Documentation
¶
Overview ¶
Bifrost is an mTLS authentication toolkit.
Index ¶
- Constants
- Variables
- func FromContext(ctx context.Context) (uuid.UUID, *x509.Certificate)
- func HTTPClient(h Hosts, clientCert *tls.Certificate, rootCAs *x509.CertPool, ssllog io.Writer) *http.Client
- func Interceptor(ns uuid.UUID, next http.Handler) http.Handler
- func NewIdentity() (*ecdsa.PrivateKey, []byte, error)
- func ParseCertificate(ns uuid.UUID, der []byte) (uuid.UUID, *x509.Certificate, error)
- func RequestCertificate(ctx context.Context, url string, ns uuid.UUID, key *ecdsa.PrivateKey) (*x509.Certificate, error)
- func UUID(ns uuid.UUID, pubkey *ecdsa.PublicKey) uuid.UUID
- func X509ToTLSCertificate(crt *x509.Certificate, key *ecdsa.PrivateKey) *tls.Certificate
- type Hosts
- type Key
Examples ¶
Constants ¶
const ( SignatureAlgorithm = x509.ECDSAWithSHA256 PublicKeyAlgorithm = x509.ECDSA )
Signature and Public Key Algorithms
Variables ¶
var ( ErrInvalidPublicKey = errors.New("invalid public key") ErrUnsupportedAlgorithm = errors.New("unsupported algorithm") ErrWrongNamespace = errors.New("wrong namespace") )
Errors.
var Namespace = uuid.MustParse("1512daa4-ddc1-41d1-8673-3fd19d2f338d")
Namespace is the default UUID Namespace for Bifrost identities.
Functions ¶
func FromContext ¶ added in v0.0.10
FromContext returns the client's UUID and Certificate from the request context. The context must be from a request that has passed through Interceptor.
func HTTPClient ¶ added in v0.0.6
func HTTPClient(h Hosts, clientCert *tls.Certificate, rootCAs *x509.CertPool, ssllog io.Writer) *http.Client
HTTPClient returns a http.Client configured for mTLS with client authentication. The client will use the provided Hosts map to map hostnames to backend URLs. Client certificates are loaded from clientCert and rootCAs is used to validate the server certificate. If ssllog is not nil, the client will log TLS key material to it.
func Interceptor ¶ added in v0.0.9
Interceptor returns a HTTP Handler middleware function that reads The x-amzn-request-context header and adds the client's UUID and certificate to the request context.
func NewIdentity ¶ added in v0.0.8
func NewIdentity() (*ecdsa.PrivateKey, []byte, error)
NewIdentity generates a new ECDSA private key. The private key is also returned as a PEM encoded DER bytes in the second return value.
func ParseCertificate ¶
ParseCertificate parses a DER encoded certificate and returns the bifrost client's UUID and the certificate.
func RequestCertificate ¶
func RequestCertificate( ctx context.Context, url string, ns uuid.UUID, key *ecdsa.PrivateKey, ) (*x509.Certificate, error)
RequestCertificate sends a certificate request to url and returns the signed certificate.
Example ¶
exampleNS := uuid.MustParse("228b9676-998e-489a-8468-92d46a94a32d") ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second) defer cancel() // TODO: handle errors key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) crt, _ := RequestCertificate(ctx, "https://bifrost-ca", exampleNS, key) fmt.Println(crt.Subject)
Output:
func UUID ¶
UUID returns a unique identifier derived from the namespace and the client's public key identity. The UUID is generated by SHA-1 hashing the namesapce UUID with the big endian bytes of the X and Y curve points from the public key.
func X509ToTLSCertificate ¶
func X509ToTLSCertificate(crt *x509.Certificate, key *ecdsa.PrivateKey) *tls.Certificate
X509ToTLSCertificate puts an x509.Certificate inside a tls.Certificate.
Types ¶
Directories
¶
Path | Synopsis |
---|---|
cmd
|
|
internal
|
|
cafiles
cafiles can fetch CA certificate and private key PEM files from many storage backends.
|
cafiles can fetch CA certificate and private key PEM files from many storage backends. |
pkg
|
|
club
Package club provides middleware for use in HTTP API servers and gateways.
|
Package club provides middleware for use in HTTP API servers and gateways. |
tinyca
Package tinyca implements a Certificate Authority that issues certificates for client authentication.
|
Package tinyca implements a Certificate Authority that issues certificates for client authentication. |