func ContainsMustStaple(extensions []pkix.Extension) bool
Certificate embeds an *x509.Certificate and represents the added semantics that this certificate can be used for issuance.
type Certificate struct {
*x509.Certificate
// contains filtered or unexported fields
}
func LoadCertificate(path string) (*Certificate, error)
func LoadChain(certFiles []string) ([]*Certificate, error)
LoadChain takes a list of filenames containing pem-formatted certificates, and returns a chain representing all of those certificates in order. It ensures that the resulting chain is valid. The final file is expected to be a root certificate, which the chain will be verified against, but which will not be included in the resulting chain.
func LoadIssuer(location IssuerLoc) (*Certificate, crypto.Signer, error)
LoadIssuer loads a signer (private key) and certificate from the locations specified.
func NewCertificate(ic *x509.Certificate) (*Certificate, error)
NewCertificate wraps an in-memory cert in an issuance.Certificate, marking it as an issuer cert. It may fail if the certificate does not contain the attributes expected of an issuer certificate.
func (ic *Certificate) ID() IssuerID
ID returns the IssuerID (a truncated hash over the raw bytes of the whole cert) of this issuer certificate. DEPRECATED: Use .NameID() instead.
func (ic *Certificate) KeyHash() [20]byte
KeyHash returns the SHA1 hash over the issuer certificate's Subject Public Key Info. This is one of the values used to uniquely identify the issuer cert in an RFC6960 + RFC5019 OCSP request.
func (ic *Certificate) NameHash() [20]byte
NameHash returns the SHA1 hash over the issuer certificate's Subject Distinguished Name. This is one of the values used to uniquely identify the issuer cert in an RFC6960 + RFC5019 OCSP request.
func (ic *Certificate) NameID() IssuerNameID
NameID returns the IssuerNameID (a truncated hash over the raw bytes of the Subject Distinguished Name) of this issuer certificate. Useful for storing as a lookup key in contexts that don't expect hash collisions.
IssuanceRequest describes a certificate issuance request
type IssuanceRequest struct {
PublicKey crypto.PublicKey
Serial []byte
NotBefore time.Time
NotAfter time.Time
CommonName string
DNSNames []string
IncludeMustStaple bool
IncludeCTPoison bool
// contains filtered or unexported fields
}
func RequestFromPrecert(precert *x509.Certificate, scts []ct.SignedCertificateTimestamp) (*IssuanceRequest, error)
RequestFromPrecert constructs a final certificate IssuanceRequest matching the provided precertificate. It returns an error if the precertificate doesn't contain the CT poison extension.
Issuer is capable of issuing new certificates TODO(#5086): make Cert and Signer private when they're no longer needed by ca.internalIssuer
type Issuer struct {
Cert *Certificate
Signer crypto.Signer
Profile *Profile
Linter *linter.Linter
Clk clock.Clock
}
func NewIssuer(cert *Certificate, signer crypto.Signer, profile *Profile, linter *linter.Linter, clk clock.Clock) (*Issuer, error)
NewIssuer constructs an Issuer on the heap, verifying that the profile is well-formed.
func (i *Issuer) Algs() []x509.PublicKeyAlgorithm
Algs provides the list of leaf certificate public key algorithms for which this issuer is willing to issue. This is not necessarily the same as the public key algorithm or signature algorithm in this issuer's own cert.
func (i *Issuer) ID() IssuerID
ID provides a stable ID for an issuer's certificate. This is used for identifying which issuer issued a certificate in the certificateStatus table.
func (i *Issuer) Issue(token *issuanceToken) ([]byte, error)
Issue performs a real issuance using an issuanceToken resulting from a previous call to Prepare(). Call this at most once per token. Calls after the first will receive an error.
func (i *Issuer) Name() string
Name provides the Common Name specified in the issuer's certificate.
func (i *Issuer) Prepare(req *IssuanceRequest) ([]byte, *issuanceToken, error)
Prepare applies this Issuer's profile to create a template certificate. It then generates a linting certificate from that template and runs the linter over it. If successful, returns both the linting certificate (which can be stored) and an issuanceToken. The issuanceToken can be used to sign a matching certificate with this Issuer's private key.
IssuerConfig describes the constraints on and URLs used by a single issuer.
type IssuerConfig struct {
UseForRSALeaves bool
UseForECDSALeaves bool
IssuerURL string `validate:"required,url"`
OCSPURL string `validate:"required,url"`
CRLURL string `validate:"omitempty,url"`
Location IssuerLoc
}
IssuerID is a statistically-unique small ID computed from a hash over the entirety of the issuer certificate. DEPRECATED: This identifier is being phased out in favor of IssuerNameID. It exists in the database in certificateStatus rows for certs issued prior to approximately November 2021, but is not being written for new rows.
type IssuerID int64
IssuerLoc describes the on-disk location and parameters that an issuer should use to retrieve its certificate and private key. Only one of File, ConfigFile, or PKCS11 should be set.
type IssuerLoc struct {
// A file from which a private key will be read and parsed.
File string `validate:"required_without_all=ConfigFile PKCS11"`
// A file from which a pkcs11key.Config will be read and parsed, if File is not set.
ConfigFile string `validate:"required_without_all=PKCS11 File"`
// An in-memory pkcs11key.Config, which will be used if ConfigFile is not set.
PKCS11 *pkcs11key.Config `validate:"required_without_all=ConfigFile File"`
// A file from which a certificate will be read and parsed.
CertFile string `validate:"required"`
// Number of sessions to open with the HSM. For maximum performance,
// this should be equal to the number of cores in the HSM. Defaults to 1.
NumSessions int
}
IssuerNameID is a statistically-unique small ID which can be computed from both CA and end-entity certs to link them together into a validation chain. It is computed as a truncated hash over the issuer Subject Name bytes, or over the end-entity's Issuer Name bytes, which are required to be equal.
type IssuerNameID int64
func GetIssuerNameID(ee *x509.Certificate) IssuerNameID
GetIssuerNameID returns the IssuerNameID (a truncated hash over the raw bytes of the Issuer Distinguished Name) of the given end-entity certificate. Useful for performing lookups in contexts that don't expect hash collisions.
func GetOCSPIssuerNameID(resp *ocsp.Response) IssuerNameID
GetOCSPIssuerNameID returns the IssuerNameID (a truncated hash over the raw bytes of the Responder Distinguished Name) of the given OCSP Response. As per the OCSP spec, it is technically possible for this field to not be populated: the OCSP Response can instead contain a SHA-1 hash of the Issuer Public Key as the Responder ID. The Go stdlib always uses the DN, though.
PolicyConfig describes a policy
type PolicyConfig struct {
OID string `validate:"required"`
}
Profile is the validated structure created by reading in ProfileConfigs and IssuerConfigs
type Profile struct {
// contains filtered or unexported fields
}
func NewProfile(profileConfig ProfileConfig, issuerConfig IssuerConfig) (*Profile, error)
NewProfile synthesizes the profile config and issuer config into a single object, and checks various aspects for correctness.
ProfileConfig describes the certificate issuance constraints for all issuers.
type ProfileConfig struct {
AllowMustStaple bool
AllowCTPoison bool
AllowSCTList bool
AllowCommonName bool
MaxValidityPeriod config.Duration
MaxValidityBackdate config.Duration
// Deprecated: we do not respect this field.
Policies []PolicyConfig `validate:"-"`
}