intransport

v0.1.0
Published: Jun 2, 2018 License: MIT Imports: 13 Imported by: 0

README


This is a Go HTTP transport / client that fetches missing intermediate certificates as needed. It also verifies stapled OCSP responses, and if the server certificate carries the must-staple (TLS Feature) extension, a handshake without a stapled OCSP response causes an error.

see https://tools.ietf.org/html/rfc7633

For most use cases, usage is simply:

package main

import (
	"fmt"
	"io/ioutil"
	"os"

	it "github.com/nathanejohnson/intransport"
)

func main() {
	// nil: start from the package's default tls.Config; pass your own to customize it.
	c := it.NewInTransportHTTPClient(nil)
	resp, err := c.Get("https://something.org")
	if err != nil {
		// A chain that cannot be completed, a bad OCSP staple, or a missing
		// staple on a must-staple certificate all surface as an error here.
		fmt.Println("boo, hiss! ", err)
		os.Exit(1)
	}
	body, err := ioutil.ReadAll(resp.Body)
	_ = resp.Body.Close()
	if err != nil {
		fmt.Println("ba dum, tiss! ", err)
		os.Exit(1)
	}
	fmt.Printf("got response:\n%s", body)
}

Documentation

Index

Constants

This section is empty.

Variables

var (
	// MustStapleValue is the value in the MustStaple extension.
	MustStapleValue = []byte{0x30, 0x03, 0x02, 0x01, 0x05}

	// MustStapleOID is the OID of the must-staple (TLS Feature) extension.
	MustStapleOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24}
)

Functions

func NewInTransportHTTPClient

func NewInTransportHTTPClient(tlsc *tls.Config) *http.Client

NewInTransportHTTPClient - generate an http client with sensible defaults. Optionally pass a *tls.Config that will be used as a basis for tls configuration.

Types

type InTransport

type InTransport struct {
	// Specify this method in the situation where you might otherwise have wanted to
	// install your own VerifyPeerCertificate hook into tls.Config. If specified,
	// this method will be called after a successful InTransport verification,
	// and verifiedChains will contain appropriate data, including any intermediates
	// that had to be downloaded.
	NextVerifyPeerCertificate PeerCertVerifier

	TLS                 *tls.Config
	TLSHandshakeTimeout time.Duration

	Transport *http.Transport
}

InTransport - implements http.RoundTripper. It fetches missing intermediate certificates, verifies OCSP staples, and, when a certificate has must-staple set, fails the connection if no staple was presented.

func NewInTransport

func NewInTransport(tlsc *tls.Config) *InTransport

NewInTransport - create a new http transport suitable for client connections. InTransport implements http.RoundTripper, and can be used like so:

it := intransport.NewInTransport(nil)
c := &http.Client{
	Transport: it,
}

func NewInTransportFromHTTPTransport

func NewInTransportFromHTTPTransport(transport *http.Transport) *InTransport

NewInTransportFromHTTPTransport - wraps an http.Transport that you have already configured, for example with your own timeouts. Note that the transport passed in is modified by this call. Panics if transport is nil.

func (*InTransport) RoundTrip

func (it *InTransport) RoundTrip(req *http.Request) (*http.Response, error)

RoundTrip - this implements the http.RoundTripper interface, and makes it suitable for use as a transport.

func (*InTransport) VerifyPeerCertificate

func (it *InTransport) VerifyPeerCertificate(rawCerts [][]byte, _ [][]*x509.Certificate) error

VerifyPeerCertificate - this is the method to plug into tls.Config.VerifyPeerCertificate. If you use it inside a custom-built http.Transport, you must also set InsecureSkipVerify to true: when it is false, a certificate that does not chain to a trusted root because intermediates are missing is rejected by the standard library's own verification before VerifyPeerCertificate is ever called. Be aware that with InsecureSkipVerify set, crypto/tls performs none of its own certificate or hostname checks, so this hook (together with any NextVerifyPeerCertificate you set) is the only verification on the connection. The method still ensures that a valid chain exists from the presented certificate(s) to a trusted root certificate. The difference from the default TLS verification is that missing intermediates are fetched until either a valid path to a trusted root is found or no further intermediates can be located. If a chain cannot be established, the connection fails. If a chain can be established, the optional NextVerifyPeerCertificate method is called, if specified; if it returns an error, the connection is stopped.
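The two responsibilities described here, and the must-staple constants listed under Variables, can be exercised without the library or network access. The following is an added example and not code from intransport: it re-declares the package's MustStapleOID and MustStapleValue, detects the extension on a certificate, and shows what a VerifyPeerCertificate hook has to do itself once InsecureSkipVerify is true (chain building to a root pool and hostname matching), handing the verified chains to a next hook in the way NextVerifyPeerCertificate is described. It deliberately does not fetch missing intermediates, which is the part intransport adds; it only uses the certificates the peer presented. HasMustStaple, NewVerifier, issue, BuildDemoChain, the root name "Demo Root" and the host "example.test" are illustrative names, and the root and leaf certificates are generated in-process as constructed test data.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var mustStapleOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24} // same as the package's MustStapleOID (RFC 7633 TLS Feature)
var mustStapleValue = []byte{0x30, 0x03, 0x02, 0x01, 0x05}              // same as the package's MustStapleValue: SEQUENCE { INTEGER 5 }

// HasMustStaple reports whether cert carries the TLS Feature extension with exactly the must-staple value.
func HasMustStaple(cert *x509.Certificate) bool {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(mustStapleOID) {
			return bytes.Equal(ext.Value, mustStapleValue)
		}
	}
	return false
}

// NewVerifier does what crypto/tls skips once InsecureSkipVerify is true (chain to roots, hostname match) and then calls next.
func NewVerifier(roots *x509.CertPool, serverName string, next func([][]byte, [][]*x509.Certificate) error) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("peer presented no certificates")
		}
		certs := make([]*x509.Certificate, 0, len(rawCerts))
		for _, raw := range rawCerts {
			c, err := x509.ParseCertificate(raw)
			if err != nil {
				return err
			}
			certs = append(certs, c)
		}
		intermediates := x509.NewCertPool() // everything after the leaf is a candidate intermediate
		for _, c := range certs[1:] {
			intermediates.AddCert(c)
		}
		chains, err := certs[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates, DNSName: serverName})
		if err != nil {
			return err // no path to a trusted root, expired, or wrong hostname: the handshake fails here
		}
		if next != nil {
			return next(rawCerts, chains) // verified chains, the contract NextVerifyPeerCertificate describes
		}
		return nil
	}
}

// issue generates a P-256 key for tmpl and signs it with signer; with parent == nil the result is self-signed.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildDemoChain returns a constructed root CA and a must-staple leaf for "example.test" (test data, not a real PKI).
func BuildDemoChain() (root, leaf *x509.Certificate, err error) {
	root, rootKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root"}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leaf, _, err = issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "example.test"}, DNSNames: []string{"example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		ExtraExtensions: []pkix.Extension{{Id: mustStapleOID, Value: mustStapleValue}}, // the must-staple marker
	}, root, rootKey)
	return root, leaf, err
}

func main() {
	root, leaf, err := BuildDemoChain()
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	fmt.Println("must-staple:", HasMustStaple(leaf), "verify:", NewVerifier(roots, "example.test", nil)([][]byte{leaf.Raw}, nil))
}
```

To wire NewVerifier into a real client you would set it as tls.Config.VerifyPeerCertificate alongside InsecureSkipVerify: true and pass the ServerName you dial, which is exactly the arrangement the paragraph above requires for this library's own hook. The strict bytes.Equal check matches the single-feature encoding the package exports; RFC 7633 allows the extension to list several features, and a certificate that does so encodes a longer SEQUENCE that would need to be decoded as SEQUENCE OF INTEGER to be recognised.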

type PeerCertVerifier

type PeerCertVerifier func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error

PeerCertVerifier - the function type accepted by tls.Config.VerifyPeerCertificate and by InTransport's NextVerifyPeerCertificate field.
