signer

Published: Jan 7, 2026 License: Apache-2.0 Imports: 14 Imported by: 0


Constants

// CertificateSignerNameCtxKey is the context.Context key (of the unexported type
// ctxKey) whose string value is "certificate_signer". What is stored under it is
// not shown on this page — presumably the name of the signer associated with the
// peer certificate; confirm against CA.PeerCertificateSignerFromCtx and
// PeerCertificateFromCtx.
const CertificateSignerNameCtxKey ctxKey = "certificate_signer"
// DefaultDeviceEnrollmentExpirySeconds is the default device-enrollment certificate
// lifetime in seconds (365 days). It has the same type as the value behind
// SignRequest.ExpirationSeconds (*int32); note that CA.IssueRequested*Certificate
// take the lifetime as a plain int, so a conversion happens somewhere in between.
const DefaultDeviceEnrollmentExpirySeconds int32 = 60 * 60 * 24 * 365 // 1 year

Variables

var (
	// NullOrgID aliases org.DefaultID; presumably the org ID used when a request
	// carries none — confirm against WithOrgIDExtension.
	NullOrgID = org.DefaultID
	// Custom X.509 extension OIDs used by this package. All three live under the
	// private-enterprise arc 1.3.6.1.4.1.99999.
	// NOTE(review): confirm that PEN 99999 is assigned to this project; if it is not,
	// these OIDs can collide with third-party extensions minted under the same arc.
	OIDSignerName        = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 1} // signer name (WithSignerNameExtension / GetSignerNameExtension)
	OIDOrgID             = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 2} // org UUID (WithOrgIDExtension / GetOrgIDExtensionFromCSR, GetOrgIDExtensionFromCert)
	OIDDeviceFingerprint = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 3} // device fingerprint (GetDeviceFingerprintExtension)
)

Functions

func BootstrapCNFromName

func BootstrapCNFromName(cfg *ca.Config, name string) string

func CNFromDeviceFingerprint

func CNFromDeviceFingerprint(cfg *ca.Config, fingerprint string) (string, error)

func DeviceFingerprintFromCN

func DeviceFingerprintFromCN(cfg *ca.Config, commonName string) (string, error)

func GetDeviceFingerprintExtension added in v0.10.0

func GetDeviceFingerprintExtension(cert *x509.Certificate) (string, error)

func GetOrgIDExtensionFromCSR added in v0.10.0

func GetOrgIDExtensionFromCSR(cert *x509.CertificateRequest) (uuid.UUID, bool, error)

GetOrgIDExtensionFromCSR extracts the organization ID (UUID) from the CSR's OIDOrgID extension. It returns (id, true, nil) if present and valid; (uuid.Nil, false, nil) if the extension is absent; and (uuid.Nil, present, err) if retrieval fails or the value cannot be parsed as a UUID.

func GetOrgIDExtensionFromCert added in v0.10.0

func GetOrgIDExtensionFromCert(cert *x509.Certificate) (uuid.UUID, bool, error)

GetOrgIDExtensionFromCert extracts the organization ID (UUID) from the certificate's OIDOrgID extension. It returns (id, true, nil) if present and valid; (uuid.Nil, false, nil) if the extension is absent; and (uuid.Nil, present, err) if retrieval fails or the value cannot be parsed as a UUID.

func GetSignerNameExtension

func GetSignerNameExtension(cert *x509.Certificate) (string, error)

func PeerCertificateFromCtx

func PeerCertificateFromCtx(ctx context.Context) (*x509.Certificate, error)

func Sign added in v0.10.0

func Sign(ctx context.Context, ca CA, req SignRequest) (*x509.Certificate, error)

Sign signs the request using the requested signer without first verifying it (see SignVerified for the verify-then-sign variant) and returns the signed certificate.

func SignAsPEM added in v0.10.0

func SignAsPEM(ctx context.Context, ca CA, req SignRequest) ([]byte, error)

SignAsPEM signs the request and returns the signed certificate in PEM format.

func SignVerified added in v0.10.0

func SignVerified(ctx context.Context, ca CA, req SignRequest) (*x509.Certificate, error)

SignVerified verifies the request and then signs it, returning the signed certificate.

func SignVerifiedAsPEM added in v0.10.0

func SignVerifiedAsPEM(ctx context.Context, ca CA, req SignRequest) ([]byte, error)

SignVerifiedAsPEM verifies, signs, and returns the signed certificate in PEM format.

func Verify added in v0.10.0

func Verify(ctx context.Context, ca CA, req SignRequest) error

Verify verifies the request using the requested signer.

