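/*
 * Copyright contributors to the Hyperledger Fabric Operator project
 *
 * SPDX-License-Identifier: Apache-2.0
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at:
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package v1

import (
	commonapi "github.com/IBM-Blockchain/fabric-operator/pkg/apis/common"
)

// ServerConfig is the fabric-ca server's config.
//
// The embedded CAConfig is promoted into the same JSON object as the
// fields declared here (the `inline` tag option is a YAML/controller-gen
// convention; encoding/json promotes embedded struct fields regardless).
// Note that some nested fields (PKCS11Opts.Pin, CAConfigIdentity.Pass,
// EnrollmentRequest.Secret) are plain strings with json tags, so a
// marshalled or pretty-printed ServerConfig contains them in clear text.
type ServerConfig struct {
	CAConfig `json:",inline"`
	// Listening port for the server
	Port int `json:"port,omitempty"`
	// Bind address for the server
	Address string `json:"address,omitempty"`
	// Cross-Origin Resource Sharing settings for the server
	CORS CORS `json:"cors,omitempty"`
	// Enables debug logging
	Debug *bool `json:"debug,omitempty"`
	// Sets the logging level on the server
	LogLevel string `json:"loglevel,omitempty"`
	// TLS for the server's listening endpoint
	TLS ServerTLSConfig `json:"tls,omitempty"`
	// The names of the CA configuration files.
	// This is empty unless there are non-default CAs served by this server.
	CAfiles []string `json:"cafiles,omitempty"`
	// The number of non-default CAs, which is useful for a dev environment to
	// quickly start any number of CAs in a single server
	CAcount int `json:"cacount,omitempty"`
	// Size limit of an acceptable CRL in bytes
	CRLSizeLimit int `json:"crlsizelimit,omitempty"`
	// CompMode1_3 determines whether to run in compatibility mode for version 1.3
	CompMode1_3 *bool `json:"compmode1_3,omitempty"`
	// Metrics contains the configuration for provider and statsd
	Metrics MetricsOptions `json:"metrics,omitempty"`
	// Operations contains the configuration for the operations servers
	Operations Options `json:"operations,omitempty"`
}

// LDAP is the LDAP client configuration of the server: the directory URL,
// the user/group search filters, the attribute mapping and the client TLS
// material used to reach the directory.
type LDAP struct {
	Enabled     *bool           `json:"enabled,omitempty"`
	URL         string          `json:"url,omitempty"`
	UserFilter  string          `json:"userFilter,omitempty"`
	GroupFilter string          `json:"groupFilter,omitempty"`
	Attribute   AttrConfig      `json:"attribute,omitempty"`
	TLS         ClientTLSConfig `json:"tls,omitempty"`
}

// AttrConfig is attribute configuration information: the LDAP attribute
// names to read, the name/value converters to apply, and per-attribute
// value maps.
type AttrConfig struct {
	Names      []string             `json:"names,omitempty"`
	Converters []NameVal            `json:"converters,omitempty"`
	Maps       map[string][]NameVal `json:"maps,omitempty"`
}

// NameVal is a single name/value pair.
type NameVal struct {
	Name  string `json:"name,omitempty"`
	Value string `json:"value,omitempty"`
}

// CAConfig is the per-CA configuration: signing policy, CSR defaults, the
// identity registry, affiliations, LDAP, database, crypto provider (BCCSP),
// intermediate-CA enrollment and CRL settings.
type CAConfig struct {
	Version      string                 `json:"version,omitempty"`
	Cfg          CfgOptions             `json:"cfg,omitempty"`
	CA           CAInfo                 `json:"ca,omitempty"`
	Signing      Signing                `json:"signing,omitempty"`
	CSR          CSRInfo                `json:"csr,omitempty"`
	Registry     CAConfigRegistry       `json:"registry,omitempty"`
	Affiliations map[string]interface{} `json:"affiliations,omitempty"`
	LDAP         LDAP                   `json:"ldap,omitempty"`
	DB           *CAConfigDB            `json:"db,omitempty"`
	CSP          *BCCSP                 `json:"bccsp,omitempty"`
	Intermediate IntermediateCA         `json:"intermediate,omitempty"`
	CRL          CRLConfig              `json:"crl,omitempty"`

	// Optional client config for an intermediate server which acts as a client
	// of the root (or parent) server
	// Client *ClientConfig `json:"client"`
}

// CSRInfo is Certificate Signing Request (CSR) Information.
// CN has no omitempty option, so it is always emitted (as "" when unset).
type CSRInfo struct {
	CN           string       `json:"cn"`
	Names        []Name       `json:"names,omitempty"`
	Hosts        []string     `json:"hosts,omitempty"`
	KeyRequest   *KeyRequest  `json:"key,omitempty"`
	CA           *CSRCAConfig `json:"ca,omitempty"`
	SerialNumber string       `json:"serial_number,omitempty"`
}

// CSRCAConfig holds the CA-specific CSR settings: path length constraint,
// certificate expiry and backdate. None of its fields use omitempty, so all
// of them are always serialized.
type CSRCAConfig struct {
	PathLength  int    `json:"pathlen"`
	PathLenZero *bool  `json:"pathlenzero"`
	Expiry      string `json:"expiry"`
	Backdate    string `json:"backdate"`
}

// A Name contains the SubjectInfo fields.
type Name struct {
	C            string `json:"C,omitempty"`
	ST           string `json:"ST,omitempty"`
	L            string `json:"L,omitempty"`
	O            string `json:"O,omitempty"`
	OU           string `json:"OU,omitempty"`
	SerialNumber string `json:"SerialNumber,omitempty"`
}

// KeyRequest encapsulates size and algorithm for the key to be generated
type KeyRequest struct {
	Algo string `json:"algo"`
	Size int    `json:"size"`
}

// CORS enables Cross-Origin Resource Sharing on the server and lists the
// origins that are allowed. Both fields are always serialized (no omitempty).
type CORS struct {
	Enabled *bool    `json:"enabled"`
	Origins []string `json:"origins"`
}

// BCCSP selects the crypto provider (ProviderName, json key "default") and
// carries the options for the software (SW) and PKCS#11 providers.
type BCCSP struct {
	ProviderName string      `json:"default,omitempty"`
	SW           *SwOpts     `json:"sw,omitempty"`
	PKCS11       *PKCS11Opts `json:"pkcs11,omitempty"`
}

// SwOpts contains options for the SWFactory
type SwOpts struct {
	SecLevel     int              `json:"security,omitempty"`
	HashFamily   string           `json:"hash,omitempty"`
	FileKeyStore FileKeyStoreOpts `json:"filekeystore,omitempty"`
}

// PKCS11Opts contains options for the PKCS#11 crypto provider: security
// level and hash family, the PKCS#11 library to load, and the token label
// and PIN used to open a session.
type PKCS11Opts struct {
	SecLevel   int    `json:"security,omitempty"`
	HashFamily string `json:"hash,omitempty"`
	Library    string `json:"library,omitempty"`
	Label      string `json:"label,omitempty"`
	// Pin is the PKCS#11 token PIN. It is a plain string serialized under
	// the "pin" key, so structs containing it must not be logged or dumped.
	Pin          string           `json:"pin,omitempty"`
	Ephemeral    *bool            `json:"tempkeys,omitempty"`
	SoftVerify   *bool            `json:"softwareVerify,omitempty"`
	Immutable    *bool            `json:"immutable,omitempty"`
	FileKeyStore FileKeyStoreOpts `json:"filekeystore,omitempty"`
}

// FileKeyStoreOpts locates the file-based key store.
type FileKeyStoreOpts struct {
	KeyStorePath string `json:"keystore,omitempty"`
}

// Signing codifies the signature configuration policy for a CA.
// Both fields are always serialized (no omitempty).
type Signing struct {
	Profiles map[string]*SigningProfile `json:"profiles"`
	Default  *SigningProfile            `json:"default"`
}

// A SigningProfile stores information that the CA needs to store
// signature policy.
type SigningProfile struct {
	Usage               []string           `json:"usage,omitempty"`
	IssuerURL           []string           `json:"issuerurl,omitempty"`
	OCSP                string             `json:"ocsp,omitempty"`
	CRL                 string             `json:"crl,omitempty"`
	CAConstraint        CAConstraint       `json:"caconstraint,omitempty"`
	OCSPNoCheck         *bool              `json:"ocspnocheck,omitempty"`
	ExpiryString        string             `json:"expirystring,omitempty"`
	BackdateString      string             `json:"backdatestring,omitempty"`
	AuthKeyName         string             `json:"authkeyname,omitempty"`
	RemoteName          string             `json:"remotename,omitempty"`
	NameWhitelistString string             `json:"namewhiteliststring,omitempty"`
	AuthRemote          AuthRemote         `json:"authremote,omitempty"`
	CTLogServers        []string           `json:"ctlogservers,omitempty"`
	CertStore           string             `json:"certstore,omitempty"`
	Expiry              commonapi.Duration `json:"expiry,omitempty"`

	// TODO: Do these need to be overridable?
	// AllowedExtensions []cfconfig.OID `json:"allowedextensions,omitempty"`
	// Policies []CertificatePolicy
	// Backdate time.Duration
	// Provider auth.Provider
	// RemoteProvider auth.Provider
	// RemoteServer string
	// RemoteCAs *x509.CertPool
	// ClientCert *tls.Certificate
	// CSRWhitelist *CSRWhitelist
	// NameWhitelist *regexp.Regexp
	// ExtensionWhitelist map[string]bool
	// ClientProvidesSerialNumbers bool
	// NotBefore time.Time `json:"notbefore,omitempty"`
	// NotAfter time.Time `json:"notafter,omitempty"`
}

// CAConstraint specifies various CA constraints on the signed certificate.
// CAConstraint would verify against (and override) the CA
// extensions in the given CSR.
type CAConstraint struct {
	IsCA           *bool `json:"isca,omitempty"`
	MaxPathLen     int   `json:"maxpathlen,omitempty"`
	MaxPathLenZero *bool `json:"maxpathlenzero,omitempty"`
}

// AuthRemote is an authenticated remote signer.
type AuthRemote struct {
	RemoteName  string `json:"remote,omitempty"`
	AuthKeyName string `json:"authkey,omitempty"`
}

// CfgOptions is a CA configuration that allows for setting different options
type CfgOptions struct {
	Identities   IdentitiesOptions   `json:"identities,omitempty"`
	Affiliations AffiliationsOptions `json:"affiliations,omitempty"`
}

// IdentitiesOptions are options that are related to identities
type IdentitiesOptions struct {
	PasswordAttempts int   `json:"passwordattempts,omitempty"`
	AllowRemove      *bool `json:"allowremove,omitempty"`
}

// AffiliationsOptions are options that are related to affiliations
type AffiliationsOptions struct {
	AllowRemove *bool `json:"allowremove,omitempty"`
}

// CAInfo is the CA information on a fabric-ca-server
type CAInfo struct {
	Name                     string `json:"name,omitempty"`
	Keyfile                  string `json:"keyfile,omitempty"`
	Certfile                 string `json:"certfile,omitempty"`
	Chainfile                string `json:"chainfile,omitempty"`
	ReenrollIgnoreCertExpiry *bool  `json:"reenrollignorecertexpiry,omitempty"`
}

// CAConfigDB is the database part of the server's config.
// Datasource is serialized verbatim; if it embeds database credentials they
// appear in clear text in the marshalled config.
type CAConfigDB struct {
	Type       string          `json:"type,omitempty"`
	Datasource string          `json:"datasource,omitempty"`
	TLS        ClientTLSConfig `json:"tls,omitempty"`
}

// CAConfigRegistry is the registry part of the server's config
type CAConfigRegistry struct {
	MaxEnrollments int                `json:"maxenrollments,omitempty"`
	Identities     []CAConfigIdentity `json:"identities,omitempty"`
}

// CAConfigIdentity is identity information in the server's config
type CAConfigIdentity struct {
	Name string `json:"name,omitempty"`
	// Pass is the identity's password/secret. It is a plain string serialized
	// under the "pass" key, so structs containing it must not be logged or dumped.
	Pass           string                 `json:"pass,omitempty"`
	Type           string                 `json:"type,omitempty"`
	Affiliation    string                 `json:"affiliation,omitempty"`
	MaxEnrollments int                    `json:"maxenrollments,omitempty"`
	Attrs          map[string]interface{} `json:"attrs,omitempty"`
}

// ParentServer contains URL for the parent server and the name of CA inside
// the server to connect to
type ParentServer struct {
	URL    string `json:"url,omitempty"`
	CAName string `json:"caname,omitempty"`
}

// IntermediateCA contains parent server information, TLS configuration, and
// enrollment request for an intermediate CA
type IntermediateCA struct {
	ParentServer ParentServer      `json:"parentserver,omitempty"`
	TLS          ClientTLSConfig   `json:"tls,omitempty"`
	Enrollment   EnrollmentRequest `json:"enrollment,omitempty"`
}

// EnrollmentRequest is a request to enroll an identity
type EnrollmentRequest struct {
	// The identity name to enroll (always serialized; no omitempty)
	Name string `json:"name"`
	// The secret returned via Register. It is a plain string serialized under
	// the "secret" key, so structs containing it must not be logged or dumped.
	Secret string `json:"secret,omitempty"`
	// CAName is the name of the CA to connect to
	CAName string `json:"caname,omitempty"`
	// AttrReqs are requests for attributes to add to the certificate.
	// Each attribute is added only if the requestor owns the attribute.
	AttrReqs []*AttributeRequest `json:"attr_reqs,omitempty"`
	// Profile is the name of the signing profile to use in issuing the X509 certificate
	Profile string `json:"profile,omitempty"`
	// Label is the label to use in HSM operations
	Label string `json:"label,omitempty"`
	// CSR is Certificate Signing Request info
	CSR *CSRInfo `json:"csr,omitempty"` // Skipping this because we pull the CSR from the CSR flags
	// The type of the enrollment request: x509 or idemix
	// The default is a request for an X509 enrollment certificate
	// NOTE: Type carries no json tag, so encoding/json uses the key "Type";
	// the `def` tag is presumably read by an upstream defaults loader — verify
	// before changing it.
	Type string `def:"x509"`
}

// AttributeRequest names one attribute requested for the certificate and
// whether its absence is acceptable.
type AttributeRequest struct {
	Name     string `json:"name"`
	Optional *bool  `json:"optional,omitempty"`
}

// ClientTLSConfig defines the key material for a TLS client
type ClientTLSConfig struct {
	Enabled   *bool        `json:"enabled,omitempty"`
	CertFiles []string     `json:"certfiles,omitempty"`
	Client    KeyCertFiles `json:"client,omitempty"`
}

// ServerTLSConfig defines the server's listening-endpoint TLS material and
// the client-certificate policy applied to incoming connections.
type ServerTLSConfig struct {
	Enabled    *bool      `json:"enabled,omitempty"`
	CertFile   string     `json:"certfile,omitempty"`
	KeyFile    string     `json:"keyfile,omitempty"`
	ClientAuth ClientAuth `json:"clientauth,omitempty"`
}

// ClientAuth defines the key material needed to verify client certificates
type ClientAuth struct {
	Type      string   `json:"type,omitempty"`
	CertFiles []string `json:"certfiles,omitempty"`
}

// KeyCertFiles defines the files need for client on TLS
type KeyCertFiles struct {
	KeyFile  string `json:"keyfile,omitempty"`
	CertFile string `json:"certfile,omitempty"`
}

// CRLConfig contains configuration options used by the gencrl request handler
type CRLConfig struct {
	// Specifies expiration for the CRL generated by the gencrl request
	// The number of hours specified by this property is added to the UTC time, resulting time
	// is used to set the 'Next Update' date of the CRL
	Expiry commonapi.Duration `json:"expiry,omitempty"`
}

// Options contains configuration for the operations system
type Options struct {
	ListenAddress string         `json:"listenaddress,omitempty"`
	Metrics       MetricsOptions `json:"metrics,omitempty"`
	TLS           TLS            `json:"tls,omitempty"`
}

// MetricsOptions contains the information on providers
type MetricsOptions struct {
	Provider string  `json:"provider,omitempty"`
	Statsd   *Statsd `json:"statsd,omitempty"`
}

// TLS contains the TLS configuration for the operations system server
type TLS struct {
	Enabled  *bool  `json:"enabled,omitempty"`
	CertFile string `json:"certfile,omitempty"`
	KeyFile  string `json:"keyfile,omitempty"`
	// NOTE: the json key spelling "clientcerrequired" is the existing wire
	// format; it is kept as-is so already-stored configs keep decoding.
	ClientCertRequired *bool    `json:"clientcerrequired,omitempty"`
	ClientCACertFiles  []string `json:"clientcacertfiles,omitempty"`
}

// Statsd contains configuration of statsd
type Statsd struct {
	Network       string             `json:"network,omitempty"`
	Address       string             `json:"address,omitempty"`
	WriteInterval commonapi.Duration `json:"writeinterval,omitempty"`
	Prefix        string             `json:"prefix,omitempty"`
}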