nautls

NauTLS

NauTLS is a library of utility functions and structs that make working with Transport Layer Security (TLS) in Go a bit more intuitive and flexible.

Usage

NauTLS requires a Go version with Modules support and uses import versioning so ensure you are using a version of Go that supports Modules and initialize your module.

General

One of the key features of NauTLS is the use of URLs to define resources that contain TLS cryptographic materials (i.e., certificates and keys). This choice was made as it provides a great deal of flexibility in how these resources are provided. In most cases, the cryptographic material will be on the local filesystem and can be referenced via the absolute path using the file scheme (e.g., file:///etc/tls/client.crt). This capability is derived from Hashicorp go-getter. As a result, any URL scheme supported by that library should be supported.

To support the ability to fetch cryptographic materials from environment variables, NauTLS also supports a custom scheme that allows for the resources to be defined within the URL path component directly. To utilize this scheme Base64 encode then URL path escape (e.g., url.PathEscape) the resource and append it to the a base64 schemed URL (e.g., base64:///UkFORE9NCg==).

Additionally, all NauTLS configuration structures are tagged with appropriate metadata to support direct serialization using JSON and YAML. Further, they include mapstructure tags that allow serialization and deserialization from map[string]interface{} instances in Go. While this alone can be helpful when passing configuration objects around in a type unsafe manner, it is primarily done to support definition of these configurations via configuration files using Viper and, by extension, command line options using Cobra.

Clients

NauTLS provides both configuration and builder patterns for generating http.Client instances suitable for communicating with non-TLS, TLS and mTLS servers.

Client via Configuration

The following snippet demonstrates initializing an http.Client instance directly from a JSON configuration.

package main

import (
	"encoding/json"

	"github.com/deciphernow/nautls/clients"
)

func main() {

	bytes := []byte(`
	{
		"host": "localhost",
		"port": 443,
		"security": {
			"authorities": ["file:///etc/tls/ca.crt"],
			"certificate": "file:///etc/tls/client.crt",
			"key": "file:///etc/tls/client.key",
			"server": "localhost"
	}
	`)

	var config clients.ClientConfig

	json.Unmarshal(bytes, &config)

	client, _ := config.Build()

}

Note the following behaviors of the above code snippet:

• If the authorities field is omitted or empty the system certificates returned by x509.SystemCertPool will be used to verify the server's certificate.
• If the certificate and key fields are omitted client certificates will not be provided to the server.
• If the server field is omitted the host field must match the subject or a subject alternative name of the server's certificate.

Client via Builder

The following snippet demonstrates initializing an http.Client instance directly using the builder pattern.

package main

import (
	"encoding/json"

	"github.com/deciphernow/nautls/clients"
)

func main() {

	security, _ := clients.NewSecurityBuilder().
		WithAuthorities([]string{"file:///etc/tls/ca.crt"}).
		WithCertificate("file:///etc/tls/client.crt").
		WithKey("file:///etc/tls/client.key").
		WithServer("localhost").
		Build()

	client, _ := clients.NewClientBuilder().
		WithHost("localhost").
		WithPort("443").
		WithSecurity(security).
		Build()

}

Note the following behaviors of the above code snippet:

• If WithAuthorities is not invoked or is invoked with an empty array the system certificates returned by x509.SystemCertPool will be used to verify the server's certificate.
• If WithCertificate and WithKey is not invoked client certificates will not be provided to the server.
• If WithServer is not invoked the value provided to WithHost in the client configuration must match the subject or a subject alternative name of the server's certificate.