libtrust

package libtrust, version v2.0.0+incompatible (not the latest version of its module)
Published: Apr 16, 2015 License: Apache-2.0, Apache-2.0 Imports: 31 Imported by: 0

README

libtrust

Libtrust is a library for managing authentication and authorization using public key cryptography.

Authentication is handled using the identity attached to the public key. Libtrust provides multiple methods to prove possession of the private key associated with an identity.

  • TLS x509 certificates
  • Signature verification
  • Key Challenge

Authorization and access control are managed through a distributed trust graph. Trust servers act as the authorities of the trust graph and allow caching portions of the graph for faster access.

Code and documentation copyright 2014 Docker, Inc. Code released under the Apache 2.0 license. Docs released under Creative Commons.

Documentation

Overview

Package libtrust provides an interface for managing authentication and authorization using public key cryptography. Authentication is handled using the identity attached to the public key and verified through TLS x509 certificates, a key challenge, or a signature. Authorization and access control are managed through a trust graph distributed between remote trust servers and locally cached and managed data.

Index

Constants

This section is empty.

Variables

var (
	// ErrInvalidSignContent is used when the content to be signed is invalid.
	ErrInvalidSignContent = errors.New("invalid sign content")

	// ErrInvalidJSONContent is used when invalid json is encountered.
	ErrInvalidJSONContent = errors.New("invalid json content")

	// ErrMissingSignatureKey is used when the specified signature key
	// does not exist in the JSON content.
	ErrMissingSignatureKey = errors.New("missing signature key")
)
var (
	// ErrKeyFileDoesNotExist indicates that the private key file does not exist.
	ErrKeyFileDoesNotExist = errors.New("key file does not exist")
)

Functions

func AddKeySetFile

func AddKeySetFile(filename string, key PublicKey) error

AddKeySetFile adds a key to a key set.

func GenerateCACert

func GenerateCACert(signer PrivateKey, trustedKey PublicKey) (*x509.Certificate, error)

GenerateCACert creates a certificate which can be used as a trusted certificate authority.

func GenerateCACertPool

func GenerateCACertPool(signer PrivateKey, trustedKeys []PublicKey) (*x509.CertPool, error)

GenerateCACertPool creates a certificate authority pool to be used for a TLS configuration. Any self-signed certificate issued by one of the specified trusted keys will be verified during a TLS handshake.

func GenerateSelfSignedClientCert

func GenerateSelfSignedClientCert(key PrivateKey) (*x509.Certificate, error)

GenerateSelfSignedClientCert creates a self-signed certificate for the given key which is to be used for TLS clients.

func GenerateSelfSignedServerCert

func GenerateSelfSignedServerCert(key PrivateKey, domains []string, ipAddresses []net.IP) (*x509.Certificate, error)

GenerateSelfSignedServerCert creates a self-signed certificate for the given key which is to be used for TLS servers with the given domains and IP addresses.
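A worked example of the trust-pool mechanism behind GenerateCACert, GenerateCACertPool and GenerateSelfSignedClientCert, added here for illustration; it is not libtrust's code and imports only the Go standard library. It assumes ECDSA P-256 keys, stands in a SHA-256 fingerprint of the DER public key for libtrust's KeyID() (libtrust derives its IDs differently), and uses a constructed `libtrust-key:` URI SAN. The server mints one CA certificate per trusted public key, signed with its own signer key, and places them in a pool; a client's self-signed certificate then chains to the pool entry that carries the same key and name, while a certificate from a key the server does not trust is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// selfIssued builds a certificate for pub whose Subject and Issuer are both the
// key's ID (a SHA-256 fingerprint here, an assumed stand-in for libtrust's
// KeyID()), lets configure set the profile, and signs it with priv. A CA entry
// and a self-signed leaf made for the same key therefore pair up by name.
func selfIssued(pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey, configure func(*x509.Certificate)) (*x509.Certificate, error) {
	keyDER, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: fmt.Sprintf("%x", sha256.Sum256(keyDER))},
		NotBefore:    time.Now().Add(-time.Minute), // constructed one-hour validity
		NotAfter:     time.Now().Add(time.Hour),
	}
	configure(tmpl)
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(certDER)
}

// generateCACertPool mirrors GenerateCACert plus GenerateCACertPool: one CA
// certificate per trusted key, carrying that key and signed by the server's
// signer key. A trust anchor's own signature is never checked; only the key it vouches for matters.
func generateCACertPool(signer *ecdsa.PrivateKey, trusted []*ecdsa.PublicKey) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	for _, pub := range trusted {
		ca, err := selfIssued(pub, signer, func(c *x509.Certificate) {
			c.IsCA, c.BasicConstraintsValid = true, true
			c.KeyUsage = x509.KeyUsageCertSign
		})
		if err != nil {
			return nil, err
		}
		pool.AddCert(ca)
	}
	return pool, nil
}

// generateSelfSignedClientCert mirrors GenerateSelfSignedClientCert. The URI SAN
// names the key and also keeps Go's chain builder, which treats certificates with
// the same Subject, key and SAN as one certificate, from dropping the CA entry.
func generateSelfSignedClientCert(key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	return selfIssued(&key.PublicKey, key, func(c *x509.Certificate) {
		c.KeyUsage = x509.KeyUsageDigitalSignature
		c.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		c.URIs = []*url.URL{{Scheme: "libtrust-key", Opaque: c.Subject.CommonName}}
	})
}

// verifyClientCert is the check a TLS server applies to a presented client certificate when the pool is its ClientCAs.
func verifyClientCert(pool *x509.CertPool, cert *x509.Certificate) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// demo trusts one client key and reports whether that client's certificate is accepted and an unknown key's rejected.
func demo() (trustedAccepted, unknownRejected bool, err error) {
	var keys [3]*ecdsa.PrivateKey // server signer, trusted client, unknown client
	for i := range keys {
		if keys[i], err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			return
		}
	}
	pool, err := generateCACertPool(keys[0], []*ecdsa.PublicKey{&keys[1].PublicKey})
	if err != nil {
		return
	}
	var certs [2]*x509.Certificate // trusted client, unknown client
	for i := range certs {
		if certs[i], err = generateSelfSignedClientCert(keys[i+1]); err != nil {
			return
		}
	}
	return verifyClientCert(pool, certs[0]) == nil, verifyClientCert(pool, certs[1]) != nil, nil
}

func main() {
	fmt.Println(demo()) // true true <nil>
}
```

Run it with `go run`; demo reports true, true. The rejection of the unknown key is the property this pool design rests on: the client certificate is accepted only because its signature verifies under a public key the server placed in the pool, not because of anything in its subject name, so a certificate that merely copies a trusted key's ID fails the signature check against the CA entry.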

func LoadCertificateBundle

func LoadCertificateBundle(filename string) ([]*x509.Certificate, error)

LoadCertificateBundle loads certificates from the given file. The file should be pem encoded containing one or more certificates. The expected pem type is "CERTIFICATE".

func LoadCertificatePool

func LoadCertificatePool(filename string) (*x509.CertPool, error)

LoadCertificatePool loads a CA pool from the given file. The file should be pem encoded containing one or more certificates. The expected pem type is "CERTIFICATE".

func NewCertAuthTLSConfig

func NewCertAuthTLSConfig(caPath, certPath, keyPath string) (*tls.Config, error)

NewCertAuthTLSConfig creates a tls.Config for the server to use for certificate authentication.

func NewIdentityAuthTLSClientConfig

func NewIdentityAuthTLSClientConfig(dockerUrl string, trustUnknownHosts bool, rootConfigPath string, serverName string) (*tls.Config, error)

NewIdentityAuthTLSClientConfig returns a tls.Config configured to use identity based authentication from the specified dockerUrl, the rootConfigPath and the server name to which it is connecting. If trustUnknownHosts is true it will automatically add the host to the known-hosts.json in rootConfigPath.

func NewIdentityAuthTLSConfig

func NewIdentityAuthTLSConfig(trustKey PrivateKey, clients *ClientKeyManager, addr string, domain string) (*tls.Config, error)

NewIdentityAuthTLSConfig creates a tls.Config for the server to use for libtrust identity authentication for the specified domain.

func SaveKey

func SaveKey(filename string, key PrivateKey) error

SaveKey saves the given key to a file using the provided filename. This process will overwrite any existing file at the provided location.

func SavePublicKey

func SavePublicKey(filename