
package pki

import "github.com/wallyworld/juju/pki"

Index

Package Files

authority.go certificate.go leaf.go pem.go request.go signer.go

Constants

const (
    // PEMTypeCertificate is the PEM block type label for an X.509 certificate.
    PEMTypeCertificate = "CERTIFICATE"
    // PEMTypePKCS1 is the PEM block type label for a PKCS#1 (RSA-only)
    // private key.
    PEMTypePKCS1       = "RSA PRIVATE KEY"
    // PEMTypePKCS8 is the PEM block type label for an unencrypted PKCS#8
    // private key of any algorithm; SignerToPemString/SignerToPemWriter emit
    // this type. (An encrypted PKCS#8 key would carry a different label.)
    PEMTypePKCS8       = "PRIVATE KEY"
)
const (
    // DefaultLeafGroup is the leaf group name used when callers do not name
    // one. Presumably the group the Juju controller's server certificate
    // lives under — confirm against the callers of LeafForGroup.
    DefaultLeafGroup = "controller"
)
const (
    // DefaultValidityYears is the validity period, in years, that the
    // DefaultRequestSigner signs certificates for (presumably NotAfter is
    // set this far after signing — confirm in signer.go).
    // NOTE(review): ten years is very long for a server/leaf certificate
    // and this package exposes no revocation mechanism, so re-issuing is the
    // only remedy after a key compromise. Callers that can tolerate shorter
    // lifetimes should supply their own CertificateRequestSigner.
    DefaultValidityYears = 10
)

Variables

var (
    // DefaultPemHeaders is the (empty) set of PEM headers to pass where a
    // headers map is required and no extra headers are wanted. It is a
    // package-level map and therefore mutable by any importer: do not write
    // to it, or every later caller sees the change.
    DefaultPemHeaders = map[string]string{}
)
var (
    // HeaderLeafGroup is the PEM header key under which a leaf's group name
    // is recorded when a leaf is written out as PEM. Presumably read back by
    // the *Pem constructors when a leaf is reloaded — confirm in leaf.go.
    HeaderLeafGroup = "leaf.pki.juju.is/group"
)
// LeafSubjectTemplate is the default pkix.Name used for every leaf
// certificate issued by a DefaultAuthority. Request-supplied names are
// presumably merged over it with MakeX509NameFromDefaults, so fields left
// empty in a request fall back to these values — confirm in request.go.
var LeafSubjectTemplate = pkix.Name{
    Organization: Organisation,
    CommonName:   "Juju server certificate",
}

LeafSubjectTemplate is the default pkix.Name used for all leaf certificates made from a DefaultAuthority

var (
    // NotBeforeJitter is the (negative) offset applied to "now" when a
    // certificate's NotBefore is set, i.e. certificates are backdated by five
    // minutes. Presumably this tolerates clock skew between the signer and
    // the peers that validate the certificate — confirm in signer.go.
    NotBeforeJitter = time.Minute * -5
)
// Organisation is the default subject Organization placed on every
// certificate this package creates (see LeafSubjectTemplate).
var Organisation = []string{"Juju"}

Organisation default organisation set on all certificates

func CSRToCertificate Uses

func CSRToCertificate(csr *x509.CertificateRequest) *x509.Certificate

CSRToCertificate copies all fields from a CertificateRequest into a new x509.Certificate. No policy check is performed — this is a straight one-to-one copy, so whatever subject and names the CSR asks for end up in the template verbatim. Callers handling CSRs from untrusted parties must validate the requested contents themselves (and verify the CSR's own signature with CheckSignature) before passing the result to a signer.

func CertificateToPemString Uses

func CertificateToPemString(headers map[string]string,
    cert *x509.Certificate, chain ...*x509.Certificate) (string, error)

CertificateToPemString transforms an x509 certificate to a pem string

func CertificateToPemWriter Uses

func CertificateToPemWriter(writer io.Writer, headers map[string]string,
    cert *x509.Certificate, chain ...*x509.Certificate) error

CertificateToPemWriter transforms an x509 certificate to pem format on the supplied writer

func ECDSAP224 Uses

func ECDSAP224() (crypto.Signer, error)

ECDSAP224 returns a new ECDSA private key on the NIST P-224 curve. Note that Go's crypto/tls does not negotiate ECDSA signatures over P-224, so a leaf backed by this key cannot be used for TLS; prefer ECDSAP256 or larger for server certificates.

