getcert: github.com/johnsiilver/getcert

package getcert

import "github.com/johnsiilver/getcert"

Package getcert allows the dialing of a TLS service (http or gRPC) without possessing the server's certificate ahead of time. This is useful in situations where you don't need a preshared cert because traffic is under internal control (internal Kubernetes routing), or when you have a non-self-signed cert that can be verified against a chain of trust with a Certificate Authority (CA). The server already has the cert; why would you want a static copy of it to manage?

For internal traffic (where DNS is under your control), you can do:

tlsCert, xCerts, err := FromTLSServer("service.com:443", true)

For a non-self-signed certificate that you verify against a CA:

tlsCert, xCerts, err := FromTLSServer("service.com:443", false)

You can use this in an http.Client with:

client := &http.Client{
	Transport: &http.Transport{
		TLSClientConfig: &tls.Config{
			ServerName: "service.com", Certificates: []tls.Certificate{tlsCert},
			InsecureSkipVerify: true, // Set only if you set skipVerify to true above
		},
	},
}

resp, err := client.Get("https://service.com:443") // client.Get needs a full URL, scheme included

You can also use this as a gRPC DialOption (credentials is google.golang.org/grpc/credentials; NewServerTLSFromCert takes a *tls.Certificate):

conn, err := grpc.Dial(*serverAddr, grpc.WithTransportCredentials(credentials.NewServerTLSFromCert(&tlsCert)))
if err != nil {
    ...
}
defer conn.Close()
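Both the http.Client and the gRPC snippets above still trust whatever the server happened to send: InsecureSkipVerify: true turns off chain and hostname validation, and the fetched certificate is placed in the client's Certificates field, which is the client's own identity for mutual TLS, not a trust anchor. The example below is added here and is not part of the getcert package. It re-implements the fetch step locally (fetchServerChain is a stand-in for FromTLSServer with skipVerify set to true, so the program runs without the module), then swaps the Certificates field for a RootCAs pool built from the fetched chain plus a VerifyPeerCertificate pin, so every later connection is verified against exactly what was fetched. The local httptest server, its handler text and the name evil.example are constructed fixtures.

```go
package main

import (
	"bytes"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// fetchServerChain is a local stand-in for FromTLSServer(hostPort, true): it
// completes a handshake with chain validation off and returns the certificates
// the server presented, leaf first. Nothing but the handshake happens on this
// connection, so the unverified probe never carries application data.
func fetchServerChain(hostPort string) ([]*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", hostPort, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates, nil
}

// pinnedClientConfig turns a fetched chain into a client config that keeps
// verification enabled: the fetched certificates are the only trust anchors,
// hostname checking stays on through ServerName, and VerifyPeerCertificate
// additionally requires the leaf to be byte-identical to the one fetched.
func pinnedClientConfig(serverName string, chain []*x509.Certificate) (*tls.Config, error) {
	if len(chain) == 0 {
		return nil, errors.New("no certificates fetched; refusing to build a config")
	}
	pool := x509.NewCertPool()
	for _, c := range chain {
		pool.AddCert(c)
	}
	leaf := chain[0].Raw
	return &tls.Config{
		ServerName: serverName,
		RootCAs:    pool,
		MinVersion: tls.VersionTLS12,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 || !bytes.Equal(rawCerts[0], leaf) {
				return errors.New("server leaf certificate does not match the pinned one")
			}
			return nil
		},
	}, nil
}

// fetchThenGet runs the whole flow against a local TLS server (constructed
// fixture standing in for "service.com:443"): fetch the chain, pin it, then do
// a fully verified GET. serverName is the name the client expects the
// certificate to cover; httptest's certificate covers 127.0.0.1, so any other
// name is rejected before any request is sent.
func fetchThenGet(serverName string) (string, error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "hello from pinned server")
	}))
	defer srv.Close()

	u, err := url.Parse(srv.URL)
	if err != nil {
		return "", err
	}
	chain, err := fetchServerChain(u.Host) // host:port, as FromTLSServer takes it
	if err != nil {
		return "", err
	}
	cfg, err := pinnedClientConfig(serverName, chain)
	if err != nil {
		return "", err
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(srv.URL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() {
	body, err := fetchThenGet("127.0.0.1")
	fmt.Println(body, err) // hello from pinned server <nil>
	_, err = fetchThenGet("evil.example")
	fmt.Println("wrong name rejected:", err != nil) // wrong name rejected: true
}
```

The first call succeeds because the server's leaf is both in the RootCAs pool and equal to the pinned bytes; the second fails at hostname verification before the pin callback runs. The same tls.Config can be passed to credentials.NewTLS for the gRPC dial, which keeps the dial verified instead of relying on NewServerTLSFromCert's client-certificate semantics.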

Note: I don't know that I believe there is something completely under internal control that is safe. I suggest always using verify and limiting this to only certain trusted CAs. But that's your call.

This library is useful where mutual authentication via certs is not needed and you do not want to use self-signed certs (which gRPC seems to encourage, but this is no better than preshared secrets and they rarely rotate). If you require authentication and don't want client certs, use OAuth or some other mechanism.

Index

Package Files

getcert.go

func FromTLSServer

func FromTLSServer(servicePort string, skipVerify bool) (tls.Certificate, []*x509.Certificate, error)

FromTLSServer does a TLS handshake with the TLS server at servicePort (a host:port address such as "service.com:443") and retrieves the server's public certificate. If skipVerify is set, it will not attempt to validate the server's certificate chain. All certificates in the chain are returned in the tls.Certificate (which can hold multiple certs) and also as the x509.Certificate list.

Directories

Path      Synopsis
pkcs12    Package pkcs12 allows a user to read in a PKCS12 file and return a private key and public certificates that can be used in both TLS services.

Package getcert imports 6 packages. Updated 2019-08-16.