ca

package
v0.0.0-...-c397b60 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 17, 2024 License: Apache-2.0 Imports: 71 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var DisableIdentity = false

DisableIdentity is a global variable to disable the identity.

View Source 
var ErrAdminAPINotAuthorized = errors.New("admin API not authorized")
View Source 
var ErrAdminAPINotImplemented = errors.New("admin API not implemented")
View Source 
var UserAgent = "step-http-client/1.0"

UserAgent will set the User-Agent header in the client requests.

Functions

func BootstrapClient 

func BootstrapClient(ctx context.Context, token string, options ...TLSOption) (*http.Client, error)

BootstrapClient is a helper function that using the given bootstrap token return an http.Client configured with a Transport prepared to do TLS connections using the client certificate returned by the certificate authority. By default the server will kick off a routine that will renew the certificate after 2/3rd of the certificate's lifetime has expired.

Usage: 

// Default example with certificate rotation.
client, err := ca.BootstrapClient(ctx.Background(), token)

// Example canceling automatic certificate rotation.
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
client, err := ca.BootstrapClient(ctx, token)
if err != nil {
  return err
}
resp, err := client.Get("https://internal.smallstep.com")

func BootstrapListener 

func BootstrapListener(ctx context.Context, token string, inner net.Listener, options ...TLSOption) (net.Listener, error)

BootstrapListener is a helper function that using the given token returns a TLS listener which accepts connections from an inner listener and wraps each connection with Server.

Without any extra option the server will be configured for mTLS, it will require and verify clients certificates, but options can be used to drop this requirement, the most common will be only verify the certs if given with ca.VerifyClientCertIfGiven(), or add extra CAs with ca.AddClientCA(*x509.Certificate).

Usage: 

inner, err := net.Listen("tcp", ":443")
if err != nil {
  return nil
}
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
lis, err := ca.BootstrapListener(ctx, token, inner)
if err != nil {
    return err
}
srv := grpc.NewServer()
... // register services
srv.Serve(lis)

func BootstrapServer 

func BootstrapServer(ctx context.Context, token string, base *http.Server, options ...TLSOption) (*http.Server, error)

BootstrapServer is a helper function that using the given token returns the given http.Server configured with a TLS certificate signed by the Certificate Authority. By default the server will kick off a routine that will renew the certificate after 2/3rd of the certificate's lifetime has expired.

Without any extra option the server will be configured for mTLS, it will require and verify clients certificates, but options can be used to drop this requirement, the most common will be only verify the certs if given with ca.VerifyClientCertIfGiven(), or add extra CAs with ca.AddClientCA(*x509.Certificate).

Usage: 

// Default example with certificate rotation.
srv, err := ca.BootstrapServer(context.Background(), token, &http.Server{
    Addr: ":443",
    Handler: handler,
})

// Example canceling automatic certificate rotation.
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
srv, err := ca.BootstrapServer(ctx, token, &http.Server{
    Addr: ":443",
    Handler: handler,
})
if err != nil {
    return err
}
srv.ListenAndServeTLS("", "")

func Certificate 

func Certificate(sign *api.SignResponse) (*x509.Certificate, error)

Certificate returns the server or client certificate from the sign response.

func CreateCertificateRequest 

func CreateCertificateRequest(commonName string, sans ...string) (*api.CertificateRequest, crypto.PrivateKey, error)

CreateCertificateRequest creates a new CSR with the given common name and SANs. If no san is provided the commonName will set also a SAN.

func CreateIdentityRequest 

func CreateIdentityRequest(commonName string, sans ...string) (*api.CertificateRequest, crypto.PrivateKey, error)

CreateIdentityRequest returns a new CSR to create the identity. If an identity was already present it reuses the private key.

func CreateSignRequest 

func CreateSignRequest(ott string) (*api.SignRequest, crypto.PrivateKey, error)

CreateSignRequest is a helper function that given an x509 OTT returns a simple but secure sign request as well as the private key used.

func IntermediateCertificate 

func IntermediateCertificate(sign *api.SignResponse) (*x509.Certificate, error)

IntermediateCertificate returns the CA intermediate certificate from the sign response.

func LoadDefaultIdentity 

func LoadDefaultIdentity() (*identity.Identity, error)

LoadDefaultIdentity is a wrapper for identity.LoadDefaultIdentity.

func RootCertificate 

func RootCertificate(sign *api.SignResponse) (*x509.Certificate, error)

RootCertificate returns the root certificate from the sign response.

func StopHandler 

func StopHandler(servers ...Stopper)

StopHandler watches SIGINT, SIGTERM on a list of servers implementing the Stopper interface, and when one of those signals is caught we'll run Stop (SIGINT, SIGTERM) on all servers.

func StopReloaderHandler 

func StopReloaderHandler(servers ...StopReloader)

StopReloaderHandler watches SIGINT, SIGTERM and SIGHUP on a list of servers implementing the StopReloader interface, and when one of those signals is caught we'll run Stop (SIGINT, SIGTERM) or Reload (SIGHUP) on all servers.

func TLSCertificate 

func TLSCertificate(sign *api.SignResponse, pk crypto.PrivateKey) (*tls.Certificate, error)

TLSCertificate creates a new TLS certificate from the sign response and the private key used.

func WithRenewBefore 

func WithRenewBefore(b time.Duration) func(r *TLSRenewer) error

WithRenewBefore modifies a tlsRenewer by setting the renewBefore attribute.

func WithRenewJitter 

func WithRenewJitter(j time.Duration) func(r *TLSRenewer) error

WithRenewJitter modifies a tlsRenewer by setting the renewJitter attribute.

func WriteDefaultIdentity 

func WriteDefaultIdentity(certChain []api.Certificate, key crypto.PrivateKey) error

WriteDefaultIdentity is a wrapper for identity.WriteDefaultIdentity.