func ECDSAP256 Uses

func ECDSAP256() (crypto.Signer, error)

ECDSAP256 returns a new ECDSA private key on the NIST P-256 curve.

func ECDSAP384 Uses

func ECDSAP384() (crypto.Signer, error)

ECDSAP384 returns a new ECDSA private key on the NIST P-384 curve.

func Fingerprint Uses

func Fingerprint(pemData []byte) (string, []byte, error)

Fingerprint returns a human-readable SHA-256 fingerprint for a certificate stored in the PEM format. The returned fingerprint matches the output of: openssl x509 -noout -fingerprint -sha256 -inform pem -in cert.pem. Also returns the remainder of the input for the next blocks.

func IsPemCA Uses

func IsPemCA(pemData []byte) (bool, error)

IsPemCA returns true if the supplied PEM-encoded certificate is marked as a CA. This reflects only the certificate's own assertion about itself (presumably its basic-constraints flag); it does not verify the certificate's signature or establish that it is trusted.

func LeafHasDNSNames Uses

func LeafHasDNSNames(leaf Leaf, dnsNames []string) bool

LeafHasDNSNames tests a given Leaf to see if its certificate contains the supplied DNS names.

func MakeX509NameFromDefaults Uses

func MakeX509NameFromDefaults(template, request *pkix.Name) pkix.Name

MakeX509NameFromDefaults constructs a new x509 name from the merging of a default and request name. Fields not set in the request name will be copied from the default name.

func NewCA Uses

func NewCA(commonName string, signer crypto.Signer) (*x509.Certificate, error)

NewCA is a helper that generates a new certificate-authority certificate with the provided common name, signed with the provided signer.

func PublicKeysEqual Uses

func PublicKeysEqual(key1, key2 interface{}) bool

func RSA2048 Uses

func RSA2048() (crypto.Signer, error)

RSA2048 returns a new RSA private key with a 2048-bit modulus.

func RSA3072 Uses

func RSA3072() (crypto.Signer, error)

RSA3072 returns a new RSA private key with a 3072-bit modulus.

func SignerToPemString Uses

func SignerToPemString(signer crypto.Signer) (string, error)

SignerToPemString encodes a crypto.Signer's private key as a PKCS#8 PEM string. The output is an unencrypted private key ("PRIVATE KEY" block) and must be treated as a secret.

func SignerToPemWriter Uses

func SignerToPemWriter(writer io.Writer, signer crypto.Signer) error

SignerToPemWriter writes a crypto.Signer's private key to the supplied writer as unencrypted PKCS#8 PEM; the writer's destination must be protected accordingly.

func UnmarshalPemData Uses

func UnmarshalPemData(pemData []byte) ([]*x509.Certificate, []crypto.Signer, error)

UnmarshalPemData unmarshals a set of pem data into certificates and signers

func UnmarshalSignerFromPemBlock Uses

func UnmarshalSignerFromPemBlock(block *pem.Block) (crypto.Signer, error)

UnmarshalSignerFromPemBlock transforms a given pem block to a crypto signer

type Authority Uses

// Authority issues groups of related certificates that share a single CA.
// An Authority holds the CA's private key (it is itself a Leaf whose Signer
// returns that key), so it must only be handed to code trusted to mint
// certificates. Implementations are expected to be safe for concurrent use.
type Authority interface {
    // Leaf: an Authority is itself a Leaf whose Certificate is the CA
    // certificate and whose Signer is the CA's private key.
    Leaf

    // LeafForGroup returns the leaf associated with the given group. Returns
    // error if no leaf exists for the given group.
    LeafForGroup(string) (Leaf, error)

    // LeafGroupFromPemCertKey loads an already existing certificate key pair as
    // a new leaf at the given group. Returns error if a leaf for the given
    // group already exists or an error occurred loading the pem data.
    // NOTE(review): nothing here states that the loaded certificate must chain
    // to this Authority's CA — confirm whether implementations check that.
    LeafGroupFromPemCertKey(group string, certPem, key []byte) (Leaf, error)

    // LeafRequestForGroup starts a new leaf request for the given group. If a
    // leaf already exists it will be overwritten with this request when
    // committed. This package exposes no revocation mechanism, so the
    // replaced certificate stays valid until its NotAfter.
    LeafRequestForGroup(string) LeafRequest

