Overview
Package certloader provides abstractions over certificates that can be used for clients and servers to make runtime reloading easier. It supports reading certificates from PEM files, PKCS#12 keystores, PKCS#11 hardware modules and from the macOS keychain.
Index
- func SupportsKeychain() bool
- func SupportsPKCS11() bool
- type Certificate
- func CertificateFromKeychainIdentity(commonName string) (Certificate, error)
- func CertificateFromKeystore(keystorePath, keystorePassword string) (Certificate, error)
- func CertificateFromPEMFiles(certificatePath, keyPath string) (Certificate, error)
- func CertificateFromPKCS11Module(certificatePath, modulePath, tokenLabel, pin string) (Certificate, error)
- type Dialer
Examples
Constants
This section is empty.
Variables
This section is empty.
Functions
func SupportsKeychain
func SupportsKeychain() bool
SupportsKeychain reports whether the binary was built with Certstore/Keychain support (requires CGO and a recent Darwin to build).
func SupportsPKCS11
func SupportsPKCS11() bool
SupportsPKCS11 reports whether the binary was built with PKCS#11 support (requires CGO to build).
Types
type Certificate
type Certificate interface {
	// Reload will reload the certificate and private key. Subsequent calls
	// to GetCertificate/GetClientCertificate will return the newly loaded
	// certificate, if reloading was successful. If reloading failed, the old
	// state is kept.
	Reload() error

	// GetCertificate returns the current underlying certificate.
	// Can be used for tls.Config's GetCertificate callback.
	GetCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error)

	// GetClientCertificate returns the current underlying certificate.
	// Can be used for tls.Config's GetClientCertificate callback.
	GetClientCertificate(certInfo *tls.CertificateRequestInfo) (*tls.Certificate, error)
}
Certificate wraps a TLS certificate and supports reloading at runtime.
Example
// Load a certificate from a set of PEM files. A load error leaves cert nil,
// so it must be checked before the callbacks below are handed to tls.Config.
cert, err := CertificateFromPEMFiles("/path/to/cert.pem", "/path/to/privatekey.pem")
if err != nil {
	log.Fatalf("loading certificate: %v", err)
}

// Use the certificate in a tls.Config for servers.
_ = tls.Config{
	// The GetCertificate function will be called to retrieve the latest
	// certificate when receiving new connections.
	GetCertificate: cert.GetCertificate,
}

// Use the certificate in a tls.Config for clients.
_ = tls.Config{
	// The GetClientCertificate function will be called to retrieve the latest
	// client certificate when making new connections.
	GetClientCertificate: cert.GetClientCertificate,
}

// Reload a certificate. Will re-read the files from disk, and update the
// certificate if there have been any changes. On failure the previously
// loaded certificate stays in use, so the error is worth logging.
if err := cert.Reload(); err != nil {
	log.Printf("reload failed, keeping previous certificate: %v", err)
}
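The reload semantics the interface documents (a new key pair is served only after a successful Reload; a failed Reload keeps the old state) are what make file-based rotation safe to automate. The following is an added, hypothetical implementation of that contract, not certloader's own code: `reloadable`, `newReloadable` and the in-memory source in `main` are constructed for illustration, and a real PEM source would wrap `tls.LoadX509KeyPair`.

```go
package main

import "crypto/tls"
import "fmt"
import "sync/atomic"

// reloadable is a hypothetical implementation of this page's Certificate interface. Reload
// replaces the active key pair only when load succeeds, so a bad rotation never evicts the last good one.
type reloadable struct {
	load    func() (*tls.Certificate, error) // the source, e.g. tls.LoadX509KeyPair over PEM files
	current atomic.Pointer[tls.Certificate]  // nil only before the first successful load
}

func newReloadable(load func() (*tls.Certificate, error)) (*reloadable, error) {
	r := &reloadable{load: load}
	if err := r.Reload(); err != nil {
		return nil, err // fail closed: with no valid initial load there is nothing to serve
	}
	return r, nil
}

// Reload swaps the certificate atomically; on error the old state is kept.
func (r *reloadable) Reload() error {
	cert, err := r.load()
	if err == nil {
		r.current.Store(cert)
	}
	return err
}

// GetCertificate and GetClientCertificate fit the matching tls.Config callbacks; each new handshake sees the latest load.
func (r *reloadable) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	return r.current.Load(), nil
}
func (r *reloadable) GetClientCertificate(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
	return r.current.Load(), nil
}

func main() {
	broken := false // constructed in-memory source standing in for PEM files on disk
	r, _ := newReloadable(func() (*tls.Certificate, error) {
		if broken {
			return nil, fmt.Errorf("constructed: key file unreadable mid-rotation")
		}
		return &tls.Certificate{Certificate: [][]byte{[]byte("v1")}}, nil
	})
	broken = true
	err := r.Reload() // fails, but the v1 pair stays active
	c, _ := r.GetCertificate(nil)
	fmt.Printf("reload error: %v; still serving %s\n", err, c.Certificate[0])
}
```

Because a failed Reload is silent from the TLS peer's point of view, the error it returns is the only signal that a rotation did not take; surface it in logs or metrics before the old certificate expires.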
func CertificateFromKeychainIdentity
func CertificateFromKeychainIdentity(commonName string) (Certificate, error)
CertificateFromKeychainIdentity creates a reloadable certificate from a system keychain identity.
func CertificateFromKeystore
func CertificateFromKeystore(keystorePath, keystorePassword string) (Certificate, error)
CertificateFromKeystore creates a reloadable certificate from a PKCS#12 keystore.
func CertificateFromPEMFiles
func CertificateFromPEMFiles(certificatePath, keyPath string) (Certificate, error)
CertificateFromPEMFiles creates a reloadable certificate from a set of PEM files.
func CertificateFromPKCS11Module
func CertificateFromPKCS11Module(certificatePath, modulePath, tokenLabel, pin string) (Certificate, error)
CertificateFromPKCS11Module creates a reloadable certificate from a PKCS#11 module.
type Dialer
Dialer is an interface for dialers. It can be a net.Dialer, an http_dialer.HttpTunnel, or a dialer from this package.
func DialerWithCertificate
func DialerWithCertificate(cert Certificate, config *tls.Config, timeout time.Duration, dialer Dialer) Dialer
DialerWithCertificate creates a dialer that reloads its certificate (if set) before dialing new connections. If the certificate is nil, the dialer will still work, but it won't supply client certificates on connections.