Variables ¶
// DefaultPorts maps each Protocol to its standard port number. It is the
// fallback consulted when no explicit port is configured (see
// CheckOptions.EffectivePort).
//
// NOTE(review): this is an exported, mutable package-level map, so any
// importer can change the defaults process-wide; treat writes to it as a
// global side effect.
var DefaultPorts = map[Protocol]int{
	HTTPS:    443,
	SMTP:     587,
	IMAP:     143,
	POP3:     110,
	FTP:      21,
	LDAP:     389,
	MySQL:    3306,
	Postgres: 5432,
	XMPP:     5222,
	Sieve:    4190,
}
DefaultPorts maps each Protocol to its standard port number.
Functions ¶
func DefaultCertsPath ¶
func DefaultCertsPath() string
DefaultCertsPath returns the default output directory for generated certificates.
Types ¶
type CAInitOptions ¶
// CAInitOptions configures the creation of a new Certificate Authority.
type CAInitOptions struct {
	// CommonName is the CA certificate's CN field.
	CommonName string `json:"commonName"`
	// Organization is the CA certificate's O field.
	Organization string `json:"organization"`
	// Country is the optional two-letter country code; omitted from JSON when empty.
	Country string `json:"country,omitempty"`
	// Validity is the CA lifetime in years (DefaultCAInitOptions uses 10).
	Validity int `json:"validity"`
	// KeyType selects the key algorithm ("ecdsa" or "rsa"); DefaultCAInitOptions uses ECDSA.
	KeyType string `json:"keyType"`
}
CAInitOptions configures the creation of a new Certificate Authority.
func DefaultCAInitOptions ¶
func DefaultCAInitOptions() CAInitOptions
DefaultCAInitOptions returns CAInitOptions with sensible defaults (ECDSA, 10-year validity).
type CertDetails ¶
// CertDetails holds extended certificate metadata such as key usage, OCSP
// servers, and SANs. Slice and pointer fields are omitted from JSON when empty.
type CertDetails struct {
	// SignatureAlgorithm names the algorithm used to sign the certificate.
	SignatureAlgorithm string `json:"signatureAlgorithm"`
	// KeyUsage lists the certificate's Key Usage values, if any.
	KeyUsage []string `json:"keyUsage,omitempty"`
	// ExtKeyUsage lists the certificate's Extended Key Usage values, if any.
	ExtKeyUsage []string `json:"extKeyUsage,omitempty"`
	// IsCA reports whether the certificate is marked as a CA certificate.
	IsCA bool `json:"isCA"`
	// OCSPServers lists the certificate's OCSP responder URLs, if any.
	OCSPServers []string `json:"ocspServers,omitempty"`
	// CRLDistPoints lists the certificate's CRL distribution point URLs, if any.
	CRLDistPoints []string `json:"crlDistributionPoints,omitempty"`
	// PolicyOIDs lists the certificate policy OIDs, if any.
	PolicyOIDs []string `json:"policyOIDs,omitempty"`
	// SANs holds the Subject Alternative Names; presumably nil when the
	// certificate carries none — confirm against the inspector.
	SANs *SANs `json:"sans,omitempty"`
}
CertDetails holds extended certificate metadata such as key usage, OCSP servers, and SANs.
type CertSummary ¶
// CertSummary provides a brief overview of a certificate for listing purposes.
type CertSummary struct {
	// Path is the location the certificate was loaded from (presumably a file path).
	Path string `json:"path"`
	// Subject is the certificate subject rendered as a single string.
	Subject string `json:"subject"`
	// SANs lists the Subject Alternative Names; omitted from JSON when empty.
	SANs []string `json:"sans,omitempty"`
	// Issuer is the certificate issuer rendered as a single string.
	Issuer string `json:"issuer"`
	// DaysRemaining is the number of days until the certificate expires
	// (sign convention after expiry not shown here — TODO confirm).
