caclient

Published: Jul 4, 2022 License: Apache-2.0 Imports: 38 Imported by: 0


Constants

const (
	// CertRefreshDurationRate is the certificate cycle time rate; Transport
	// carries a field of the same name. NOTE(review): how the rate is applied
	// to the certificate lifetime is not visible here — confirm against
	// Transport.Lifespan.
	CertRefreshDurationRate int = 2
)

Variables

This section is empty.

Functions

func AllowOcspRequests

func AllowOcspRequests()

AllowOcspRequests

func BlockOcspRequests

func BlockOcspRequests()

BlockOcspRequests blocks OCSP requests; blocking them causes the mTLS handshake to fail.

func SendOcspRequest

func SendOcspRequest(server string, req []byte, leaf, issuer *x509.Certificate) (*ocsp.Response, error)

Types

type CAInstance

// CAInstance is a CA client instance. It embeds Conf so the configuration
// fields are reachable directly on the instance; construct it with NewCAI,
// which applies the OptionFunc values to the embedded Conf.
type CAInstance struct {
	Conf
}

CAInstance ...

func NewCAI

func NewCAI(opts ...OptionFunc) *CAInstance

NewCAI ...

func (*CAInstance) NewCertManager

func (cai *CAInstance) NewCertManager() (*CertManager, error)

NewCertManager creates a certificate management instance.

func (*CAInstance) NewExchanger

func (cai *CAInstance) NewExchanger(id *spiffe.IDGIdentity) (*Exchanger, error)

NewExchanger ...

func (*CAInstance) NewExchangerWithKeypair

func (cai *CAInstance) NewExchangerWithKeypair(id *spiffe.IDGIdentity, keyPEM []byte, certPEM []byte) (*Exchanger, error)

NewExchangerWithKeypair ...

func (*CAInstance) NewTransport

func (cai *CAInstance) NewTransport(id *spiffe.IDGIdentity, keyPEM []byte, certPEM []byte) (*Transport, error)

NewTransport ...

func (*CAInstance) RevokeCert

func (cai *CAInstance) RevokeCert(priv crypto.PublicKey, cert *x509.Certificate) error

type CertManager

// CertManager is the certificate manager obtained from
// CAInstance.NewCertManager. It signs CSRs (SignPEM), revokes certificates
// (RevokeByKeyPEM, RevokeIDGRegistryCert), verifies leaves against the
// default issuer (VerifyCertDefaultIssuer) and exposes the CA certificate(s)
// (CACert, CACertsPEM).
type CertManager struct {
	// contains filtered or unexported fields
}

CertManager is the certificate manager.

func (*CertManager) CACert

func (cm *CertManager) CACert() (*x509.Certificate, error)

CACert ...

func (*CertManager) CACertsPEM

func (cm *CertManager) CACertsPEM() ([]byte, error)

CACertsPEM ...

func (*CertManager) RevokeByKeyPEM

func (cm *CertManager) RevokeByKeyPEM(keyPEM, certPEM []byte) error

RevokeByKeyPEM ...

func (*CertManager) RevokeIDGRegistryCert

func (cm *CertManager) RevokeIDGRegistryCert(certPEM []byte) error

RevokeIDGRegistryCert ...

func (*CertManager) SignPEM

func (cm *CertManager) SignPEM(csrPEM []byte, uniqueID string) ([]byte, error)

SignPEM ...

func (*CertManager) VerifyCertDefaultIssuer

func (cm *CertManager) VerifyCertDefaultIssuer(leafPEM []byte) error

VerifyCertDefaultIssuer ...

type Conf

// Conf holds the CA client configuration. CAInstance embeds it, and the
// With* OptionFunc helpers populate it through NewCAI.
type Conf struct {
	// CFIdentity is the identity used when constructing certificates
	// (presumably the same value that ends up in Transport.Identity — confirm).
	CFIdentity  *core.Identity
	// DiskStore, if true, presumably persists key material on disk rather
	// than keeping it only in memory — TODO confirm.
	DiskStore   bool
	// CaAddr is the CA server address (set by WithCAServer).
	CaAddr      string
	// OcspAddr is the OCSP responder address (set by WithOcspAddr).
	OcspAddr    string
	// RotateAfter is the duration after which a certificate is rotated
	// (set by WithRotateAfter).
	RotateAfter time.Duration
	// Logger is the zap logger used by the client (set by WithLogger).
	Logger      *zap.Logger
	// CSRConf configures certificate signing request generation
	// (set by WithCSRConf).
	CSRConf     keygen.CSRConf
}

Conf ...

