
Package hpkp







package main

import (

func main() {
	s := hpkp.NewMemStorage()

	s.Add("", &hpkp.Header{
		Permanent: true,
		Sha256Pins: []string{

	client := &http.Client{}
	dialConf := &hpkp.DialerConfig{
		Storage:   s,
		PinOnly:   true,
		TLSConfig: nil,
		Reporter: func(p *hpkp.PinFailure, reportUri string) {
			// TODO: report on PIN failure
	client.Transport = &http.Transport{
		DialTLS: dialConf.NewDialer(),

	resp, err := client.Get("")
	if err != nil {




func Fingerprint

func Fingerprint(c *x509.Certificate) string

Fingerprint returns the HPKP pin value (a SHA-256 based fingerprint) of an x509 certificate, in the same form as the entries of Header.Sha256Pins, so the result can be compared with Header.Matches.

type DialerConfig

type DialerConfig struct {
	Storage   StorageReader
	PinOnly   bool
	TLSConfig *tls.Config
	Reporter  PinFailureReporter

DialerConfig describes how the dialer verifies a host's HPKP pins (looked up in Storage) and how pin-validation failures are reported (via Reporter). TLSConfig, if non-nil, is the tls.Config used for the underlying TLS handshake.

func (*DialerConfig) NewDialer

func (c *DialerConfig) NewDialer() func(network, addr string) (net.Conn, error)

NewDialer returns a dial function, suitable for use as http.Transport.DialTLS, that opens a TLS connection to addr and checks the peer's certificate chain against the pins stored for that host in c.Storage, invoking c.Reporter on a mismatch.

type Header struct {
	Created           int64
	MaxAge            int64
	IncludeSubDomains bool
	Permanent         bool
	Sha256Pins        []string
	ReportURI         string

Header holds a domain's HPKP information: when it was noted (Created), how long it is valid (MaxAge), whether it applies to subdomains, whether it is a permanent (preloaded) entry, the set of SHA-256 pins, and the report-uri to which pin failures are POSTed.

func ParseHeader

func ParseHeader(resp *http.Response) *Header

ParseHeader parses the Public-Key-Pins information from an http.Response into a Header. Note that header values come from the remote server and are therefore untrusted input; in particular ReportURI should be validated before it is used as a destination for reports.

func ParseReportOnlyHeader

func ParseReportOnlyHeader(resp *http.Response) *Header

ParseReportOnlyHeader parses the Public-Key-Pins-Report-Only information from an http.Response. The resulting Header must not be cached or enforced: per RFC 7469 the max-age directive is ignored on Report-Only headers, so the parsed value is only suitable for generating reports.

func (*Header) Matches

func (h *Header) Matches(pin string) bool

Matches reports whether the provided pin is one of the entries in h.Sha256Pins.

type MemStorage

type MemStorage struct {
	// contains filtered or unexported fields

MemStorage is a thread-safe HPKP host store backed by an in-memory map.

func NewMemStorage

func NewMemStorage() *MemStorage

NewMemStorage returns an empty, ready-to-use in-memory HPKP store.

func (*MemStorage) Add

func (s *MemStorage) Add(host string, d *Header)

Add stores the HPKP Header d for the given host, replacing any existing entry for that host.

func (*MemStorage) Lookup

func (s *MemStorage) Lookup(host string) *Header

Lookup returns the stored HPKP Header for the given host (nil is presumably returned when no entry exists — confirm against the implementation).

type PinFailure

type PinFailure struct {
	DateTime                  string   `json:"date-time"`
	Hostname                  string   `json:"hostname"`
	Port                      int      `json:"port"`
	EffectiveExpirationDate   string   `json:"effective-expiration-date"`
	IncludeSubdomains         bool     `json:"include-subdomains"`
	NotedHostname             string   `json:"noted-hostname"`
	ServedCertificateChain    []string `json:"served-certificate-chain"`
	ValidatedCertificateChain []string `json:"validated-certificate-chain"`
	KnownPins                 []string `json:"known-pins"`

PinFailure holds the fields required for POSTing a pin-validation-failure JSON report to a host's report-uri; the field layout and JSON names follow the report format of RFC 7469.

func NewPinFailure

func NewPinFailure(host string, port int, h *Header, c tls.ConnectionState) (*PinFailure, string)

NewPinFailure builds a PinFailure report for a failed HPKP connection to host:port from the stored Header h and the observed tls.ConnectionState, and returns it together with the report URI (presumably h.ReportURI) to which the report should be POSTed.

type PinFailureReporter

type PinFailureReporter func(p *PinFailure, reportUri string)

PinFailureReporter is the callback invoked on a pin-validation failure with the report details and the report URI. Sending the report is left to the callback (see the example's TODO). Because reportUri originates from the server's header, the callback should validate it before POSTing and must not use the pinning dialer for the report itself, to avoid recursive failures.

type Storage

type Storage interface {
	Lookup(host string) *Header
	Add(host string, d *Header)

Storage is the read/write HPKP storage interface. Implementations are expected to be safe for concurrent use, since the dialer may consult them from multiple goroutines.

type StorageReader

type StorageReader interface {
	Lookup(host string) *Header

StorageReader is the read-only HPKP storage interface required by DialerConfig. Implementations are expected to be safe for concurrent use.

