package arrangetls (v0.5.0)
Published: Jul 19, 2023 License: Apache-2.0 Imports: 11 Imported by: 0

Documentation

Overview

Package arrangetls has basic unmarshaling and external configuration support for HTTP clients and servers created within an uber/fx App.

Index

Constants

This section is empty.

Variables

var (
	ErrTLSCertificateRequired         = errors.New("Both a certificateFile and keyFile are required")
	ErrUnableToAddClientCACertificate = errors.New("Unable to add client CA certificate")
)

Functions

func CreateTestCertificate

func CreateTestCertificate(template *x509.Certificate) (*tls.Certificate, error)

CreateTestCertificate creates a self-signed x509 certificate for use in testing TLS code. A 1024-bit RSA key pair is used, and otherwise all defaults are taken.

func CreateTestServerFiles

func CreateTestServerFiles(certificate *tls.Certificate) (certificateFileName, keyFileName string, err error)

CreateTestServerFiles creates the certificate file and key file expected by net/http.Server, which is the basic model followed by most golang TLS code.

The supplied certificate must have at least (1) []byte in its Certificate chain. If not, this function will panic. If it has more than (1) entry in its chain, only the first entry is written to the certificate file.

Types

type Config

type Config struct {
	// Certificates is the set of certificates to present to a client.  This field is
	// required for servers, and optional for clients.
	Certificates ExternalCertificates

	// RootCAs is the optional certificate pool for root certificates.  By default, the golang
	// library uses the system certificate pool if this is unset.
	RootCAs ExternalCertPool

	// ClientCAs is the optional certificate pool for certificates expected from a client.  Configure
	// this as part of mTLS.
	ClientCAs ExternalCertPool

	// ServerName is used by a client to validate the server's hostname.  This field is optional
	// and has no default.
	ServerName string

	// InsecureSkipVerify, if true, disables a client's validation of the server's certificate
	// chain and host name.  Leave it false outside of tests.
	InsecureSkipVerify bool

	// NextProtos is the list of supported application protocols.  Defaults to "http/1.1" if unset.
	NextProtos []string

	// MinVersion is the minimum required TLS version.  If unset, the internal crypto/tls default is used.
	MinVersion uint16

	// MaxVersion is the maximum allowed TLS version.  If unset, the internal crypto/tls default is used.
	MaxVersion uint16

	// PeerVerify specifies the certificate validation done on client certificates.
	// If supplied, this verifier strategy is merged with any extra PeerVerifiers
	// supplied in application code.
	PeerVerify *PeerVerifyConfig
}

Config represents the unmarshaled tls options for either a client or a server

func (*Config) New

func (c *Config) New(extra ...PeerVerifier) (*tls.Config, error)

New constructs a *tls.Config from this Config instance, usually unmarshaled from some external source. If this instance is nil, it returns nil with no error.

The extra PeerVerifiers, if supplied, are used to build the tls.Config.VerifyPeerCertificate strategy.

type ExternalCertPool

type ExternalCertPool []string

ExternalCertPool is a sequence of file names containing PEM-encoded certificates or certificate bundles to be added to an x509.CertPool

func (*ExternalCertPool) Append

func (ecp *ExternalCertPool) Append(more ...string)

Append adds file names to this external cert pool

func (ExternalCertPool) AppendTo

func (ecp ExternalCertPool) AppendTo(pool *x509.CertPool) (int, error)

AppendTo adds each PEM-encoded file from this external pool to the given x509.CertPool. The number of certs added is returned, and any error will short circuit subsequent loading.

func (ExternalCertPool) Len

func (ecp ExternalCertPool) Len() int

Len returns the number of external files in this pool

type ExternalCertificate

type ExternalCertificate struct {
	CertificateFile string
	KeyFile         string
}

ExternalCertificate represents a certificate with its key file on the filesystem. A server or client may have one or more associated external certificates.

func (ExternalCertificate) Load

Load reads in the certificate and key files from the file system

type ExternalCertificates

type ExternalCertificates []ExternalCertificate

ExternalCertificates is a sequence of externally available certificates

func (*ExternalCertificates) Append

func (ecs *ExternalCertificates) Append(more ...ExternalCertificate)

Append adds external certificates to this sequence

func (ExternalCertificates) AppendTo

func (ecs ExternalCertificates) AppendTo(certs []tls.Certificate) ([]tls.Certificate, error)

AppendTo loads and appends each certificate in this slice. Any error short circuits and returns that error together with the slice with any successfully loaded certificates.

