certloader

package v1.7.3
Published: Feb 11, 2024 License: Apache-2.0 Imports: 19 Imported by: 0

Documentation

Overview

Package certloader provides abstractions over certificates that can be used for clients and servers to make runtime reloading easier. It supports reading certificates from PEM files, PKCS#12 keystores, PKCS#11 hardware modules and from the macOS keychain.

Constants

This section is empty.

Variables

This section is empty.

Functions

func LoadTrustStore added in v1.5.3

func LoadTrustStore(caBundlePath string) (*x509.CertPool, error)

func SupportsKeychain

func SupportsKeychain() bool

SupportsKeychain returns true or false, depending on whether the binary was built with Certstore/Keychain support or not (requires CGO, recent Darwin to build).

func SupportsPKCS11

func SupportsPKCS11() bool

SupportsPKCS11 returns true or false, depending on whether the binary was built with PKCS11 support or not (requires CGO to build).

Types

type ACMEConfig added in v1.6.1

type ACMEConfig struct {
	// Must be explicitly set to true by the user to indicate
	// agreement with the ACME CA's Terms of Service.
	TOSAgreed bool

	// The fully-qualified domain name being requested in the certificate.
	FQDN string

	// The email address to be associated with the ACME account used
	// to obtain a certificate from the ACME CA. This email address
	// may receive certificate lifecycle notifications from the ACME CA.
	Email string

	// The URL for the Production ACME CA to use. Defaults to the
	// Let's Encrypt production URL if not specified.
	ProdCAURL string

	// The URL for the Test/Staging ACME CA to use. Defaults to the
	// Let's Encrypt staging URL if not specified.
	TestCAURL string

	// If true, use the Test/Staging ACME CA URL. If false, use the
	// Production ACME CA URL. Defaults to false.
	UseTestCA bool
}

ACMEConfig stores the properties used for operating as an ACME client.

type Certificate

type Certificate interface {
	// Reload will reload the certificate and private key. Subsequent calls
	// to GetCertificate/GetClientCertificate will return the newly loaded
	// certificate, if reloading was successful. If reloading failed, the old
	// state is kept.
	Reload() error

	// GetIdentifier returns an identifier for the certificate for logging.
	GetIdentifier() string

	// GetCertificate returns the current underlying certificate.
	// Can be used for tls.Config's GetCertificate callback.
	GetCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error)

	// GetClientCertificate returns the current underlying certificate.
	// Can be used for tls.Config's GetClientCertificate callback.
	GetClientCertificate(certInfo *tls.CertificateRequestInfo) (*tls.Certificate, error)

	// GetTrustStore returns the most up-to-date version of the trust store / CA bundle.
	GetTrustStore() *x509.CertPool
}

Certificate wraps a TLS certificate and supports reloading at runtime.

Example
// Load a certificate from a set of PEM files.
cert, _ := CertificateFromPEMFiles("/path/to/cert.pem", "/path/to/privatekey.pem", "/path/to/cacert.pem")

// Use the certificate in a tls.Config for servers
_ = tls.Config{
	// The GetCertificate function will be called to retrieve the latest
	// certificate when receiving new connections.
	GetCertificate: cert.GetCertificate,
}

// Use the certificate in a tls.Config for clients
_ = tls.Config{
	// The GetClientCertificate function will be called to retrieve the latest
	// client certificate when making new connections.
	GetClientCertificate: cert.GetClientCertificate,
}

// Reload a certificate. Will re-read the files from disk, and update the
// certificate if there have been any changes.
cert.Reload()
Output:
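The Certificate interface above promises two things that are easy to get wrong: Reload must swap the key pair atomically for concurrent GetCertificate callers, and a failed reload must leave the previously loaded certificate in service. The following is an added example, not code from certloader or ghostunnel, that implements a minimal PEM-backed stand-in with exactly those semantics and drives it through a rotation and a corrupted-file reload. ReloadableCert, NewReloadableCert and WriteSelfSignedPEM are names invented here; the self-signed certificate it writes is a constructed fixture, not a real identity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"sync"
	"time"
)

// ReloadableCert is a stand-in (not certloader's own type) for the page's
// Certificate interface: Reload re-reads a PEM cert/key pair from disk and,
// if that fails, keeps serving the previously loaded pair.
type ReloadableCert struct {
	certPath, keyPath string
	mu                sync.RWMutex
	current           *tls.Certificate
	leaf              *x509.Certificate
}

// NewReloadableCert performs the initial load; an unreadable pair is an error
// here because there is no older state to fall back to.
func NewReloadableCert(certPath, keyPath string) (*ReloadableCert, error) {
	c := &ReloadableCert{certPath: certPath, keyPath: keyPath}
	if err := c.Reload(); err != nil {
		return nil, err
	}
	return c, nil
}

// Reload parses the files fully before taking the write lock, so a bad file
// never replaces a good in-memory certificate.
func (c *ReloadableCert) Reload() error {
	pair, err := tls.LoadX509KeyPair(c.certPath, c.keyPath)
	if err != nil {
		return fmt.Errorf("reload %s: %w", c.certPath, err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return fmt.Errorf("parse leaf of %s: %w", c.certPath, err)
	}
	c.mu.Lock()
	c.current, c.leaf = &pair, leaf
	c.mu.Unlock()
	return nil
}

// GetCertificate matches the tls.Config.GetCertificate callback signature.
func (c *ReloadableCert) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	c.mu.RLock()
	defer c.mu.RUnlock()
	if c.current == nil {
		return nil, errors.New("no certificate loaded")
	}
	return c.current, nil
}

// GetIdentifier returns a log-friendly name, as the page's interface does.
func (c *ReloadableCert) GetIdentifier() string {
	c.mu.RLock()
	defer c.mu.RUnlock()
	return fmt.Sprintf("%s (serial %d)", c.leaf.Subject.CommonName, c.leaf.SerialNumber)
}

// WriteSelfSignedPEM writes a throwaway self-signed P-256 cert/key pair.
// Constructed fixture for the example only; never use such a cert in production.
func WriteSelfSignedPEM(certPath, keyPath, cn string, serial int64) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return err
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	if err := os.WriteFile(certPath, certPEM, 0o600); err != nil {
		return err
	}
	return os.WriteFile(keyPath, keyPEM, 0o600)
}

func main() {
	dir, err := os.MkdirTemp("", "certloader-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	certPath, keyPath := dir+"/cert.pem", dir+"/key.pem"
	if err := WriteSelfSignedPEM(certPath, keyPath, "example.invalid", 1); err != nil {
		panic(err)
	}
	cert, err := NewReloadableCert(certPath, keyPath)
	if err != nil {
		panic(err)
	}
	_ = &tls.Config{GetCertificate: cert.GetCertificate} // how a server would wire it up
	fmt.Println("loaded:", cert.GetIdentifier())
	_ = WriteSelfSignedPEM(certPath, keyPath, "example.invalid", 2) // simulate rotation
	fmt.Println("rotate:", cert.Reload(), cert.GetIdentifier())
	_ = os.WriteFile(certPath, []byte("not a certificate"), 0o600) // simulate a bad deploy
	fmt.Println("bad reload:", cert.Reload(), "; still serving", cert.GetIdentifier())
}
```

The parse-then-swap ordering in Reload is the whole point: a half-written or corrupted file on disk costs you one logged error, not the ability to accept connections.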

func CertificateFromKeychainIdentity

func CertificateFromKeychainIdentity(
	commonNameOrSerial string, issuerName string, caBundlePath string, requireToken bool,
) (Certificate, error)

CertificateFromKeychainIdentity creates a reloadable certificate from a system keychain identity.

func CertificateFromKeystore

func CertificateFromKeystore(keystorePath, keystorePassword, caBundlePath string) (Certificate, error)

CertificateFromKeystore creates a reloadable certificate from a PKCS#12 keystore.

func CertificateFromPEMFiles

func CertificateFromPEMFiles(certificatePath, keyPath, caBundlePath string) (Certificate, error)

CertificateFromPEMFiles creates a reloadable certificate from a set of PEM files.

func CertificateFromPKCS11Module

func CertificateFromPKCS11Module(certificatePath, caBundlePath, modulePath, tokenLabel, pin string) (Certificate, error)

CertificateFromPKCS11Module creates a reloadable certificate from a PKCS#11 module.

func NoCertificate added in v1.5.3

func NoCertificate(caBundlePath string) (Certificate, error)

NoCertificate creates an empty certificate with only a trust bundle.

type Dialer

type Dialer interface {
	Dial(network, address string) (net.Conn, error)
}

Dialer is an interface for dialers. Can be a net.Dialer, http_dialer.HttpTunnel, or a dialer from this package.

func DialerWithCertificate

func DialerWithCertificate(config TLSClientConfig, timeout time.Duration, dialer Dialer) Dialer

DialerWithCertificate creates a dialer that reloads its certificate (if set) before dialing new connections. If the certificate is nil, the dialer will still work, but it won't supply client certificates on connections.

type Listener added in v1.5.3

type Listener struct {
	net.Listener
	// contains filtered or unexported fields
}

Listener wraps a net.Listener, wrapping incoming connections in TLS and overriding Accept() to make sure the trust bundle is reloaded on each new incoming connection. This allows the CA bundle to be reloaded at runtime without restarting the listener.

func NewListener added in v1.5.3

func NewListener(listener net.Listener, config TLSServerConfig) *Listener

func (*Listener) Accept added in v1.5.3

func (l *Listener) Accept() (net.Conn, error)

type TLSClientConfig added in v1.5.3

type TLSClientConfig interface {
	// GetClientConfig returns a TLS configuration for use as a TLS client. It
	// is safe to call concurrently.
	GetClientConfig() *tls.Config
}

type TLSConfigSource added in v1.5.3

type TLSConfigSource interface {
	// Reload will reload the TLS configuration. If reloading fails, the
	// existing configuration will be used. The client and server config
	// interface returned by GetClientConfig and GetServerConfig should reflect
	// any new configuration.
	Reload() error

	// CanServe returns true if the source can return configuration appropriate
	// for server roles (see GetServerConfig)
	CanServe() bool

	// GetClientConfig returns a TLSClientConfig interface that can be used to
	// obtain TLS client configuration. The base configuration is cloned and
	// used as a base for all returned TLS configuration.
	GetClientConfig(base *tls.Config) (TLSClientConfig, error)

	// GetServerConfig returns a TLSServerConfig interface that can be used to
	// obtain TLS server configuration. The base configuration is cloned and
	// used as a base for all returned TLS configuration. If the source is
	// not appropriate for use as a server (see CanServe), an error is returned.
	GetServerConfig(base *tls.Config) (TLSServerConfig, error)
}

TLSConfigSource is used to configure client or server TLS. It supports hot reloading.

func TLSConfigSourceFromACME added in v1.6.1

func TLSConfigSourceFromACME(acme *ACMEConfig) (TLSConfigSource, error)

func TLSConfigSourceFromCertificate added in v1.5.3

func TLSConfigSourceFromCertificate(cert Certificate, logger *log.Logger) TLSConfigSource

func TLSConfigSourceFromWorkloadAPI added in v1.5.3

func TLSConfigSourceFromWorkloadAPI(addr string, clientDisableAuth bool, logger *log.Logger) (TLSConfigSource, error)

type TLSServerConfig added in v1.5.3

type TLSServerConfig interface {
	// GetServerConfig returns a TLS configuration for use as a TLS server. It
	// is safe to call concurrently.
	GetServerConfig() *tls.Config
}

Directories

Path Synopsis
internal