Types

type ACMEClient 

type ACMEClient struct {
	Key *jose.JSONWebKey
	// contains filtered or unexported fields
}

ACMEClient implements an HTTP client to an ACME API.

func NewACMEClient 

func NewACMEClient(endpoint string, contact []string, opts ...ClientOption) (*ACMEClient, error)

NewACMEClient initializes a new ACMEClient.

func (*ACMEClient) FinalizeOrder 

func (c *ACMEClient) FinalizeOrder(url string, csr *x509.CertificateRequest) error

FinalizeOrder makes a finalize request to the ACME api.

func (*ACMEClient) GetAccountOrders 

func (c *ACMEClient) GetAccountOrders() ([]string, error)

GetAccountOrders retrieves the orders belonging to the given account.

func (*ACMEClient) GetAuthz 

func (c *ACMEClient) GetAuthz(url string) (*acme.Authorization, error)

GetAuthz returns the Authz at the given path.

func (*ACMEClient) GetCertificate 

func (c *ACMEClient) GetCertificate(url string) (*x509.Certificate, []*x509.Certificate, error)

GetCertificate retrieves the certificate along with all intermediates.

func (*ACMEClient) GetChallenge 

func (c *ACMEClient) GetChallenge(url string) (*acme.Challenge, error)

GetChallenge returns the Challenge at the given path. With the validate parameter set to True this method will attempt to validate the challenge before returning it.

func (*ACMEClient) GetDirectory 

func (c *ACMEClient) GetDirectory() (*acmeAPI.Directory, error)

GetDirectory makes a directory request to the ACME api and returns an ACME directory object.

func (*ACMEClient) GetNonce 

func (c *ACMEClient) GetNonce() (string, error)

GetNonce makes a nonce request to the ACME api and returns an ACME directory object.

func (*ACMEClient) GetOrder 

func (c *ACMEClient) GetOrder(url string) (*acme.Order, error)

GetOrder returns the Order at the given path.

func (*ACMEClient) NewOrder 

func (c *ACMEClient) NewOrder(payload []byte) (*acme.Order, error)

NewOrder creates and returns the information for a new ACME order.

func (*ACMEClient) ValidateChallenge 

func (c *ACMEClient) ValidateChallenge(url string) error

ValidateChallenge returns the Challenge at the given path. With the validate parameter set to True this method will attempt to validate the challenge before returning it.

func (*ACMEClient) ValidateWithPayload 

func (c *ACMEClient) ValidateWithPayload(url string, payload []byte) error

ValidateWithPayload will attempt to validate the challenge at the given url with the given attestation payload.

type AdminClient 

type AdminClient struct {
	// contains filtered or unexported fields
}

AdminClient implements an HTTP client for the CA server.

func NewAdminClient 

func NewAdminClient(endpoint string, opts ...ClientOption) (*AdminClient, error)

NewAdminClient creates a new AdminClient with the given endpoint and options.

func (*AdminClient) CreateACMEPolicy 

func (c *AdminClient) CreateACMEPolicy(provisionerName, reference, keyID string, p *linkedca.Policy) (*linkedca.Policy, error)

func (*AdminClient) CreateAdmin 

func (c *AdminClient) CreateAdmin(createAdminRequest *adminAPI.CreateAdminRequest) (*linkedca.Admin, error)

CreateAdmin performs the POST /admin/admins request to the CA.

func (*AdminClient) CreateAuthorityPolicy 

func (c *AdminClient) CreateAuthorityPolicy(p *linkedca.Policy) (*linkedca.Policy, error)

func (*AdminClient) CreateExternalAccountKey 

func (c *AdminClient) CreateExternalAccountKey(provisionerName string, eakRequest *adminAPI.CreateExternalAccountKeyRequest) (*linkedca.EABKey, error)

CreateExternalAccountKey performs the POST /admin/acme/eab request to the CA.

func (*AdminClient) CreateProvisioner 

func (c *AdminClient) CreateProvisioner(prov *linkedca.Provisioner) (*linkedca.Provisioner, error)

CreateProvisioner performs the POST /admin/provisioners request to the CA.

func (*AdminClient) CreateProvisionerPolicy 

func (c *AdminClient) CreateProvisionerPolicy(provisionerName string, p *linkedca.Policy) (*linkedca.Policy, error)

func (*AdminClient) CreateProvisionerWebhook 

func (c *AdminClient) CreateProvisionerWebhook(provisionerName string, wh *linkedca.Webhook) (*linkedca.Webhook, error)

func (*AdminClient) DeleteProvisionerWebhook 

func (c *AdminClient) DeleteProvisionerWebhook(provisionerName, webhookName string) error

func (*AdminClient) GetACMEPolicy 

func (c *AdminClient) GetACMEPolicy(provisionerName, reference, keyID string) (*linkedca.Policy, error)

func (*AdminClient) GetAdmin 

func (c *AdminClient) GetAdmin(id string) (*linkedca.Admin, error)

