ca

package

Constants

// Default on-disk layout for a CA. These are the file names used when a
// Config does not override them (see Config and Config.RelConfigPath).
const (
	DefaultConfigFileName     = "ca.conf"
	DefaultCertFileName       = "ca.pem"
	DefaultAuditLogFileName   = "audit.log"
	// DefaultAuditLogKeepCopies is presumably the count used when
	// Config.Log.KeepCopies is 0 ("the default number") — confirm in
	// Config.LogFilesToKeep.
	DefaultAuditLogKeepCopies = 5
	DefaultDriverName         = "file"

	// AuditLogRotationSuffix is a Printf-style format with a single %d verb,
	// so rotated audit-log copies are distinguished by an integer suffix.
	AuditLogRotationSuffix = ".%d"
)

Variables

// Message types written to the CA's audit log. By the Must convention
// MustMessageType panics on a bad name, which is acceptable at package
// init. LogAuditor documents the required ordering of roll and issue
// messages and what each must contain.
var (
	LogMessageTypeRoll  = siglog.MustMessageType("roll")
	LogMessageTypeIssue = siglog.MustMessageType("issue")
	LogMessageTypeNote  = siglog.MustMessageType("note")
)
// ErrNoDriver is the sentinel for a driver name with no registered
// DriverFactory (see AddDriver and GetDriverFactory); compare with
// errors.Is. Presumably surfaced by Config.MakeDriver — confirm.
var ErrNoDriver = errors.New("driver not found")

Functions

func AddDriver

func AddDriver(name string, driver DriverFactory)

func LogConfigForKey

func LogConfigForKey(key crypto.PublicKey) *siglog.LogStreamConfig

func Names

func Names() []string

Types

type CA

// CA is a certificate authority whose configuration, certificate and
// audit log live on disk; construct one with CreateCA or LoadCA. The
// private key is held by the configured Driver and, as LoadCA documents,
// is only loaded when an operation that requires it is performed.
type CA struct {
	// Config is the CA's configuration (see Config).
	Config *Config
	// contains filtered or unexported fields
}

func CreateCA

func CreateCA(ctx context.Context, path string, cust CertCustomiser, p prompt.PasswordPrompt) (*CA, error)

CreateCA creates a new CA object and initializes the key, certificate and audit log on disk. If the key or certificate already exist they will be used as is. The audit log must not exist prior to this call. keyCryptOptions can be used to customize how the key will be encrypted (if created) or decrypted (if already existing).

func LoadCA

func LoadCA(ctx context.Context, path string, auditor siglog.MessageChecker, p prompt.PasswordPrompt) (*CA, error)

LoadCA loads an existing CA. The certificate and audit log must already exist and the audit log will be verified. auditor can be non-nil to perform additional verification as the log is verified. keyCryptOptions can be non-nil to customize how the key will be decrypted when/if it is loaded. The private key for the CA does not need to exist for the CA to be loaded. An attempt to load the private key will only be made if an operation which requires it is performed upon the loaded CA.

func MaybeLoadCa

func MaybeLoadCa(ctx context.Context, path string, isDir bool, p prompt.PasswordPrompt) (*CA, error)

MaybeLoadCa will inspect the path and attempt to load the CA if it looks like a CA config file or directory. It will return (nil, nil) if no attempt is made to load the CA. The path should exist as either a file or a directory.

