Class CertManager

Hierarchy

  • CreateDestroyStartStop
    • CertManager

Constructors

constructor

Properties

[initLock] certDuration certRenewLeadTime db dbCertsPath dbLastCertIdPath dbPath generateCertId keyRing logger renewCurrentCertHandler renewCurrentCertHandlerId renewCurrentCertTaskId? renewResetLock subjectAttrsExtra? taskManager tasksRunning workerManager?

Accessors

[destroyed] [eventHandled] [eventHandlers] [eventTarget] [handleEventError] [running] [statusP] [status]

Methods

addEventListener delCert destroy dispatchEvent gcCerts generateCertificate getCert getCertPEMs getCertPEMsChain getCertPEMsChainPEM getCerts getCertsChain getCurrentCert getCurrentCertPEM getLastCertId putCert removeEventListener renewCertWithCurrentKeyPair renewCertWithNewKeyPair resetCertWithCurrentKeyPair resetCertWithNewKeyPair setWorkerManager setupCurrentCert setupRenewCurrentCertTask start startTasks stop stopTasks unsetWorkerManager createCertManager

Constructors

constructor

Properties

Readonly [initLock]

[initLock]: RWLockWriter

Readonly certDuration

certDuration: number

Certificate duration in seconds

Readonly certRenewLeadTime

certRenewLeadTime: number

Protected db

db: DB

Protected dbCertsPath

dbCertsPath: readonly (string | Buffer)[] = ...

Certificate collection CertManager/certs/{CertId} -> {raw(CertificateASN1)}

Protected dbLastCertIdPath

dbLastCertIdPath: readonly (string | Buffer)[] = ...

Maintain last CertID to preserve monotonicity across process restarts CertManager/lastCertId -> {raw(CertId)}

Protected dbPath

dbPath: readonly (string | Buffer)[] = ...

Protected generateCertId

generateCertId: (() => CertId)

Type declaration

Protected keyRing

keyRing: KeyRing

Protected logger

logger: Logger

Protected renewCurrentCertHandler

renewCurrentCertHandler: TaskHandler = ...

Protected renewCurrentCertHandlerId

renewCurrentCertHandlerId: TaskHandlerId = ...

Protected Optional renewCurrentCertTaskId

renewCurrentCertTaskId?: TaskId

Protected renewResetLock

renewResetLock: Lock = ...

Protected Optional subjectAttrsExtra

subjectAttrsExtra?: {
    [key: string]: string[];
}[]

Type declaration

  • [key: string]: string[]

Protected taskManager

taskManager: TaskManager

Protected tasksRunning

tasksRunning: boolean = false

Protected Optional workerManager

workerManager?: PolykeyWorkerManagerInterface

Accessors

[destroyed]

  • get [destroyed](): boolean

  • Returns boolean

[eventHandled]

  • get [eventHandled](): ReadonlyWeakSet<Event>

  • Returns ReadonlyWeakSet<Event>

[eventHandlers]

  • get [eventHandlers](): ReadonlyMap<string, Set<EventHandlerInfo>>

  • Returns ReadonlyMap<string, Set<EventHandlerInfo>>

[eventTarget]

  • get [eventTarget](): EventTarget

  • Returns EventTarget

[handleEventError]

  • get [handleEventError](): ((evt) => void)

  • Returns ((evt) => void)

      • (evt): void

      • Parameters

        • evt: EventError

        Returns void

[running]

  • get [running](): boolean

  • Returns boolean

[statusP]

  • get [statusP](): Promise<Status>

  • Returns Promise<Status>

[status]

  • get [status](): Status

  • Returns Status

Methods

addEventListener

  • Parameters

    • type: string
    • callback: null | EventListenerOrEventListenerObject
    • Optional options: boolean | AddEventListenerOptions

    Returns void

Protected delCert

destroy

dispatchEvent

  • Parameters

    • event: Event

    Returns boolean

Protected gcCerts

  • Garbage collect invalid or expired certificates. Invalid certificates can happen if key rotation does not succeed. It could mean that the leaf certificate does not match the current key pair.