func WithExtension

func WithExtension(oid asn1.ObjectIdentifier, value string) certOption

func WithOrgIDExtension added in v0.10.0

func WithOrgIDExtension(s func(CA) Signer) func(CA) Signer

WithOrgIDExtension injects the OrgID extension (taken from the CSR or the context) when issuing client certificates via the CA. Rules:
- If both the CSR and the context contain an OrgID and they differ: verification/issuance fails.
- If the CSR is missing an OrgID and the context has one: the context OrgID is used.
- If the CSR has an OrgID: it is used.
- If neither has an OrgID: no OrgID is included in the certificate.

func WithSignerNameExtension

func WithSignerNameExtension(s func(CA) Signer) func(CA) Signer

Types

type CA

// CA is the certificate-authority surface that the signers in this package are
// built on (see NewCASigners and the New* signer constructors, which all take a CA).
type CA interface {
	// Config returns the CA configuration. The CN helpers in this package
	// (BootstrapCNFromName, CNFromDeviceFingerprint, DeviceFingerprintFromCN)
	// take a *ca.Config.
	Config() *ca.Config
	// GetSigner looks up a Signer by name. Whether an unknown name yields nil or
	// a fallback signer is not shown on this page — callers should check before use.
	GetSigner(name string) Signer
	// PeerCertificateSignerFromCtx resolves the Signer for the peer certificate
	// carried in ctx (see PeerCertificateFromCtx and CertificateSignerNameCtxKey).
	PeerCertificateSignerFromCtx(ctx context.Context) Signer
	// IssueRequestedClientCertificate issues a client certificate for csr with a
	// lifetime of expirySeconds, applying opts (e.g. WithExtension) to the result.
	// expirySeconds is a plain int here, while SignRequest.ExpirationSeconds is *int32.
	// NOTE(review): no upper bound on a caller-supplied expirySeconds is visible on
	// this page — confirm that implementations clamp it.
	IssueRequestedClientCertificate(ctx context.Context, csr *x509.CertificateRequest, expirySeconds int, opts ...certOption) (*x509.Certificate, error)
	// IssueRequestedServerCertificate is the server-certificate counterpart of
	// IssueRequestedClientCertificate, with identical parameters.
	IssueRequestedServerCertificate(ctx context.Context, csr *x509.CertificateRequest, expirySeconds int, opts ...certOption) (*x509.Certificate, error)
}

type CASigners

// CASigners is the set of signers available for a CA. Build it with NewCASigners
// and look a signer up by name with GetSigner.
type CASigners struct {
	// contains filtered or unexported fields
}

func NewCASigners

func NewCASigners(ca CA) *CASigners

func (*CASigners) GetSigner

func (s *CASigners) GetSigner(name string) Signer

type RestrictedSigner

// RestrictedSigner is implemented by signers that expose a restricted prefix;
// SignerDeviceManagement is the implementation on this page. WithSignerRestrictedPrefixes
// takes a map from prefix to Signer, which suggests the prefix is matched against
// the incoming request (presumably its signer or resource name — confirm).
type RestrictedSigner interface {
	// RestrictedPrefix returns the prefix this signer is restricted to.
	RestrictedPrefix() string
}

type SignRequest added in v0.10.0

// SignRequest represents the minimal interface needed for certificate signing
// operations. Construct one with NewSignRequest or NewSignRequestFromBytes.
type SignRequest interface {
	// SignerName names the signer that should handle this request
	// (presumably resolved through CA.GetSigner — confirm).
	SignerName() string
	// ResourceName is the original resource name set via WithResourceName;
	// nil when it was never set (inferred from the pointer type — confirm).
	ResourceName() *string
	// X509 returns the parsed certificate request, by value.
	X509() x509.CertificateRequest
	// ExpirationSeconds is the requested lifetime in seconds set via
	// WithExpirationSeconds; nil when unset (inferred from the pointer type — confirm).
	ExpirationSeconds() *int32
	// IssuedCertificate returns a previously issued certificate attached via
	// WithIssuedCertificate / WithIssuedCertificateBytes, and whether one is present.
	IssuedCertificate() (*x509.Certificate, bool)
}

SignRequest represents the minimal interface needed for certificate signing operations.

func NewSignRequest added in v0.10.0

func NewSignRequest(signerName string, csr x509.CertificateRequest, opts ...SignRequestOption) (SignRequest, error)

NewSignRequest constructs a new SignRequest using the provided signer name and CSR. Additional attributes can be supplied via functional options.

func NewSignRequestFromBytes added in v0.10.0

func NewSignRequestFromBytes(signerName string, csrBytes []byte, opts ...SignRequestOption) (SignRequest, error)

type SignRequestOption added in v0.10.0

// SignRequestOption configures the request being built by NewSignRequest or
// NewSignRequestFromBytes; WithExpirationSeconds, WithIssuedCertificate,
// WithIssuedCertificateBytes and WithResourceName each produce one. An option may
// return an error — presumably surfaced as the constructor's error; confirm.
type SignRequestOption func(*basicSignRequest) error

func WithExpirationSeconds added in v0.10.0

func WithExpirationSeconds(expiry int32) SignRequestOption

WithExpirationSeconds sets the certificate expiry (in seconds) for the sign request.

