issuance

package
v0.20251007.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 7, 2025 License: MPL-2.0 Imports: 31 Imported by: 3

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type CRLProfile 

type CRLProfile struct {
	// contains filtered or unexported fields
}

func NewCRLProfile 

func NewCRLProfile(config CRLProfileConfig) (*CRLProfile, error)

type CRLProfileConfig 

type CRLProfileConfig struct {
	ValidityInterval config.Duration
	MaxBackdate      config.Duration

	// LintConfig is a path to a zlint config file, which can be used to control
	// the behavior of zlint's "customizable lints".
	LintConfig string
	// IgnoredLints is a list of lint names that we know will fail for this
	// profile, and which we know it is safe to ignore.
	IgnoredLints []string
}

type CRLRequest 

type CRLRequest struct {
	Number *big.Int
	Shard  int64

	ThisUpdate time.Time

	Entries []x509.RevocationListEntry
}

type Certificate 

type Certificate struct {
	*x509.Certificate
	// contains filtered or unexported fields
}

Certificate embeds an *x509.Certificate and represents the added semantics that this certificate is a CA certificate.

func LoadCertificate 

func LoadCertificate(path string) (*Certificate, error)

func LoadChain 

func LoadChain(certFiles []string) ([]*Certificate, error)

LoadChain takes a list of filenames containing pem-formatted certificates, and returns a chain representing all of those certificates in order. It ensures that the resulting chain is valid. The final file is expected to be a root certificate, which the chain will be verified against, but which will not be included in the resulting chain.

func NewCertificate 

func NewCertificate(ic *x509.Certificate) (*Certificate, error)

NewCertificate wraps an in-memory cert in an issuance.Certificate, marking it as an issuer cert. It may fail if the certificate does not contain the attributes expected of an issuer certificate.

func (*Certificate) NameID 

func (ic *Certificate) NameID() NameID

NameID is equivalent to SubjectNameID(ic), but faster because it is precomputed.

type HexMarshalableBytes 

type HexMarshalableBytes []byte

func (HexMarshalableBytes) MarshalJSON 

func (h HexMarshalableBytes) MarshalJSON() ([]byte, error)

type IssuanceRequest 

type IssuanceRequest struct {
	// PublicKey is of type MarshalablePublicKey so we can log an IssuanceRequest as a JSON object.
	PublicKey    MarshalablePublicKey
	SubjectKeyId HexMarshalableBytes

	Serial HexMarshalableBytes

	NotBefore time.Time
	NotAfter  time.Time

	CommonName  string
	DNSNames    []string
	IPAddresses []net.IP

	IncludeCTPoison bool
	// contains filtered or unexported fields
}

IssuanceRequest describes a certificate issuance request

It can be marshaled as JSON for logging purposes, though note that sctList and precertDER will be omitted from the marshaled output because they are unexported.

func RequestFromPrecert 

func RequestFromPrecert(precert *x509.Certificate, scts []ct.SignedCertificateTimestamp) (*IssuanceRequest, error)

RequestFromPrecert constructs a final certificate IssuanceRequest matching the provided precertificate. It returns an error if the precertificate doesn't contain the CT poison extension.

type Issuer 

type Issuer struct {
	// TODO(#7159): make Cert, Signer, and Linter private when all signing ops
	// are handled through this package (e.g. the CA doesn't need direct access
	// while signing CRLs anymore).
	Cert   *Certificate
	Signer crypto.Signer
	Linter *linter.Linter
	// contains filtered or unexported fields
}

Issuer is capable of issuing new certificates.

func LoadIssuer 

func LoadIssuer(config IssuerConfig, clk clock.Clock) (*Issuer, error)

LoadIssuer constructs a new Issuer, loading its certificate from disk and its private key material from the indicated location. It also verifies that the issuer metadata (such as AIA URLs) is well-formed.

func (*Issuer) IsActive 

func (i *Issuer) IsActive() bool

IsActive is true if the issuer is willing to issue precertificates, and false if the issuer is only willing to issue final certificates and CRLs.

func (*Issuer) Issue 

func (i *Issuer) Issue(token *issuanceToken) ([]byte, error)

Issue performs a real issuance using an issuanceToken resulting from a previous call to Prepare(). Call this at most once per token. Calls after the first will receive an error.

func (*Issuer) IssueCRL 

func (i *Issuer) IssueCRL(prof *CRLProfile, req *CRLRequest) ([]byte, error)

func (*Issuer) KeyType 

func (i *Issuer) KeyType() x509.PublicKeyAlgorithm

KeyType returns either x509.RSA or x509.ECDSA, depending on whether the issuer has an RSA or ECDSA keypair. This is useful for determining which issuance requests should be routed to this issuer.

func (*Issuer) Name 

func (i *Issuer) Name() string

Name provides the Common Name specified in the issuer's certificate.

func (*Issuer) NameID 

func (i *Issuer) NameID() NameID

NameID provides the NameID of the issuer's certificate.

func (*Issuer) Prepare 

func (i *Issuer) Prepare(prof *Profile, req *IssuanceRequest) ([]byte, *issuanceToken, error)

Prepare combines the given profile and request with the Issuer's information to create a template certificate. It then generates a linting certificate from that template and runs the linter over it. If successful, returns both the linting certificate (which can be stored) and an issuanceToken. The issuanceToken can be used to sign a matching certificate with this Issuer's private key.

type IssuerConfig 

type IssuerConfig struct {
	// Active determines if the issuer can be used to sign precertificates. All
	// issuers, regardless of this field, can be used to sign final certificates
	// (for which an issuance token is presented) and CRLs.
	// All Active issuers of a given key type (RSA or ECDSA) are part of a pool
	// and each precertificate will be issued randomly from a selected pool.
	// The selection of which pool depends on the precertificate's key algorithm.
	Active bool

