Class CertManager

Hierarchy

  • CreateDestroyStartStop
    • CertManager

Constructors

Properties

[initLock]: RWLockWriter
certDuration: number

Certificate duration in seconds

certRenewLeadTime: number
db: DB
dbCertsPath: readonly (string | Buffer)[] = ...

Certificate collection CertManager/certs/{CertId} -> {raw(CertificateASN1)}

dbLastCertIdPath: readonly (string | Buffer)[] = ...

Maintain last CertID to preserve monotonicity across process restarts CertManager/lastCertId -> {raw(CertId)}

dbPath: readonly (string | Buffer)[] = ...
generateCertId: (() => CertId)

Type declaration

keyRing: KeyRing
logger: Logger
renewCurrentCertHandler: TaskHandler = ...
renewCurrentCertHandlerId: TaskHandlerId = ...
renewCurrentCertTaskId?: TaskId
renewResetLock: Lock = ...
subjectAttrsExtra?: {
    [key: string]: string[];
}[]

Type declaration

  • [key: string]: string[]
taskManager: TaskManager
tasksRunning: boolean = false

Accessors

  • get [destroyed](): boolean
  • Returns boolean

  • get [eventHandled](): ReadonlyWeakSet<Event>
  • Returns ReadonlyWeakSet<Event>

  • get [eventHandlers](): ReadonlyMap<string, Set<EventHandlerInfo>>
  • Returns ReadonlyMap<string, Set<EventHandlerInfo>>

  • get [eventTarget](): EventTarget
  • Returns EventTarget

  • get [handleEventError](): ((evt) => void)
  • Returns ((evt) => void)

      • (evt): void
      • Parameters

        • evt: EventError

        Returns void

  • get [running](): boolean
  • Returns boolean

  • get [statusP](): Promise<Status>
  • Returns Promise<Status>

  • get [status](): Status
  • Returns Status

Methods

  • Parameters

    • type: string
    • callback: null | EventListenerOrEventListenerObject
    • Optional options: boolean | AddEventListenerOptions

    Returns void

  • Parameters

    • event: Event

    Returns boolean

  • Garbage collect invalid or expired certificates. Invalid certificates can happen if key rotation does not succeed. It could mean that the leaf certificate does not match the current key pair.

    Expired certificates are no longer valid and should be deleted. This will always ensure that the current certificate is kept. It will also keep the first expired certificate in the chain. All subsequent certificates will be deleted.

    Note if generating a new certificate, it may be generated with a duration of 0. When this occurs, the certificate is considered still valid for the now timestamp at generation. Therefore upon finding the current certificate we don't bother checking whether it is not expired. We can assume it is not expired. However to be absolutely robust, pass the same now between generation and this.gcCerts to prevent accidental garbage collection of a 0-duration current certificate.

    Parameters

    • force: boolean = false
    • now: Date = ...

    Returns Promise<void>

  • Parameters

    • __namedParameters: {
          duration: number;
          issuerAttrsExtra?: {
              [key: string]: string[];
          }[];
          issuerPrivateKey: PrivateKey;
          now?: Date;
          subjectAttrsExtra?: {
              [key: string]: string[];
          }[];
          subjectKeyPair: {
              privateKey: PrivateKey;
              publicKey: PublicKey;
          };
      }
      • duration: number
      • Optional issuerAttrsExtra?: {
            [key: string]: string[];
        }[]
      • issuerPrivateKey: PrivateKey
      • Optional now?: Date
      • Optional subjectAttrsExtra?: {
            [key: string]: string[];
        }[]
      • subjectKeyPair: {
            privateKey: PrivateKey;
            publicKey: PublicKey;
        }

    Returns Promise<Readonly<X509Certificate>>

  • Get a certificate according to the CertID

    Parameters

    • certId: CertId
    • Optional tran: DBTransaction

    Returns Promise<undefined | Readonly<X509Certificate>>

  • Get Certificate from leaf to root

    Parameters

    • Optional tran: DBTransaction

    Returns AsyncGenerator<Readonly<X509Certificate>, any, unknown>

  • Gets an array of Certificate in order of leaf to root

    Parameters

    • Optional tran: DBTransaction

    Returns Promise<Readonly<X509Certificate>[]>

  • Get the current (leaf) certificate

    Parameters

    • Optional tran: DBTransaction

    Returns Promise<Readonly<X509Certificate>>

  • Parameters

    • cert: Readonly<X509Certificate>
    • Optional tran: DBTransaction

    Returns Promise<void>

  • Parameters

    • type: string
    • callback: null | EventListenerOrEventListenerObject
    • Optional options: boolean | EventListenerOptions

    Returns void

  • Generates a new leaf certificate with the current key pair. This new certificate is chained to the previous certificate. It is self-signed and also signed by the previous certificate

    The self-signed signature is encoded within the NodeSignatureExtension. The certificate signature is produced by the previous certificate's public key.

