 Documentation
      ¶
      Documentation
      ¶
    
    
  
    
  
    Overview ¶
Package pki implements a simple Public Key Infrastructure (PKI) manager that can issue and revoke X.509 certificates.
Index ¶
- Constants
- type Options
- type PKIManager
- func (m *PKIManager) CACert() (*x509.Certificate, error)
- func (m *PKIManager) IsRevoked(serialNumber *big.Int) bool
- func (m *PKIManager) IssueCertificate(cr *x509.CertificateRequest) (cert []byte, retErr error)
- func (m *PKIManager) OCSPResponse(req *ocsp.Request) ([]byte, error)
- func (m *PKIManager) RevocationList() (cert, crl []byte, retErr error)
- func (m *PKIManager) RevocationListPEM() ([]byte, error)
- func (m *PKIManager) RevokeCertificate(serialNumber *big.Int, reasonCode int) (retErr error)
- func (m *PKIManager) ServeCACert(w http.ResponseWriter, req *http.Request)
- func (m *PKIManager) ServeCRL(w http.ResponseWriter, req *http.Request)
- func (m *PKIManager) ServeCertificateManagement(w http.ResponseWriter, req *http.Request)
- func (m *PKIManager) ServeOCSP(w http.ResponseWriter, req *http.Request)
- func (m *PKIManager) ValidateCertificateRequest(csr []byte) (*x509.CertificateRequest, error)
 
Constants ¶
const ( // https://www.rfc-editor.org/rfc/rfc5280.html#section-5.3.1 RevokeReasonUnspecified = 0 RevokeReasonKeyCompromise = 1 RevokeReasonCACompromise = 2 RevokeReasonAffiliationChanged = 3 RevokeReasonSuperseded = 4 RevokeReasonCessationOfOperation = 5 RevokeReasonCertificateHold = 6 // value 7 is not used RevokeReasonRemoveFromCRL = 8 RevokeReasonPriviliegeWithDrawn = 9 RevokeReasonAACompromise = 10 )
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Options ¶
type Options struct {
	// Name is the names of the PKI manager.
	Name string
	// KeyType is one of ed25519, rsa-2048, rsa-4096, ecdsa-p256, etc.
	// Defaults to ecdsa-p256.
	KeyType string
	// Endpoint is the URL that serves the PKI web pages.
	Endpoint string
	// IssuingCertificateURL is a list of URLs that serve the CA certificate.
	IssuingCertificateURL []string
	// CRLDistributionPoints is a list of URLs that server this CA's
	// Certificate Revocation List.
	CRLDistributionPoints []string
	// OCSPServer is a list of URLs that serve the Online Certificate Status
	// Protocol (OCSP) for this CA.
	// https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol
	OCSPServer []string
	// Admins is the of users who are allowed to perform administrative
	// tasks.
	Admins []string
	// TPM is used for hardware-backed keys.
	TPM *tpm.TPM
	// Store is used to store the PKI manager's data.
	Store *storage.Storage
	// EventRecorder is used to record events.
	EventRecorder interface {
		Record(string)
	}
	Logger interface {
		Errorf(format string, args ...any)
	}
	// ClaimsFromCtx returns jwt claims for the current user.
	ClaimsFromCtx func(context.Context) jwt.MapClaims
}
    Options are used to configure the PKI manager.
type PKIManager ¶
type PKIManager struct {
	// contains filtered or unexported fields
}
    PKIManager implements a simple Public Key Infrastructure (PKI) manager that can issue and revoke X.509 certificates.
func New ¶
func New(opts Options) (*PKIManager, error)
New returns a new initialized PKI manager. The Certificate Authority's key and certificate are created the first time New is called for a given name.
func (*PKIManager) CACert ¶
func (m *PKIManager) CACert() (*x509.Certificate, error)
CACert returns the CA's certificate.
func (*PKIManager) IsRevoked ¶
func (m *PKIManager) IsRevoked(serialNumber *big.Int) bool
IsRevoked returns whether the certificate with this serial number of revoked.
func (*PKIManager) IssueCertificate ¶
func (m *PKIManager) IssueCertificate(cr *x509.CertificateRequest) (cert []byte, retErr error)
IssueCertificate issues a new certificate.
func (*PKIManager) OCSPResponse ¶
func (m *PKIManager) OCSPResponse(req *ocsp.Request) ([]byte, error)
OCSPResponse creates an OCSP Response from the given request.
func (*PKIManager) RevocationList ¶
func (m *PKIManager) RevocationList() (cert, crl []byte, retErr error)
RevocationList returns the current revocation list.
func (*PKIManager) RevocationListPEM ¶
func (m *PKIManager) RevocationListPEM() ([]byte, error)
RevocationListPEM returns the current revocation list, PEM encoded.
func (*PKIManager) RevokeCertificate ¶
func (m *PKIManager) RevokeCertificate(serialNumber *big.Int, reasonCode int) (retErr error)
RevokeCertificate revokes the certificate with this serial number and set the reason code.
func (*PKIManager) ServeCACert ¶
func (m *PKIManager) ServeCACert(w http.ResponseWriter, req *http.Request)
ServeCACert sends the CA's certificate.
func (*PKIManager) ServeCRL ¶
func (m *PKIManager) ServeCRL(w http.ResponseWriter, req *http.Request)
ServeCRL sends the revocation list.
func (*PKIManager) ServeCertificateManagement ¶
func (m *PKIManager) ServeCertificateManagement(w http.ResponseWriter, req *http.Request)
func (*PKIManager) ServeOCSP ¶
func (m *PKIManager) ServeOCSP(w http.ResponseWriter, req *http.Request)
ServeOCSP implements the OCSP protocol for this CA. https://www.rfc-editor.org/rfc/rfc6960.html
func (*PKIManager) ValidateCertificateRequest ¶
func (m *PKIManager) ValidateCertificateRequest(csr []byte) (*x509.CertificateRequest, error)
ValidateCertificateRequest parses and validates a certificate signing request.
       Directories
      ¶
      Directories
      ¶
    
    | Path | Synopsis | 
|---|---|
| clientwasm implements TLS key generation and PKCS12 packaging in a browser so that the private key is never copied over the network. | clientwasm implements TLS key generation and PKCS12 packaging in a browser so that the private key is never copied over the network. |