	DaysRemaining int `json:"daysRemaining"`
	// Valid reports whether the certificate passed the summary's validity check.
	Valid bool `json:"valid"`
}
CertSummary provides a brief overview of a certificate for listing purposes.
type ChainCert ¶
// ChainCert represents a single certificate in the trust chain.
type ChainCert struct {
	// Subject is the certificate's subject distinguished name.
	Subject Subject `json:"subject"`
	// Issuer is the certificate's issuer distinguished name.
	Issuer Subject `json:"issuer"`
	// ValidFrom is the start of the validity period, rendered as a string
	// (format not shown here — TODO confirm).
	ValidFrom string `json:"validFrom"`
	// ValidTo is the end of the validity period, rendered as a string.
	ValidTo string `json:"validTo"`
	// Fingerprint256 is the certificate's SHA-256 fingerprint (encoding
	// presumably hex — confirm).
	Fingerprint256 string `json:"fingerprint256"`
	// SerialNumber is the certificate serial number rendered as a string.
	SerialNumber string `json:"serialNumber"`
}
ChainCert represents a single certificate in the trust chain.
type CheckOptions ¶
// CheckOptions configures how a TLS certificate check is performed.
// DefaultCheckOptions yields HTTPS with a 10s timeout.
type CheckOptions struct {
	// Port overrides the default port for the protocol; see EffectivePort
	// for the fallback to DefaultPorts.
	Port int
	// Protocol selects the connection protocol (e.g. HTTPS, SMTP).
	Protocol Protocol
	// Timeout is the maximum duration for the full connection (TCP dial + TLS handshake).
	Timeout time.Duration
	// ServerName overrides the SNI value sent during the TLS handshake; see
	// EffectiveServerName for the fallback to the target host.
	// NOTE(review): confirm whether hostname verification also uses this
	// value, since a ServerName that differs from the host changes what
	// Result.Valid attests to.
	ServerName string
	// WarnDays sets the threshold for flagging certificates as expiring soon;
	// presumably nil disables the "expiring soon" flag — confirm.
	WarnDays *int
	// DoGrade enables TLS security grading in the result.
	DoGrade bool
}
CheckOptions configures how a TLS certificate check is performed.
func DefaultCheckOptions ¶
func DefaultCheckOptions() CheckOptions
DefaultCheckOptions returns CheckOptions with sensible defaults (HTTPS, 10s timeout).
func (CheckOptions) EffectivePort ¶
func (o CheckOptions) EffectivePort() int
EffectivePort returns the configured port, falling back to the protocol's default port.
func (CheckOptions) EffectiveServerName ¶
func (o CheckOptions) EffectiveServerName(host string) string
EffectiveServerName returns the configured SNI server name, falling back to the given host.
type ErrCAExists ¶
// ErrCAExists indicates a CA already exists at the path.
type ErrCAExists struct {
	// Path is the location where the existing CA was found.
	Path string
}
ErrCAExists indicates a CA already exists at the path.
func (*ErrCAExists) Error ¶
func (e *ErrCAExists) Error() string
type ErrCANotFound ¶
// ErrCANotFound indicates no CA was found at the expected path.
type ErrCANotFound struct {
	// Path is the location that was searched for the CA.
	Path string
}
ErrCANotFound indicates no CA was found at the expected path.
func (*ErrCANotFound) Error ¶
func (e *ErrCANotFound) Error() string
type ErrCertificateInvalid ¶
ErrCertificateInvalid indicates the certificate failed validation.
func (*ErrCertificateInvalid) Error ¶
func (e *ErrCertificateInvalid) Error() string
type ErrConnection ¶
ErrConnection represents a failure to establish a network connection.
func (*ErrConnection) Error ¶
func (e *ErrConnection) Error() string
func (*ErrConnection) Unwrap ¶
func (e *ErrConnection) Unwrap() error
type ErrFileRead ¶
ErrFileRead represents a failure to read a file.
func (*ErrFileRead) Error ¶
func (e *ErrFileRead) Error() string
func (*ErrFileRead) Unwrap ¶
func (e *ErrFileRead) Unwrap() error
type ErrInvalidPEM ¶
// ErrInvalidPEM indicates the file is not valid PEM format.
type ErrInvalidPEM struct {
	// Path is the file that failed PEM parsing.
