dane

package module
v0.1.2
Published: Apr 28, 2021 License: MIT Imports: 10 Imported by: 0

README

DANE

Go library for DANE TLSA authentication

Usage

t := &http.Transport{
    DialTLSContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
        dialer := &net.Dialer{
            Timeout:   30 * time.Second,
            KeepAlive: 30 * time.Second,
        }

        conn, err := tls.DialWithDialer(dialer, network, addr, &tls.Config{
            // Disable the default PKIX chain and hostname verification so that
            // the DANE callback below is the only check applied to the chain.
            InsecureSkipVerify: true,
            VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
                // network and addr are needed to build the TLSA owner name to query.
                return dane.VerifyPeerCertificate(network, addr, rawCerts, nil)
            },
        })
        if err != nil {
            return conn, err
        }
        return conn, nil
    },
}
client := http.Client{Transport: t}

resp, err := client.Get("https://getfedora.org")
if err != nil {
    log.Fatal(err)
}
fmt.Println(resp)

The only requirement is to set InsecureSkipVerify to true and to use dane.VerifyPeerCertificate() for custom verification. All DNSSEC queries and validation are done transparently.

Documentation

Overview

Package dane provides functionality to use DNS-based Authentication of Named Entities (DANE) in standard Go TLS connections.

Example
package main

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"github.com/hawell/dane"
	"log"
	"net"
	"net/http"
	"time"
)

func main() {
	t := &http.Transport{
		DialTLSContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			dialer := &net.Dialer{
				Timeout:   30 * time.Second,
				KeepAlive: 30 * time.Second,
			}

			conn, err := tls.DialWithDialer(dialer, network, addr, &tls.Config{
				InsecureSkipVerify: true,
				VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
					return dane.VerifyPeerCertificate(network, addr, rawCerts, nil)
				},
			})
			if err != nil {
				return conn, err
			}
			return conn, nil
		},
	}
	client := http.Client{Transport: t}

	resp, err := client.Get("https://www.fedoraproject.org")
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(resp)
}
Constants

This section is empty.

Variables

This section is empty.

Functions

func VerifyPeerCertificate

func VerifyPeerCertificate(network string, addr string, rawCerts [][]byte, roots *x509.CertPool) error

VerifyPeerCertificate is a custom TLS validator that uses TLSA records to verify the provided certificates. InsecureSkipVerify in tls.Config has to be set to true. "network" and "addr" from DialTLS or DialTLSContext are needed to find the matching TLSA record.

Types

type Resolver

type Resolver struct {
	// contains filtered or unexported fields
}

Resolver contains cached query responses and a DNS client for querying.

func NewResolver

func NewResolver() *Resolver

NewResolver creates a new DNS resolver with the root keys set.

func (*Resolver) Get

func (r *Resolver) Get(qname string, qtype uint16) (*dns.Msg, error)

Get starts a recursive DNSSEC query from the root zone and verifies the responses along the way.

func (*Resolver) GetTLSA

func (r *Resolver) GetTLSA(network string, qname string, port string) ([]*dns.TLSA, error)

GetTLSA creates a valid qname for TLSA from network, qname and port, and retrieves the results using Resolver.Get(). For example, with network = "tcp", port = "443" and qname = "www.example.com", the resulting qname would be "_443._tcp.www.example.com.".