GetAdmin performs the GET /admin/admin/{id} request to the CA.

func (*AdminClient) GetAdmins 

func (c *AdminClient) GetAdmins(...AdminOption) ([]*linkedca.Admin, error)

GetAdmins returns all admins from the GET /admin/admins request to the CA.

func (*AdminClient) GetAdminsPaginate 

func (c *AdminClient) GetAdminsPaginate(opts ...AdminOption) (*adminAPI.GetAdminsResponse, error)

GetAdminsPaginate returns a page from the the GET /admin/admins request to the CA.

func (*AdminClient) GetAuthorityPolicy 

func (c *AdminClient) GetAuthorityPolicy() (*linkedca.Policy, error)

func (*AdminClient) GetExternalAccountKeysPaginate 

func (c *AdminClient) GetExternalAccountKeysPaginate(provisionerName, reference string, opts ...AdminOption) (*adminAPI.GetExternalAccountKeysResponse, error)

GetExternalAccountKeysPaginate returns a page from the GET /admin/acme/eab request to the CA.

func (*AdminClient) GetProvisioner 

func (c *AdminClient) GetProvisioner(opts ...ProvisionerOption) (*linkedca.Provisioner, error)

GetProvisioner performs the GET /admin/provisioners/{name} request to the CA.

func (*AdminClient) GetProvisionerPolicy 

func (c *AdminClient) GetProvisionerPolicy(provisionerName string) (*linkedca.Policy, error)

func (*AdminClient) GetProvisioners 

func (c *AdminClient) GetProvisioners(...AdminOption) (provisioner.List, error)

GetProvisioners returns all admins from the GET /admin/admins request to the CA.

func (*AdminClient) GetProvisionersPaginate 

func (c *AdminClient) GetProvisionersPaginate(opts ...ProvisionerOption) (*adminAPI.GetProvisionersResponse, error)

GetProvisionersPaginate performs the GET /admin/provisioners request to the CA.

func (*AdminClient) IsEnabled 

func (c *AdminClient) IsEnabled() error

IsEnabled checks if the admin API is enabled.

func (*AdminClient) RemoveACMEPolicy 

func (c *AdminClient) RemoveACMEPolicy(provisionerName, reference, keyID string) error

func (*AdminClient) RemoveAdmin 

func (c *AdminClient) RemoveAdmin(id string) error

RemoveAdmin performs the DELETE /admin/admins/{id} request to the CA.

func (*AdminClient) RemoveAuthorityPolicy 

func (c *AdminClient) RemoveAuthorityPolicy() error

func (*AdminClient) RemoveExternalAccountKey 

func (c *AdminClient) RemoveExternalAccountKey(provisionerName, keyID string) error

RemoveExternalAccountKey performs the DELETE /admin/acme/eab/{prov}/{key_id} request to the CA.

func (*AdminClient) RemoveProvisioner 

func (c *AdminClient) RemoveProvisioner(opts ...ProvisionerOption) error

RemoveProvisioner performs the DELETE /admin/provisioners/{name} request to the CA.

func (*AdminClient) RemoveProvisionerPolicy 

func (c *AdminClient) RemoveProvisionerPolicy(provisionerName string) error

func (*AdminClient) UpdateACMEPolicy 

func (c *AdminClient) UpdateACMEPolicy(provisionerName, reference, keyID string, p *linkedca.Policy) (*linkedca.Policy, error)

func (*AdminClient) UpdateAdmin 

func (c *AdminClient) UpdateAdmin(id string, uar *adminAPI.UpdateAdminRequest) (*linkedca.Admin, error)

UpdateAdmin performs the PUT /admin/admins/{id} request to the CA.

func (*AdminClient) UpdateAuthorityPolicy 

func (c *AdminClient) UpdateAuthorityPolicy(p *linkedca.Policy) (*linkedca.Policy, error)

func (*AdminClient) UpdateProvisioner 

func (c *AdminClient) UpdateProvisioner(name string, prov *linkedca.Provisioner) error

UpdateProvisioner performs the PUT /admin/provisioners/{name} request to the CA.

func (*AdminClient) UpdateProvisionerPolicy 

func (c *AdminClient) UpdateProvisionerPolicy(provisionerName string, p *linkedca.Policy) (*linkedca.Policy, error)

func (*AdminClient) UpdateProvisionerWebhook 

func (c *AdminClient) UpdateProvisionerWebhook(provisionerName string, wh *linkedca.Webhook) (*linkedca.Webhook, error)

type AdminClientError 

type AdminClientError struct {
	Type    string `json:"type"`
	Detail  string `json:"detail"`
	Message string `json:"message"`
}

AdminClientError is the client side representation of an AdminError returned by the CA.

func (*AdminClientError) Error 

func (e *AdminClientError) Error() string

Error returns the AdminClientError message as the error message

type AdminOption 

type AdminOption func(o *adminOptions) error

AdminOption is the type of options passed to the Admin method.