    // LeafRange is a method for safely iterating over all the leafs for the
    // given Authority. Supplied function should return false to stop iteration
    // early.
    LeafRange(func(leaf Leaf) bool)
}

Authority represents a means of issuing groups of related certificates that share one certificate authority. Because an Authority carries the CA's private key (it is itself a Leaf whose Signer returns that key), it must only be shared between trusted parties — anyone holding it can mint certificates trusted under that CA. Implementations should be considered thread safe.

type CertificateRequestSigner Uses

// CertificateRequestSigner signs CSRs under a CA, returning the issued
// certificate together with the chain to present alongside it.
type CertificateRequestSigner interface {
    // SignCSR issues a certificate for the request. It is the implementation's
    // job to decide what policy (if any) applies to the CSR's contents.
    SignCSR(*x509.CertificateRequest) (*x509.Certificate, []*x509.Certificate, error)
}

CertificateRequestSigner is an interface for signing CSRs under a CA. The signer, not CSRToCertificate, is where any issuance policy must be enforced.

type CertificateRequestSignerFn Uses

// CertificateRequestSignerFn adapts a plain function to the
// CertificateRequestSigner interface, in the manner of http.HandlerFunc.
type CertificateRequestSignerFn func(*x509.CertificateRequest) (*x509.Certificate, []*x509.Certificate, error)

CertificateRequestSignerFn implements CertificateRequestSigner

func (CertificateRequestSignerFn) SignCSR Uses

func (c CertificateRequestSignerFn) SignCSR(r *x509.CertificateRequest) (*x509.Certificate, []*x509.Certificate, error)

SignCSR implements CertificateRequestSigner SignCSR

type DefaultAuthority Uses

// DefaultAuthority is Juju's Authority implementation. It holds the CA
// certificate, the CA's private key and the leaves issued under it, and can
// optionally be given one shared leaf signer (SetLeafSigner) that every new
// leaf then reuses.
type DefaultAuthority struct {
    // contains filtered or unexported fields
}

DefaultAuthority is Juju's implementation of the Authority interface. Its main difference is the ability to set a common leaf private key (SetLeafSigner) so that all leaves share the same key. Note that sharing a key means compromise of any one leaf exposes every leaf issued with it.

func NewDefaultAuthority Uses

func NewDefaultAuthority(authority *x509.Certificate, signer crypto.Signer,
    chain ...*x509.Certificate) (*DefaultAuthority, error)

NewDefaultAuthority generates a new DefaultAuthority for the supplied CA cert and keys. Error is returned when the supplied certificate is not a CA.

func NewDefaultAuthorityPem Uses

func NewDefaultAuthorityPem(pemBlock []byte) (*DefaultAuthority, error)

NewDefaultAuthorityPem generates a new DefaultAuthority for the supplied pem block. The pem block must contain a valid CA certificate and associated private key.

func NewDefaultAuthorityPemCAKey Uses

func NewDefaultAuthorityPemCAKey(caPem, keyPem []byte) (*DefaultAuthority, error)

NewDefaultAuthorityPemCAKey generates a new DefaultAuthority for the supplied PEM CA certificate and key. Returns an error if the supplied certificate is not a CA or parsing of the PEM data fails.

func (*DefaultAuthority) Certificate Uses

func (a *DefaultAuthority) Certificate() *x509.Certificate

Certificate implements Leaf interface method. Returns the CA's certificate

func (*DefaultAuthority) Chain Uses

func (a *DefaultAuthority) Chain() []*x509.Certificate

Chain implements Leaf interface method. Returns the CA's chain if it is an intermediate.

func (*DefaultAuthority) LeafForGroup Uses

func (a *DefaultAuthority) LeafForGroup(group string) (Leaf, error)

LeafForGroup implements Authority interface method.

func (*DefaultAuthority) LeafGroupFromPemCertKey Uses

func (a *DefaultAuthority) LeafGroupFromPemCertKey(group string,
    certPem, key []byte) (Leaf, error)

LeafGroupFromPemCertKey implements Authority interface method.

func (*DefaultAuthority) LeafRange Uses

func (a *DefaultAuthority) LeafRange(ranger func(leaf Leaf) bool)

LeafRange implements Authority interface method.

func (*DefaultAuthority) LeafRequestForGroup Uses

func (a *DefaultAuthority) LeafRequestForGroup(group string) LeafRequest

LeafRequestForGroup implements the Authority interface method. Starts a new leaf request for the given group, overwriting any existing leaf when the request is committed.

