ca

package
v0.15.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 13, 2026 License: Apache-2.0, Apache-2.0 Imports: 19 Imported by: 1

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AuthToken 

type AuthToken struct {
	Provider string
	Token    string
}

AuthToken is the token passed from the plugin through to the CA (and to the ca verifier plugin matching Provider). Token is opaque and can hold whatever the plugins need it to.

type BootstrapAuth added in v0.14.0 

type BootstrapAuth struct {
	Type         string   `json:"type"`
	Issuer       string   `json:"issuer,omitempty"`
	ClientID     string   `json:"client_id,omitempty"`
	ClientSecret string   `json:"client_secret,omitempty"`
	Scopes       []string `json:"scopes,omitempty"`
	Command      string   `json:"command,omitempty"`
}

BootstrapAuth represents the auth configuration from the policy server.

type CA 

type CA struct {
	// contains filtered or unexported fields
}

CA performs CA operations.

func New 

func New(privateKey sshcert.RawPrivateKey, policyURL string, options ...Option) (*CA, error)

New creates a new CA.

func (*CA) FetchDiscovery added in v0.14.0 

func (c *CA) FetchDiscovery(ctx context.Context) (*DiscoveryResponse, error)

FetchDiscovery fetches discovery data from the policy server. Uses HTTP caching (Cache-Control headers) to avoid unnecessary requests. The request is signed with RFC 9421 HTTP Message Signatures.

The signature has a 30s expiry while the cache TTL is 300s. This is safe because httpcache serves directly from cache during max-age and creates a fresh (newly signed) request after the cache expires.

func (*CA) PolicyURL added in v0.1.0 

func (c *CA) PolicyURL() string

PolicyURL returns the URL of the policy server.

func (*CA) PublicKey 

func (c *CA) PublicKey() sshcert.RawPublicKey

PublicKey returns the ssh on-disk format public key for the CA.

func (*CA) RequestPolicy 

func (c *CA) RequestPolicy(ctx context.Context, token string, conn policy.Connection) (*PolicyResponse, error)

RequestPolicy requests policy from the policy server for a cert request. The request is signed with RFC 9421 HTTP Message Signatures.

func (*CA) SignPublicKey 

func (c *CA) SignPublicKey(rawPubKey sshcert.RawPublicKey, params *CertParams) (sshcert.RawCertificate, error)

SignPublicKey signs a key to generate a certificate.

type CertParams 

type CertParams struct {
	Identity   string            `json:"identity"`
	Names      []string          `json:"principals"`
	Expiration time.Duration     `json:"expiration"`
	Extensions map[string]string `json:"extensions"`
}

CertParams are options which can be set on a certificate.

type DiscoveryResponse added in v0.14.0 

type DiscoveryResponse struct {
	Auth              *BootstrapAuth `json:"auth"`
	MatchPatterns     []string       `json:"matchPatterns,omitempty"`
	DefaultExpiration string         `json:"defaultExpiration,omitempty"`

	// CacheControl is the Cache-Control header from the policy server response.
	// Not serialized to JSON — used by the CA server to pass through to clients.
	CacheControl string `json:"-"`
}

DiscoveryResponse is the discovery data fetched from the policy server.

type Option 

type Option interface {
	// contains filtered or unexported methods
}

Option configures the CA.

func WithHTTPClient 

func WithHTTPClient(httpClient *http.Client) Option

WithHTTPClient configures the CA to use the specified HTTP Client.

func WithLogger added in v0.3.3 

func WithLogger(logger *slog.Logger) Option

WithLogger configures the CA to use the specified logger.

func WithTLSConfig added in v0.1.4 

func WithTLSConfig(cfg tlsconfig.Config) Option

WithTLSConfig creates an HTTP client with the specified TLS configuration.

type PolicyError added in v0.1.1 

type PolicyError struct {
	StatusCode int
	Message    string
}

PolicyError represents an error from the policy server. The CA server should return the same status code to the client.

func (*PolicyError) Error added in v0.1.1 

func (e *PolicyError) Error() string

type PolicyResponse added in v0.1.1 

type PolicyResponse struct {
	CertParams CertParams    `json:"certParams"`
	Policy     policy.Policy `json:"policy"`
}

PolicyResponse is the response from the policy server, containing both the certificate parameters and the policy.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.