README
¶
Unfortunately the golang.org/x/crypto/acme/autocert caching strategy is not compatible with the SPIRE server KeyManager interface. As such, golang.org/x/crypto/acme/autocert has been forked and modified to facilitate key management via the KeyManager while still using the Cache to store certificates. The specific changes are documented below the copyright in autocert/autocert.go. The golang.org/x/crypto/acme/autocert/acmetest package has also been forked for use in unit-testing. It has been enhanced to provide some extra features for deeper test coverage. The specific changes are documented below the copyright in acmetest/ca.go. Both packages were forked from the following go module: golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975 An additional consequence of using the KeyManager to back the ACME key is that it imposes algorithmic restrictions. For example, AWS KMS only supports a limited set of signature algorithms for each key size (e.g. SHA256 for ECP256 keys). Ideally the KeyManager plugin would be able to advertise the supported key algorithms, but until that is in place, we restrict the signature algorithms supported by the key during the TLS handshake (see issue #2302).
Directories
Click to show internal directories.
Click to hide internal directories.