Documentation ¶
Index ¶
- Variables
- func ConfigureClient(clientKeyPairName string, serverCertNames ...string) (config *tls.Config, err error)
- func ConfigureServer(serverKeyPairName string, clientCertNames ...string) (config *tls.Config, err error)
- func GenerateConfig(client bool, keyPairName string, caCertNames []string) (config *tls.Config, err error)
- func Init(certPath string, insecure bool)
- func LoadPackagedKeypair(name string) (cert tls.Certificate, certFile, keyFile string, err error)
- func LocatePackagedPEMDir() (dir string, err error)
- func LocatePackagedPEMFile(name string) (file string, err error)
- func PreferredCipherSuites() []uint16
- func SetWrapCreds(adminuser, adminpass, authrealm string)
- func WrapHandlerForAuth(h http.Handler) http.Handler
- func WrapHandlerForAuthCreds(h http.Handler, adminuser, adminpass, authrealm string) http.Handler
- func WrapHandlerFuncForAuth(h http.HandlerFunc) http.HandlerFunc
- func WrapHandlerFuncForAuthCreds(h http.HandlerFunc, adminuser, adminpass, authrealm string) http.HandlerFunc
- type AuthStatus
- type CertCreator
- type KeyPair
- type Purpose
Constants ¶
This section is empty.
Variables ¶
var (
	// AuthRequest is called on handler authorizations.
	// An example use is setting this function to log
	// valid or invalid authorizations.
	AuthRequest func(r *http.Request, status AuthStatus)
)
Functions ¶
func ConfigureClient ¶
func ConfigureClient(clientKeyPairName string, serverCertNames ...string) (config *tls.Config, err error)
ConfigureClient returns a TLS client configuration that presents the key pair named clientKeyPairName to the remote server. If serverCertNames is non-empty, the server's certificate must be signed by one of the named certs; otherwise the system CA list is used.
func ConfigureServer ¶
func ConfigureServer(serverKeyPairName string, clientCertNames ...string) (config *tls.Config, err error)
ConfigureServer returns a TLS server configuration that presents the key pair named serverKeyPairName to clients. If clientCertNames is non-empty, the server requests a client certificate and requires that one be provided and be signed by one of the named certs.
func GenerateConfig ¶
func GenerateConfig(client bool, keyPairName string, caCertNames []string) (config *tls.Config, err error)
GenerateConfig returns a *tls.Config for a client (client is true) or a server (client is false). It presents the key pair loaded from the ${keyPairName}-cert.pem and ${keyPairName}-key.pem files and, if caCertNames is non-empty, trusts only certificates signed by the named CA certs.
func Init ¶
func Init(certPath string, insecure bool)
Init sets the CertPath to search for TLS certs and keys. If certPath is empty, $BIN/../certs and $PWD/../../../../certs are searched. If insecure is true, certificate verification errors are ignored; this disables the peer authentication TLS provides and should only be set for local testing.
func LoadPackagedKeypair ¶
func LoadPackagedKeypair(name string) (cert tls.Certificate, certFile, keyFile string, err error)
LoadPackagedKeypair loads a cert/key pair from the package store. It looks for the ${name}-cert.pem and ${name}-key.pem files in the PEM dir if name is a bare filename, or at that location if name contains a path.
func LocatePackagedPEMDir ¶
func LocatePackagedPEMDir() (dir string, err error)
LocatePackagedPEMDir locates the path of the packaged PEM store, which is the directory named "certs". Functions that take a (name string) parameter look for files named ${name}-key.pem and/or ${name}-cert.pem in this directory.
func LocatePackagedPEMFile ¶
func LocatePackagedPEMFile(name string) (file string, err error)
LocatePackagedPEMFile locates a single PEM file (with a -cert or -key suffix) in the package store.
func PreferredCipherSuites ¶
func PreferredCipherSuites() []uint16
PreferredCipherSuites returns the set of default cipher suites, minus RC4 and 3DES suites, with ECDSA preferred over RSA.
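How a list like the one PreferredCipherSuites returns can be derived from Go's own cipher-suite tables, as an added example rather than this package's implementation. It starts from the suites Go considers secure, drops RC4 and 3DES by name (Go only began flagging 3DES as insecure in recent releases, so the name check keeps the result stable across versions), keeps only suites usable with TLS 1.2 (TLS 1.3 suites are not configurable), and orders ECDHE-ECDSA ahead of ECDHE-RSA ahead of static RSA, which goes slightly beyond the page's "ECDSA before RSA" by also preferring forward secrecy. The function names are this example's own.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"sort"
	"strings"
)

// preferredCipherSuites returns the TLS 1.2 suites Go supports, minus RC4,
// 3DES and anything Go itself marks insecure, ECDSA suites first.
func preferredCipherSuites() []uint16 {
	var kept []*tls.CipherSuite
	for _, cs := range tls.CipherSuites() {
		if cs.Insecure || strings.Contains(cs.Name, "RC4") || strings.Contains(cs.Name, "3DES") {
			continue
		}
		if !supportsVersion(cs, tls.VersionTLS12) {
			continue // TLS 1.3 suites cannot be listed in Config.CipherSuites
		}
		kept = append(kept, cs)
	}
	sort.SliceStable(kept, func(i, j int) bool {
		return rank(kept[i].Name) < rank(kept[j].Name)
	})
	ids := make([]uint16, 0, len(kept))
	for _, cs := range kept {
		ids = append(ids, cs.ID)
	}
	return ids
}

func supportsVersion(cs *tls.CipherSuite, v uint16) bool {
	for _, sv := range cs.SupportedVersions {
		if sv == v {
			return true
		}
	}
	return false
}

// rank orders ECDHE-ECDSA first, then ECDHE-RSA, then static RSA key exchange.
func rank(name string) int {
	switch {
	case strings.Contains(name, "ECDHE_ECDSA"):
		return 0
	case strings.Contains(name, "ECDHE_RSA"):
		return 1
	default:
		return 2
	}
}

// suiteNames maps suite IDs back to their IANA names, which is what you would
// log when confirming what a config actually offers.
func suiteNames(ids []uint16) []string {
	names := make([]string, len(ids))
	for i, id := range ids {
		names[i] = tls.CipherSuiteName(id)
	}
	return names
}

// hardenedConfig shows where the list goes. MinVersion matters as much as the
// suite list: nothing below TLS 1.2 offers an AEAD suite at all.
func hardenedConfig() *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		CipherSuites: preferredCipherSuites(),
	}
}

func main() {
	for _, n := range suiteNames(hardenedConfig().CipherSuites) {
		fmt.Println(n)
	}
}
```

Since Go 1.17 the order of Config.CipherSuites is ignored and Go applies its own preference order, so the list acts purely as an allow-list on current toolchains; the ECDSA-first ordering only had an effect on older releases.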
func SetWrapCreds ¶
func SetWrapCreds(adminuser, adminpass, authrealm string)
SetWrapCreds stores the adminuser, adminpass, and authrealm. These parameters will be used as the credentials and realm in calls to WrapHandlerForAuth and WrapHandlerFuncForAuth.
func WrapHandlerForAuth ¶
func WrapHandlerForAuth(h http.Handler) http.Handler
WrapHandlerForAuth calls WrapHandlerForAuthCreds with the currently stored adminuser, adminpass, and authrealm. SetWrapCreds should be called before this function or else the Handler will not be wrapped with basic authentication.
func WrapHandlerForAuthCreds ¶
func WrapHandlerForAuthCreds(h http.Handler, adminuser, adminpass, authrealm string) http.Handler
WrapHandlerForAuthCreds returns the Handler wrapped with basic authentication requiring the credentials adminuser and adminpass. The authrealm will be used as the realm in the WWW-Authenticate: Basic header sent on failure.
func WrapHandlerFuncForAuth ¶
func WrapHandlerFuncForAuth(h http.HandlerFunc) http.HandlerFunc
WrapHandlerFuncForAuth calls WrapHandlerFuncForAuthCreds with the currently stored adminuser, adminpass, and authrealm. SetWrapCreds should be called before this function or else the HandlerFunc will not be wrapped with basic authentication.
func WrapHandlerFuncForAuthCreds ¶
func WrapHandlerFuncForAuthCreds(h http.HandlerFunc, adminuser, adminpass, authrealm string) http.HandlerFunc
WrapHandlerFuncForAuthCreds returns the HandlerFunc wrapped with basic authentication requiring the credentials adminuser and adminpass. The authrealm will be used as the realm in the WWW-Authenticate: Basic header sent on failure.
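A worked example of the wrapper the WrapHandlerForAuthCreds and WrapHandlerFuncForAuthCreds entries describe, added here and not this package's code. It compares credentials in constant time, sends the WWW-Authenticate realm on failure, and reports every outcome to a hook modelled on the AuthRequest variable. The names wrapHandlerForAuthCreds, authRequest, authStatus and probe are this example's own, and the credentials are constructed test values.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// authStatus plays the role of the page's AuthStatus: the outcome handed to
// the authRequest hook for every request the wrapper sees.
type authStatus int

const (
	authOK authStatus = iota
	authMissing
	authBadCreds
)

// authRequest mirrors the package's AuthRequest variable: when non-nil it is
// called with the result of each authorization decision, e.g. for logging.
var authRequest func(r *http.Request, status authStatus)

// wrapHandlerForAuthCreds wraps h with HTTP Basic authentication: requests must
// carry adminuser/adminpass, and anything else gets a 401 naming authrealm.
func wrapHandlerForAuthCreds(h http.Handler, adminuser, adminpass, authrealm string) http.Handler {
	// Hash both halves so the comparison takes the same time whatever length
	// the client sent; ConstantTimeCompare alone leaks length mismatches.
	wantUser := sha256.Sum256([]byte(adminuser))
	wantPass := sha256.Sum256([]byte(adminpass))
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, pass, ok := r.BasicAuth()
		status := authOK
		if !ok {
			status = authMissing
		} else {
			gotUser := sha256.Sum256([]byte(user))
			gotPass := sha256.Sum256([]byte(pass))
			// Bitwise & rather than && so both comparisons always run.
			if subtle.ConstantTimeCompare(gotUser[:], wantUser[:])&
				subtle.ConstantTimeCompare(gotPass[:], wantPass[:]) != 1 {
				status = authBadCreds
			}
		}
		if authRequest != nil {
			authRequest(r, status)
		}
		if status != authOK {
			w.Header().Set("WWW-Authenticate", fmt.Sprintf(`Basic realm=%q`, authrealm))
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		h.ServeHTTP(w, r)
	})
}

// probe sends one request through h (with no Authorization header when user is
// empty) and returns the status code and WWW-Authenticate header it got back.
func probe(h http.Handler, user, pass string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/admin", nil)
	if user != "" {
		req.SetBasicAuth(user, pass)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("WWW-Authenticate")
}

func main() {
	authRequest = func(r *http.Request, s authStatus) {
		fmt.Printf("%s %s -> status %d\n", r.RemoteAddr, r.URL.Path, s)
	}
	admin := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "admin area")
	})
	h := wrapHandlerForAuthCreds(admin, "admin", "s3cret", "proxy-admin")
	for _, c := range [][2]string{{"", ""}, {"admin", "wrong"}, {"admin", "s3cret"}} {
		code, hdr := probe(h, c[0], c[1])
		fmt.Println(code, hdr)
	}
}
```

Basic authentication sends the password base64-encoded, not encrypted, on every request, so a handler wrapped this way belongs only behind a server built from ConfigureServer or an equivalent TLS configuration.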
Types ¶
type CertCreator ¶
type CertCreator struct {
	// Serial number, defaults to 1.
	Serial int64
	// Time period in which the cert is valid, defaults to the current time
	// until the maximum of 2049-12-13.
	NotBefore, NotAfter time.Time
	// Key size in bits, defaults to 4096.
	KeySize int
	// Descriptive names for the organization creating the CA. Defaults to
	// empty.
	Country, State, City, Organization string
}
CertCreator generates client or server public/private RSA keypairs signed by a generated self-signed certificate authority (CA). It will reload the CA cert from disk if present, and will not overwrite a keypair if either the key or cert exists on disk, so a cert generation program can be safely re-run after adding new certs. All keys are granted the minimal set of extended key usages for their purpose.
The default values described in the field comments above are not those of the zero value, but rather those returned by NewCertCreator().
Example:
	cc := tls.NewCertCreator()
	root, err := cc.GenerateRootKeyPair("my-ca", "My CA")
	if err != nil {
		log.Fatal(err)
	}
	host := "*.mydomain.com"
	if _, err := cc.GenerateKeyPair(CLIENT, root, "proxy-client", host, host); err != nil {
		log.Fatal(err)
	}
	if _, err := cc.GenerateKeyPair(SERVER, root, "proxy-server", host, host); err != nil {
		log.Fatal(err)
	}
func NewCertCreator ¶
func NewCertCreator() *CertCreator
NewCertCreator returns a CertCreator with default values.
func (*CertCreator) GenerateKeyPair ¶
func (cc *CertCreator) GenerateKeyPair(purpose Purpose, parent *KeyPair, name string, commonName string, hosts ...string) (*KeyPair, error)
GenerateKeyPair generates or reloads an RSA keypair with key usages determined by `purpose`. The disk files that are generated or reused are named `name`-key.pem and `name`-cert.pem for the private and public halves, respectively. `commonName` and `hosts` are the corresponding fields in the certificate.
cc.Serial is incremented for each key that is freshly generated.
func (*CertCreator) GenerateRootKeyPair ¶
func (cc *CertCreator) GenerateRootKeyPair(name string, commonName string, hosts ...string) (*KeyPair, error)
GenerateRootKeyPair creates or reloads a self-signed CA cert.
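The following is an added, self-contained example (not this package's code) of the two halves the page describes: issuing a CA plus client and server leaf certificates with only the extended key usage each purpose needs, as CertCreator does, and then turning them into the mutual-TLS client and server configurations that ConfigureClient, ConfigureServer and GenerateConfig produce. It finishes with a real handshake over loopback TCP so the effect of each setting can be checked: a valid client is accepted, a client without a certificate or with one from a different CA is rejected, and a client certificate cannot be used to serve, because it lacks the ServerAuth key usage. The names newKeyPair, configFor and handshake and the host proxy.example.test are this example's own, and P-256 ECDSA keys stand in for the package's RSA-4096 keys purely to keep it fast.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// keyPair mirrors the page's KeyPair (ECDSA here instead of RSA, for speed only).
type keyPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var serial int64 = 1 // bumped per freshly generated cert, like cc.Serial

// newKeyPair issues a cert signed by parent, or a self-signed CA when parent is
// nil. A leaf gets exactly one extended key usage: the one its purpose needs.
func newKeyPair(eku x509.ExtKeyUsage, parent *keyPair, commonName string, hosts ...string) (*keyPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: commonName},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		DNSNames: hosts, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	serial++
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{eku}
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &keyPair{cert, key}, nil
}

// configFor builds what the page's GenerateConfig describes: present kp (nil for
// a cert-less client) and trust only cas. A server given CAs requires a client
// cert; a client pins serverName so the SAN check is meaningful.
func configFor(isClient bool, kp *keyPair, serverName string, cas ...*keyPair) *tls.Config {
	pool := x509.NewCertPool()
	for _, ca := range cas {
		pool.AddCert(ca.cert)
	}
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if kp != nil {
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{kp.cert.Raw}, PrivateKey: kp.key}}
	}
	if isClient {
		cfg.RootCAs, cfg.ServerName = pool, serverName
	} else if len(cas) > 0 {
		cfg.ClientCAs, cfg.ClientAuth = pool, tls.RequireAndVerifyClientCert
	}
	return cfg
}

// handshake runs a real handshake over loopback TCP and returns the client CN
// the server accepted. The client waits for one application record because in
// TLS 1.3 the server's verdict on the client cert lands after Dial returns.
func handshake(serverCfg, clientCfg *tls.Config) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	var clientCN string // set by the server goroutine only after it accepted the client
	serverErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			srv := tls.Server(raw, serverCfg)
			if err = srv.Handshake(); err == nil {
				if peers := srv.ConnectionState().PeerCertificates; len(peers) > 0 {
					clientCN = peers[0].Subject.CommonName
				}
				_, err = srv.Write([]byte("ok")) // the verdict the client waits for
			}
		}
		serverErr <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err == nil {
		var ack [2]byte
		_, err = conn.Read(ack[:]) // returns the server's alert if it rejected us
		conn.Close()
	}
	if serr := <-serverErr; err == nil {
		err = serr
	}
	return clientCN, err
}
```

The server never needs the client's private key and the client never needs the server's, so in a deployment each side's ${name}-key.pem stays on its own host and only the CA's cert file is shared.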
type KeyPair ¶
type KeyPair struct {
	Cert    *x509.Certificate
	PrivKey *rsa.PrivateKey
}
func LoadKeyPairFromDisk ¶
LoadKeyPairFromDisk returns a KeyPair from disk files based on the given name.