func WithAdminCursor 

func WithAdminCursor(cursor string) AdminOption

WithAdminCursor will request the admins starting with the given cursor.

func WithAdminLimit 

func WithAdminLimit(limit int) AdminOption

WithAdminLimit will request the given number of admins.

type CA 

type CA struct {
	// contains filtered or unexported fields
}

CA is the type used to build the complete certificate authority. It builds the HTTP server, set ups the middlewares and the HTTP handlers.

func New 

func New(cfg *config.Config, opts ...Option) (*CA, error)

New creates and initializes the CA with the given configuration and options.

func (*CA) Init 

func (ca *CA) Init(cfg *config.Config) (*CA, error)

Init initializes the CA with the given configuration.

func (*CA) Reload 

func (ca *CA) Reload() error

Reload reloads the configuration of the CA and calls to the server Reload method.

func (*CA) Run 

func (ca *CA) Run() error

Run starts the CA calling to the server ListenAndServe method.

func (*CA) Stop 

func (ca *CA) Stop() error

Stop stops the CA calling to the server Shutdown method.

type Client 

type Client struct {
	// contains filtered or unexported fields
}

Client implements an HTTP client for the CA server.

func Bootstrap 

func Bootstrap(token string) (*Client, error)

Bootstrap is a helper function that initializes a client with the configuration in the bootstrap token.

func NewClient 

func NewClient(endpoint string, opts ...ClientOption) (*Client, error)

NewClient creates a new Client with the given endpoint and options.

func (*Client) Federation 

func (c *Client) Federation() (*api.FederationResponse, error)

Federation performs the get federation request to the CA with an empty context and returns the api.FederationResponse struct.

func (*Client) FederationWithContext 

func (c *Client) FederationWithContext(ctx context.Context) (*api.FederationResponse, error)

FederationWithContext performs the get federation request to the CA with the provided context and returns the api.FederationResponse struct.

func (*Client) GetCaURL 

func (c *Client) GetCaURL() string

GetCaURL returns the configured CA url.

func (*Client) GetClientTLSConfig 

func (c *Client) GetClientTLSConfig(ctx context.Context, sign *api.SignResponse, pk crypto.PrivateKey, options ...TLSOption) (*tls.Config, error)

GetClientTLSConfig returns a tls.Config for client use configured with the sign certificate, and a new certificate pool with the sign root certificate. The client certificate will automatically rotate before expiring.

func (*Client) GetRootCAs 

func (c *Client) GetRootCAs() *x509.CertPool

GetRootCAs returns the RootCAs certificate pool from the configured transport.

func (*Client) GetServerTLSConfig 

func (c *Client) GetServerTLSConfig(ctx context.Context, sign *api.SignResponse, pk crypto.PrivateKey, options ...TLSOption) (*tls.Config, error)

GetServerTLSConfig returns a tls.Config for server use configured with the sign certificate, and a new certificate pool with the sign root certificate. The returned tls.Config will only verify the client certificate if provided. The server certificate will automatically rotate before expiring.

func (*Client) Health 

func (c *Client) Health() (*api.HealthResponse, error)

Health performs the health request to the CA with an empty context and returns the api.HealthResponse struct.

func (*Client) HealthWithContext 

func (c *Client) HealthWithContext(ctx context.Context) (*api.HealthResponse, error)

HealthWithContext performs the health request to the CA with the provided context and returns the api.HealthResponse struct.

func (*Client) ProvisionerKey 

func (c *Client) ProvisionerKey(kid string) (*api.ProvisionerKeyResponse, error)

ProvisionerKey performs the request to the CA with an empty context to get the encrypted key for the given provisioner kid and returns the api.ProvisionerKeyResponse struct with the encrypted key.

func (*Client) ProvisionerKeyWithContext 

func (c *Client) ProvisionerKeyWithContext(ctx context.Context, kid string) (*api.ProvisionerKeyResponse, error)

ProvisionerKeyWithContext performs the request to the CA with the provided context to get the encrypted key for the given provisioner kid and returns the api.ProvisionerKeyResponse struct with the encrypted key.

func (*Client) Provisioners 

func (c *Client) Provisioners(opts ...ProvisionerOption) (*api.ProvisionersResponse, error)

Provisioners performs the provisioners request to the CA with an empty context and returns the api.ProvisionersResponse struct with a map of provisioners.

ProvisionerOption WithProvisionerCursor and WithProvisionLimit can be used to paginate the provisioners.

func (*Client) ProvisionersWithContext 

func (c *Client) ProvisionersWithContext(ctx context.Context, opts ...ProvisionerOption) (*api.ProvisionersResponse, error)

ProvisionersWithContext performs the provisioners request to the CA with the provided context and returns the api.ProvisionersResponse struct with a map of provisioners.

