Documentation
Overview
Package certloader provides abstractions over certificates that can be used for clients and servers to make runtime reloading easier. It supports reading certificates from PEM files, PKCS#12 keystores, PKCS#11 hardware modules and from the macOS keychain.
Index
- func LoadTrustStore(caBundlePath string) (*x509.CertPool, error)
- func SupportsKeychain() bool
- func SupportsPKCS11() bool
- type ACMEConfig
- type Certificate
- func CertificateFromKeychainIdentity(commonNameOrSerial string, issuerName string, caBundlePath string, ...) (Certificate, error)
- func CertificateFromKeystore(keystorePath, keystorePassword, caBundlePath string) (Certificate, error)
- func CertificateFromPEMFiles(certificatePath, keyPath, caBundlePath string) (Certificate, error)
- func CertificateFromPKCS11Module(certificatePath, caBundlePath, modulePath, tokenLabel, pin string) (Certificate, error)
- func NoCertificate(caBundlePath string) (Certificate, error)
- type Dialer
- type Listener
- type TLSClientConfig
- type TLSConfigSource
- type TLSServerConfig
Constants
This section is empty.
Variables
This section is empty.
Functions
func LoadTrustStore added in v1.5.3
func LoadTrustStore(caBundlePath string) (*x509.CertPool, error)
func SupportsKeychain
func SupportsKeychain() bool
SupportsKeychain reports whether the binary was built with Certstore/Keychain support (requires CGO and a recent Darwin to build).
func SupportsPKCS11
func SupportsPKCS11() bool
SupportsPKCS11 reports whether the binary was built with PKCS#11 support (requires CGO to build).
Types
type ACMEConfig added in v1.6.1
type ACMEConfig struct {
	// Must be explicitly set to true by the user to indicate
	// agreement with the ACME CA's Terms of Service.
	TOSAgreed bool

	// The fully-qualified domain name being requested in the certificate.
	FQDN string

	// The email address to be associated with the ACME account used
	// to obtain a certificate from the ACME CA. This email address
	// may receive certificate lifecycle notifications from the ACME CA.
	Email string

	// The URL for the Production ACME CA to use. Defaults to the
	// Let's Encrypt production URL if not specified.
	ProdCAURL string

	// The URL for the Test/Staging ACME CA to use. Defaults to the
	// Let's Encrypt staging URL if not specified.
	TestCAURL string

	// If true, use the Test/Staging ACME CA URL. If false, use the
	// Production ACME CA URL. Defaults to false.
	UseTestCA bool
}
ACMEConfig stores the properties used for operating as an ACME client.
type Certificate
type Certificate interface {
	// Reload will reload the certificate and private key. Subsequent calls
	// to GetCertificate/GetClientCertificate will return the newly loaded
	// certificate, if reloading was successful. If reloading failed, the old
	// state is kept.
	Reload() error

	// GetIdentifier returns an identifier for the certificate for logging.
	GetIdentifier() string

	// GetCertificate returns the current underlying certificate.
	// Can be used for tls.Config's GetCertificate callback.
	GetCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error)

	// GetClientCertificate returns the current underlying certificate.
	// Can be used for tls.Config's GetClientCertificate callback.
	GetClientCertificate(certInfo *tls.CertificateRequestInfo) (*tls.Certificate, error)

	// GetTrustStore returns the most up-to-date version of the trust store / CA bundle.
	GetTrustStore() *x509.CertPool
}
Certificate wraps a TLS certificate and supports reloading at runtime.
Example
// Load a certificate from a set of PEM files.
cert, _ := CertificateFromPEMFiles("/path/to/cert.pem", "/path/to/privatekey.pem", "/path/to/cacert.pem")

// Use the certificate in a tls.Config for servers
_ = tls.Config{
	// The GetCertificate function will be called to retrieve the latest
	// certificate when receiving new connections.
	GetCertificate: cert.GetCertificate,
}

// Use the certificate in a tls.Config for clients
_ = tls.Config{
	// The GetClientCertificate function will be called to retrieve the latest
	// client certificate when making new connections.
	GetClientCertificate: cert.GetClientCertificate,
}

// Reload a certificate. Will re-read the files from disk, and update the
// certificate if there have been any changes.
cert.Reload()
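The reload contract the Certificate interface describes, where a failed Reload leaves the previously loaded certificate in place, as an added stand-alone example (not certloader's own code or implementation): reloadableCert and writeSelfSigned are hypothetical names, and the self-signed pair is constructed test input.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"math/big"
	"os"
	"sync/atomic"
	"time"
)

// reloadableCert is a hypothetical minimal stand-in for certloader's Certificate (not the package's own code).
type reloadableCert struct {
	certPath, keyPath string
	current           atomic.Pointer[tls.Certificate]
}

// Reload re-reads the files; on any error the previously loaded pair stays live.
func (c *reloadableCert) Reload() error {
	pair, err := tls.LoadX509KeyPair(c.certPath, c.keyPath)
	if err != nil {
		return err
	}
	c.current.Store(&pair)
	return nil
}

// GetCertificate has tls.Config.GetCertificate's signature: each new handshake sees the latest good pair.
func (c *reloadableCert) GetCertificate(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
	return c.current.Load(), nil
}

// writeSelfSigned writes a throwaway self-signed cert/key pair (constructed test input, tagged by serial) into dir.
func writeSelfSigned(dir string, serial int64) (certPath, keyPath string, err error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand is assumed healthy here
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return "", "", err
	}
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv)
	certPath, keyPath = dir+"/cert.pem", dir+"/key.pem"
	if err = os.WriteFile(certPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600); err != nil {
		return "", "", err
	}
	return certPath, keyPath, os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), 0o600)
}
```

Rotating the files and calling Reload swaps the served certificate; corrupting one of them makes Reload return an error while GetCertificate keeps handing out the last good pair.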
func CertificateFromKeychainIdentity
func CertificateFromKeychainIdentity(
	commonNameOrSerial string,
	issuerName string,
	caBundlePath string,
	requireToken bool,
) (Certificate, error)
CertificateFromKeychainIdentity creates a reloadable certificate from a system keychain identity.
func CertificateFromKeystore
func CertificateFromKeystore(keystorePath, keystorePassword, caBundlePath string) (Certificate, error)
CertificateFromKeystore creates a reloadable certificate from a PKCS#12 keystore.
func CertificateFromPEMFiles
func CertificateFromPEMFiles(certificatePath, keyPath, caBundlePath string) (Certificate, error)
CertificateFromPEMFiles creates a reloadable certificate from a set of PEM files.
func CertificateFromPKCS11Module
func CertificateFromPKCS11Module(certificatePath, caBundlePath, modulePath, tokenLabel, pin string) (Certificate, error)
CertificateFromPKCS11Module creates a reloadable certificate from a PKCS#11 module.
func NoCertificate added in v1.5.3
func NoCertificate(caBundlePath string) (Certificate, error)
NoCertificate creates an empty certificate with only a trust bundle.
type Dialer
Dialer is an interface for dialers. Can be a net.Dialer, http_dialer.HttpTunnel, or a dialer from this package.
func DialerWithCertificate
func DialerWithCertificate(config TLSClientConfig, timeout time.Duration, dialer Dialer) Dialer
DialerWithCertificate creates a dialer that reloads its certificate (if set) before dialing new connections. If the certificate is nil, the dialer will still work, but it won't supply client certificates on connections.
type Listener added in v1.5.3
Listener wraps a net.Listener, wrapping incoming connections in TLS and overriding Accept() to make sure the trust bundle is reloaded on new incoming connections. This allows the CA bundle to be reloaded at runtime without restarting the listener.
func NewListener added in v1.5.3
func NewListener(listener net.Listener, config TLSServerConfig) *Listener
type TLSClientConfig added in v1.5.3
type TLSConfigSource added in v1.5.3
type TLSConfigSource interface {
	// Reload will reload the TLS configuration. If reloading fails, the
	// existing configuration will be used. The client and server config
	// interface returned by GetClientConfig and GetServerConfig should reflect
	// any new configuration.
	Reload() error

	// CanServe returns true if the source can return configuration appropriate
	// for server roles (see GetServerConfig)
	CanServe() bool

	// GetClientConfig returns a TLSClientConfig interface that can be used to
	// obtain TLS client configuration. The base configuration is cloned and
	// used as a base for all returned TLS configuration.
	GetClientConfig(base *tls.Config) (TLSClientConfig, error)

	// GetServerConfig returns a TLSServerConfig interface that can be used to
	// obtain TLS server configuration. The base configuration is cloned and
	// used as a base for all returned TLS configuration. If the TLSConfig is
	// not appropriate for use as a server, false is returned.
	GetServerConfig(base *tls.Config) (TLSServerConfig, error)
}
TLSConfigSource is used to configure client or server TLS. It supports hot reloading.
func TLSConfigSourceFromACME added in v1.6.1
func TLSConfigSourceFromACME(acme *ACMEConfig) (TLSConfigSource, error)
func TLSConfigSourceFromCertificate added in v1.5.3
func TLSConfigSourceFromCertificate(cert Certificate, logger *log.Logger) TLSConfigSource