cert

package
v1.4.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 10, 2017 License: MIT Imports: 22 Imported by: 0

Documentation

Index

Constants

View Source
const (
	DefaultCertPath     = "cert"
	DefaultClientCAPath = "clientca"
)
View Source
const MaxSize = 1 << 20 // 1MB

Variables

This section is empty.

Functions

func TLSConfig

func TLSConfig(src Source, strictMatch bool) (*tls.Config, error)

TLSConfig creates a tls.Config which sets the GetCertificate field to a certificate store which uses the given source to update the the certificates on demand.

It also sets the ClientCAs field if src.LoadClientCAs returns a non-nil value and sets ClientAuth to RequireAndVerifyClientCert.

Types

type ConsulSource

type ConsulSource struct {
	CertURL     string
	ClientCAURL string
	CAUpgradeCN string
}

ConsulSource implements a certificate source which loads TLS and client authentication certificates from the consul KV store. The CertURL/ClientCAURL must point to the base path of the certificates. The TLS certificates are updated automatically when the KV store changes.

func (ConsulSource) Certificates

func (s ConsulSource) Certificates() chan []tls.Certificate

func (ConsulSource) LoadClientCAs

func (s ConsulSource) LoadClientCAs() (*x509.CertPool, error)

type FileSource

type FileSource struct {
	CertFile       string
	KeyFile        string
	ClientAuthFile string
	CAUpgradeCN    string
}

FileSource implements a certificate source for one TLS and one client authentication certificate. The certificates are loaded during startup and are cached in memory until the program exits. It exists to support the legacy configuration only. The PathSource should be used instead.

func (FileSource) Certificates

func (s FileSource) Certificates() chan []tls.Certificate

func (FileSource) LoadClientCAs

func (s FileSource) LoadClientCAs() (*x509.CertPool, error)

type HTTPSource

type HTTPSource struct {
	CertURL     string
	ClientCAURL string
	CAUpgradeCN string
	Refresh     time.Duration
}

HTTPSource implements a certificate source which loads TLS and client authentication certificates from an HTTP/HTTPS server. The CertURL/ClientCAURL must point to a text file in the directory of the certificates. The text file contains all files that should be loaded from this directory - one filename per line. The TLS certificates are updated automatically when Refresh is not zero. Refresh cannot be less than one second to prevent busy loops.

func (HTTPSource) Certificates

func (s HTTPSource) Certificates() chan []tls.Certificate

func (HTTPSource) LoadClientCAs

func (s HTTPSource) LoadClientCAs() (*x509.CertPool, error)

type PathSource

type PathSource struct {
	Path         string
	CertPath     string
	ClientCAPath string
	CAUpgradeCN  string
	Refresh      time.Duration
}

func (PathSource) Certificates

func (s PathSource) Certificates() chan []tls.Certificate

func (PathSource) LoadClientCAs

func (s PathSource) LoadClientCAs() (*x509.CertPool, error)

type Source

type Source interface {
	// Certificates() loads certificates for TLS connections.
	// The first certificate is used as the default certificate
	// if the client does not support SNI or no matching certificate
	// could be found. TLS certificates can be updated at runtime.
	Certificates() chan []tls.Certificate

	// LoadClientCAs() provides certificates for client certificate
	// authentication.
	LoadClientCAs() (*x509.CertPool, error)
}

Source provides the interface for dynamic certificate sources.

func NewSource

func NewSource(cfg config.CertSource) (Source, error)

NewSource generates a cert source from the config options.

type Store

type Store struct {
	// contains filtered or unexported fields
}

Store provides a dynamic certificate store which can be updated at runtime and is safe for concurrent use.

func NewStore

func NewStore() *Store

NewStore creates an empty certificate store.

func (*Store) SetCertificates

func (s *Store) SetCertificates(certs []tls.Certificate)

SetCertificates replaces the certificates of the store.

type VaultSource

type VaultSource struct {
	Addr         string
	CertPath     string
	ClientCAPath string
	CAUpgradeCN  string
	Refresh      time.Duration
	// contains filtered or unexported fields
}

VaultSource implements a certificate source which loads TLS and client authorization certificates from a Vault server. The Vault token should be set through the VAULT_TOKEN environment variable.

The TLS certificates are updated automatically when Refresh is not zero. Refresh cannot be less than one second to prevent busy loops.

func (*VaultSource) Certificates

func (s *VaultSource) Certificates() chan []tls.Certificate

func (*VaultSource) LoadClientCAs

func (s *VaultSource) LoadClientCAs() (*x509.CertPool, error)

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL