open-consul/agent/connect/ca/provider.go

package ca

import (
	"crypto/x509"
)

// Provider is the interface for Consul to interact with
// an external CA that provides leaf certificate signing for
// given SpiffeIDServices.
type Provider interface {
	// Configure initializes the provider based on the given cluster ID, root status
	// and configuration values.
	Configure(clusterId string, isRoot bool, rawConfig map[string]interface{}) error

	// GenerateRoot causes the creation of a new root certificate for this provider.
	// This can also be a no-op if a root certificate already exists for the given
	// config. If isRoot is false, calling this method is an error.
	GenerateRoot() error

	// ActiveRoot returns the currently active root CA for this
	// provider. This should be a parent of the certificate returned by
	// ActiveIntermediate()
	ActiveRoot() (string, error)

	// GenerateIntermediateCSR generates a CSR for an intermediate CA
	// certificate, to be signed by the root of another datacenter. If isRoot is
	// true, calling this is an error.
	GenerateIntermediateCSR() (string, error)

	// SetIntermediate sets the provider to use the given intermediate certificate
	// as well as the root it was signed by.
	SetIntermediate(intermediatePEM, rootPEM string) error

	// ActiveIntermediate returns the current signing cert used by this provider
	// for generating SPIFFE leaf certs. Note that this must not change except
	// when Consul requests the change via GenerateIntermediate. Changing the
	// signing cert will break Consul's assumptions about which validation paths
	// are active.
	ActiveIntermediate() (string, error)

	// GenerateIntermediate returns a new intermediate signing cert and sets it to
	// the active intermediate. If multiple intermediates are needed to complete
	// the chain from the signing certificate back to the active root, they should
	// all by bundled here.
	GenerateIntermediate() (string, error)

	// Sign signs a leaf certificate used by Connect proxies from a CSR. The PEM
	// returned should include only the leaf certificate as all Intermediates
	// needed to validate it will be added by Consul based on the active
	// intemediate and any cross-signed intermediates managed by Consul.
	Sign(*x509.CertificateRequest) (string, error)

	// SignIntermediate will validate the CSR to ensure the trust domain in the
	// URI SAN matches the local one and that basic constraints for a CA certificate
	// are met. It should return a signed CA certificate with a path length constraint
	// of 0 to ensure that the certificate cannot be used to generate further CA certs.
	SignIntermediate(*x509.CertificateRequest) (string, error)

	// CrossSignCA must accept a CA certificate from another CA provider
	// and cross sign it exactly as it is such that it forms a chain back the the
	// CAProvider's current root. Specifically, the Distinguished Name, Subject
	// Alternative Name, SubjectKeyID and other relevant extensions must be kept.
	// The resulting certificate must have a distinct Serial Number and the
	// AuthorityKeyID set to the CAProvider's current signing key as well as the
	// Issuer related fields changed as necessary. The resulting certificate is
	// returned as a PEM formatted string.
	CrossSignCA(*x509.Certificate) (string, error)

	// Cleanup performs any necessary cleanup that should happen when the provider
	// is shut down permanently, such as removing a temporary PKI backend in Vault
	// created for an intermediate CA.
	Cleanup() error
}
Support giving the duration as a string in CA config 2018-05-23 21:43:40 +00:00			`package ca`
Add the CA provider interface and built-in provider 2018-04-09 04:56:11 +00:00
			`import (`
			`"crypto/x509"`
			`)`

Move connect CA provider to separate package 2018-05-03 19:50:45 +00:00			`// Provider is the interface for Consul to interact with`
Add the CA provider interface and built-in provider 2018-04-09 04:56:11 +00:00			`// an external CA that provides leaf certificate signing for`
			`// given SpiffeIDServices.`
Move connect CA provider to separate package 2018-05-03 19:50:45 +00:00			`type Provider interface {`
connect/ca: add Configure/GenerateRoot to provider interface 2018-09-07 02:18:54 +00:00			`// Configure initializes the provider based on the given cluster ID, root status`
			`// and configuration values.`
			`Configure(clusterId string, isRoot bool, rawConfig map[string]interface{}) error`

			`// GenerateRoot causes the creation of a new root certificate for this provider.`
			`// This can also be a no-op if a root certificate already exists for the given`
			`// config. If isRoot is false, calling this method is an error.`
			`GenerateRoot() error`