func (*CA) Certificate

func (c *CA) Certificate() *x509.Certificate

func (*CA) Close

func (c *CA) Close() error

func (*CA) LogNote

func (c *CA) LogNote(note []byte) error

func (*CA) LogRotate

func (c *CA) LogRotate(oldLog io.Writer) (err error)

func (*CA) NextSerialNumber

func (c *CA) NextSerialNumber() *big.Int

func (*CA) PublicKey

func (c *CA) PublicKey() crypto.PublicKey

func (*CA) Sign

func (c *CA) Sign(template *x509.Certificate, csr *x509.CertificateRequest) ([]byte, error)

func (*CA) String

func (c *CA) String() string

type CertCustomiser

// CertCustomiser is a hook that adjusts a certificate in place.
// Driver.InitPrivateKey returns one and CreateCA accepts one; use
// JoinCustomisers to apply several in turn. A non-nil error is presumably
// propagated to the caller and aborts the operation — confirm.
type CertCustomiser func(certificate *x509.Certificate) error

func JoinCustomisers

func JoinCustomisers(customisers ...CertCustomiser) CertCustomiser

type CertTrace

// CertTrace is just enough info about a certificate to tell if a CA
// really did issue it and when, and to generate a CRL. MakeTrace builds
// one from a certificate; ParseTrace/ParseTraces and String round-trip
// the textual form; Equal compares two traces.
type CertTrace struct {
	Description string    `json:"description"`
	// NotAfter presumably mirrors the certificate's NotAfter — confirm in MakeTrace.
	NotAfter    time.Time `json:"not_after"`
	// Serial is the raw serial-number bytes, not a *big.Int.
	Serial      []byte    `json:"serial"`
	// Sha512_256 presumably holds the SHA-512/256 digest of the certificate,
	// the field that binds a trace to one exact certificate — confirm in MakeTrace.
	Sha512_256  []byte    `json:"sha512_256"`
}

CertTrace is just enough info about a certificate to tell if a CA really did issue it and when, and to generate a CRL.

func MakeTrace

func MakeTrace(cert *x509.Certificate) *CertTrace

func ParseLogRollMessage

func ParseLogRollMessage(payload []byte) (cert *x509.Certificate, traces []*CertTrace, err error)

func ParseTrace

func ParseTrace(line string) (*CertTrace, error)

func ParseTraces

func ParseTraces(lines []byte) ([]*CertTrace, error)

func (*CertTrace) Equal

func (ct *CertTrace) Equal(ot *CertTrace) bool

func (*CertTrace) String

func (ct *CertTrace) String() string

type Config

// Config is the CA's configuration as decoded from its YAML config file
// (default name DefaultConfigFileName). Path values are presumably
// resolved relative to the config file via RelConfigPath — confirm.
type Config struct {
	Log struct {
		// Path has no yaml tag, so its YAML key is whatever the decoder
		// derives from the field name; the sibling Certificate.Path tags
		// "path" explicitly. NOTE(review): consider adding `yaml:"path"` here
		// for consistency.
		Path string
		/*
			KeepCopies is the number of past audit logs to keep for the CA.
			Use an integer value here, 0 for the default number, or -1 to not
			keep any copies.
		*/
		KeepCopies int `yaml:"keep_copies"`
	} `yaml:"log"`
	Certificate struct {
		Path string `yaml:"path"`
	} `yaml:"certificate"`
	// Driver names a DriverFactory registered with AddDriver; an empty
	// value presumably falls back to DefaultDriverName via DriverName() — confirm.
	Driver       string              `yaml:"driver"`
	// DriverConfig is kept undecoded until the driver's own config type is
	// known; see UntypedDriverConfig.UnmarshalDriverConfig and Config.MakeDriver.
	DriverConfig UntypedDriverConfig `yaml:"driver_config"`
	// contains filtered or unexported fields
}

func (*Config) CertificateFilePath

func (c *Config) CertificateFilePath() string

func (*Config) DriverName

func (c *Config) DriverName() string

func (*Config) LogFilePath

func (c *Config) LogFilePath() string

func (*Config) LogFilesToKeep

func (c *Config) LogFilesToKeep() int

func (*Config) MakeDriver

func (c *Config) MakeDriver() (Driver, error)

func (*Config) RelConfigPath

func (c *Config) RelConfigPath(configValue, defaultValue string) string

type Driver

// Driver abstracts where the CA's private key (and optionally its
// certificate) is kept. Implementations are produced by a DriverFactory
// registered with AddDriver and are built from a Config by MakeDriver.
// Close (from io.Closer) releases whatever the driver holds open.
type Driver interface {
	io.Closer

