Overview ¶
Package ops defines operations for signing and interacting with certificate authorities given the interfaces defined in sign/types.
Index ¶
- func CertPool(ctx context.Context, ca styp.CertificateAuthority, keyVersionName string) (*x509.CertPool, error)
- func CertificateX509(ctx context.Context, ca styp.CertificateAuthority, keyVersionName string) (*x509.Certificate, error)
- func CreateCertificateFromTemplate(ctx context.Context, req *CertRequest) (*x509.Certificate, error)
- func GoogleCertificate(ctx context.Context, req *GoogleCertRequest) (*x509.Certificate, error)
- func GoogleCertificateTemplate(tmpl *GoogleCertTemplate) (*x509.Certificate, error)
- func IssuerCertFromBundle(ctx context.Context, ca styp.CertificateAuthority, keyVersionName string) (*x509.Certificate, error)
- func NextSigningKeySerial(ctx context.Context) (*big.Int, error)
- func RsaPublicKey(ctx context.Context, s styp.Signer, keyVersionName string) (*rsa.PublicKey, error)
- func VerifyChain(ctx context.Context, ca styp.CertificateAuthority, keyVersionName string, ...) error
- func VerifySignature(_ context.Context, signingKeyCert *x509.Certificate, message, signature []byte) error
- func VerifySignatureFromCA(ctx context.Context, ca styp.CertificateAuthority, keyVersionName string, ...) error
- type CertRequest
- type GoogleCertRequest
- type GoogleCertTemplate
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func CertPool ¶
func CertPool(ctx context.Context, ca styp.CertificateAuthority, keyVersionName string) (*x509.CertPool, error)
CertPool returns the certificate authority's CABundle for keyVersionName as an x509.CertPool.
func CertificateX509 ¶
func CertificateX509(ctx context.Context, ca styp.CertificateAuthority, keyVersionName string) (*x509.Certificate, error)
CertificateX509 returns the certificate authority's certificate for keyVersionName as an x509.Certificate.
func CreateCertificateFromTemplate ¶
func CreateCertificateFromTemplate(ctx context.Context, req *CertRequest) (*x509.Certificate, error)
CreateCertificateFromTemplate returns a certificate built from req.Template and signed by the key described by req.Issuer. The issuer's private key is identified by req.IssuerKeyVersionName and is used through the req.Signer instance.
func GoogleCertificate ¶
func GoogleCertificate(ctx context.Context, req *GoogleCertRequest) (*x509.Certificate, error)
GoogleCertificate returns a signed, Google-templated certificate with the given serial number for the subject. The certificate's serial number is also set to the subject's serial number, since certificates are not reissued for the same key.
func GoogleCertificateTemplate ¶
func GoogleCertificateTemplate(tmpl *GoogleCertTemplate) (*x509.Certificate, error)
GoogleCertificateTemplate returns a Google Cloud Kirkland Engineering certificate template for use in the GCE TCB signing key chain.
func IssuerCertFromBundle ¶
func IssuerCertFromBundle(ctx context.Context, ca styp.CertificateAuthority, keyVersionName string) (*x509.Certificate, error)
IssuerCertFromBundle uses the provided certificate authority instance to parse the issuer certificate for the given keyVersionName out of its CABundle.
func NextSigningKeySerial ¶
NextSigningKeySerial returns the current signing key's certificate subject serial number plus one.
func RsaPublicKey ¶
func RsaPublicKey(ctx context.Context, s styp.Signer, keyVersionName string) (*rsa.PublicKey, error)
RsaPublicKey returns s.PublicKey for keyVersionName interpreted as an rsa.PublicKey.
func VerifyChain ¶
func VerifyChain(ctx context.Context, ca styp.CertificateAuthority, keyVersionName string, now time.Time) error
VerifyChain returns nil if the certificate for keyVersionName chains to the CABundle when verified at time now, and an error otherwise.
func VerifySignature ¶
func VerifySignature(_ context.Context, signingKeyCert *x509.Certificate, message, signature []byte) error
VerifySignature returns nil if signature is a valid signature of message under the given signingKeyCert, and an error otherwise.
Types ¶
type CertRequest ¶
type CertRequest struct { Issuer *x509.Certificate Template *x509.Certificate IssuerKeyVersionName string Signer styp.Signer Random io.Reader }
CertRequest represents the components required to mint a certificate from a template, provided the context contains a keys.Context.
type GoogleCertRequest ¶
type GoogleCertRequest struct { Template *GoogleCertTemplate IssuerKeyVersionName string Signer styp.Signer Random io.Reader }
GoogleCertRequest represents a request to sign a Google certificate template.
type GoogleCertTemplate ¶
type GoogleCertTemplate struct { // Serial is both the subject serial number and the cert serial number, since we don't recertify // the same key and don't want to track cert serial numbers. Serial *big.Int PublicKey any Issuer *x509.Certificate NotBefore time.Time SubjectCommonName string }
GoogleCertTemplate represents the configurable components of an x.509 certificate issued for the purpose of confidential computing TCB endorsement.