    Expired certificates are no longer valid and should be deleted. This will always ensure that the current certificate is kept. It will also keep the first expired certificate in the chain. All subsequent certificates will be deleted.

    Note if generating a new certificate, it may be generated with a duration of 0. When this occurs, the certificate is considered still valid for the now timestamp at generation. Therefore upon finding the current certificate we don't bother checking whether it is not expired. We can assume it is not expired. However to be absolutely robust, pass the same now between generation and this.gcCerts to prevent accidental garbage collection of a 0-duration current certificate.

    Parameters

    • force: boolean = false
    • now: Date = ...

    Returns Promise<void>

Protected generateCertificate

  • Parameters

    • __namedParameters: {
          duration: number;
          issuerAttrsExtra?: {
              [key: string]: string[];
          }[];
          issuerPrivateKey: PrivateKey;
          now?: Date;
          subjectAttrsExtra?: {
              [key: string]: string[];
          }[];
          subjectKeyPair: {
              privateKey: PrivateKey;
              publicKey: PublicKey;
          };
      }
      • duration: number
      • Optional issuerAttrsExtra?: {
            [key: string]: string[];
        }[]
      • issuerPrivateKey: PrivateKey
      • Optional now?: Date
      • Optional subjectAttrsExtra?: {
            [key: string]: string[];
        }[]
      • subjectKeyPair: {
            privateKey: PrivateKey;
            publicKey: PublicKey;
        }

    Returns Promise<Readonly<X509Certificate>>

getCert

  • Get a certificate according to the CertID

    Parameters

    • certId: CertId
    • Optional tran: DBTransaction

    Returns Promise<undefined | Readonly<X509Certificate>>

getCertPEMs

getCertPEMsChain

getCertPEMsChainPEM

getCerts

  • Get Certificate from leaf to root

    Parameters

    • Optional tran: DBTransaction

    Returns AsyncGenerator<Readonly<X509Certificate>, any, unknown>

getCertsChain

  • Gets an array of Certificate in order of leaf to root

    Parameters

    • Optional tran: DBTransaction

    Returns Promise<Readonly<X509Certificate>[]>

getCurrentCert

  • Get the current (leaf) certificate

    Parameters

    • Optional tran: DBTransaction

    Returns Promise<Readonly<X509Certificate>>

getCurrentCertPEM

getLastCertId

Protected putCert

  • Parameters

    • cert: Readonly<X509Certificate>
    • Optional tran: DBTransaction

    Returns Promise<void>

removeEventListener

  • Parameters

    • type: string
    • callback: null | EventListenerOrEventListenerObject
    • Optional options: boolean | EventListenerOptions

    Returns void

renewCertWithCurrentKeyPair

  • Generates a new leaf certificate with the current key pair. This new certificate is chained to the previous certificate. It is self-signed and also signed by the previous certificate

    The self-signed signature is encoded within the NodeSignatureExtension. The certificate signature is produced by the previous certificate's public key.

    This maintains a certificate chain that provides zero-downtime migration. The NodeId does not change.

    Garbage collection of old certificates is executed immediately afterwards. The garbage collection will be checking if the certificates are expired. It will reference the same timestamp that was used to generate the new certificate.

    Parameters

    • duration: number = ...
    • now: Date = ...

    Returns Promise<Readonly<X509Certificate>>

renewCertWithNewKeyPair

  • Generates a new leaf certificate with a new key pair. This new certificate is chained to the previous certificate.

    It is self-signed and also signed by the previous certificate

    The self-signed signature is encoded within the NodeSignatureExtension. The certificate signature is produced by the previous certificate's public key.

    Garbage collection of old certificates is executed immediately afterwards. The garbage collection will be checking if the certificates are expired. It will reference the same timestamp that was used to generate the new certificate.

