package tls

v0.0.0-...-d95a457 Latest

Published: Jul 12, 2018 License: MIT Imports: 20 Imported by: 0

Documentation

Constants

This section is empty.

Variables

var (

	// AuthRequest is called on handler authorizations.
	// An example use is setting this function to log
	// valid or invalid authorizations.
	AuthRequest func(r *http.Request, status AuthStatus)
)

Functions

func ConfigureClient

func ConfigureClient(clientKeyPairName string, serverCertNames ...string) (config *tls.Config, err error)

ConfigureClient returns a TLS client configuration that presents the clientKeyPairName key pair to the remote server. If serverCertNames is non-empty, server certificates must be signed by one of the named certs; otherwise the default system CA list is used.

func ConfigureServer

func ConfigureServer(serverKeyPairName string, clientCertNames ...string) (config *tls.Config, err error)

ConfigureServer returns a TLS server configuration that presents the serverKeyPairName key pair to clients. If clientCertNames is non-empty, the server will request a client certificate and require that it be provided and signed by one of the named certs.

func GenerateConfig

func GenerateConfig(client bool, keyPairName string, caCertNames []string) (config *tls.Config, err error)

GenerateConfig returns a *tls.Config for a client (if client is true) or a server (if client is false), loading the key pair from the ${keyPairName}-[cert,key].pem files and, if caCertNames is given, accepting only certificates signed by those named CA certs.
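As an added example (not the package's own code), this shows which standard-library tls.Config settings the "request a client certificate and require that it be signed by one of the named certs" behaviour of ConfigureServer corresponds to, and the "otherwise the default system CA list" fallback of ConfigureClient, with a loader that follows the ${name}-cert.pem / ${name}-key.pem convention described on this page. ServerConfigFor, ClientConfigFor, loadPool and the explicit dir argument are assumptions standing in for the package's CertPath lookup.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"os"
	"path/filepath"
)

// loadPool reads each ${name}-cert.pem from dir into a pool, following the page's file naming.
// An empty name list yields a nil pool, which the callers below treat as "no custom CAs".
func loadPool(dir string, names []string) (*x509.CertPool, error) {
	if len(names) == 0 {
		return nil, nil
	}
	pool := x509.NewCertPool()
	for _, n := range names {
		data, err := os.ReadFile(filepath.Join(dir, n+"-cert.pem"))
		if err != nil {
			return nil, err
		}
		if !pool.AppendCertsFromPEM(data) {
			return nil, fmt.Errorf("%s-cert.pem: no certificates found", n)
		}
	}
	return pool, nil
}

// ServerConfigFor builds the server side. A non-nil client CA pool switches on mutual TLS by
// requiring a client certificate AND verifying it against that pool (RequestClientCert alone
// would accept connections without one). Keeping this step pure makes the policy testable.
func ServerConfigFor(cert tls.Certificate, clientCAs *x509.CertPool) *tls.Config {
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	if clientCAs != nil {
		cfg.ClientCAs = clientCAs
		cfg.ClientAuth = tls.RequireAndVerifyClientCert
	}
	return cfg
}

// ClientConfigFor builds the client side; a nil roots pool leaves RootCAs unset so Go falls
// back to the system CA list, which is the fallback the page documents for ConfigureClient.
func ClientConfigFor(cert tls.Certificate, roots *x509.CertPool) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: roots, MinVersion: tls.VersionTLS12}
}

// ConfigureServer mirrors the page's function signature (plus the hypothetical dir argument).
func ConfigureServer(dir, serverKeyPairName string, clientCertNames ...string) (*tls.Config, error) {
	cert, err := tls.LoadX509KeyPair(filepath.Join(dir, serverKeyPairName+"-cert.pem"), filepath.Join(dir, serverKeyPairName+"-key.pem"))
	if err != nil {
		return nil, err
	}
	pool, err := loadPool(dir, clientCertNames)
	if err != nil {
		return nil, err
	}
	return ServerConfigFor(cert, pool), nil
}
```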

func Init

func Init(certPath string, insecure bool)

Init sets the CertPath to search for TLS certs and keys. If CertPath is empty, $BIN/../certs and $PWD/../../../../certs are searched. Insecure is a flag to ignore cert verification errors.

func LoadPackagedKeypair

func LoadPackagedKeypair(name string) (cert tls.Certificate, certFile, keyFile string, err error)

LoadPackagedKeypair loads a cert/key pair from the package store. It looks for the ${name}-[cert,key].pem files, either in the PEM dir if just a filename is given or at the full path if a path is given.

func LocatePackagedPEMDir

func LocatePackagedPEMDir() (dir string, err error)

LocatePackagedPEMDir locates the path of the packaged PEM store, which is the directory named "certs". Functions that take a (name string) parameter look for files named ${name}-key.pem and/or ${name}-cert.pem in this directory.

func LocatePackagedPEMFile

func LocatePackagedPEMFile(name string) (file string, err error)

LocatePackagedPEMFile loads a single PEM file (with -cert or -key suffix) from the package store.

func PreferredCipherSuites

func PreferredCipherSuites() []uint16

PreferredCipherSuites returns the set of default cipher suites, minus RC4 and 3DES suites, with ECDSA preferred over RSA.

func SetWrapCreds

func SetWrapCreds(adminuser, adminpass, authrealm string)

SetWrapCreds stores the adminuser, adminpass, and authrealm. These parameters will be used as the credentials and realm in calls to WrapHandleForAuth and WrapHandlerFuncForAuth.

func WrapHandlerForAuth

func WrapHandlerForAuth(h http.Handler) http.Handler

WrapHandlerForAuth calls WrapHandlerForAuthCreds with the currently stored adminuser, adminpass, and authrealm. SetWrapCreds should be called before this function, or else the Handler will not be wrapped with basic authentication.

func WrapHandlerForAuthCreds

func WrapHandlerForAuthCreds(h http.Handler, adminuser, adminpass, authrealm string) http.Handler

WrapHandlerForAuthCreds returns the Handler wrapped with basic authentication requiring credentials adminuser and adminpass. The authrealm will be used for the WWW-Authenticate header's basic realm.

func WrapHandlerFuncForAuth

func WrapHandlerFuncForAuth(h http.HandlerFunc) http.HandlerFunc

WrapHandlerFuncForAuth calls WrapHandlerFuncForAuthCreds with the currently stored adminuser, adminpass, and authrealm. SetWrapCreds should be called before this function, or else the HandlerFunc will not be wrapped with basic authentication.

func WrapHandlerFuncForAuthCreds

func WrapHandlerFuncForAuthCreds(h http.HandlerFunc, adminuser, adminpass, authrealm string) http.HandlerFunc

WrapHandlerFuncForAuthCreds returns the HandlerFunc wrapped with basic authentication requiring credentials adminuser and adminpass. The authrealm will be used for the WWW-Authenticate header's basic realm.
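An added example, not the package's own code, of what WrapHandlerForAuthCreds and the AuthRequest hook do together: the wrapper demands HTTP basic auth, puts authrealm into WWW-Authenticate when credentials are missing or wrong, and reports every decision to AuthRequest so failed admin logins can be logged. Hashing both sides to fixed-length digests and comparing in constant time is my addition; the page does not say how the package compares credentials.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"net/http"
	"strconv"
)

// AuthStatus and AuthRequest mirror the page's hook: it is called on every authorization
// decision, which is where logging of failed admin logins belongs.
type AuthStatus int

const (
	AuthSuccess AuthStatus = iota
	AuthFailure
)

var AuthRequest func(r *http.Request, status AuthStatus)

// WrapHandlerForAuthCreds stands in for the page's function: it requires basic auth with the
// given credentials and advertises authrealm in WWW-Authenticate when they are missing or wrong.
// Both sides are hashed to fixed-length digests and compared in constant time, so neither the
// comparison's timing nor the length of the secret leaks anything about the expected values.
func WrapHandlerForAuthCreds(h http.Handler, adminuser, adminpass, authrealm string) http.Handler {
	wantUser, wantPass := sha256.Sum256([]byte(adminuser)), sha256.Sum256([]byte(adminpass))
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, pass, ok := r.BasicAuth()
		gotUser, gotPass := sha256.Sum256([]byte(user)), sha256.Sum256([]byte(pass))
		// Run both comparisons unconditionally so a wrong user costs the same as a wrong password.
		userOK := subtle.ConstantTimeCompare(gotUser[:], wantUser[:]) == 1
		passOK := subtle.ConstantTimeCompare(gotPass[:], wantPass[:]) == 1
		if !ok || !userOK || !passOK {
			if AuthRequest != nil {
				AuthRequest(r, AuthFailure)
			}
			w.Header().Set("WWW-Authenticate", "Basic realm="+strconv.Quote(authrealm)+`, charset="UTF-8"`)
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		if AuthRequest != nil {
			AuthRequest(r, AuthSuccess)
		}
		h.ServeHTTP(w, r)
	})
}
```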

Types

type AuthStatus

type AuthStatus int
const (
	AuthSuccess AuthStatus = iota
	AuthFailure
)

type CertCreator

type CertCreator struct {
	// Serial number, defaults to 1.
	Serial int64
	// Time period in which the cert is valid, defaults to the current time
	// until the maximum of 2049-12-13.
	NotBefore, NotAfter time.Time
	// Key size in bytes, defaults to 4096.
	KeySize int
	// Descriptive names for the organization creating the CA. Defaults to
	// empty.
	Country, State, City, Organization string
}

CertCreator generates client or server public/private RSA keypairs signed by a generated self-signed certificate authority (CA). It will reload the CA cert from disk if present, and will not overwrite a keypair if either the key or cert exists on disk, so a cert generation program can be safely re-run after adding new certs. All keys are granted the minimal set of extended key usages for their purpose.

The default values described in the field comments above apply not to the zero value but to the CertCreator returned by NewCertCreator().

Example:

cc := tls.NewCertCreator()
root, err := cc.GenerateRootKeyPair("my-ca", "My CA")
if err != nil {
	log.Fatal(err)
}
host := "*.mydomain.com"
// GenerateKeyPair also returns (*KeyPair, error); check it the same way.
_, err = cc.GenerateKeyPair(tls.CLIENT, root, "proxy-client", host, host)
_, err = cc.GenerateKeyPair(tls.SERVER, root, "proxy-server", host, host)

func NewCertCreator

func NewCertCreator() *CertCreator

NewCertCreator returns a CertCreator with default values.

func (*CertCreator) GenerateKeyPair

func (cc *CertCreator) GenerateKeyPair(purpose Purpose, parent *KeyPair, name string, commonName string, hosts ...string) (*KeyPair, error)

GenerateKeyPair generates or reloads an RSA keypair with key usages determined by `purpose`. The disk files that are generated or reused are named `name`-key.pem and `name`-cert.pem for the private and public halves, respectively. `commonName` and `hosts` are the corresponding fields in the certificate.

cc.Serial is incremented for each key that is freshly generated.

func (*CertCreator) GenerateRootKeyPair

func (cc *CertCreator) GenerateRootKeyPair(name string, commonName string, hosts ...string) (*KeyPair, error)

GenerateRootKeyPair creates or reloads a self-signed CA cert.

type KeyPair

type KeyPair struct {
	Cert    *x509.Certificate
	PrivKey *rsa.PrivateKey
}

func LoadKeyPairFromDisk

func LoadKeyPairFromDisk(name string) (*KeyPair, error)

LoadKeyPairFromDisk returns a KeyPair from disk files based on the given name.

type Purpose

type Purpose int
const (
	// CA certs are used only for signing other certs.
	CA Purpose = iota
	// CLIENT certs are presented by clients which initiate TLS connections.
	CLIENT
	// SERVER certs are presented by servers which accept TLS connections.
	SERVER
)
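An added example, not the project's CertCreator, of the rule stated above that every key is granted only the minimal extended key usages for its Purpose: a CA gets certificate signing and no TLS role, CLIENT gets only clientAuth, SERVER gets only serverAuth, so a client cert cannot be repurposed as a server cert and vice versa. It uses Ed25519 instead of the package's RSA so key generation is fast, takes the serial as a parameter rather than from cc.Serial, and does not write or reload PEM files.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// Purpose and KeyPair mirror the page's types; Ed25519 stands in for RSA so key generation is fast.
type Purpose int
const (
	CA Purpose = iota
	CLIENT
	SERVER
)
type KeyPair struct {
	Cert *x509.Certificate
	Key  ed25519.PrivateKey
}
// GenerateKeyPair issues a cert for purpose signed by parent (nil = self-signed root) with only the key usages that purpose needs.
func GenerateKeyPair(purpose Purpose, parent *KeyPair, serial int64, cn string, hosts ...string) (*KeyPair, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: hosts,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	switch purpose {
	case CA: // signs other certs only, so it gets no TLS extended key usage at all
		t.IsCA, t.KeyUsage = true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
	case CLIENT:
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	case SERVER:
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	issuer, signer := t, key // self-signed unless a parent is given
	if parent != nil {
		issuer, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, issuer, pub, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &KeyPair{Cert: cert, Key: key}, err
}
```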
