package ca
import (
"crypto/x509"
)
// Provider is the interface for Consul to interact with
// an external CA that provides leaf certificate signing for
// given SpiffeIDServices.
//
// Every certificate-bearing result is returned as a string. CrossSignCA
// documents its result as PEM; the other methods presumably use the same
// encoding — confirm against the concrete implementations.
type Provider interface {
	// ActiveRoot returns the currently active root CA for this
	// provider. This should be a parent of the certificate returned by
	// ActiveIntermediate().
	ActiveRoot() (string, error)

	// ActiveIntermediate returns the current signing cert used by this
	// provider for generating SPIFFE leaf certs.
	ActiveIntermediate() (string, error)

	// GenerateIntermediate returns a new intermediate signing cert and
	// sets it to the active intermediate.
	GenerateIntermediate() (string, error)

	// Sign signs a leaf certificate used by Connect proxies from a CSR.
	//
	// NOTE(review): this contract says nothing about verifying the CSR's
	// signature or that the requested names (e.g. the URI SAN) are ones the
	// requester is authorized for; confirm where that validation is enforced,
	// since an implementation cannot assume the CSR is trustworthy.
	Sign(*x509.CertificateRequest) (string, error)

	// CrossSignCA must accept a CA certificate signed by another CA's key
	// and cross sign it exactly as it is such that it forms a chain back to the
	// CAProvider's current root. Specifically, the Distinguished Name, Subject
	// Alternative Name, SubjectKeyID and other relevant extensions must be kept.
	// The resulting certificate must have a distinct Serial Number and the
	// AuthorityKeyID set to the CAProvider's current signing key as well as the
	// Issuer related fields changed as necessary. The resulting certificate is
	// returned as a PEM formatted string.
	CrossSignCA(*x509.Certificate) (string, error)

	// Cleanup performs any necessary cleanup that should happen when the provider
	// is shut down permanently, such as removing a temporary PKI backend in Vault
	// created for an intermediate CA.
	Cleanup() error
}