	// InitPrivateKey should create a new private key only if one does not
	// already exist. If one does exist it should return the public part and
	// a signer. This will be called once when a CA is created.
	InitPrivateKey(prompt prompt.PasswordPrompt) (publicKey crypto.PublicKey, certCustomiser CertCustomiser, signer crypto.Signer, err error)

	// GetSigner returns the signer that this driver stores. It may use the prompt
	// to get a pin or passphrase during the call to GetSigner, or after it has
	// returned during a call to methods on the returned signer.
	GetSigner(certificate *x509.Certificate, prompt prompt.PasswordPrompt) (crypto.Signer, error)

	// SetCertificate is called a single time on completion of the CA's
	// initialisation. If the driver stores certificates then this is the time
	// to save it. It does not need to store the certificate.
	SetCertificate(certificate *x509.Certificate, prompt prompt.PasswordPrompt) error
}

type DriverFactory

// DriverFactory creates Drivers of one kind. Factories are registered
// under a name with AddDriver, listed by Names and looked up with
// GetDriverFactory.
type DriverFactory interface {
	// String presumably returns the factory's driver name — confirm against AddDriver.
	String() string
	// NewDriverConfig returns a fresh value for this driver's configuration,
	// presumably the target that UntypedDriverConfig.UnmarshalDriverConfig
	// decodes into — confirm.
	NewDriverConfig() any
	// NewDriver builds a Driver from the CA config and the decoded
	// driver-specific config.
	NewDriver(caConfig *Config, driverConfig any) (Driver, error)
}

func GetDriverFactory

func GetDriverFactory(name string) DriverFactory

type LogAuditor

// LogAuditor checks a CA audit log for the correct message sequence and
// content; it satisfies siglog.MessageChecker via CheckMessage and can be
// passed as the auditor to LoadCA.
// NOTE(review): CheckMessage has a pointer receiver while InitCA has a
// value receiver — confirm InitCA does not intend to modify the auditor.
type LogAuditor struct {
	// CaCert is the CA certificate that every issued certificate in the
	// log must have been issued by.
	CaCert      *x509.Certificate
	// CertsIssued accumulates the traces of certificates seen in the log,
	// which a closing roll message must account for.
	CertsIssued []*CertTrace
	// contains filtered or unexported fields
}

LogAuditor checks a CA log to ensure it is in the correct format. Things that are checked:

  • Message sequence: The first message must be a roll message, and if there is a second roll message, it must be the last message in the sequence.
  • A closing roll message must contain all the certificates that the opening roll message contains and additionally all the certificate issued since the opening roll message.
  • If this auditor is shown more than one log stream, the opening roll message of each stream must match the closing roll message of the previous stream.
  • Issue messages must contain a certificate followed by a CSR. The certificate must have been issued by the CA, and the key in the CSR must match the key in the certificate.

func (*LogAuditor) CheckMessage

func (a *LogAuditor) CheckMessage(seq int, m *siglog.Message) error

func (LogAuditor) InitCA

func (a LogAuditor) InitCA(ca *CA) error

type UntypedDriverConfig

// UntypedDriverConfig holds the driver_config section of a Config in raw
// form (captured by UnmarshalYAML) so it can be decoded later, once the
// driver is known, with UnmarshalDriverConfig into the driver's own
// config value — presumably the one from DriverFactory.NewDriverConfig.
type UntypedDriverConfig struct {
	// contains filtered or unexported fields
}

func (*UntypedDriverConfig) UnmarshalDriverConfig

func (dc *UntypedDriverConfig) UnmarshalDriverConfig(v interface{}) error

func (*UntypedDriverConfig) UnmarshalYAML

func (dc *UntypedDriverConfig) UnmarshalYAML(unmarshal func(interface{}) error) error
