hpkp: github.com/tam7t/hpkp Index | Examples | Files

package hpkp

import "github.com/tam7t/hpkp"


s := hpkp.NewMemStorage()

s.Add("github.com", &hpkp.Header{
    Permanent: true,
    Sha256Pins: []string{

client := &http.Client{}
dialConf := &hpkp.DialerConfig{
    Storage:   s,
    PinOnly:   true,
    TLSConfig: nil,
    Reporter: func(p *hpkp.PinFailure, reportUri string) {
        // TODO: report on PIN failure
client.Transport = &http.Transport{
    DialTLS: dialConf.NewDialer(),

resp, err := client.Get("https://github.com")
if err != nil {






Package Files

dialer.go fingerprint.go header.go report.go storage.go

func Fingerprint Uses

func Fingerprint(c *x509.Certificate) string

Fingerprint returns the hpkp signature of an x509 certificate

type DialerConfig Uses

type DialerConfig struct {
    Storage   StorageReader
    PinOnly   bool
    TLSConfig *tls.Config
    Reporter  PinFailureReporter

DialerConfig describes how to verify hpkp info and report failures

func (*DialerConfig) NewDialer Uses

func (c *DialerConfig) NewDialer() func(network, addr string) (net.Conn, error)

NewDialer returns a dialer for making TLS connections with hpkp support

type Header struct {
    Created           int64
    MaxAge            int64
    IncludeSubDomains bool
    Permanent         bool
    Sha256Pins        []string
    ReportURI         string

Header holds a domain's hpkp information

func ParseHeader Uses

func ParseHeader(resp *http.Response) *Header

ParseHeader parses the hpkp information from an http.Response.

func ParseReportOnlyHeader Uses

func ParseReportOnlyHeader(resp *http.Response) *Header

ParseReportOnlyHeader parses the hpkp information from an http.Response. The resulting header information should not be cached as max_age is ignored on HPKP-RO headers per the RFC.

func (*Header) Matches Uses

func (h *Header) Matches(pin string) bool

Matches checks whether the provided pin is in the header list

type MemStorage Uses

type MemStorage struct {
    // contains filtered or unexported fields

MemStorage is threadsafe hpkp host storage backed by an in-memory map

func NewMemStorage Uses

func NewMemStorage() *MemStorage

NewMemStorage initializes hpkp in-memory datastructure

func (*MemStorage) Add Uses

func (s *MemStorage) Add(host string, d *Header)

Add a domain to hpkp storage

func (*MemStorage) Lookup Uses

func (s *MemStorage) Lookup(host string) *Header

Lookup returns the corresponding hpkp header information for a given host

type PinFailure Uses

type PinFailure struct {
    DateTime                  string   `json:"date-time"`
    Hostname                  string   `json:"hostname"`
    Port                      int      `json:"port"`
    EffectiveExpirationDate   string   `json:"effective-expiration-date"`
    IncludeSubdomains         bool     `json:"include-subdomains"`
    NotedHostname             string   `json:"noted-hostname"`
    ServedCertificateChain    []string `json:"served-certificate-chain"`
    ValidatedCertificateChain []string `json:"validated-certificate-chain"`
    KnownPins                 []string `json:"known-pins"`

PinFailure hold fields required for POSTing a pin validation failure JSON message to a host's report-uri.

func NewPinFailure Uses

func NewPinFailure(host string, port int, h *Header, c tls.ConnectionState) (*PinFailure, string)

NewPinFailure creates a struct to report information on failed hpkp connections

type PinFailureReporter Uses

type PinFailureReporter func(p *PinFailure, reportUri string)

PinFailureReporter callback function to keep track and report on PIN failures

type Storage Uses

type Storage interface {
    Lookup(host string) *Header
    Add(host string, d *Header)

Storage is threadsafe hpkp storage interface

type StorageReader Uses

type StorageReader interface {
    Lookup(host string) *Header

StorageReader is threadsafe hpkp storage interface

Package hpkp imports 13 packages (graph) and is imported by 1 packages. Updated 2017-06-15. Refresh now. Tools for package owners. This is an inactive package (no imports and no commits in at least two years).