type Exchanger

// Exchanger bundles a Transport with an IDG identity and an OCSP client and
// produces client and server TLS configurations (ClientTLSConfig,
// ServerTLSConfig, ServerHTTPSConfig). Obtain one from
// CAInstance.NewExchanger or CAInstance.NewExchangerWithKeypair.
type Exchanger struct {
	// Transport supplies the TLS material (certificate, trust stores).
	Transport   *Transport
	// IDGIdentity is the SPIFFE identity this exchanger acts as.
	IDGIdentity *spiffe.IDGIdentity
	// OcspFetcher is the OCSP client; presumably used to check the
	// revocation status of peer certificates during the handshake — confirm.
	OcspFetcher OcspClient
	// contains filtered or unexported fields
}

Exchanger ...

func (*Exchanger) ClientTLSConfig

func (ex *Exchanger) ClientTLSConfig(host string) (*TLSGenerator, error)

ClientTLSConfig ...

func (*Exchanger) RevokeItSelf

func (ex *Exchanger) RevokeItSelf() error

RevokeItSelf revokes the exchanger's own certificate.

func (*Exchanger) RotateController

func (ex *Exchanger) RotateController() *RotateController

RotateController ...

func (*Exchanger) ServerHTTPSConfig

func (ex *Exchanger) ServerHTTPSConfig() (*TLSGenerator, error)

ServerHTTPSConfig ...

func (*Exchanger) ServerTLSConfig

func (ex *Exchanger) ServerTLSConfig() (*TLSGenerator, error)

ServerTLSConfig ...

type ExtraValidator

// ExtraValidator is a user-defined verification function that runs after the
// certificate has been verified successfully. Register it with
// TLSGenerator.BindExtraValidator. NOTE(review): a non-nil error is presumably
// treated as a verification failure for the peer — confirm.
type ExtraValidator func(identity *spiffe.IDGIdentity) error

ExtraValidator is a user-defined verification function that runs after the certificate has been verified successfully.

type OcspClient

// OcspClient is an OCSP client used to check certificate revocation status.
// NewOcspMemCache returns an in-memory caching implementation.
type OcspClient interface {
	// Validate checks leaf, issued by issuer, via OCSP. The bool presumably
	// reports whether the certificate is considered good — TODO confirm.
	Validate(leaf, issuer *x509.Certificate) (bool, error)
	// Reset discards any state the client holds (presumably cached OCSP
	// results, given NewOcspMemCache — confirm).
	Reset()
}

OcspClient is an OCSP client.

func NewOcspMemCache

func NewOcspMemCache(logger *zap.SugaredLogger, ocspAddr string) (OcspClient, error)

NewOcspMemCache ...

type OptionFunc

// OptionFunc is a functional option that mutates a Conf. The With* helpers
// return one, and NewCAI applies each in turn.
type OptionFunc func(*Conf)

OptionFunc ...

func WithAuthKey

func WithAuthKey(key string) OptionFunc

func WithCAServer

func WithCAServer(role Role, addr string) OptionFunc

WithCAServer ...

func WithCSRConf

func WithCSRConf(csrConf keygen.CSRConf) OptionFunc

func WithLogger

func WithLogger(l *zap.Logger) OptionFunc

func WithOcspAddr

func WithOcspAddr(ocspAttr string) OptionFunc

func WithRotateAfter

func WithRotateAfter(du time.Duration) OptionFunc

type RevokeRequest

// RevokeRequest is the JSON body of a certificate revocation request.
// NOTE(review): Nonce and Sign presumably let the receiving side check that
// the request was produced by the certificate's key holder, and AuthKey
// presumably carries the value set by WithAuthKey — confirm against the
// server-side handler.
type RevokeRequest struct {
	// Serial is the serial number of the certificate to revoke.
	Serial  string `json:"serial"`
	// AKI is the authority key identifier of the issuing CA.
	AKI     string `json:"authority_key_id"`
	// Reason is the revocation reason.
	Reason  string `json:"reason"`
	// Nonce is a per-request nonce (assumed; TODO confirm how it is generated).
	Nonce   string `json:"nonce"`
	// Sign is a signature over the request (assumed; TODO confirm what is
	// signed and with which key).
	Sign    string `json:"sign"`
	// AuthKey is the CA authentication key (assumed; TODO confirm).
	AuthKey string `json:"auth_key"`
	// Profile is the signing profile of the certificate (assumed; TODO confirm).
	Profile string `json:"profile"`
}

This type is meant to be unmarshalled from JSON

type Role

// Role names the kind of CA server an address is registered for in
// WithCAServer; the known values are RoleDefault and RoleIntermediate.
type Role string

Role ...

const (
	// RoleDefault is the role of the default CA server passed to WithCAServer.
	RoleDefault Role = "default"
	// RoleIntermediate is the role of an intermediate CA server passed to
	// WithCAServer.
	RoleIntermediate Role = "intermediate"
)

type RotateController

// RotateController drives certificate rotation for an Exchanger. Obtain it
// from Exchanger.RotateController and start it with Run. NOTE(review): the
// role of AddCert and whether Run blocks are not visible here — confirm.
type RotateController struct {
	// contains filtered or unexported fields
}