	Path string
}
ErrInvalidPEM indicates the file is not valid PEM format.
func (*ErrInvalidPEM) Error ¶
func (e *ErrInvalidPEM) Error() string
type ErrTLSHandshake ¶
ErrTLSHandshake represents a failure during TLS negotiation.
func (*ErrTLSHandshake) Error ¶
func (e *ErrTLSHandshake) Error() string
func (*ErrTLSHandshake) Unwrap ¶
func (e *ErrTLSHandshake) Unwrap() error
type ErrUnsupportedProtocol ¶
// ErrUnsupportedProtocol indicates the requested STARTTLS protocol is not supported.
type ErrUnsupportedProtocol struct {
	// Protocol is the unsupported protocol that was requested.
	Protocol Protocol
}
ErrUnsupportedProtocol indicates the requested STARTTLS protocol is not supported.
func (*ErrUnsupportedProtocol) Error ¶
func (e *ErrUnsupportedProtocol) Error() string
type GenerateOptions ¶
// GenerateOptions configures certificate or CSR generation.
// DefaultGenerateOptions yields ECDSA, 825 days and server usage.
type GenerateOptions struct {
	// Days is the certificate validity period in days.
	Days int
	// KeyType selects the key algorithm ("ecdsa" or "rsa").
	KeyType string
	// OutDir is the directory where generated files are written.
	OutDir string
	// Server enables the TLS server extended key usage.
	Server bool
	// Client enables the TLS client extended key usage.
	Client bool
	// CAPath is the path to the CA used for signing; empty means self-signed.
	CAPath string
	// Organization sets the O field in the certificate subject.
	Organization string
	// Country sets the C field in the certificate subject.
	Country string
	// OrgUnit sets the OU field in the certificate subject.
	OrgUnit string
	// Locality sets the L field in the certificate subject.
	Locality string
	// State sets the ST field in the certificate subject.
	State string
	// Bundle appends the CA certificate to the output certificate file.
	Bundle bool
}
GenerateOptions configures certificate or CSR generation.
func DefaultGenerateOptions ¶
func DefaultGenerateOptions() GenerateOptions
DefaultGenerateOptions returns GenerateOptions with sensible defaults (ECDSA, 825 days, server usage).
type GenerateResult ¶
GenerateResult holds the output paths and metadata from certificate generation.
type Grade ¶
// Grade represents the overall TLS security grade and associated findings.
// It is populated only when CheckOptions.DoGrade is set.
type Grade struct {
	// Grade is the letter grade (e.g. "A+", "B", "F").
	Grade string `json:"grade"`
	// Protocols lists the TLS protocol versions supported by the server.
	Protocols []string `json:"protocols"`
	// WeakCiphers indicates whether any weak cipher suites were detected.
	WeakCiphers bool `json:"weakCiphers"`
	// Reasons lists human-readable explanations for any grade deductions.
	Reasons []string `json:"reasons"`
}
Grade represents the overall TLS security grade and associated findings.
type HSTS ¶
// HSTS holds HTTP Strict Transport Security header information for a host.
type HSTS struct {
	// Enabled reports whether a Strict-Transport-Security header was present.
	Enabled bool `json:"enabled"`
	// MaxAge is the header's max-age directive in seconds.
	// NOTE(review): omitempty drops a max-age of 0 from the JSON output, so
	// consumers should key on Enabled rather than on the presence of maxAge.
	MaxAge int `json:"maxAge,omitempty"`
	// IncludeSubDomains reports whether the includeSubDomains directive was set.
	IncludeSubDomains bool `json:"includeSubDomains,omitempty"`
	// Preload reports whether the preload directive was set.