	// Profiles is the list of profiles for which this issuer is willing to issue.
	// For the moment, this does nothing, and exists only for deployability.
	// TODO(#8390): Make this field required for active issuers.
	Profiles []string `validate:"omitempty,dive,alphanum,min=1,max=32"`

	IssuerURL  string `validate:"required,url"`
	CRLURLBase string `validate:"required,url,startswith=http://,endswith=/"`

	// TODO(#8177): Remove this.
	OCSPURL string `validate:"omitempty,url"`

	// Number of CRL shards. Must be positive, but can be 1 for no sharding.
	CRLShards int `validate:"required,min=1"`

	Location IssuerLoc
}

IssuerConfig describes the constraints on and URLs used by a single issuer.

type IssuerLoc 

type IssuerLoc struct {
	// A file from which a private key will be read and parsed.
	File string `validate:"required_without_all=ConfigFile PKCS11"`
	// A file from which a pkcs11key.Config will be read and parsed, if File is not set.
	ConfigFile string `validate:"required_without_all=PKCS11 File"`
	// An in-memory pkcs11key.Config, which will be used if ConfigFile is not set.
	PKCS11 *pkcs11key.Config `validate:"required_without_all=ConfigFile File"`
	// A file from which a certificate will be read and parsed.
	CertFile string `validate:"required"`
	// Number of sessions to open with the HSM. For maximum performance,
	// this should be equal to the number of cores in the HSM. Defaults to 1.
	NumSessions int
}

IssuerLoc describes the on-disk location and parameters that an issuer should use to retrieve its certificate and private key. Only one of File, ConfigFile, or PKCS11 should be set.

type MarshalablePublicKey 

type MarshalablePublicKey struct {
	crypto.PublicKey
}

MarshalablePublicKey is a wrapper for crypto.PublicKey with a custom JSON marshaller that encodes the public key as a DER-encoded SubjectPublicKeyInfo.

func (MarshalablePublicKey) MarshalJSON 

func (pk MarshalablePublicKey) MarshalJSON() ([]byte, error)

type NameID 

type NameID int64

NameID is a statistically-unique small ID which can be computed from both CA and end-entity certs to link them together into a validation chain. It is computed as a truncated hash over the issuer Subject Name bytes, or over the end-entity's Issuer Name bytes, which are required to be equal.

func IssuerNameID 

func IssuerNameID(ee *x509.Certificate) NameID

IssuerNameID returns the IssuerNameID (a truncated hash over the raw bytes of the Issuer Distinguished Name) of the given end-entity certificate. Useful for performing lookups in contexts that don't expect hash collisions.

func SubjectNameID 

func SubjectNameID(ic *Certificate) NameID

SubjectNameID returns the NameID (a truncated hash over the raw bytes of a Distinguished Name) of this issuer certificate's Subject. Useful for storing as a lookup key in contexts that don't expect hash collisions.

type PolicyConfig 

type PolicyConfig struct {
	OID string `validate:"required"`
}

PolicyConfig describes a policy

type Profile 

type Profile struct {
	// contains filtered or unexported fields
}

Profile is the validated structure created by reading in ProfileConfigs and IssuerConfigs

func NewProfile 

func NewProfile(profileConfig *ProfileConfig) (*Profile, error)

NewProfile converts the profile config into a usable profile.

func (*Profile) GenerateValidity 

func (p *Profile) GenerateValidity(now time.Time) (time.Time, time.Time)

GenerateValidity returns a notBefore/notAfter pair bracketing the input time, based on the profile's configured backdate and validity.

type ProfileConfig 

type ProfileConfig struct {
	// AllowMustStaple, when false, causes all IssuanceRequests which specify the
	// OCSP Must Staple extension to be rejected.
	//
	// Deprecated: This has no effect, Must Staple is always omitted.
	// TODO(#8177): Remove this.
	AllowMustStaple bool

	// OmitCommonName causes the CN field to be excluded from the resulting
	// certificate, regardless of its inclusion in the IssuanceRequest.
	OmitCommonName bool
	// OmitKeyEncipherment causes the keyEncipherment bit to be omitted from the
	// Key Usage field of all certificates (instead of only from ECDSA certs).
	OmitKeyEncipherment bool
	// OmitClientAuth causes the id-kp-clientAuth OID (TLS Client Authentication)
	// to be omitted from the EKU extension.
	OmitClientAuth bool
	// OmitSKID causes the Subject Key Identifier extension to be omitted.
	OmitSKID bool
	// OmitOCSP causes the OCSP URI field to be omitted from the Authority
	// Information Access extension. This cannot be true unless
	// IncludeCRLDistributionPoints is also true, to ensure that every
	// certificate has at least one revocation mechanism included.
	//
	// Deprecated: This has no effect; OCSP is always omitted.
	// TODO(#8177): Remove this.
	OmitOCSP bool
	// IncludeCRLDistributionPoints causes the CRLDistributionPoints extension to
	// be added to all certificates issued by this profile.
	//
	// Deprecated: This has no effect; CRLDP is always included.
	// TODO(#8177): Remove this.
	IncludeCRLDistributionPoints bool

	MaxValidityPeriod   config.Duration
	MaxValidityBackdate config.Duration

	// LintConfig is a path to a zlint config file, which can be used to control
	// the behavior of zlint's "customizable lints".
	LintConfig string
	// IgnoredLints is a list of lint names that we know will fail for this
	// profile, and which we know it is safe to ignore.
	IgnoredLints []string
}

ProfileConfig describes the certificate issuance constraints for all issuers.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.