func (*DefaultAuthority) SetLeafSigner Uses

func (a *DefaultAuthority) SetLeafSigner(signer crypto.Signer)

SetLeafSigner sets a default signer (private key) used for all leaves subsequently created on this authority. Every such leaf then shares one private key, so compromise of any of them compromises all; use this only where the leaves are deliberately interchangeable.

func (*DefaultAuthority) Signer Uses

func (a *DefaultAuthority) Signer() crypto.Signer

Signer implements the Leaf interface method. Returns the signer used for this authority — that is, the CA's private key — so callers must treat the result as a secret.

func (*DefaultAuthority) TLSCertificate Uses

func (a *DefaultAuthority) TLSCertificate() *tls.Certificate

TLSCertificate implements the Leaf interface method. Returns a tls.Certificate that can be used in TLS connections.

func (*DefaultAuthority) ToPemParts Uses

func (a *DefaultAuthority) ToPemParts() (cert, key []byte, err error)

ToPemParts implements the Leaf interface method. Returns this authority split into certificate and key PEM components; the key component is the CA's private key (presumably unencrypted PKCS#8, as produced by SignerToPemString) and must be stored with care.

type DefaultLeaf Uses

// DefaultLeaf is the default Leaf implementation: a group name, an issued
// certificate, its chain and the matching private key (see NewDefaultLeaf).
type DefaultLeaf struct {
    // contains filtered or unexported fields
}

DefaultLeaf is a default implementation of the Leaf interface

func NewDefaultLeaf Uses

func NewDefaultLeaf(group string, cert *x509.Certificate,
    chain []*x509.Certificate, signer crypto.Signer) *DefaultLeaf

NewDefaultLeaf constructs a new DefaultLeaf for the supplied certificate and key

func NewDefaultLeafPem Uses

func NewDefaultLeafPem(group string, pemBlock []byte) (*DefaultLeaf, error)

NewDefaultLeafPem constructs a new DefaultLeaf from the supplied PEM data

func (*DefaultLeaf) Certificate Uses

func (d *DefaultLeaf) Certificate() *x509.Certificate

Certificate implements Leaf Certificate

func (*DefaultLeaf) Chain Uses

func (d *DefaultLeaf) Chain() []*x509.Certificate

Chain implements Leaf Chain

func (*DefaultLeaf) Signer Uses

func (d *DefaultLeaf) Signer() crypto.Signer

Signer implements Leaf interface Signer

func (*DefaultLeaf) TLSCertificate Uses

func (d *DefaultLeaf) TLSCertificate() *tls.Certificate

TLSCertificate implements Leaf interface TLSCertificate

func (*DefaultLeaf) ToPemParts Uses

func (d *DefaultLeaf) ToPemParts() ([]byte, []byte, error)

ToPemParts implements Leaf interface ToPemParts

type DefaultLeafRequest Uses

// DefaultLeafRequest is the default LeafRequest implementation. It collects a
// subject and the requested DNS names / IP addresses, has its
// CertificateRequestSigner sign them on Commit, and uses its LeafMaker to build
// the resulting Leaf (see NewDefaultLeafRequest for the collaborators).
type DefaultLeafRequest struct {
    // contains filtered or unexported fields
}

DefaultLeafRequest is a default implementation of the LeafRequest interface

func NewDefaultLeafRequest Uses

func NewDefaultLeafRequest(subject pkix.Name,
    requestSigner CertificateRequestSigner, maker LeafMaker) *DefaultLeafRequest

NewDefaultLeafRequest creates a DefaultLeafRequest that implements LeafRequest. A fresh private key is generated for the leaf when it is committed.

func NewDefaultLeafRequestWithSigner Uses

func NewDefaultLeafRequestWithSigner(subject pkix.Name, signer crypto.Signer,
    requestSigner CertificateRequestSigner,
    maker LeafMaker) *DefaultLeafRequest

NewDefaultLeafRequestWithSigner creates a DefaultLeafRequest that implements LeafRequest. It takes an existing signer to use for the resulting certificate instead of generating a new key, so the same private key may end up behind several certificates.