	Preload bool `json:"preload,omitempty"`
}
HSTS holds HTTP Strict Transport Security header information for a host.
type OCSPStatus ¶
// OCSPStatus holds the OCSP revocation check result for a certificate.
type OCSPStatus struct {
	// Status is the revocation status as a string (the set of values is not
	// shown here — TODO confirm).
	Status string `json:"status"`
	// Stapled reports whether the OCSP response was stapled by the server.
	Stapled bool `json:"stapled"`
	// Error describes why the OCSP check could not complete; omitted when empty.
	Error string `json:"error,omitempty"`
}
OCSPStatus holds the OCSP revocation check result for a certificate.
type Protocol ¶
// Protocol represents a connection protocol used for TLS certificate checks.
// The known values are the constants declared below; DefaultPorts maps each
// to its standard port.
type Protocol string
Protocol represents a connection protocol used for TLS certificate checks.
const (
	// HTTPS is the HTTPS protocol (default port 443).
	HTTPS Protocol = "https"
	// SMTP is the SMTP protocol with STARTTLS (default port 587).
	SMTP Protocol = "smtp"
	// IMAP is the IMAP protocol with STARTTLS (default port 143).
	IMAP Protocol = "imap"
	// POP3 is the POP3 protocol with STARTTLS (default port 110).
	POP3 Protocol = "pop3"
	// FTP is the FTP protocol with explicit TLS (default port 21).
	FTP Protocol = "ftp"
	// LDAP is the LDAP protocol with STARTTLS (default port 389).
	LDAP Protocol = "ldap"
	// MySQL is the MySQL protocol with TLS negotiation (default port 3306).
	MySQL Protocol = "mysql"
	// Postgres is the PostgreSQL protocol with TLS negotiation (default port 5432).
	Postgres Protocol = "postgres"
	// XMPP is the XMPP protocol with STARTTLS (default port 5222).
	XMPP Protocol = "xmpp"
	// Sieve is the ManageSieve protocol with STARTTLS (default port 4190).
	Sieve Protocol = "sieve"
)
type Result ¶
// Result holds the full inspection outcome for a single TLS certificate.
type Result struct {
	// Valid indicates whether the certificate passed validation. For remote checks
	// (Check/CheckBatch), this reflects full chain and hostname verification. For
	// local file inspection (InspectFile), this only checks that the certificate
	// has not expired. For CSR inspection, this checks the request signature.
	Valid bool `json:"valid"`
	// ValidationError describes why Valid is false; omitted from JSON when empty.
	ValidationError string `json:"validationError,omitempty"`
	// ValidFrom is the start of the validity period, rendered as a string
	// (format not shown here — TODO confirm).
	ValidFrom string `json:"validFrom"`
	// ValidTo is the end of the validity period, rendered as a string.
	ValidTo string `json:"validTo"`
	// DaysRemaining is the number of days until ValidTo.
	DaysRemaining int `json:"daysRemaining"`
	// ExpiringSoon reports whether DaysRemaining is under the configured
	// threshold; presumably nil (omitted) when CheckOptions.WarnDays is
	// unset — confirm.
	ExpiringSoon *bool `json:"expiringSoon,omitempty"`
	// ValidFor lists the names the certificate is valid for; omitted when empty.
	ValidFor []string `json:"validFor,omitempty"`
	// Issuer is the issuer distinguished name.
	Issuer Subject `json:"issuer"`
	// Subject is the subject distinguished name.
	Subject Subject `json:"subject"`
	// Fingerprint256 is the certificate's SHA-256 fingerprint (encoding
	// presumably hex — confirm).
	Fingerprint256 string `json:"fingerprint256"`
	// SerialNumber is the certificate serial number rendered as a string.
	SerialNumber string `json:"serialNumber"`
	// Protocol is presumably the negotiated TLS protocol version for remote
	// checks — confirm; likely empty for local inspection.