ProvisionerOption WithProvisionerCursor and WithProvisionLimit can be used to paginate the provisioners.

func (*Client) Rekey 

func (c *Client) Rekey(req *api.RekeyRequest, tr http.RoundTripper) (*api.SignResponse, error)

Rekey performs the rekey request to the CA with an empty context and returns the api.SignResponse struct.

func (*Client) RekeyWithContext 

func (c *Client) RekeyWithContext(ctx context.Context, req *api.RekeyRequest, tr http.RoundTripper) (*api.SignResponse, error)

RekeyWithContext performs the rekey request to the CA with the provided context and returns the api.SignResponse struct.

func (*Client) Renew 

func (c *Client) Renew(tr http.RoundTripper) (*api.SignResponse, error)

Renew performs the renew request to the CA with an empty context and returns the api.SignResponse struct.

func (*Client) RenewWithContext 

func (c *Client) RenewWithContext(ctx context.Context, tr http.RoundTripper) (*api.SignResponse, error)

RenewWithContext performs the renew request to the CA with the provided context and returns the api.SignResponse struct.

func (*Client) RenewWithToken 

func (c *Client) RenewWithToken(token string) (*api.SignResponse, error)

RenewWithToken performs the renew request to the CA with the given authorization token and and empty context and returns the api.SignResponse struct. This method is generally used to renew an expired certificate.

func (*Client) RenewWithTokenAndContext 

func (c *Client) RenewWithTokenAndContext(ctx context.Context, token string) (*api.SignResponse, error)

RenewWithTokenAndContext performs the renew request to the CA with the given authorization token and context and returns the api.SignResponse struct. This method is generally used to renew an expired certificate.

func (*Client) Revoke 

func (c *Client) Revoke(req *api.RevokeRequest, tr http.RoundTripper) (*api.RevokeResponse, error)

Revoke performs the revoke request to the CA with an empty context and returns the api.RevokeResponse struct.

func (*Client) RevokeWithContext 

func (c *Client) RevokeWithContext(ctx context.Context, req *api.RevokeRequest, tr http.RoundTripper) (*api.RevokeResponse, error)

RevokeWithContext performs the revoke request to the CA with the provided context and returns the api.RevokeResponse struct.

func (*Client) Root 

func (c *Client) Root(sha256Sum string) (*api.RootResponse, error)

Root performs the root request to the CA with an empty context and the provided SHA256 and returns the api.RootResponse struct. It uses an insecure client, but it checks the resulting root certificate with the given SHA256, returning an error if they do not match.

func (*Client) RootFingerprint 

func (c *Client) RootFingerprint() (string, error)

RootFingerprint is a helper method that returns the current root fingerprint. It does an health connection and gets the fingerprint from the TLS verified chains.

func (*Client) RootFingerprintWithContext 

func (c *Client) RootFingerprintWithContext(ctx context.Context) (string, error)

RootFingerprintWithContext is a helper method that returns the current root fingerprint. It does an health connection and gets the fingerprint from the TLS verified chains.

func (*Client) RootWithContext 

func (c *Client) RootWithContext(ctx context.Context, sha256Sum string) (*api.RootResponse, error)

RootWithContext performs the root request to the CA with an empty context and the provided SHA256 and returns the api.RootResponse struct. It uses an insecure client, but it checks the resulting root certificate with the given SHA256, returning an error if they do not match.

func (*Client) Roots 

func (c *Client) Roots() (*api.RootsResponse, error)

Roots performs the get roots request to the CA with an empty context and returns the api.RootsResponse struct.

func (*Client) RootsWithContext 

func (c *Client) RootsWithContext(ctx context.Context) (*api.RootsResponse, error)

RootsWithContext performs the get roots request to the CA with the provided context and returns the api.RootsResponse struct.

func (*Client) SSHBastion 

func (c *Client) SSHBastion(req *api.SSHBastionRequest) (*api.SSHBastionResponse, error)

SSHBastion performs the POST /ssh/bastion request to the CA with an empty context.

func (*Client) SSHBastionWithContext 

func (c *Client) SSHBastionWithContext(ctx context.Context, req *api.SSHBastionRequest) (*api.SSHBastionResponse, error)

SSHBastionWithContext performs the POST /ssh/bastion request to the CA with the provided context.

func (*Client) SSHCheckHost 

func (c *Client) SSHCheckHost(principal, token string) (*api.SSHCheckPrincipalResponse, error)

SSHCheckHost performs the POST /ssh/check-host request to the CA with an empty context, the principal and a token and returns the api.SSHCheckPrincipalResponse.

func (*Client) SSHCheckHostWithContext 

func (c *Client) SSHCheckHostWithContext(ctx context.Context, principal, token string) (*api.SSHCheckPrincipalResponse, error)

SSHCheckHostWithContext performs the POST /ssh/check-host request to the CA with the provided context, principal and token and returns the api.SSHCheckPrincipalResponse.

func (*Client) SSHConfig 

func (c *Client) SSHConfig(req *api.SSHConfigRequest) (*api.SSHConfigResponse, error)

SSHConfig performs the POST /ssh/config request to the CA with an empty context to get the ssh configuration templates.

func (*Client) SSHConfigWithContext 

func (c *Client) SSHConfigWithContext(ctx context.Context, req *api.SSHConfigRequest) (*api.SSHConfigResponse, error)

SSHConfigWithContext performs the POST /ssh/config request to the CA with the provided context to get the ssh configuration templates.

func (*Client) SSHFederation 

func (c *Client) SSHFederation() (*api.SSHRootsResponse, error)

SSHFederation performs the get /ssh/federation request to the CA with an empty context and returns the api.SSHRootsResponse struct.