    This maintains a certificate chain that provides zero-downtime migration. The NodeId does not change.

    Garbage collection of old certificates is executed immediately afterwards. The garbage collection will be checking if the certificates are expired. It will reference the same timestamp that was used to generate the new certificate.

    Parameters

    • duration: number = ...
    • now: Date = ...

    Returns Promise<Readonly<X509Certificate>>

  • Generates a new leaf certificate with a new key pair. This new certificate is chained to the previous certificate.

    It is self-signed and also signed by the previous certificate

    The self-signed signature is encoded within the NodeSignatureExtension. The certificate signature is produced by the previous certificate's public key.

    Garbage collection of old certificates is executed immediately afterwards. The garbage collection will be checking if the certificates are expired. It will reference the same timestamp that was used to generate the new certificate.

    Parameters

    • password: string
    • duration: number = ...
    • now: Date = ...

    Returns Promise<Readonly<X509Certificate>>

  • Generates a new certificate chain starting with the current key pair. The new certificate is self-signed, and has no previous certificate. The NodeId does not change.

    The self-signed signature is encoded within the NodeSignatureExtension.

    Garbage collection of old certificates is executed immediately afterwards. The garbage collection will be checking if the certificates are expired. It will reference the same timestamp that was used to generate the new certificate.

    Parameters

    • duration: number = ...
    • now: Date = ...

    Returns Promise<Readonly<X509Certificate>>

  • Generates a new certificate chain starting with a new key pair. The new certificate is self-signed, and has no previous certificate. The results in a new NodeId.

    The self-signed signature is encoded within the NodeSignatureExtension.

    Garbage collection of old certificates is executed immediately afterwards. The garbage collection will be checking if the certificates are expired. It will reference the same timestamp that was used to generate the new certificate.

    Parameters

    • password: string
    • duration: number = ...
    • now: Date = ...

    Returns Promise<Readonly<X509Certificate>>

  • Sets up the renew current certificate task. This will set the renewal of the certificate to the remaining duration minus the lead time, with the minimum delaying being 0. This task is a singleton. It must be updated when the current certificate is renewed.

    Parameters

    • now: Date = ...

    Returns Promise<void>

  • Parameters

    • __namedParameters: {
          fresh?: boolean;
          lazy?: boolean;
          now?: Date;
          subjectAttrsExtra?: {
              [key: string]: string[];
          }[];
      } = {}
      • Optional fresh?: boolean
      • Optional lazy?: boolean
      • Optional now?: Date
      • Optional subjectAttrsExtra?: {
            [key: string]: string[];
        }[]

    Returns Promise<void>

  • Start background tasks. This is idempotent.

    Parameters

    • now: Date = ...

    Returns Promise<void>

  • The password is needed in case there needs to be an automatic renewal. When the certificate is automatically renewed, a new key pair is generated.

    The certDuration is in seconds. This is the default duration of generated certificates. Certificates will be valid from now until inclusive of now + certDuration. Certificates only have second resolution, so now is always interpreted as truncated to the second.

    The certRenewLeadTime is in seconds. This is the amount time set before the last valid second timestamp, in which to automatically run the certificate renewal with the current key pair. This must ensure enough time for change propagation across the gestalt graph.

    Parameters

    • __namedParameters: {
          db: DB;
          fresh?: boolean;
          issuerAttrsExtra?: {
              [key: string]: string[];
          }[];
          keyRing: KeyRing;
          lazy?: boolean;
          logger?: Logger;
          now?: Date;
          options?: Partial<CertManagerOptions>;
          subjectAttrsExtra?: {
              [key: string]: string[];
          }[];
          taskManager: TaskManager;
          workerManager?: PolykeyWorkerManagerInterface;
      }
      • db: DB
      • Optional fresh?: boolean
      • Optional issuerAttrsExtra?: {
            [key: string]: string[];
        }[]
      • keyRing: KeyRing
      • Optional lazy?: boolean
      • Optional logger?: Logger
      • Optional now?: Date
      • Optional options?: Partial<CertManagerOptions>
      • Optional subjectAttrsExtra?: {
            [key: string]: string[];
        }[]
      • taskManager: TaskManager
      • Optional workerManager?: PolykeyWorkerManagerInterface

    Returns Promise<CertManager>

Generated using TypeDoc