	Protocol string `json:"protocol"`
	// Cipher is presumably the negotiated cipher suite for remote checks.
	Cipher string `json:"cipher"`
	// Bits is a key size in bits (which key is not shown here — TODO confirm).
	Bits int `json:"bits"`
	// Chain lists the certificates in the presented trust chain.
	Chain []ChainCert `json:"chain"`
	// ChainComplete reports whether the chain is complete (the exact
	// criterion is not shown here — TODO confirm).
	ChainComplete bool `json:"chainComplete"`
	// HSTS holds HSTS header information; no omitempty, so a nil value is
	// encoded as JSON null.
	HSTS *HSTS `json:"hsts"`
	// Grade holds the TLS security grade; set only when CheckOptions.DoGrade is true.
	Grade *Grade `json:"grade,omitempty"`
	// OCSP holds the OCSP revocation check result, if performed.
	OCSP *OCSPStatus `json:"ocsp,omitempty"`
	// CRL holds the CRL revocation check result, if performed.
	CRL *CRLStatus `json:"crl,omitempty"`
	// SCT holds Certificate Transparency SCT information, if present.
	SCT *SCTInfo `json:"sct,omitempty"`
	// Details holds extended certificate metadata, if collected.
	Details *CertDetails `json:"details,omitempty"`
}
Result holds the full inspection outcome for a single TLS certificate.
type ResultOrError ¶
ResultOrError pairs a Result with an optional error, used in batch operations.
type SANs ¶
// SANs holds the Subject Alternative Names from a certificate. Each list is
// omitted from JSON when empty.
type SANs struct {
	// DNSNames lists the dNSName entries.
	DNSNames []string `json:"dnsNames,omitempty"`
	// IPAddresses lists the iPAddress entries, rendered as strings.
	IPAddresses []string `json:"ipAddresses,omitempty"`
	// Emails lists the rfc822Name (email) entries.
	Emails []string `json:"emails,omitempty"`
	// URIs lists the uniformResourceIdentifier entries.
	URIs []string `json:"uris,omitempty"`
}
SANs holds the Subject Alternative Names from a certificate.
type SCTInfo ¶
// SCTInfo holds Signed Certificate Timestamp information from Certificate
// Transparency logs.
type SCTInfo struct {
	// Count is the number of SCTs found for the certificate.
	Count int `json:"count"`
}
SCTInfo holds Signed Certificate Timestamp information from Certificate Transparency logs.
type Subject ¶
// Subject holds the distinguished name fields of a certificate subject or issuer.
type Subject struct {
	// CN is the Common Name.
	CN string `json:"CN"`
	// O is the Organization; omitted from JSON when empty.
	O string `json:"O,omitempty"`
	// C is the Country code; omitted from JSON when empty.
	C string `json:"C,omitempty"`
}
Subject holds the distinguished name fields of a certificate subject or issuer.
type VerifyOptions ¶
VerifyOptions configures certificate verification against a CA and optional private key.
type VerifyResult ¶
// VerifyResult holds the outcome of a certificate verification check.
type VerifyResult struct {
	// Valid reports whether verification succeeded overall.
	Valid bool `json:"valid"`
	// Chain reports whether the certificate chained to the supplied CA.
	Chain bool `json:"chain"`
	// KeyMatch reports whether the optional private key matches the certificate.
	// NOTE(review): omitempty on a bool drops a false value from the JSON
	// output, so a consumer cannot tell "key mismatch" from "no key supplied"
	// by this field alone; check Valid and Errors as well.
	KeyMatch bool `json:"keyMatch,omitempty"`
	// Errors lists verification failures; omitted when empty.
	Errors []string `json:"errors,omitempty"`
	// Subject is the certificate subject rendered as a single string.
	Subject string `json:"subject"`
	// Issuer is the certificate issuer rendered as a single string.
	Issuer string `json:"issuer"`
}
VerifyResult holds the outcome of a certificate verification check.