Documentation
¶
Overview ¶
Package pki implements a simple Public Key Infrastructure (PKI) manager that can issue and revoke X.509 certificates.
Index ¶
- Constants
- type Options
- type PKIManager
- func (m *PKIManager) CACert() (*x509.Certificate, error)
- func (m *PKIManager) IsRevoked(serialNumber *big.Int) bool
- func (m *PKIManager) IssueCertificate(cr *x509.CertificateRequest) (cert []byte, retErr error)
- func (m *PKIManager) OCSPResponse(req *ocsp.Request) ([]byte, error)
- func (m *PKIManager) RevocationList() (cert, crl []byte, retErr error)
- func (m *PKIManager) RevocationListPEM() ([]byte, error)
- func (m *PKIManager) RevokeCertificate(serialNumber *big.Int, reasonCode int) (retErr error)
- func (m *PKIManager) ServeCACert(w http.ResponseWriter, req *http.Request)
- func (m *PKIManager) ServeCRL(w http.ResponseWriter, req *http.Request)
- func (m *PKIManager) ServeCertificateManagement(w http.ResponseWriter, req *http.Request)
- func (m *PKIManager) ServeOCSP(w http.ResponseWriter, req *http.Request)
- func (m *PKIManager) ValidateCertificateRequest(csr []byte) (*x509.CertificateRequest, error)
Constants ¶
const ( // https://www.rfc-editor.org/rfc/rfc5280.html#section-5.3.1 RevokeReasonUnspecified = 0 RevokeReasonKeyCompromise = 1 RevokeReasonCACompromise = 2 RevokeReasonAffiliationChanged = 3 RevokeReasonSuperseded = 4 RevokeReasonCessationOfOperation = 5 RevokeReasonCertificateHold = 6 // value 7 is not used RevokeReasonRemoveFromCRL = 8 RevokeReasonPriviliegeWithDrawn = 9 RevokeReasonAACompromise = 10 )
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Options ¶
type Options struct {
// Name is the names of the PKI manager.
Name string
// KeyType is one of ed25519, rsa-2048, rsa-4096, ecdsa-p256, etc.
// Defaults to ecdsa-p256.
KeyType string
// Endpoint is the URL that serves the PKI web pages.
Endpoint string
// IssuingCertificateURL is a list of URLs that serve the CA certificate.
IssuingCertificateURL []string
// CRLDistributionPoints is a list of URLs that server this CA's
// Certificate Revocation List.
CRLDistributionPoints []string
// OCSPServer is a list of URLs that serve the Online Certificate Status
// Protocol (OCSP) for this CA.
// https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol
OCSPServer []string
// Admins is the of users who are allowed to perform administrative
// tasks.
Admins []string
// TPM is used for hardware-backed keys.
TPM *tpm.TPM
// Store is used to store the PKI manager's data.
Store *storage.Storage
// EventRecorder is used to record events.
EventRecorder interface {
Record(string)
}
Logger interface {
Errorf(format string, args ...any)
}
// AdminMatcher returns true if group contains email.
AdminMatcher func(acl []string, email string) bool
}
Options are used to configure the PKI manager.
type PKIManager ¶
type PKIManager struct {
// contains filtered or unexported fields
}
PKIManager implements a simple Public Key Infrastructure (PKI) manager that can issue and revoke X.509 certificates.
func New ¶
func New(opts Options) (*PKIManager, error)
New returns a new initialized PKI manager. The Certificate Authority's key and certificate are created the first time New is called for a given name.
func (*PKIManager) CACert ¶
func (m *PKIManager) CACert() (*x509.Certificate, error)
CACert returns the CA's certificate.
func (*PKIManager) IsRevoked ¶
func (m *PKIManager) IsRevoked(serialNumber *big.Int) bool
IsRevoked returns whether the certificate with this serial number of revoked.
func (*PKIManager) IssueCertificate ¶
func (m *PKIManager) IssueCertificate(cr *x509.CertificateRequest) (cert []byte, retErr error)
IssueCertificate issues a new certificate.
func (*PKIManager) OCSPResponse ¶
func (m *PKIManager) OCSPResponse(req *ocsp.Request) ([]byte, error)
OCSPResponse creates an OCSP Response from the given request.
func (*PKIManager) RevocationList ¶
func (m *PKIManager) RevocationList() (cert, crl []byte, retErr error)
RevocationList returns the current revocation list.
func (*PKIManager) RevocationListPEM ¶
func (m *PKIManager) RevocationListPEM() ([]byte, error)
RevocationListPEM returns the current revocation list, PEM encoded.
func (*PKIManager) RevokeCertificate ¶
func (m *PKIManager) RevokeCertificate(serialNumber *big.Int, reasonCode int) (retErr error)
RevokeCertificate revokes the certificate with this serial number and set the reason code.
func (*PKIManager) ServeCACert ¶
func (m *PKIManager) ServeCACert(w http.ResponseWriter, req *http.Request)
ServeCACert sends the CA's certificate.
func (*PKIManager) ServeCRL ¶
func (m *PKIManager) ServeCRL(w http.ResponseWriter, req *http.Request)
ServeCRL sends the revocation list.
func (*PKIManager) ServeCertificateManagement ¶
func (m *PKIManager) ServeCertificateManagement(w http.ResponseWriter, req *http.Request)
func (*PKIManager) ServeOCSP ¶
func (m *PKIManager) ServeOCSP(w http.ResponseWriter, req *http.Request)
ServeOCSP implements the OCSP protocol for this CA. https://www.rfc-editor.org/rfc/rfc6960.html
func (*PKIManager) ValidateCertificateRequest ¶
func (m *PKIManager) ValidateCertificateRequest(csr []byte) (*x509.CertificateRequest, error)
ValidateCertificateRequest parses and validates a certificate signing request.
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
clientwasm implements TLS key generation and PKCS12 packaging in a browser so that the private key is never copied over the network.
|
clientwasm implements TLS key generation and PKCS12 packaging in a browser so that the private key is never copied over the network. |