    Parameters

    • password: string
    • duration: number = ...
    • now: Date = ...

    Returns Promise<Readonly<X509Certificate>>

resetCertWithCurrentKeyPair

  • Generates a new certificate chain starting with the current key pair. The new certificate is self-signed, and has no previous certificate. The NodeId does not change.

    The self-signed signature is encoded within the NodeSignatureExtension.

    Garbage collection of old certificates is executed immediately afterwards. The garbage collection will be checking if the certificates are expired. It will reference the same timestamp that was used to generate the new certificate.

    Parameters

    • duration: number = ...
    • now: Date = ...

    Returns Promise<Readonly<X509Certificate>>

resetCertWithNewKeyPair

  • Generates a new certificate chain starting with a new key pair. The new certificate is self-signed, and has no previous certificate. The results in a new NodeId.

    The self-signed signature is encoded within the NodeSignatureExtension.

    Garbage collection of old certificates is executed immediately afterwards. The garbage collection will be checking if the certificates are expired. It will reference the same timestamp that was used to generate the new certificate.

    Parameters

    • password: string
    • duration: number = ...
    • now: Date = ...

    Returns Promise<Readonly<X509Certificate>>

setWorkerManager

Protected setupCurrentCert

Protected setupRenewCurrentCertTask

  • Sets up the renew current certificate task. This will set the renewal of the certificate to the remaining duration minus the lead time, with the minimum delaying being 0. This task is a singleton. It must be updated when the current certificate is renewed.

    Parameters

    • now: Date = ...

    Returns Promise<void>

start

  • Parameters

    • __namedParameters: {
          fresh?: boolean;
          lazy?: boolean;
          now?: Date;
          subjectAttrsExtra?: {
              [key: string]: string[];
          }[];
      } = {}
      • Optional fresh?: boolean
      • Optional lazy?: boolean
      • Optional now?: Date
      • Optional subjectAttrsExtra?: {
            [key: string]: string[];
        }[]

    Returns Promise<void>

startTasks

  • Start background tasks. This is idempotent.

    Parameters

    • now: Date = ...

    Returns Promise<void>

stop

stopTasks

unsetWorkerManager

Static createCertManager

  • The password is needed in case there needs to be an automatic renewal. When the certificate is automatically renewed, a new key pair is generated.

    The certDuration is in seconds. This is the default duration of generated certificates. Certificates will be valid from now until inclusive of now + certDuration. Certificates only have second resolution, so now is always interpreted as truncated to the second.

    The certRenewLeadTime is in seconds. This is the amount time set before the last valid second timestamp, in which to automatically run the certificate renewal with the current key pair. This must ensure enough time for change propagation across the gestalt graph.

    Parameters

    • __namedParameters: {
          db: DB;
          fresh?: boolean;
          issuerAttrsExtra?: {
              [key: string]: string[];
          }[];
          keyRing: KeyRing;
          lazy?: boolean;
          logger?: Logger;
          now?: Date;
          options?: Partial<CertManagerOptions>;
          subjectAttrsExtra?: {
              [key: string]: string[];
          }[];
          taskManager: TaskManager;
          workerManager?: PolykeyWorkerManagerInterface;
      }
      • db: DB
      • Optional fresh?: boolean
      • Optional issuerAttrsExtra?: {
            [key: string]: string[];
        }[]
      • keyRing: KeyRing
      • Optional lazy?: boolean
      • Optional logger?: Logger
      • Optional now?: Date
      • Optional options?: Partial<CertManagerOptions>
      • Optional subjectAttrsExtra?: {
            [key: string]: string[];
        }[]
      • taskManager: TaskManager
      • Optional workerManager?: PolykeyWorkerManagerInterface

    Returns Promise<CertManager>

Settings

Member Visibility

Theme

On This Page

Generated using TypeDoc