github.com/outbrain/consul@v1.4.5/agent/connect/ca/provider.go

```go
package ca

import (
	"crypto/x509"
)

//go:generate mockery -name Provider -inpkg

// Provider is the interface for Consul to interact with
// an external CA that provides leaf certificate signing for
// given SpiffeIDServices.
type Provider interface {
	// Configure initializes the provider based on the given cluster ID, root status
	// and configuration values.
	Configure(clusterId string, isRoot bool, rawConfig map[string]interface{}) error

	// GenerateRoot causes the creation of a new root certificate for this provider.
	// This can also be a no-op if a root certificate already exists for the given
	// config. If isRoot is false, calling this method is an error.
	GenerateRoot() error

	// ActiveRoot returns the currently active root CA for this
	// provider. This should be a parent of the certificate returned by
	// ActiveIntermediate().
	ActiveRoot() (string, error)

	// GenerateIntermediateCSR generates a CSR for an intermediate CA
	// certificate, to be signed by the root of another datacenter. If isRoot was
	// set to true with Configure(), calling this is an error.
	GenerateIntermediateCSR() (string, error)

	// SetIntermediate sets the provider to use the given intermediate certificate
	// as well as the root it was signed by. This completes the initialization for
	// a provider where isRoot was set to false in Configure().
	SetIntermediate(intermediatePEM, rootPEM string) error

	// ActiveIntermediate returns the current signing cert used by this provider
	// for generating SPIFFE leaf certs. Note that this must not change except
	// when Consul requests the change via GenerateIntermediate. Changing the
	// signing cert will break Consul's assumptions about which validation paths
	// are active.
	ActiveIntermediate() (string, error)

	// GenerateIntermediate returns a new intermediate signing cert and sets it to
	// the active intermediate. If multiple intermediates are needed to complete
	// the chain from the signing certificate back to the active root, they should
	// all be bundled here.
	GenerateIntermediate() (string, error)

	// Sign signs a leaf certificate used by Connect proxies from a CSR. The PEM
	// returned should include only the leaf certificate, as all intermediates
	// needed to validate it will be added by Consul based on the active
	// intermediate and any cross-signed intermediates managed by Consul.
	Sign(*x509.CertificateRequest) (string, error)

	// SignIntermediate will validate the CSR to ensure the trust domain in the
	// URI SAN matches the local one and that basic constraints for a CA certificate
	// are met. It should return a signed CA certificate with a path length constraint
	// of 0 to ensure that the certificate cannot be used to generate further CA certs.
	SignIntermediate(*x509.CertificateRequest) (string, error)

	// CrossSignCA must accept a CA certificate from another CA provider
	// and cross sign it exactly as it is such that it forms a chain back to the
	// CAProvider's current root. Specifically, the Distinguished Name, Subject
	// Alternative Name, SubjectKeyID and other relevant extensions must be kept.
	// The resulting certificate must have a distinct Serial Number and the
	// AuthorityKeyID set to the CAProvider's current signing key as well as the
	// Issuer related fields changed as necessary. The resulting certificate is
	// returned as a PEM formatted string.
	CrossSignCA(*x509.Certificate) (string, error)

	// Cleanup performs any necessary cleanup that should happen when the provider
	// is shut down permanently, such as removing a temporary PKI backend in Vault
	// created for an intermediate CA.
	Cleanup() error
}
```