func WithIssuedCertificate added in v0.10.0

func WithIssuedCertificate(cert *x509.Certificate) SignRequestOption

WithIssuedCertificate attaches an already-issued certificate to the request.

func WithIssuedCertificateBytes added in v0.10.0

func WithIssuedCertificateBytes(certBytes []byte) SignRequestOption

func WithResourceName added in v0.10.0

func WithResourceName(name string) SignRequestOption

WithResourceName sets the original resource name for the sign request.

type Signer

// Signer verifies and signs SignRequests. Instances come from the New* constructors
// or CA.GetSigner and may be wrapped by WithCSRValidation, WithCertificateReuse,
// WithSignerNameValidation or WithSignerRestrictedPrefixes.
type Signer interface {
	// Name returns the signer's name.
	Name() string
	// Verify validates request without issuing anything. The package-level Sign
	// helper is documented as signing without verification, so callers that need
	// both should use SignVerified rather than assuming Sign runs Verify.
	Verify(ctx context.Context, request SignRequest) error
	// Sign issues a certificate for request.
	Sign(ctx context.Context, request SignRequest) (*x509.Certificate, error)
}

func NewDeviceEnrollment added in v1.0.0

func NewDeviceEnrollment(CAClient CA) Signer

func NewSignerDeviceManagement added in v1.0.0

func NewSignerDeviceManagement(CAClient CA) Signer

func NewSignerDeviceSvcClient

func NewSignerDeviceSvcClient(CAClient CA) Signer

func NewSignerServerSvc

func NewSignerServerSvc(CAClient CA) Signer

func WithCSRValidation

func WithCSRValidation(s Signer) Signer

func WithCertificateReuse

func WithCertificateReuse(s Signer) Signer

func WithSignerNameValidation

func WithSignerNameValidation(s Signer) Signer

func WithSignerRestrictedPrefixes

func WithSignerRestrictedPrefixes(restrictedPrefixes map[string]Signer, s Signer) Signer

type SignerDeviceEnrollment

// SignerDeviceEnrollment is the Signer returned by NewDeviceEnrollment (methods
// Name, Sign, Verify). DefaultDeviceEnrollmentExpirySeconds presumably applies when
// a request carries no expiry — confirm in Sign.
type SignerDeviceEnrollment struct {
	// contains filtered or unexported fields
}

func (*SignerDeviceEnrollment) Name

func (s *SignerDeviceEnrollment) Name() string

func (*SignerDeviceEnrollment) Sign

func (*SignerDeviceEnrollment) Verify

func (s *SignerDeviceEnrollment) Verify(ctx context.Context, request SignRequest) error

type SignerDeviceManagement added in v1.0.0

// SignerDeviceManagement is the Signer returned by NewSignerDeviceManagement. It also
// satisfies RestrictedSigner through RestrictedPrefix, so it can be registered with
// WithSignerRestrictedPrefixes.
type SignerDeviceManagement struct {
	// contains filtered or unexported fields
}

func (*SignerDeviceManagement) Name added in v1.0.0

func (s *SignerDeviceManagement) Name() string

func (*SignerDeviceManagement) RestrictedPrefix added in v1.0.0

func (s *SignerDeviceManagement) RestrictedPrefix() string

func (*SignerDeviceManagement) Sign added in v1.0.0

func (*SignerDeviceManagement) Verify added in v1.0.0

func (s *SignerDeviceManagement) Verify(ctx context.Context, request SignRequest) error

type SignerDeviceSvcClient

// SignerDeviceSvcClient is the Signer returned by NewSignerDeviceSvcClient
// (methods Name, Sign, Verify).
type SignerDeviceSvcClient struct {
	// contains filtered or unexported fields
}

func (*SignerDeviceSvcClient) Name

func (s *SignerDeviceSvcClient) Name() string

func (*SignerDeviceSvcClient) Sign

func (*SignerDeviceSvcClient) Verify

func (s *SignerDeviceSvcClient) Verify(ctx context.Context, request SignRequest) error

type SignerServerSvc

// SignerServerSvc is the Signer returned by NewSignerServerSvc; it is the
// server-certificate signer (methods Name, Sign, Verify).
type SignerServerSvc struct {
	// contains filtered or unexported fields
}

func (*SignerServerSvc) Name

func (s *SignerServerSvc) Name() string

func (*SignerServerSvc) Sign

func (s *SignerServerSvc) Sign(ctx context.Context, request SignRequest) (*x509.Certificate, error)

func (*SignerServerSvc) Verify

func (s *SignerServerSvc) Verify(ctx context.Context, request SignRequest) error
