getcert

package module
Version: v0.0.0-...-57fe970 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 5, 2020 License: MIT Imports: 6 Imported by: 1

Documentation

Overview

Package getcert allows the dialing of a TLS service (http or gRPC) without possessing the public key. This is useful in situations where you don't need a preshared cert because traffic is under internal control (internal Kubernetes routing) or when you have a non self signed cert that can be verified against a chain of trust with a Certificate Authority (CA). The server already has the cert, why would you want to have a static cert to manage?

For internal traffic (where DNS is under your control), you can do:

tlsCert, xCerts, err := FromTLSServer("service.com:443", true)

For a non self signed certificate you verify with a CA:

tlsCert, xCerts, err := FromTLSServer("service.com:443", false)

You can use this in an http.Client with:

client := &http.Client{
	Transport: &http.Transport{
		TLSClientConfig: &tls.Config{
			ServerName: "service.com", Certificates: []tls.Certificate{tlsCert},
			InsecureSkipVerify: true, // Set only if you set skipVerify to true above
		},
	},
}

repsp, err := client.Get("service.com:443")

You can also use this as a gRPC DialOption:

conn, err := grpc.Dial(*serverAddr, grpc.NewServerTLSFromCert(tlsCert))
if err != nil {
    ...
}
defer conn.Close()

Note: I don't know that I believe there is something completely under internal control that is safe. I suggest always using verify and limiting this to only certain trusted CAs. But that's your call.

This library is useful where mutual authentication via certs is not needed and you do not want to use self signed certs (which gRPC seems to encourage, but this is no better than preshared secrets and rarely

rotate). If your require authentication and don't want client certs, use Oauth or some other mechanism.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func FromTLSServer

func FromTLSServer(servicePort string, skipVerify bool) (tls.Certificate, []*x509.Certificate, error)

FromTLSServer does a TLS handshake with the TLS server at servicePort and retrieves the server's public certificate. If skipVerify is set, it will not attempt to validate the server's certificate chain. All certificates in the chain are returned in the tls.Certificate (which can hold multiple certs) and also as the x509.Certificate list.

Types

This section is empty.

Source Files

Directories

Path Synopsis
Package pkcs12 allows a user to read in a PKCS12 file and return a private key and public certificates that can be used in both TLS services.
Package pkcs12 allows a user to read in a PKCS12 file and return a private key and public certificates that can be used in both TLS services.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
t or T : Toggle theme light dark auto
y or Y : Canonical URL