func (ExternalCertificates) Len

func (ecs ExternalCertificates) Len() int

Len returns the count of externally available certificates in this slice

type PeerVerifier

type PeerVerifier func(*x509.Certificate, [][]*x509.Certificate) error

PeerVerifier is a verification strategy for a peer certificate.

type PeerVerifiers

type PeerVerifiers struct {
	// contains filtered or unexported fields
}

PeerVerifiers is an immutable sequence of PeerVerifiers. The zero value is an empty sequence.

func NewPeerVerifiers

func NewPeerVerifiers(more ...PeerVerifier) PeerVerifiers

NewPeerVerifiers returns a PeerVerifiers given a sequence of strategies

func (PeerVerifiers) Append

func (pvs PeerVerifiers) Append(more ...PeerVerifier) PeerVerifiers

Append adds more PeerVerifier strategies to this slice and returns the result. If no PeerVerifier strategies are supplied, this method returns this PeerVerifiers as is. Otherwise, the returned instance is a distinct sequence which is the concatenation of this instance with this method's arguments.

func (PeerVerifiers) Extend

func (pvs PeerVerifiers) Extend(more PeerVerifiers) PeerVerifiers

Extend adds another sequence of PeerVerifiers to this one, and returns the result

func (PeerVerifiers) SetTo

func (pvs PeerVerifiers) SetTo(tc *tls.Config)

SetTo conditionally configures tls.Config.VerifyPeerCertificate. If the supplied tls.Config is not nil and this sequence is not empty, tls.Config.VerifyPeerCertificate is set to this sequence's VerifyPeerCertificate method. Otherwise, this method does nothing.

Note that PeerVerifiers is immutable. Any tls.Config.VerifyPeerCertificate that is set will be unaffected by any future use of this PeerVerifiers sequence.

func (PeerVerifiers) VerifyPeerCertificate

func (pvs PeerVerifiers) VerifyPeerCertificate(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error

VerifyPeerCertificate may be used as the closure for crypto/tls.Config.VerifyPeerCertificate. Parsing is done once, then each PeerVerifier is invoked in sequence. Any error short-circuits subsequent checks.

type PeerVerifyConfig

type PeerVerifyConfig struct {
	// DNSSuffixes enumerates any DNS suffixes that are checked.  A DNSName field of at least (1) peer cert
	// must have one of these suffixes.  If this field is not supplied, no DNS suffix checking is performed.
	// Matching is case insensitive.
	//
	// If any DNS suffix matches, that is sufficient for the peer cert to be valid.
	// No further checking is done in that case.
	DNSSuffixes []string

	// CommonNames lists the subject common names that at least (1) peer cert must have.  If not supplied,
	// no checking is done on the common name.  Matching common names is case sensitive.
	//
	// If any common name matches, that is sufficient for the peer cert to be valid.  No further
	// checking is done in that case.
	CommonNames []string
}

PeerVerifyConfig allows common checks against a client-side certificate to be configured externally. Any constraint that matches will result in a valid peer cert.

func (*PeerVerifyConfig) AppendTo

func (pvc *PeerVerifyConfig) AppendTo(pvs PeerVerifiers) PeerVerifiers

AppendTo adds a peer verifier to the supplied sequence if and only if this config instance is not nil and if at least one of its fields is configured.

func (PeerVerifyConfig) Verifier

func (pvc PeerVerifyConfig) Verifier() PeerVerifier

Verifier produces a PeerVerifier strategy from these options. If nothing is configured, this method returns nil.

type PeerVerifyError

type PeerVerifyError struct {
	Certificate *x509.Certificate
	Reason      string
}

PeerVerifyError represents a verification error for a particular certificate

func (*PeerVerifyError) Error

func (pve *PeerVerifyError) Error() string

Error satisfies the error interface. It returns the Reason text.

type Suite added in v0.5.0

type Suite struct {
	suite.Suite
	// contains filtered or unexported fields
}

Suite is a simple stretchr/testify suite that manages the lifecycle of a testing certificate. Useful primarily for testing TLS code.

func (*Suite) Config added in v0.5.0

func (suite *Suite) Config() *Config

Config returns a configuration object using this suite's certificate.

func (*Suite) SetupSuite added in v0.5.0

func (suite *Suite) SetupSuite()

SetupSuite creates a testing certificate and stores the certificate and its private key in temporary files.

func (*Suite) TLSConfig added in v0.5.0

func (suite *Suite) TLSConfig() *tls.Config

TLSConfig creates a new *tls.Config using the certificate generated in setup.

func (*Suite) TearDownSuite added in v0.5.0

func (suite *Suite) TearDownSuite()

TearDownSuite cleans up the temporary files created in setup.