func (*Client) SSHFederationWithContext 

func (c *Client) SSHFederationWithContext(ctx context.Context) (*api.SSHRootsResponse, error)

SSHFederationWithContext performs the get /ssh/federation request to the CA with the provided context and returns the api.SSHRootsResponse struct.

func (*Client) SSHGetHosts 

func (c *Client) SSHGetHosts() (*api.SSHGetHostsResponse, error)

SSHGetHosts performs the GET /ssh/get-hosts request to the CA with an empty context.

func (*Client) SSHGetHostsWithContext 

func (c *Client) SSHGetHostsWithContext(ctx context.Context) (*api.SSHGetHostsResponse, error)

SSHGetHostsWithContext performs the GET /ssh/get-hosts request to the CA with the provided context.

func (*Client) SSHRekey 

func (c *Client) SSHRekey(req *api.SSHRekeyRequest) (*api.SSHRekeyResponse, error)

SSHRekey performs the POST /ssh/rekey request to the CA with an empty context and returns the api.SSHRekeyResponse struct.

func (*Client) SSHRekeyWithContext 

func (c *Client) SSHRekeyWithContext(ctx context.Context, req *api.SSHRekeyRequest) (*api.SSHRekeyResponse, error)

SSHRekeyWithContext performs the POST /ssh/rekey request to the CA with the provided context and returns the api.SSHRekeyResponse struct.

func (*Client) SSHRenew 

func (c *Client) SSHRenew(req *api.SSHRenewRequest) (*api.SSHRenewResponse, error)

SSHRenew performs the POST /ssh/renew request to the CA with an empty context and returns the api.SSHRenewResponse struct.

func (*Client) SSHRenewWithContext 

func (c *Client) SSHRenewWithContext(ctx context.Context, req *api.SSHRenewRequest) (*api.SSHRenewResponse, error)

SSHRenewWithContext performs the POST /ssh/renew request to the CA with the provided context and returns the api.SSHRenewResponse struct.

func (*Client) SSHRevoke 

func (c *Client) SSHRevoke(req *api.SSHRevokeRequest) (*api.SSHRevokeResponse, error)

SSHRevoke performs the POST /ssh/revoke request to the CA with an empty context and returns the api.SSHRevokeResponse struct.

func (*Client) SSHRevokeWithContext 

func (c *Client) SSHRevokeWithContext(ctx context.Context, req *api.SSHRevokeRequest) (*api.SSHRevokeResponse, error)

SSHRevokeWithContext performs the POST /ssh/revoke request to the CA with the provided context and returns the api.SSHRevokeResponse struct.

func (*Client) SSHRoots 

func (c *Client) SSHRoots() (*api.SSHRootsResponse, error)

SSHRoots performs the GET /ssh/roots request to the CA with an empty context and returns the api.SSHRootsResponse struct.

func (*Client) SSHRootsWithContext 

func (c *Client) SSHRootsWithContext(ctx context.Context) (*api.SSHRootsResponse, error)

SSHRootsWithContext performs the GET /ssh/roots request to the CA with the provided context and returns the api.SSHRootsResponse struct.

func (*Client) SSHSign 

func (c *Client) SSHSign(req *api.SSHSignRequest) (*api.SSHSignResponse, error)

SSHSign performs the POST /ssh/sign request to the CA with an empty context and returns the api.SSHSignResponse struct.

func (*Client) SSHSignWithContext 

func (c *Client) SSHSignWithContext(ctx context.Context, req *api.SSHSignRequest) (*api.SSHSignResponse, error)

SSHSignWithContext performs the POST /ssh/sign request to the CA with the provided context and returns the api.SSHSignResponse struct.

func (*Client) SetTransport 

func (c *Client) SetTransport(tr http.RoundTripper)

SetTransport updates the transport of the internal HTTP client.

func (*Client) Sign 

func (c *Client) Sign(req *api.SignRequest) (*api.SignResponse, error)

Sign performs the sign request to the CA with an empty context and returns the api.SignResponse struct.

func (*Client) SignWithContext 

func (c *Client) SignWithContext(ctx context.Context, req *api.SignRequest) (*api.SignResponse, error)

SignWithContext performs the sign request to the CA with the provided context and returns the api.SignResponse struct.

func (*Client) Transport 

func (c *Client) Transport(ctx context.Context, sign *api.SignResponse, pk crypto.PrivateKey, options ...TLSOption) (*http.Transport, error)

Transport returns an http.Transport configured to use the client certificate from the sign response.

func (*Client) Version 

func (c *Client) Version() (*api.VersionResponse, error)

Version performs the version request to the CA with an empty context and returns the api.VersionResponse struct.

func (*Client) VersionWithContext 

func (c *Client) VersionWithContext(ctx context.Context) (*api.VersionResponse, error)

VersionWithContext performs the version request to the CA with the provided context and returns the api.VersionResponse struct.

type ClientOption 

type ClientOption func(o *clientOptions) error

ClientOption is the type of options passed to the Client constructor.

func WithAdminX5C 

func WithAdminX5C(certs []*x509.Certificate, key interface{}, passwordFile string) ClientOption

WithAdminX5C will set the given file as the X5C certificate for use by the client.

