Documentation
Overview
Package scep implements functionality related to the Simple Certificate Enrollment Protocol (SCEP).
Index
- Constants
- type Authority
- func (a *Authority) CreateFailureResponse(ctx context.Context, csr *x509.CertificateRequest, msg *PKIMessage, ...) (*PKIMessage, error)
- func (a *Authority) DecryptPKIEnvelope(ctx context.Context, msg *PKIMessage) error
- func (a *Authority) GetCACaps(ctx context.Context) []string
- func (a *Authority) GetCACertificates(ctx context.Context) ([]*x509.Certificate, error)
- func (a *Authority) GetLinkExplicit(provName string, abs bool, baseURL *url.URL, inputs ...string) string
- func (a *Authority) LoadProvisionerByName(name string) (provisioner.Interface, error)
- func (a *Authority) MatchChallengePassword(ctx context.Context, password string) (bool, error)
- func (a *Authority) SignCSR(ctx context.Context, csr *x509.CertificateRequest, msg *PKIMessage) (*PKIMessage, error)
- type AuthorityOptions
- type CertRepMessage
- type ContextKey
- type DB
- type FailInfo
- type FailInfoName
- type Options
- type PKIMessage
- type Provisioner
- type Service
- type SignAuthority
Constants
const (
	// ProvisionerContextKey provisioner key
	ProvisionerContextKey = ContextKey("provisioner")
)
Variables
This section is empty.
Functions
This section is empty.
Types
type Authority
type Authority struct {
	// contains filtered or unexported fields
}
Authority is the layer that handles all SCEP interactions.
func New
func New(signAuth SignAuthority, ops AuthorityOptions) (*Authority, error)
New returns a new Authority that implements the SCEP interface.
func (*Authority) CreateFailureResponse
func (a *Authority) CreateFailureResponse(ctx context.Context, csr *x509.CertificateRequest, msg *PKIMessage, info FailInfoName, infoText string) (*PKIMessage, error)
CreateFailureResponse creates an appropriately signed reply for PKI operations.
func (*Authority) DecryptPKIEnvelope
func (a *Authority) DecryptPKIEnvelope(ctx context.Context, msg *PKIMessage) error
DecryptPKIEnvelope decrypts an enveloped message.
func (*Authority) GetCACertificates
func (a *Authority) GetCACertificates(ctx context.Context) ([]*x509.Certificate, error)
GetCACertificates returns the certificate (chain) for the CA.
func (*Authority) GetLinkExplicit
func (a *Authority) GetLinkExplicit(provName string, abs bool, baseURL *url.URL, inputs ...string) string
GetLinkExplicit returns the requested link from the directory.
func (*Authority) LoadProvisionerByName (added in v0.18.1)
func (a *Authority) LoadProvisionerByName(name string) (provisioner.Interface, error)
LoadProvisionerByName calls out to the SignAuthority interface to load a provisioner by name.
func (*Authority) MatchChallengePassword
func (a *Authority) MatchChallengePassword(ctx context.Context, password string) (bool, error)
MatchChallengePassword verifies a SCEP challenge password.
func (*Authority) SignCSR
func (a *Authority) SignCSR(ctx context.Context, csr *x509.CertificateRequest, msg *PKIMessage) (*PKIMessage, error)
SignCSR creates an x509.Certificate based on a CSR template and the Cert Authority credentials, and returns a new PKIMessage with CertRep data.
type AuthorityOptions
type AuthorityOptions struct {
	// Service provides the certificate chain, the signer and the decrypter to the Authority
	Service *Service
	// DNS is the host used to generate accurate SCEP links. By default the authority
	// will use the Host from the request, so this value will only be used if
	// request.Host is empty.
	DNS string
	// Prefix is a URL path prefix under which the SCEP api is served. This
	// prefix is required to generate accurate SCEP links.
	Prefix string
}
AuthorityOptions are the options required to create a new SCEP Authority.
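The precedence rule in the DNS and Prefix comments above (request Host first, DNS only when the request carries no Host, Prefix always prepended) is easy to get wrong when wiring a SCEP endpoint behind a proxy. The following stand-alone Go program is an added illustration of that rule; it is not the package's own link-generation code. The LinkOptions type, the SCEPLink function, the "/<Prefix>/<provisioner>" path layout and the https scheme are all assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
)

// LinkOptions mirrors the two AuthorityOptions fields that drive link
// generation (DNS and Prefix). Hypothetical type for this example only.
type LinkOptions struct {
	DNS    string // fallback host, used only when the request carries no Host
	Prefix string // URL path prefix under which the SCEP API is served
}

// SCEPLink builds the link handed to a SCEP client for one provisioner.
// requestHost is the Host of the incoming HTTP request; as the AuthorityOptions
// docs state, it takes precedence and DNS is consulted only when it is empty.
// The "/<Prefix>/<provisioner>" layout and the https scheme are assumptions.
func SCEPLink(opts LinkOptions, requestHost, provName string, abs bool) (string, error) {
	if provName == "" {
		return "", errors.New("provisioner name must not be empty")
	}
	// path.Join normalises an empty Prefix and any stray slashes.
	p := path.Join("/", opts.Prefix, provName)
	if !abs {
		// A relative link needs no host at all.
		return p, nil
	}
	host := requestHost
	if host == "" {
		host = opts.DNS
	}
	if host == "" {
		return "", errors.New("cannot build absolute link: request Host and DNS are both empty")
	}
	u := url.URL{Scheme: "https", Host: host, Path: p}
	return u.String(), nil
}

func main() {
	opts := LinkOptions{DNS: "ca.internal.example", Prefix: "scep"}
	// Constructed sample inputs: a request that carries a Host header and one that does not.
	for _, h := range []string{"ca.example.com:9000", ""} {
		link, err := SCEPLink(opts, h, "mobile", true)
		fmt.Printf("request Host=%q -> %s (err=%v)\n", h, link, err)
	}
}
```

Because the request Host wins whenever it is present, the link a client receives reflects whatever Host reached the authority; setting DNS covers only the empty-Host case. When the SCEP API sits behind a reverse proxy, make sure the proxy forwards the intended Host so the generated links point at the address clients are meant to enrol against.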
type CertRepMessage
type CertRepMessage struct {
	microscep.PKIStatus
	microscep.RecipientNonce
	microscep.FailInfo
	Certificate *x509.Certificate
	// contains filtered or unexported fields
}
CertRepMessage is a type of PKIMessage.
type ContextKey
type ContextKey string
ContextKey is the key type for storing and searching for SCEP request essentials in the context of a request.
type DB
type DB interface {
	StoreCertificate(crt *x509.Certificate) error
}
type FailInfo
type FailInfo struct {
	Name FailInfoName
	Text string
}
FailInfo models a failInfo object consisting of a name/identifier and a failInfoText, the latter of which can be more descriptive and is intended to be read by humans.
type FailInfoName
FailInfoName models the name/value of failInfo.
type Options
type Options struct {
	// CertificateChain is the issuer certificate, along with any other bundled certificates
	// to be returned in the chain for consumers. Configured in the ca.json crt property.
	CertificateChain []*x509.Certificate
	// Signer signs CSRs in SCEP. Configured in the ca.json key property.
	Signer crypto.Signer `json:"-"`
	// Decrypter decrypts encrypted SCEP messages. Configured in the ca.json key property.
	Decrypter crypto.Decrypter `json:"-"`
}
type PKIMessage
type PKIMessage struct {
	microscep.TransactionID
	microscep.MessageType
	microscep.SenderNonce
	*microscep.CSRReqMessage
	*CertRepMessage
	// DER Encoded PKIMessage
	Raw []byte
	// parsed
	P7 *pkcs7.PKCS7
	// Used to sign message
	Recipients []*x509.Certificate
	// contains filtered or unexported fields
}
PKIMessage defines the possible SCEP message types.
type Provisioner
type Provisioner interface {
	AuthorizeSign(ctx context.Context, token string) ([]provisioner.SignOption, error)
	GetName() string
	DefaultTLSCertDuration() time.Duration
	GetOptions() *provisioner.Options
	GetChallengePassword() string
	GetCapabilities() []string
	ShouldIncludeRootInChain() bool
	GetContentEncryptionAlgorithm() int
}
Provisioner is an interface that implements a subset of provisioner.Interface: only those methods required by the SCEP API/authority.
type Service
type Service struct {
	// contains filtered or unexported fields
}
Service is a wrapper for crypto.Signer and crypto.Decrypter.
type SignAuthority
type SignAuthority interface {
	Sign(cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error)
	LoadProvisionerByName(string) (provisioner.Interface, error)
}
SignAuthority is the interface for a signing authority.