func (*DefaultLeafRequest) AddDNSNames Uses

func (d *DefaultLeafRequest) AddDNSNames(dnsNames ...string) LeafRequest

AddDNSNames implements LeafRequest AddDNSNames

func (*DefaultLeafRequest) AddIPAddresses Uses

func (d *DefaultLeafRequest) AddIPAddresses(ipAddresses ...net.IP) LeafRequest

AddIPAddresses implements LeafRequest AddIPAddresses

func (*DefaultLeafRequest) Commit Uses

func (d *DefaultLeafRequest) Commit() (Leaf, error)

Commit implements LeafRequest Commit: the request is signed by the configured CertificateRequestSigner and the result is turned into a Leaf via the configured LeafMaker.

type DefaultRequestSigner Uses

// DefaultRequestSigner is the default CertificateRequestSigner. It signs CSRs
// under the CA certificate, chain and private key handed to
// NewDefaultRequestSigner, for a validity of DefaultValidityYears.
type DefaultRequestSigner struct {
    // contains filtered or unexported fields
}

DefaultRequestSigner is a default implementation of CertificateRequestSigner

func NewDefaultRequestSigner Uses

func NewDefaultRequestSigner(
    authority *x509.Certificate,
    chain []*x509.Certificate,
    privKey interface{}) *DefaultRequestSigner

NewDefaultRequestSigner creates a new DefaultRequestSigner for the supplied CA certificate, chain and CA private key (privKey). Certificates it issues are valid for DefaultValidityYears.

func (*DefaultRequestSigner) SignCSR Uses

func (d *DefaultRequestSigner) SignCSR(csr *x509.CertificateRequest) (*x509.Certificate, []*x509.Certificate, error)

SignCSR implements CertificateRequestSigner SignCSR

type KeyProfile Uses

// KeyProfile generates a fresh private key with a fixed algorithm and
// size/curve. RSA2048, RSA3072 and the ECDSAP* functions in this package all
// have this shape.
type KeyProfile func() (crypto.Signer, error)

KeyProfile is a convenient way of obtaining a new private key with a default set of attributes (algorithm and size or curve).

var (
    // DefaultKeyProfile is the KeyProfile used when a caller does not supply
    // its own key (presumably by DefaultLeafRequest when no signer is given —
    // confirm in request.go). Currently RSA with a 3072-bit modulus.
    DefaultKeyProfile KeyProfile = RSA3072
)

type Leaf Uses

// Leaf represents a certificate together with the private key it was issued
// for. Whatever holds a Leaf holds that private key.
type Leaf interface {
    // Certificate returns the x509 certificate of this leaf. May be nil if no
    // certificate exists yet; committing the LeafRequest signs the leaf.
    Certificate() *x509.Certificate

    // Chain is the certificate signing chain for this leaf in the case of
    // intermediate CA's
    Chain() []*x509.Certificate

    // Signer is the crypto key used for signing operations on this leaf —
    // i.e. the leaf's private key. Do not pass it to code that only needs
    // the certificate.
    Signer() crypto.Signer

    // TLSCertificate is a convenience method for generating a tls certificate
    // for use in tls transport.
    TLSCertificate() *tls.Certificate

    // ToPemParts is a convenience method for converting this leaf to pem parts
    // of certificate/chain and private key. The key part is a private key in
    // PEM form and must be handled as a secret.
    ToPemParts() (cert, key []byte, err error)
}

Leaf represents a certificate and its associated private key for signing operations.

type LeafMaker Uses

// LeafMaker builds a Leaf from an issued certificate, its chain and the
// private key the certificate was issued for. Presumably this is how a
// DefaultLeafRequest turns the signer's output into a Leaf on Commit — see
// NewDefaultLeafRequest.
type LeafMaker func(*x509.Certificate, []*x509.Certificate, crypto.Signer) (Leaf, error)

LeafMaker describes a function that constructs a new Leaf from the supplied certificate, chain and crypto signer.

type LeafRequest Uses

// LeafRequest is a builder for a new Leaf: add the names the certificate must
// cover, then Commit to have it signed.
type LeafRequest interface {
    // AddDNSNames adds the specified DNS names (subject alternative names) to
    // the LeafRequest. Returns the request so calls can be chained.
    AddDNSNames(...string) LeafRequest

    // AddIPAddresses adds the specified IP addresses (subject alternative
    // names) to the LeafRequest. Returns the request so calls can be chained.
    AddIPAddresses(...net.IP) LeafRequest

    // Commit transforms the LeafRequest to a new Leaf
    Commit() (Leaf, error)
}

LeafRequest is an intermediate unit for requesting new leaves with specific attributes.
