Documentation
Index
- type Details
- type JsonStore
- type LegoSupplier
- type LegoSupplierConfig
- type Manager
- type Provider
- type SelfSignedSupplier
- func (s *SelfSignedSupplier) GetCertificate(subject string, altNames []string, shouldStaple bool) (*Details, error)
- func (s *SelfSignedSupplier) MinCertificateValidity() time.Duration
- func (s *SelfSignedSupplier) MinStapleValidity() time.Duration
- func (s *SelfSignedSupplier) UpdateStaple(_ *Details) error
- type Store
- type Supplier
- type WildcardResolver
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type Details
type Details struct {
	Issuer         string    `json:"issuer"`
	PrivateKey     string    `json:"privateKey"`
	Certificate    string    `json:"certificate"`
	Subject        string    `json:"subject"`
	AltNames       []string  `json:"altNames"`
	NotAfter       time.Time `json:"notAfter"`
	OcspResponse   []byte    `json:"ocspResponse"`
	NextOcspUpdate time.Time `json:"nextOcspUpdate"`
	// contains filtered or unexported fields
}
Details contains the details of a certificate we've previously obtained and saved for future use.
func (*Details) HasStapleFor
HasStapleFor indicates whether the OCSP staple covers the entirety of the given period.
func (*Details) IsFor
IsFor determines whether this certificate covers the given subject and altNames (and no more).
func (*Details) RequiresStaple added in v0.8.0
RequiresStaple indicates whether this certificate has the `must-staple` extension enabled.
type JsonStore
type JsonStore struct {
// contains filtered or unexported fields
}
JsonStore is responsible for storing and managing certificates. It can save and load data to/from a JSON file.
func NewStore
NewStore creates a new certificate store using the specified path for storage, and tries to load any saved data.
func (*JsonStore) GetCertificate
GetCertificate returns a previously stored certificate with the given subject and alt names, or `nil` if none exists.
Returned certificates are not guaranteed to be valid.
func (*JsonStore) LockCertificate added in v0.3.0
LockCertificate acquires a lock over the writing of the given certificate. All calls to LockCertificate should be followed by calls to UnlockCertificate.
func (*JsonStore) SaveCertificate
SaveCertificate adds the given certificate to the store. Any previously saved certificates for the same subject and alt names will be removed. The store will be saved to disk after the certificate is added.
Callers should acquire a lock on the certificate by calling LockCertificate before saving it.
func (*JsonStore) UnlockCertificate added in v0.3.0
UnlockCertificate releases a previously acquired lock over the writing of the given certificate.
type LegoSupplier
type LegoSupplier struct {
// contains filtered or unexported fields
}
LegoSupplier uses a lego client to obtain certificates from an ACME endpoint.
func NewLegoSupplier added in v0.2.0
func NewLegoSupplier(config *LegoSupplierConfig) (*LegoSupplier, error)
NewLegoSupplier creates a new supplier, registering or retrieving an account with the ACME server as necessary.
func (*LegoSupplier) GetCertificate
func (s *LegoSupplier) GetCertificate(subject string, altNames []string, shouldStaple bool) (*Details, error)
GetCertificate obtains a new certificate for the given names, and immediately requests a new OCSP staple.
func (*LegoSupplier) MinCertificateValidity added in v0.2.0
func (s *LegoSupplier) MinCertificateValidity() time.Duration
func (*LegoSupplier) MinStapleValidity added in v0.2.0
func (s *LegoSupplier) MinStapleValidity() time.Duration
func (*LegoSupplier) UpdateStaple
func (s *LegoSupplier) UpdateStaple(cert *Details) error
UpdateStaple requests a new OCSP staple for the given certificate.
type LegoSupplierConfig
type LegoSupplierConfig struct {
	// Path is the path to a file on disk where registration data may be cached.
	Path string
	// Email is the contact address to supply to the ACME endpoint.
	Email string
	// DirUrl is the URL of the ACME endpoint.
	DirUrl string
	// KeyType is the type of key to use when generating a certificate.
	KeyType certcrypto.KeyType
	// DnsProvider is the DNS-01 challenge provider that will verify domain ownership.
	DnsProvider challenge.Provider
}
LegoSupplierConfig contains the configuration used to create a new LegoSupplier.
type Manager
type Manager struct {
// contains filtered or unexported fields
}
Manager is responsible for co-ordinating a certificate store and supplier, providing a means to obtain a valid certificate with an OCSP staple.
func NewManager
func NewManager(store Store, suppliers map[string]Supplier, supplierPreference []string, shouldStaple bool) *Manager
NewManager returns a new certificate manager backed by the given store and suppliers.
func (*Manager) GetCertificate
func (m *Manager) GetCertificate(preferredSupplier string, subject string, altNames []string) (*tls.Certificate, error)
GetCertificate returns a certificate for the given subject and alternate names. This may take some time if a new certificate needs to be obtained, or the OCSP staple needs to be updated.
func (*Manager) GetExistingCertificate added in v0.3.0
func (m *Manager) GetExistingCertificate(preferredSupplier string, subject string, altNames []string) (*tls.Certificate, bool, error)
GetExistingCertificate returns a previously saved certificate with the given subject and alternate names if it is still valid. It also indicates whether the certificate is in need of renewal or not. Certificates should be renewed by calling GetCertificate, which will block and return the new certificate.
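The checks behind GetExistingCertificate's two answers ("is this saved certificate usable?" and "does it need renewal?") rest on the Details methods documented earlier: IsFor, HasStapleFor and RequiresStaple. The following is an added example written for this page, not the package's code; it re-implements those three checks on a cut-down struct from their one-line descriptions and combines them into a decision that uses a supplier's MinCertificateValidity and MinStapleValidity as the thresholds. Treating a must-staple certificate with no currently valid staple as unusable, rather than merely due for renewal, is this example's own choice:

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// details mirrors the fields of the page's Details type that the validity
// checks need; the methods are this example's reading of the documented
// behaviour (assumptions), not the package's own code.
type details struct {
	Subject        string
	AltNames       []string
	NotAfter       time.Time
	OcspResponse   []byte
	NextOcspUpdate time.Time
	mustStaple     bool // stands in for inspecting the must-staple extension
}

func sortedCopy(in []string) []string {
	out := append([]string(nil), in...)
	sort.Strings(out)
	return out
}

// isFor: the certificate covers exactly the given subject and altNames
// (and no more), whatever order the altNames are listed in.
func (d *details) isFor(subject string, altNames []string) bool {
	if d.Subject != subject || len(d.AltNames) != len(altNames) {
		return false
	}
	a, b := sortedCopy(d.AltNames), sortedCopy(altNames)
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

// hasStapleFor: a staple is present and stays valid for the whole period
// starting at now.
func (d *details) hasStapleFor(now time.Time, period time.Duration) bool {
	return len(d.OcspResponse) > 0 && !d.NextOcspUpdate.Before(now.Add(period))
}

// requiresStaple reports whether the must-staple extension is set.
func (d *details) requiresStaple() bool { return d.mustStaple }

// evaluate gives the two answers GetExistingCertificate returns: whether the
// saved certificate is usable right now, and whether a renewal (new
// certificate or fresh staple) should be started. minCert and minStaple play
// the role of the supplier's MinCertificateValidity and MinStapleValidity;
// shouldStaple is the Manager's setting. A must-staple certificate with no
// currently valid staple is treated as unusable (assumption).
func evaluate(d *details, now time.Time, minCert, minStaple time.Duration, shouldStaple bool) (usable, renew bool) {
	if !d.NotAfter.After(now) {
		return false, true // expired: nothing to serve
	}
	renew = d.NotAfter.Before(now.Add(minCert))
	if shouldStaple || d.requiresStaple() {
		if !d.hasStapleFor(now, minStaple) {
			renew = true
		}
		if d.requiresStaple() && !d.hasStapleFor(now, 0) {
			return false, true // must-staple with nothing valid to staple
		}
	}
	return true, renew
}

func main() {
	now := time.Now()
	// Constructed sample: 30 days of certificate left, staple good for 5 days.
	d := &details{Subject: "example.com", AltNames: []string{"www.example.com"},
		NotAfter: now.Add(30 * 24 * time.Hour), OcspResponse: []byte{0x30},
		NextOcspUpdate: now.Add(5 * 24 * time.Hour)}
	usable, renew := evaluate(d, now, 14*24*time.Hour, 7*24*time.Hour, true)
	fmt.Printf("usable=%v renew=%v isFor=%v\n", usable, renew, d.isFor("example.com", []string{"www.example.com"}))
}
```

The point of the split answer is operational: a server can keep serving the saved certificate while renewal runs in the background, and only a certificate that is expired, or that must staple but has nothing valid to staple, forces the blocking GetCertificate path.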
type Provider added in v0.2.0
type Provider interface {
	GetCertificate(preferredSupplier string, subject string, altNames []string) (*tls.Certificate, error)
	GetExistingCertificate(preferredSupplier string, subject string, altNames []string) (*tls.Certificate, bool, error)
}
Provider defines the interface for providing certificates to a WildcardResolver.
type SelfSignedSupplier added in v0.2.0
type SelfSignedSupplier struct{}
func NewSelfSignedSupplier added in v0.2.0
func NewSelfSignedSupplier() *SelfSignedSupplier
func (*SelfSignedSupplier) GetCertificate added in v0.2.0
func (s *SelfSignedSupplier) GetCertificate(subject string, altNames []string, shouldStaple bool) (*Details, error)
func (*SelfSignedSupplier) MinCertificateValidity added in v0.2.0
func (s *SelfSignedSupplier) MinCertificateValidity() time.Duration
func (*SelfSignedSupplier) MinStapleValidity added in v0.2.0
func (s *SelfSignedSupplier) MinStapleValidity() time.Duration
func (*SelfSignedSupplier) UpdateStaple added in v0.2.0
func (s *SelfSignedSupplier) UpdateStaple(_ *Details) error
type Store
type Store interface {
	GetCertificate(subject string, altNames []string) *Details
	SaveCertificate(cert *Details) error
	LockCertificate(subjectName string, altNames []string)
	UnlockCertificate(subjectName string, altNames []string)
}
Store provides functions to get and store certificates.
type Supplier
type Supplier interface {
	GetCertificate(subject string, altNames []string, shouldStaple bool) (*Details, error)
	UpdateStaple(cert *Details) error
	MinCertificateValidity() time.Duration
	MinStapleValidity() time.Duration
}
Supplier provides new certificates and OCSP staples.
type WildcardResolver added in v0.2.0
type WildcardResolver struct {
// contains filtered or unexported fields
}
WildcardResolver wraps around a certificate provider and modifies the domain and altNames of any request according to a set of wildcard rules.
For example, if the domain ".example.com" is treated as a wildcard domain, any certificate requests for "foo.example.com", "bar.example.com", etc., will be converted to "*.example.com". Requests for "example.com" or "a.b.example.com" will not be modified.
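The rewrite rule above has two edge cases worth seeing in code: the apex ("example.com") and deeper names ("a.b.example.com") must pass through untouched, and several names that collapse onto the same wildcard should not produce a request with duplicate alt names. The following is an added example written for this page, not the package's resolver; the function names are this example's own, and its handling of case, a trailing dot, and the de-duplication of altNames are assumptions the page does not state:

```go
package main

import (
	"fmt"
	"strings"
)

// wildcardDomains is a constructed stand-in for the "domains" list handed to
// NewWildcardResolver: each entry is a suffix whose direct children collapse
// into one wildcard name.
var wildcardDomains = []string{".example.com", ".internal.test"}

// resolveName applies the documented rule to a single name: exactly one label
// in front of a configured suffix becomes "*"+suffix; the apex ("example.com")
// and deeper names ("a.b.example.com") are returned unchanged. Matching is
// case-insensitive and tolerates a trailing dot (this example's assumptions).
func resolveName(name string, domains []string) string {
	n := strings.ToLower(strings.TrimSuffix(name, "."))
	for _, d := range domains {
		suffix := "." + strings.ToLower(strings.TrimPrefix(d, "."))
		if !strings.HasSuffix(n, suffix) {
			continue
		}
		prefix := strings.TrimSuffix(n, suffix)
		// One label only: non-empty and containing no further dot.
		if prefix != "" && !strings.Contains(prefix, ".") {
			return "*" + suffix
		}
	}
	return name
}

// resolveRequest rewrites a whole request. Several names may collapse onto the
// same wildcard, so altNames are de-duplicated and the subject is not repeated
// among them; the page does not say how the real resolver treats duplicates.
func resolveRequest(subject string, altNames []string, domains []string) (string, []string) {
	newSubject := resolveName(subject, domains)
	seen := map[string]bool{newSubject: true}
	var newAlt []string
	for _, a := range altNames {
		r := resolveName(a, domains)
		if !seen[r] {
			seen[r] = true
			newAlt = append(newAlt, r)
		}
	}
	return newSubject, newAlt
}

func main() {
	subj, alt := resolveRequest("foo.example.com",
		[]string{"bar.example.com", "example.com", "a.b.example.com", "www.other.org"},
		wildcardDomains)
	fmt.Println(subj, alt) // *.example.com [example.com a.b.example.com www.other.org]
}
```

Collapsing names this way is also what keeps the store from holding one certificate per host: every direct child of a wildcard domain resolves to the same subject and alt names, so IsFor matches the single saved wildcard certificate.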
func NewWildcardResolver added in v0.2.0
func NewWildcardResolver(upstream Provider, domains []string) *WildcardResolver
NewWildcardResolver creates a new WildcardResolver that will modify any domain in the given list to be wildcards.
func (*WildcardResolver) GetCertificate added in v0.2.0
func (w *WildcardResolver) GetCertificate(preferredSupplier string, subject string, altNames []string) (*tls.Certificate, error)
GetCertificate returns a certificate from the upstream provider that will cover the given subject and altNames, taking into account the configured wildcard domains.
func (*WildcardResolver) GetExistingCertificate added in v0.3.0
func (w *WildcardResolver) GetExistingCertificate(preferredSupplier string, subject string, altNames []string) (*tls.Certificate, bool, error)
GetExistingCertificate returns an existing, saved certificate from the upstream provider that will cover the given subject and altNames, taking into account the configured wildcard domains.