func WithCABundle 

func WithCABundle(bundle []byte) ClientOption

WithCABundle will create the transport using the given root certificates. It will fail if a previous option to create the transport has been configured.

func WithCertificate 

func WithCertificate(cert tls.Certificate) ClientOption

WithCertificate will set the given certificate as the TLS client certificate in the client.

func WithInsecure 

func WithInsecure() ClientOption

WithInsecure adds a insecure transport that bypasses TLS verification.

func WithRetryFunc 

func WithRetryFunc(fn RetryFunc) ClientOption

WithRetryFunc defines a method used to retry a request.

func WithRootFile 

func WithRootFile(filename string) ClientOption

WithRootFile will create the transport using the given root certificate. It will fail if a previous option to create the transport has been configured.

func WithRootSHA256 

func WithRootSHA256(sum string) ClientOption

WithRootSHA256 will create the transport using an insecure client to retrieve the root certificate using its fingerprint. It will fail if a previous option to create the transport has been configured.

func WithTransport 

func WithTransport(tr http.RoundTripper) ClientOption

WithTransport adds a custom transport to the Client. It will fail if a previous option to create the transport has been configured.

type Option 

type Option func(o *options)

Option is the type of options passed to the CA constructor.

func WithConfigFile 

func WithConfigFile(name string) Option

WithConfigFile sets the given name as the configuration file name in the CA options.

func WithDatabase 

func WithDatabase(d db.AuthDB) Option

WithDatabase sets the given authority database to the CA options.

func WithIssuerPassword 

func WithIssuerPassword(password []byte) Option

WithIssuerPassword sets the given password as the configured certificate issuer password in the CA options.

func WithLinkedCAToken 

func WithLinkedCAToken(token string) Option

WithLinkedCAToken sets the token used to authenticate with the linkedca.

func WithPassword 

func WithPassword(password []byte) Option

WithPassword sets the given password as the configured password in the CA options.

func WithQuiet 

func WithQuiet(quiet bool) Option

WithQuiet sets the quiet flag.

func WithSSHHostPassword 

func WithSSHHostPassword(password []byte) Option

WithSSHHostPassword sets the given password to decrypt the key used to sign ssh host certificates.

func WithSSHUserPassword 

func WithSSHUserPassword(password []byte) Option

WithSSHUserPassword sets the given password to decrypt the key used to sign ssh user certificates.

func WithTLSConfig 

func WithTLSConfig(t *tls.Config) Option

WithTLSConfig sets the TLS configuration to be used by the HTTP(s) server spun by step-ca.

func WithX509CAService 

func WithX509CAService(svc apiv1.CertificateAuthorityService) Option

WithX509CAService provides the x509CAService to be used for signing x509 requests

type Provisioner 

type Provisioner struct {
	*Client
	// contains filtered or unexported fields
}

Provisioner is an authorized entity that can sign tokens necessary for signature requests.

func NewProvisioner 

func NewProvisioner(name, kid, caURL string, password []byte, opts ...ClientOption) (*Provisioner, error)

NewProvisioner loads and decrypts key material from the CA for the named provisioner. The key identified by `kid` will be used if specified. If `kid` is the empty string we'll use the first key for the named provisioner that decrypts using `password`.

func (*Provisioner) Kid 

func (p *Provisioner) Kid() string

Kid returns the provisioners key ID.

func (*Provisioner) Name 

func (p *Provisioner) Name() string

Name returns the provisioner's name.

func (*Provisioner) SSHToken 

func (p *Provisioner) SSHToken(certType, keyID string, principals []string) (string, error)

SSHToken generates a SSH token.

func (*Provisioner) SetFingerprint 

func (p *Provisioner) SetFingerprint(sum string)

SetFingerprint overwrites the default fingerprint used.

func (*Provisioner) Token 

func (p *Provisioner) Token(subject string, sans ...string) (string, error)

Token generates a bootstrap token for a subject.

type ProvisionerOption 

type ProvisionerOption func(o *ProvisionerOptions) error

ProvisionerOption is the type of options passed to the Provisioner method.

func WithProvisionerCursor 

func WithProvisionerCursor(cursor string) ProvisionerOption

WithProvisionerCursor will request the provisioners starting with the given cursor.

func WithProvisionerID 

func WithProvisionerID(id string) ProvisionerOption

WithProvisionerID will request the given provisioner.

func WithProvisionerLimit 

func WithProvisionerLimit(limit int) ProvisionerOption

WithProvisionerLimit will request the given number of provisioners.

func WithProvisionerName 

func WithProvisionerName(name string) ProvisionerOption

WithProvisionerName will request the given provisioner.

type ProvisionerOptions 

type ProvisionerOptions struct {
	Cursor string
	Limit  int
	ID     string
	Name   string
}

ProvisionerOptions stores options for the provisioner CRUD API.

func (*ProvisionerOptions) Apply 

func (o *ProvisionerOptions) Apply(opts []ProvisionerOption) (err error)

Apply caches provisioner options on a struct for later use.

type RenewFunc 

type RenewFunc func() (*tls.Certificate, error)

RenewFunc defines the type of the functions used to get a new tls certificate.

type RetryFunc 

type RetryFunc func(code int) bool

RetryFunc defines the method used to retry a request. If it returns true, the request will be retried once.

