Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type CDPConfig ¶
type CDPConfig struct {
// CRLFetchMode Configures how and when CRLs are downloaded for the first time
// Supported Values: 'fetch_actively', 'fetch_background'
// See: https://github.com/Gr33nbl00d/caddy-revocation-validator#crl_fetch_mode
CRLFetchMode string `json:"crl_fetch_mode,omitempty"`
// CRLCDPStrict Configures if CRL checking is mandatory to allow a connection if CDP is defined (Optional) (Default: false)
// See: https://github.com/Gr33nbl00d/caddy-revocation-validator#crl_cdp_strict
CRLCDPStrict bool `json:"crl_cdp_strict,omitempty"`
}
type CDPConfigParsed ¶ added in v1.0.6
type CDPConfigParsed struct {
CRLFetchModeParsed CRLFetchMode
CRLCDPStrict bool
}
type CRLConfig ¶
type CRLConfig struct {
// WorkDir Configures the working directory for temporary CRL downloads and for disk based persistent CRLs
WorkDir string `json:"work_dir"`
// CDPConfig Configures how CDP (Certificate Distribution Point Extension) entries in the client certificate are used
CDPConfig *CDPConfig `json:"cdp_config,omitempty"`
// StorageType Configures how to store CRLs locally (Optional)
// Supported Values: 'memory', 'disk' Default: 'disk'
// See: https://github.com/Gr33nbl00d/caddy-revocation-validator#storage_type
StorageType string `json:"storage_type,omitempty"`
// UpdateInterval The interval in which the already known CRLs will be updated. (Optional) (Default: 30 minutes)
// Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”
// See: https://pkg.go.dev/time#ParseDuration
UpdateInterval string `json:"update_interval,omitempty"`
// Configures the signature validation or the CRL (Optional) (Default: 'verify')
// Supported Values: 'none', 'verify', 'verify_log'
// See: https://github.com/Gr33nbl00d/caddy-revocation-validator#signature_validation_mode
SignatureValidationMode string `json:"signature_validation_mode,omitempty"`
// CRLUrls (Optional) A predefined list of http(s) urls pointing to CRLs. These lists will be checked for all client certificates.
// The predefined CRLs will be loaded on startup and updated cyclic.
// PEM and DER encoding are both supported
CRLUrls []string `json:"crl_urls,omitempty"`
// CRLFiles (Optional) A predefined list of files pointing to CRLs. These lists will be checked for all client certificates.
// The predefined CRLs will be loaded on startup
// PEM and DER encoding are both supported
CRLFiles []string `json:"crl_files,omitempty"`
// TrustedSignatureCertsFiles (Optional) A predefined list of files of CA certificates which are trusted for CRL signing.
// These certificates will be used to verify CRL signature if the CRL signature cert is not part of the client cert chain.
// If the signature cert is part of the client cert chain there is no need to configure a certificate here.
// PEM and DER encoding are both supported
TrustedSignatureCertsFiles []string `json:"trusted_signature_certs_files,omitempty"`
}
type CRLConfigParsed ¶ added in v1.0.6
type CRLConfigParsed struct {
SignatureValidationModeParsed SignatureValidationMode
StorageTypeParsed StorageType
TrustedSignatureCerts []*x509.Certificate
UpdateIntervalParsed time.Duration
CDPConfigParsed *CDPConfigParsed
WorkDir string
CRLUrls []string
CRLFiles []string
}
type CRLFetchMode ¶
type CRLFetchMode int
const ( CRLFetchModeActively CRLFetchMode = iota CRLFetchModeBackground )
type OCSPConfig ¶
type OCSPConfig struct {
// DefaultCacheDuration The default time to cache OCSP responses (Optional) (Default: 0)
// Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”
// If the default time is zero no caching will be performed.
DefaultCacheDuration string `json:"default_cache_duration,omitempty"`
// TrustedResponderCertsFiles (Optional) A predefined list of files of CA certificates which are trusted to verify the OCSP response signature.
// These certificates will be used to verify OCSP response signature if the ocsp response signature cert is not part of the client cert chain.
// If the signature cert is part of the client cert chain there is no need to configure a certificate here.
// PEM and DER encoding are both supported
TrustedResponderCertsFiles []string `json:"trusted_responder_certs_files,omitempty"`
// OCSPAIAStrict Configures if OCSP checking is mandatory to allow a connection if AIA is defined (Optional) (Default: false)
// In strict mode it is required that if an OCSP server is defined inside AIA extension at least
// one OCSP server defined can be contacted to check for revocation. Or a valid response of one of the OCSP server is inside the cache
// If no OCSP server can be contacted and no cached response is present or the validation of the OCSP response signature failed connection is denied.
OCSPAIAStrict bool `json:"ocsp_aia_strict,omitempty"`
}
type OCSPConfigParsed ¶ added in v1.0.6
type OCSPConfigParsed struct {
TrustedResponderCerts []*x509.Certificate
DefaultCacheDurationParsed time.Duration
OCSPAIAStrict bool
}
type RevocationCheckMode ¶
type RevocationCheckMode int
const ( RevocationCheckModePreferOCSP RevocationCheckMode = iota RevocationCheckModePreferCRL RevocationCheckModeCRLOnly RevocationCheckModeOCSPOnly RevocationCheckModeDisabled )
type SignatureValidationMode ¶
type SignatureValidationMode int
const ( SignatureValidationModeNone SignatureValidationMode = iota SignatureValidationModeVerifyLog SignatureValidationModeVerify )
Source Files
Click to show internal directories.
Click to hide internal directories.