securelink

package module
v0.0.1
Published: Dec 4, 2018 License: Apache-2.0 Imports: 22 Imported by: 0

README

Securelink tries to provide an easy-to-use and efficient way to run multiple interconnected services without having to open and manage many ports.

The idea is to have a secure tunnel so that all services share a single channel.

A basic use case is a clustered service that uses the Raft protocol for consensus. The service will probably also need to speak to other nodes for other purposes, and you can't use Raft for that. In the usual case you would need to open at least two ports on every node, and each connection may secure itself in a different way.

In this example we speak only of two services, but you can have many more.

This is the purpose of the package.

Status

The project is not ready for now.

Documentation

Overview

Package securelink is not really a certificate management tool. It is more a tool to make securing cluster connections easy. Build and save your CA; it will then be able to generate Certificate pointers which can connect to and check peers based only on certificate validity.

There is no need to check the host; you just want to make sure the client and the server both use your CA.

Package securelink enables callers to stream multiple connections inside a single TLS link. The package provides CA and certificate generation for easy management.
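As an added example, not the package's own code, here is the trust model described above built with the standard library alone: an EC P-384 CA (the page's default key length and lifetime) issues a leaf certificate, and a peer is accepted only if its certificate chains to that CA, with no host-name check. The names newCert and trustedByCA are this example's own; the securelink import path is not on the page, so nothing from it is imported.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
const certLifeTime = time.Hour * 24 * 30 * 3 // 3 months, the page's DefaultCertLifeTime

// newCert issues an EC P-384 certificate (the page's DefaultKeyLength) for names: a self-signed
// CA when parent is nil (the role of NewCA), otherwise a leaf signed by parent (Certificate.NewCert).
func newCert(names []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: names[0]},
		DNSNames:     names, // the first name is the "ID" that GetID extracts
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(certLifeTime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// trustedByCA is the only check the package relies on: does cert chain to ca? Host names are not checked.
func trustedByCA(ca, cert *x509.Certificate) bool {
	pool := x509.NewCertPool() // the role of Certificate.GetCertPool
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}
```

Because only chain validity is checked, every certificate the CA ever issued is accepted as a peer; identity must come from the certificate's first host name, as GetID does.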

Index

Constants

This section is empty.

Variables

var (
	DefaultCertLifeTime = time.Hour * 24 * 30 * 3 // 3 months
	DefaultKeyType      = KeyTypeEc
	DefaultKeyLength    = KeyLengthEc384
	DefaultRSAKeyLength = KeyLengthRsa3072
)

Default values for NewCertConfig.

var (
	ErrKeyConfigNotCompatible = fmt.Errorf("the key type and key size are not compatible")
)

These variables define the most common package errors.

Functions

func GetBaseTLSConfig

func GetBaseTLSConfig(host string, cert *Certificate) *tls.Config

GetBaseTLSConfig returns a TLS configuration with the given certificate as "Certificate" and sets up "RootCAs" with the given certificate's CertPool.

func GetCertTemplate

func GetCertTemplate(names []string, ips []net.IP) *x509.Certificate

GetCertTemplate returns the base certificate template.

func GetID

func GetID(addr string, cert *Certificate) (serverID string)

GetID provides a way to get an ID, which in this package is the first host name from the certificate. The function contacts the server at the given address with an "insecure" connection to retrieve its certificate, checks that the certificate is valid against the given certificate (if one is given), and then extracts and returns the first host name from the certificate.

func GetSignatureAlgorithm

func GetSignatureAlgorithm(keyType KeyType, keyLength KeyLength) x509.SignatureAlgorithm

GetSignatureAlgorithm returns the signature algorithm for the given key type and key size.

func NewHTTPSConnector

func NewHTTPSConnector(host string, cert *Certificate) *http.Client

NewHTTPSConnector provides an HTTPS client with a custom root CA and the given client certificate.

func NewServiceConnector

func NewServiceConnector(addr, host string, cert *Certificate, timeout time.Duration) (net.Conn, error)

NewServiceConnector opens a new connection to the given address and checks that the given hostname is the one presented by the server. The connection sends the given certificate for client authentication. The timeout kills the connection after the given duration.

Types

type BaseHandler

type BaseHandler struct {
	NameField      string
	Listener       *BaseListener
	HandleFunction FuncHandler
	MatchFunction  FuncServiceMatch
}

BaseHandler should be used as the parent struct for custom service Handlers.

func (*BaseHandler) Handle

func (t *BaseHandler) Handle(conn net.Conn) (err error)

Handle is called when a client connects to the server and the client points to this service.

func (*BaseHandler) Match

func (t *BaseHandler) Match(hostName string) bool

Match returns true if the given hostname matches the handler.

Implements Handler interface

func (*BaseHandler) Name

func (t *BaseHandler) Name() string

Name returns the name of the handler. It is used mainly when DeregisterService is called.

Implements Handler interface

type BaseListener

type BaseListener struct {
	AddrField  net.Addr
	AcceptChan chan net.Conn
}

BaseListener should be used as the parent struct for custom service Listeners.

func NewBaseListener

func NewBaseListener(addr net.Addr) *BaseListener

NewBaseListener returns an easy-to-extend struct pointer which can be used to register a net.Listener implementation in the package.

func (*BaseListener) Accept

func (l *BaseListener) Accept() (net.Conn, error)

Accept implements the net.Listener interface

func (*BaseListener) Addr

func (l *BaseListener) Addr() net.Addr

Addr implements the net.Listener interface

func (*BaseListener) Close

func (l *BaseListener) Close() error

Close implements the net.Listener interface

type Certificate

type Certificate struct {
	Cert    *x509.Certificate
	KeyPair *KeyPair

	CACerts []*x509.Certificate
	// contains filtered or unexported fields
}

Certificate provides an easy way to use certificates with the tls package.

func NewCA

func NewCA(config *NewCertConfig, names ...string) (*Certificate, error)

NewCA returns a new CA pointer which is supposed to be used as the server certificate, and as the client and server certificate for remote instances. names are used as domain names.

func ReadToken

func ReadToken(tokenString string) (addr *common.Addr, certificate *Certificate, err error)

ReadToken returns the values carried by the token: the server address of the signer and the temporary certificate for the connection. It returns an error if any.

func Unmarshal

func Unmarshal(input []byte) (*Certificate, error)

Unmarshal builds a new Certificate pointer from the information given by the input.

func (*Certificate) GetCertPEM

func (c *Certificate) GetCertPEM() []byte

GetCertPEM is useful to start a new client or server with tls.X509KeyPair.

func (*Certificate) GetCertPool

func (c *Certificate) GetCertPool() (pool *x509.CertPool)

GetCertPool is useful in tls.Config{RootCAs: ca.GetCertPool()}

func (*Certificate) GetTLSCertificate

func (c *Certificate) GetTLSCertificate() tls.Certificate

GetTLSCertificate is useful in tls.Config{Certificates: []tls.Certificate{ca.GetTLSCertificate()}}

func (*Certificate) ID

func (c *Certificate) ID() *big.Int

ID returns the id as a big.Int pointer.

func (*Certificate) Marshal

func (c *Certificate) Marshal() ([]byte, error)

Marshal converts the Certificate pointer into a slice of bytes for transport or future use.

func (*Certificate) NewCert

func (c *Certificate) NewCert(config *NewCertConfig, names ...string) (*Certificate, error)

NewCert returns a new certificate pointer which can be used for TLS connections.

type FuncGetHostNameFromAddr

type FuncGetHostNameFromAddr func(addr string) (hostName string)

FuncGetHostNameFromAddr gets the host name to check during Dial from the address we try to contact.

type FuncHandler

type FuncHandler func(conn net.Conn) (err error)

FuncHandler defines the type of function the handler uses when the related Handler is accessed.

type FuncServiceMatch

type FuncServiceMatch func(serverName string) (match bool)

FuncServiceMatch is a simple function type which, based on a string, tells whether the match is true or not.

type Handler

type Handler interface {
	// Name returns a string to define the service or the group of services the caller
	// registered. Multiple services can have the same name.
	Name() string

	// Handle is called if Match returns true. Once the service gets the
	// connection, no other service will have the ability to get this connection.
	Handle(conn net.Conn) error

	// Must return true if the given host name is related to the related service.
	// If it returns true, this service will be the only one to get the connection.
	Match(hostName string) bool
}

Handler provides a way to use multiple handlers inside a single TLS listener. You specify the TLS certificate for the server, and the same certificate is used in case of Dial.
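An added example, not the package's code, of the dispatch semantics the Handler comments describe and that Server.RegisterService relies on: the first registered handler whose Match accepts the TLS host name takes the connection, and no later handler sees it. The prefix-with-dot matching rule, prefixHandler, dispatch and deregister are this example's own assumptions, since the page only says services are selected by a host name prefix.

```go
package main

import (
	"errors"
	"net"
	"strings"
)

// Handler mirrors the page's Handler interface: a name, a match on the TLS host name, a handler.
type Handler interface {
	Name() string
	Match(hostName string) bool
	Handle(conn net.Conn) error
}

// prefixHandler selects connections whose host name starts with "<prefix>." (assumed rule).
// The trailing dot keeps "raft" from also claiming a "raftx..." host name.
type prefixHandler struct {
	name, prefix string
	handle       func(net.Conn) error
}

func (h prefixHandler) Name() string            { return h.name }
func (h prefixHandler) Match(host string) bool  { return strings.HasPrefix(host, h.prefix+".") }
func (h prefixHandler) Handle(c net.Conn) error { return h.handle(c) }

var errNoService = errors.New("no registered service matches the requested host name")

// dispatch hands conn to the first handler whose Match returns true; later handlers never see
// it. Host names come from the unauthenticated ClientHello, so they only route, never authorize.
// An unmatched connection is closed rather than left open.
func dispatch(handlers []Handler, serverName string, conn net.Conn) (string, error) {
	for _, h := range handlers {
		if h.Match(serverName) {
			return h.Name(), h.Handle(conn)
		}
	}
	conn.Close()
	return "", errNoService
}

// deregister drops every handler registered under name (DeregisterService takes a name, and
// the page notes several services may share one name). The input slice is left untouched.
func deregister(handlers []Handler, name string) []Handler {
	kept := make([]Handler, 0, len(handlers))
	for _, h := range handlers {
		if h.Name() != name {
			kept = append(kept, h)
		}
	}
	return kept
}
```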

func NewHandler

func NewHandler(name string, serviceMatchFunc FuncServiceMatch, handlerFunction FuncHandler) Handler

NewHandler builds a new Handler pointer to use in a server object.

type KeyLength

type KeyLength string

KeyLength is a simple string type that says which key size is in use.

const (
	KeyLengthRsa2048 KeyLength = "RSA 2048"
	KeyLengthRsa3072 KeyLength = "RSA 3072"
	KeyLengthRsa4096 KeyLength = "RSA 4096"
	KeyLengthRsa8192 KeyLength = "RSA 8192"

	KeyLengthEc256 KeyLength = "EC 256"
	KeyLengthEc384 KeyLength = "EC 384"
	KeyLengthEc521 KeyLength = "EC 521"
)

Defines the supported key lengths.

type KeyPair

type KeyPair struct {
	Type            KeyType
	Length          KeyLength
	Private, Public interface{}
}

KeyPair defines a struct to manage different types and sizes of keys interoperably.

func NewEc

func NewEc(keyLength KeyLength) *KeyPair

NewEc returns a new elliptic curve key pair of the given size.

func NewKeyPair

func NewKeyPair(keyType KeyType, keyLength KeyLength) (*KeyPair, error)

NewKeyPair builds a new key pair with the given options.

func NewRSA

func NewRSA(keyLength KeyLength) *KeyPair

NewRSA returns a new RSA key pair of the given size.

func UnmarshalKeyPair

func UnmarshalKeyPair(input []byte) (*KeyPair, error)

UnmarshalKeyPair rebuilds an existing KeyPair pointer that was marshaled with the *KeyPair.Marshal function.

func (*KeyPair) GetPrivateDER

func (k *KeyPair) GetPrivateDER() []byte

GetPrivateDER returns the private key as a DER-encoded slice of bytes.

func (*KeyPair) GetPrivatePEM

func (k *KeyPair) GetPrivatePEM() []byte

GetPrivatePEM returns the private key as a PEM-encoded slice of bytes.

func (*KeyPair) Marshal

func (k *KeyPair) Marshal() []byte

Marshal marshals the current KeyPair pointer to a slice of bytes.

type KeyType

type KeyType string

KeyType is a simple string type that says which type of key is in use.

const (
	KeyTypeRSA KeyType = "RSA"
	KeyTypeEc  KeyType = "Elliptic Curve"
)

Defines the supported key types.

type NewCertConfig

type NewCertConfig struct {
	IsCA       bool
	IsWaldcard bool

	CertTemplate *x509.Certificate
	Parent       *Certificate

	LifeTime time.Duration

	PublicKey *KeyPair
}

NewCertConfig is used to build a new certificate.

func NewDefaultCertificationConfig

func NewDefaultCertificationConfig(parent *Certificate) *NewCertConfig

NewDefaultCertificationConfig builds a new NewCertConfig pointer with the default values.

func NewDefaultCertificationConfigWithDefaultTemplate

func NewDefaultCertificationConfigWithDefaultTemplate(parent *Certificate, names ...string) *NewCertConfig

NewDefaultCertificationConfigWithDefaultTemplate does the same as above but with a default template.

func (*NewCertConfig) Valid

func (ncc *NewCertConfig) Valid() (err error)

Valid checks that the caller has specified the minimum needed for a valid certificate request.

type Server

type Server struct {
	Echo        *echo.Echo
	AddrStruct  *common.Addr
	TLSListener net.Listener
	Certificate *Certificate
	TLSConfig   *tls.Config
	Handlers    []Handler
	// contains filtered or unexported fields
}

Server provides a good way to have many services on one single open port. Register services, which are selected by a TLS host name prefix.

func NewServer

func NewServer(port uint16, tlsConfig *tls.Config, cert *Certificate, getHostNameFromAddr FuncGetHostNameFromAddr) (*Server, error)

NewServer builds a new server. Provide the port you want the server to listen on, the TLS configuration you want to use, and a certificate pointer. getHostNameFromAddr is a function which gets the remote server hostname; this is used to check the certificate name the server presents.

func (*Server) Accept

func (s *Server) Accept() (net.Conn, error)

Accept implements the net.Listener interface

func (*Server) Addr

func (s *Server) Addr() net.Addr

Addr implements the net.Listener interface

func (*Server) Close

func (s *Server) Close() error

Close implements the net.Listener interface

func (*Server) DeregisterService

func (s *Server) DeregisterService(name string)

DeregisterService removes a registered service based on the given name.

func (*Server) Dial

func (s *Server) Dial(addr, hostNamePrefix string, timeout time.Duration) (net.Conn, error)

Dial is used to connect to another server and set a prefix to access a specific registered service.

func (*Server) GetErrorChan

func (s *Server) GetErrorChan() chan error

GetErrorChan returns an error channel which pipes errors from the server.

func (*Server) GetToken

func (s *Server) GetToken() (string, error)

GetToken returns a string representation of a temporary token (valid for 10 minutes).

func (*Server) RegisterService

func (s *Server) RegisterService(handler Handler)

RegisterService adds a new service with its associated match function.

type TransportConn

type TransportConn struct {
	*tls.Conn
	Server bool
}

TransportConn is an interface to

Directories

Path Synopsis
handlers
