Documentation
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type CertificateAuthority
type CertificateAuthority struct {
	// RawCert is an optional field to determine if signing cert/key pairs have changed
	RawCert []byte
	// RawKey is an optional field to determine if signing cert/key pairs have changed
	RawKey []byte

	Certificate *x509.Certificate
	PrivateKey  crypto.Signer
}
CertificateAuthority implements a certificate authority that supports policy based signing. It's used by the signing controller.
func (*CertificateAuthority) Sign
func (ca *CertificateAuthority) Sign(crDER []byte, policy SigningPolicy) ([]byte, error)
Sign signs a certificate request, applying a SigningPolicy and returns a DER encoded x509 certificate.
type PermissiveSigningPolicy
type PermissiveSigningPolicy struct {
	// TTL is used in certificate NotAfter calculation as described in the NotBefore/NotAfter rules below.
	TTL time.Duration

	// Usages are the allowed usages of a certificate.
	Usages []capi.KeyUsage

	// Backdate is used in certificate NotBefore calculation as described in the NotBefore/NotAfter rules below.
	Backdate time.Duration

	// Short is the duration used to determine if the lifetime of a certificate should be considered short.
	Short time.Duration

	// Now defaults to time.Now but can be stubbed for testing
	Now func() time.Time
}
PermissiveSigningPolicy is the signing policy historically used by the local signer.
- It forwards all SANs from the original signing request.
- It sets allowed usages as configured in the policy.
- It zeros all extensions.
- It sets BasicConstraints to true.
- It sets IsCA to false.
- It validates that the signer has not expired.
- It sets NotBefore and NotAfter:
  All certificates set NotBefore = Now() - Backdate.
  Long-lived certificates set NotAfter = Now() + TTL - Backdate.
  Short-lived certificates set NotAfter = Now() + TTL.
  All certificates truncate NotAfter to the expiration date of the signer.
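The Sign method and the PermissiveSigningPolicy rules above describe one procedure: verify the CSR, forward its SANs, apply only the configured usages, drop requested extensions, mark the leaf as a non-CA, compute the backdated validity window, and truncate it to the signer's own expiry. The following is an added, self-contained Go example of that procedure; it is not the package's own code. LifetimePolicy, signWithPolicy, demo and fixedNow are constructed names, the CA and CSR are generated in-process, and the example assumes a certificate counts as "short-lived" when TTL < Short.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// LifetimePolicy carries the validity-related fields documented for
// PermissiveSigningPolicy (constructed example type, not the project's own).
type LifetimePolicy struct {
	TTL      time.Duration
	Backdate time.Duration
	Short    time.Duration
	Now      func() time.Time // defaults to time.Now; stubbed below for reproducible output
}

// Lifetime applies the documented rules: NotBefore = Now() - Backdate;
// NotAfter = Now() + TTL - Backdate for long-lived certs and Now() + TTL for
// short-lived ones (assumption: short-lived means TTL < Short); NotAfter is
// truncated to the signer's expiry and an already-expired signer is refused.
func (p LifetimePolicy) Lifetime(signerNotAfter time.Time) (time.Time, time.Time, error) {
	now := time.Now()
	if p.Now != nil {
		now = p.Now()
	}
	notBefore := now.Add(-p.Backdate)
	notAfter := now.Add(p.TTL - p.Backdate)
	if p.TTL < p.Short {
		notAfter = now.Add(p.TTL) // do not shorten an already short window by the backdate
	}
	if notAfter.After(signerNotAfter) {
		notAfter = signerNotAfter // a leaf must never outlive its signer
	}
	if !notBefore.Before(signerNotAfter) {
		return time.Time{}, time.Time{}, fmt.Errorf("signer expired at %s: refusing to sign", signerNotAfter.UTC())
	}
	return notBefore, notAfter, nil
}

// signWithPolicy mirrors the documented Sign behaviour and returns a DER certificate.
func signWithPolicy(caCert *x509.Certificate, caKey crypto.Signer, csrDER []byte, p LifetimePolicy,
	usage x509.KeyUsage, ext []x509.ExtKeyUsage) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the requested key
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	notBefore, notAfter, err := p.Lifetime(caCert.NotAfter)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      csr.Subject,
		// Forward all SANs from the request; requested extensions are deliberately not copied.
		DNSNames: csr.DNSNames, IPAddresses: csr.IPAddresses, EmailAddresses: csr.EmailAddresses, URIs: csr.URIs,
		KeyUsage:              usage, // only what the policy allows, never what the CSR asked for
		ExtKeyUsage:           ext,
		BasicConstraintsValid: true,
		IsCA:                  false,
		NotBefore:             notBefore,
		NotAfter:              notAfter,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
}

// fixedNow is a constructed clock value so the validity window is reproducible.
var fixedNow = time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)

// demo builds a throwaway CA that expires in 30 days, signs a CSR for one DNS name
// with a one-year TTL, and returns the parsed leaf; its NotAfter ends up truncated
// to the CA's expiry.
func demo() *x509.Certificate {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-signer"},
		NotBefore: fixedNow.Add(-time.Hour), NotAfter: fixedNow.Add(30 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: true,
	}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	csrDER, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: "node-1"}, DNSNames: []string{"node-1.example.internal"},
	}, leafKey)
	policy := LifetimePolicy{TTL: 365 * 24 * time.Hour, Backdate: 5 * time.Minute, Short: time.Hour,
		Now: func() time.Time { return fixedNow }}
	leafDER, err := signWithPolicy(caCert, caKey, csrDER, policy, x509.KeyUsageDigitalSignature,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(leafDER)
	return leaf
}

func main() {
	leaf := demo()
	fmt.Printf("SANs=%v IsCA=%v NotBefore=%s NotAfter=%s\n", leaf.DNSNames, leaf.IsCA, leaf.NotBefore.UTC(), leaf.NotAfter.UTC())
}
```

Two defensive points are worth noticing when reading the output: the backdate only moves NotBefore (and NotAfter for long-lived certificates) so clock skew between signer and verifier does not produce a not-yet-valid leaf, and truncating NotAfter to the signer's expiry means a long requested TTL cannot produce a certificate that chains to an already-expired CA.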
type SigningPolicy
type SigningPolicy interface {
	// contains filtered or unexported methods
}
SigningPolicy validates a CertificateRequest before it's signed by the CertificateAuthority. It may default or otherwise mutate a certificate template.