certificate subject does not match the name of the given CertRequest.

func NewCommonNameMismatchError 

func NewCommonNameMismatchError(want, have string) *CommonNameMismatchError

func (*CommonNameMismatchError) Error 

func (c *CommonNameMismatchError) Error() string

type DiskStore 

type DiskStore struct{}

A DiskStore is a FileStore that uses the local filesystem. It assumes filenames are paths on disk. This is the implementation of FileStore used by default.

func (*DiskStore) DeleteFile 

func (d *DiskStore) DeleteFile(path string) error

DeleteFile deletes the file at the named path.

func (*DiskStore) Exist 

func (d *DiskStore) Exist(path string) (bool, error)

Exist returns true if the file exists on disk. False otherwise.

func (*DiskStore) ReadFile 

func (d *DiskStore) ReadFile(path string) (string, error)

ReadFile returns the contents of the file at the named path.

type FileStore 

type FileStore interface {
	// ReadFile returns the contents of the file as a string
	ReadFile(string) (string, error)
	// DeleteFile removes the file from the store
	DeleteFile(string) error
	// Exist returns true if the file exists in the store
	Exist(string) (bool, error)
}

A FileStore manages files identified by string names.

type SANHostnameMismatch 

type SANHostnameMismatch struct {
	// contains filtered or unexported fields
}

SANHostnameMismatch is an error returned by validation functions when the Subject Alternative Name extension in the certificate does not have DNSName values for every hostname in the given CertRequest.

func NewSANHostnameMismatch 

func NewSANHostnameMismatch(want, have []string) *SANHostnameMismatch

func (*SANHostnameMismatch) Error 

func (c *SANHostnameMismatch) Error() string

type SANIPAddrMismatchError 

type SANIPAddrMismatchError struct {
	// contains filtered or unexported fields
}

SANIPAddrMismatchError is an error returned by validation functions when the Subject Alternative Name extension in the certificate does not have IP values for every IP in the given CertRequest.

func NewSANIPAddrMismatchError 

func NewSANIPAddrMismatchError(want, have []net.IP) *SANIPAddrMismatchError

func (*SANIPAddrMismatchError) Error 

func (c *SANIPAddrMismatchError) Error() string

type ServiceCertData 

type ServiceCertData struct {
	// The PEM-formated RSA key
	Key string
	// The PEM-formated x509 certificate
	Cert string
	// The root cert for our CA. Services should trust this.
	RootCert *string
}

A ServiceCertData is returned to callers of CertForService and contains all of the key data required for the service to configure mutual TLS

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.