			`// ActiveRoot returns the currently active root CA for this`
Add cross-signing mechanism to root rotation 2018-04-21 03:39:51 +00:00			`// provider. This should be a parent of the certificate returned by`
			`// ActiveIntermediate()`
Simplify the CA provider interface by moving some logic out 2018-04-24 23:16:37 +00:00			`ActiveRoot() (string, error)`
Add cross-signing mechanism to root rotation 2018-04-21 03:39:51 +00:00
connect/ca: add intermediate functions to Consul CA provider 2018-09-13 02:52:24 +00:00			`// GenerateIntermediateCSR generates a CSR for an intermediate CA`
			`// certificate, to be signed by the root of another datacenter. If isRoot is`
			`// true, calling this is an error.`
			`GenerateIntermediateCSR() (string, error)`

connect/ca: add intermediate functions to Vault ca provider 2018-09-13 20:09:07 +00:00			`// SetIntermediate sets the provider to use the given intermediate certificate`
			`// as well as the root it was signed by.`
connect/ca: add intermediate functions to Consul CA provider 2018-09-13 02:52:24 +00:00			`SetIntermediate(intermediatePEM, rootPEM string) error`

Actually return Intermediate certificates bundled with a leaf! 2018-06-20 11:37:36 +00:00			`// ActiveIntermediate returns the current signing cert used by this provider`
			`// for generating SPIFFE leaf certs. Note that this must not change except`
			`// when Consul requests the change via GenerateIntermediate. Changing the`
			`// signing cert will break Consul's assumptions about which validation paths`
			`// are active.`
Simplify the CA provider interface by moving some logic out 2018-04-24 23:16:37 +00:00			`ActiveIntermediate() (string, error)`
Add cross-signing mechanism to root rotation 2018-04-21 03:39:51 +00:00
Actually return Intermediate certificates bundled with a leaf! 2018-06-20 11:37:36 +00:00			`// GenerateIntermediate returns a new intermediate signing cert and sets it to`
			`// the active intermediate. If multiple intermediates are needed to complete`
			`// the chain from the signing certificate back to the active root, they should`
			`// all by bundled here.`
Simplify the CA provider interface by moving some logic out 2018-04-24 23:16:37 +00:00			`GenerateIntermediate() (string, error)`
Add cross-signing mechanism to root rotation 2018-04-21 03:39:51 +00:00
Actually return Intermediate certificates bundled with a leaf! 2018-06-20 11:37:36 +00:00			`// Sign signs a leaf certificate used by Connect proxies from a CSR. The PEM`
			`// returned should include only the leaf certificate as all Intermediates`
			`// needed to validate it will be added by Consul based on the active`
			`// intemediate and any cross-signed intermediates managed by Consul.`
Simplify the CAProvider.Sign method 2018-04-24 23:31:42 +00:00			`Sign(*x509.CertificateRequest) (string, error)`
Simplify the CA provider interface by moving some logic out 2018-04-24 23:16:37 +00:00
connect/ca: add intermediate functions to Consul CA provider 2018-09-13 02:52:24 +00:00			`// SignIntermediate will validate the CSR to ensure the trust domain in the`
			`// URI SAN matches the local one and that basic constraints for a CA certificate`
			`// are met. It should return a signed CA certificate with a path length constraint`
			`// of 0 to ensure that the certificate cannot be used to generate further CA certs.`
			`SignIntermediate(*x509.CertificateRequest) (string, error)`

connect/ca: undo the interface changes and use sign-self-issued in Vault 2018-06-19 23:46:18 +00:00			`// CrossSignCA must accept a CA certificate from another CA provider`
Simplify the CA provider interface by moving some logic out 2018-04-24 23:16:37 +00:00			`// and cross sign it exactly as it is such that it forms a chain back the the`
			`// CAProvider's current root. Specifically, the Distinguished Name, Subject`
			`// Alternative Name, SubjectKeyID and other relevant extensions must be kept.`
			`// The resulting certificate must have a distinct Serial Number and the`
			`// AuthorityKeyID set to the CAProvider's current signing key as well as the`
			`// Issuer related fields changed as necessary. The resulting certificate is`
			`// returned as a PEM formatted string.`
connect/ca: undo the interface changes and use sign-self-issued in Vault 2018-06-19 23:46:18 +00:00			`CrossSignCA(*x509.Certificate) (string, error)`
Add cross-signing mechanism to root rotation 2018-04-21 03:39:51 +00:00
Clarify some comments and names around CA bootstrapping 2018-04-24 18:50:31 +00:00			`// Cleanup performs any necessary cleanup that should happen when the provider`
Add cross-signing mechanism to root rotation 2018-04-21 03:39:51 +00:00			`// is shut down permanently, such as removing a temporary PKI backend in Vault`
			`// created for an intermediate CA.`
Clarify some comments and names around CA bootstrapping 2018-04-24 18:50:31 +00:00			`Cleanup() error`
Add the CA provider interface and built-in provider 2018-04-09 04:56:11 +00:00			`}`