type StopReloader 

type StopReloader interface {
	Stop() error
	Reload() error
}

StopReloader is the interface that external commands can implement to stop the server and reload the configuration while running.

type Stopper 

type Stopper interface {
	Stop() error
}

Stopper is the interface that external commands can implement to stop the server.

type TLSOption 

type TLSOption func(ctx *TLSOptionCtx) error

TLSOption defines the type of a function that modifies a tls.Config.

func AddClientCA 

func AddClientCA(cert *x509.Certificate) TLSOption

AddClientCA adds to the tls.Config ClientCAs the given certificate. ClientCAs defines the set of root certificate authorities that servers use if required to verify a client certificate by the policy in ClientAuth.

func AddFederationToCAs 

func AddFederationToCAs() TLSOption

AddFederationToCAs does a federation request and adds the resulting certs to the tls.Config RootCAs and ClientCAs. Combines the functionality of AddFederationToRootCAs and AddFederationToClientCAs.

func AddFederationToClientCAs 

func AddFederationToClientCAs() TLSOption

AddFederationToClientCAs does a federation request and adds to the tls.Config ClientCAs all the certificates in the response. ClientCAs defines the set of root certificate authorities that servers use if required to verify a client certificate by the policy in ClientAuth.

func AddFederationToRootCAs 

func AddFederationToRootCAs() TLSOption

AddFederationToRootCAs does a federation request and adds to the tls.Config RootCAs all the certificates in the response. RootCAs defines the set of root certificate authorities that clients use when verifying server certificates.

func AddRootCA 

func AddRootCA(cert *x509.Certificate) TLSOption

AddRootCA adds to the tls.Config RootCAs the given certificate. RootCAs defines the set of root certificate authorities that clients use when verifying server certificates.

func AddRootsToCAs 

func AddRootsToCAs() TLSOption

AddRootsToCAs does a roots request and adds the resulting certs to the tls.Config RootCAs and ClientCAs. Combines the functionality of AddRootsToRootCAs and AddRootsToClientCAs.

func AddRootsToClientCAs 

func AddRootsToClientCAs() TLSOption

AddRootsToClientCAs does a roots request and adds to the tls.Config ClientCAs all the certificates in the response. ClientCAs defines the set of root certificate authorities that servers use if required to verify a client certificate by the policy in ClientAuth.

BootstrapServer method includes this option by default.

func AddRootsToRootCAs 

func AddRootsToRootCAs() TLSOption

AddRootsToRootCAs does a roots request and adds to the tls.Config RootCAs all the certificates in the response. RootCAs defines the set of root certificate authorities that clients use when verifying server certificates.

BootstrapServer and BootstrapClient methods include this option by default.

func RequireAndVerifyClientCert 

func RequireAndVerifyClientCert() TLSOption

RequireAndVerifyClientCert is a tls.Config option used on servers to enforce a valid TLS client certificate. This is the default option for mTLS servers.

func VerifyClientCertIfGiven 

func VerifyClientCertIfGiven() TLSOption

VerifyClientCertIfGiven is a tls.Config option used on on servers to validate a TLS client certificate if it is provided. It does not requires a certificate.

type TLSOptionCtx 

type TLSOptionCtx struct {
	Client      *Client
	Config      *tls.Config
	Sign        *api.SignResponse
	OnRenewFunc []TLSOption
	// contains filtered or unexported fields
}

TLSOptionCtx is the context modified on TLSOption methods.

type TLSRenewer 

type TLSRenewer struct {
	RenewCertificate RenewFunc
	// contains filtered or unexported fields
}

TLSRenewer automatically renews a tls certificate using a RenewFunc.

func NewTLSRenewer 

func NewTLSRenewer(cert *tls.Certificate, fn RenewFunc, opts ...tlsRenewerOptions) (*TLSRenewer, error)

NewTLSRenewer creates a TLSRenewer for the given cert. It will use the given RenewFunc to get a new certificate when required.

func (*TLSRenewer) GetCertificate 

func (r *TLSRenewer) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error)

GetCertificate returns the current server certificate.

This method is set in the tls.Config GetCertificate property.

func (*TLSRenewer) GetCertificateForCA 

func (r *TLSRenewer) GetCertificateForCA(*tls.ClientHelloInfo) (*tls.Certificate, error)

GetCertificateForCA returns the current server certificate. It can only be used if the renew function creates the new certificate and do not uses a TLS request. It's intended to be use by the certificate authority server.

This method is set in the tls.Config GetCertificate property.

func (*TLSRenewer) GetClientCertificate 

func (r *TLSRenewer) GetClientCertificate(*tls.CertificateRequestInfo) (*tls.Certificate, error)

GetClientCertificate returns the current client certificate.

This method is set in the tls.Config GetClientCertificate property.

func (*TLSRenewer) Run 

func (r *TLSRenewer) Run()

Run starts the certificate renewer for the given certificate.

func (*TLSRenewer) RunContext 

func (r *TLSRenewer) RunContext(ctx context.Context)

RunContext starts the certificate renewer for the given certificate.

func (*TLSRenewer) Stop 

func (r *TLSRenewer) Stop() bool

Stop prevents the renew timer from firing.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.