RotateController ...

func (*RotateController) AddCert

func (rc *RotateController) AddCert()

func (*RotateController) Run

func (rc *RotateController) Run()

Run ...

type TLSGenerator

// TLSGenerator wraps a *tls.Config and lets callers attach an ExtraValidator
// (BindExtraValidator) before retrieving the config with TLSConfig.
// Construct it with NewTLSGenerator.
type TLSGenerator struct {
	// Cfg is the underlying TLS configuration; presumably what TLSConfig
	// returns — confirm.
	Cfg *tls.Config
}

TLSGenerator ...

func NewTLSGenerator

func NewTLSGenerator(cfg *tls.Config) *TLSGenerator

NewTLSGenerator ...

func (*TLSGenerator) BindExtraValidator

func (tg *TLSGenerator) BindExtraValidator(validator ExtraValidator)

BindExtraValidator registers a custom validation function.

func (*TLSGenerator) TLSConfig

func (tg *TLSGenerator) TLSConfig() *tls.Config

TLSConfig returns the native Go TLS config.

type Transport

// A Transport is capable of providing transport-layer security using TLS.
// It obtains signed certificates from CA, manages keys through Provider and
// verifies peers against TrustStore / ClientTrustStore. Obtain one from
// CAInstance.NewTransport.
type Transport struct {
	// CertRefreshDurationRate is the certificate cycle time rate for this
	// transport; the package-level constant of the same name is 2.
	// NOTE(review): how the rate is applied to the certificate lifetime is
	// not visible here — confirm against Lifespan.
	CertRefreshDurationRate int

	// Provider contains a key management provider.
	Provider kp.KeyProvider

	// CA contains a mechanism for obtaining signed certificates.
	CA ca.CertificateAuthority

	// TrustStore contains the certificates trusted by this
	// transport.
	TrustStore *roots.TrustStore

	// ClientTrustStore contains the certificate authorities to
	// use in verifying client authentication certificates.
	ClientTrustStore *roots.TrustStore

	// Identity contains information about the entity that will be
	// used to construct certificates.
	Identity *core.Identity

	// Backoff is used to control the behaviour of a Transport
	// when it is attempting to automatically update a certificate
	// as part of AutoUpdate.
	Backoff *backoff.Backoff

	// RevokeSoftFail, if true, will cause a failure to check
	// revocation (such that the revocation status of a
	// certificate cannot be checked) to not be treated as an
	// error. The zero value (false) keeps such failures as
	// errors, i.e. the revocation check fails closed.
	RevokeSoftFail bool
	// contains filtered or unexported fields
}

A Transport is capable of providing transport-layer security using TLS.

func (*Transport) AsyncRefreshKeys

func (tr *Transport) AsyncRefreshKeys() error

AsyncRefreshKeys timeout handler

func (*Transport) AutoUpdate

func (tr *Transport) AutoUpdate() error

AutoUpdate will automatically update the listener. If a non-nil certUpdates chan is provided, it will receive timestamps for reissued certificates. If errChan is non-nil, any errors that occur in the updater will be passed along.

func (*Transport) GetCertificate

func (tr *Transport) GetCertificate() (*tls.Certificate, error)

GetCertificate ...

func (*Transport) Lifespan

func (tr *Transport) Lifespan() (remain time.Duration, ava time.Duration)

Lifespan returns the remaining time before a certificate must be replaced; if it is less than or equal to 0, the certificate must be replaced now. remain is the total remaining lifetime of the certificate; ava is the time until the next update.

func (*Transport) ManualRevoke

func (tr *Transport) ManualRevoke()

ManualRevoke ...

func (*Transport) RefreshKeys

func (tr *Transport) RefreshKeys() (err error)

RefreshKeys will make sure the Transport has loaded keys and has a valid certificate. It will handle any persistence, check that the certificate is valid (i.e. that its expiry date is within the Before date), and handle certificate reissuance as needed.

func (*Transport) TLSClientAuthClientConfig

func (tr *Transport) TLSClientAuthClientConfig(host string) (*tls.Config, error)

TLSClientAuthClientConfig returns the client TLS configuration, whose certificate is changed dynamically.

func (*Transport) TLSClientAuthServerConfig

func (tr *Transport) TLSClientAuthServerConfig() (*tls.Config, error)

TLSClientAuthServerConfig returns the server TLS configuration, whose certificate needs to be changed dynamically.

func (*Transport) TLSServerConfig

func (tr *Transport) TLSServerConfig() (*tls.Config, error)

TLSServerConfig is a general server configuration that should be used for non-client authentication purposes, such as HTTPS.
