- Constants
- Variables
- func BauthDecrypt(bauth, keyStr string) (string, error)
- func BauthEncrypt(plainData, keyStr string) (string, error)
- func FindHash(hashStr string) (hash.Hash, crypto.Hash, error)
- func FingerprintLegacyMD5(pubKey PublicKey) string
- func FingerprintSHA256(pubKey PublicKey) string
- func MarshalAuthorizedKey(key PublicKey) []byte
- func NewECBDecrypter(b cipher.Block) cipher.BlockMode
- func NewECBEncrypter(b cipher.Block) cipher.BlockMode
- func NewErrGracePeriodExpired() error
- func NewErrNoSSl() error
- func NewErrNoSig() error
- func NewErrNoTicket() error
- func NewErrNoValidToken() error
- func NewErrSigNotValid(prevErrors ...error) error
- func NewErrValidationExpired() error
- func NewErrWrongIp() error
- func ParseDSAPrivateKey(der []byte) (*dsa.PrivateKey, error)
- func ParseRawPrivateKey(pemBytes []byte) (interface{}, error)
- func ParseRawPrivateKeyWithPassphrase(pemBytes, passPhrase []byte) (interface{}, error)
- type AlgorithmSigner
- type AuthPubTkt
- type AuthPubTktContextKey
- type AuthPubTktHandler
- type AuthPubTktHandlerOption
- type AuthPubTktImpl
- func (a AuthPubTktImpl) RawToTicket(ticketStr string) (*Ticket, error)
- func (a AuthPubTktImpl) RequestToTicket(req *http.Request) (*Ticket, error)
- func (a AuthPubTktImpl) SignTicket(ticket *Ticket) error
- func (a AuthPubTktImpl) TicketInHeader(inHeader http.Header, ticket *Ticket) error
- func (a AuthPubTktImpl) TicketInRequest(req *http.Request, ticket *Ticket) error
- func (a AuthPubTktImpl) TicketInResponse(resp http.ResponseWriter, ticket *Ticket) error
- func (a AuthPubTktImpl) TicketToRaw(ticket *Ticket) (string, error)
- func (a AuthPubTktImpl) VerifyFromRequest(req *http.Request) (*Ticket, error)
- func (a AuthPubTktImpl) VerifyTicket(ticket *Ticket, clientIp string) error
- type AuthPubTktOptions
- type EncMethod
- type ErrGracePeriodExpired
- type ErrNoSSl
- type ErrNoSig
- type ErrNoTicket
- type ErrNoValidToken
- type ErrSigNotValid
- type ErrValidationExpired
- type ErrWrongIp
- type OpenSSL
- type OpenSSLCreds
- type PublicKey
- type Signer
- type Ticket
Constants ¶
// Digest names accepted for ticket signature hashing. hashMethod is an
// unexported type declared elsewhere in the package.
// NOTE(review): these look like the lower-case forms of the TKTAuthDigest
// option values — confirm against the option parsing code. sha1 is a legacy
// digest; prefer sha256 or stronger wherever the ticket issuer supports it.
const (
	Hsha1   hashMethod = "sha1"
	Hsha224 hashMethod = "sha224"
	Hsha256 hashMethod = "sha256"
	Hsha384 hashMethod = "sha384"
	Hsha512 hashMethod = "sha512"
)
// Algorithm names for the public key types this package handles, in the
// wire/authorized_keys spelling.
const (
	KeyAlgoRSA      = "ssh-rsa"
	KeyAlgoDSA      = "ssh-dss"
	KeyAlgoECDSA256 = "ecdsa-sha2-nistp256"
	KeyAlgoECDSA384 = "ecdsa-sha2-nistp384"
	KeyAlgoECDSA521 = "ecdsa-sha2-nistp521"
	KeyAlgoED25519  = "ssh-ed25519"
)
These constants represent the algorithm names for key types supported by this package.
// Signature algorithm names accepted by AlgorithmSigner.SignWithAlgorithm.
// NOTE(review): "ssh-rsa" signatures are SHA-1 based; the rsa-sha2-* variants
// are the ones to prefer when the verifying side accepts them.
const (
	SigAlgoRSA        = "ssh-rsa"
	SigAlgoRSASHA2256 = "rsa-sha2-256"
	SigAlgoRSASHA2512 = "rsa-sha2-512"
)
These constants represent non-default signature algorithms that are supported as algorithm parameters to AlgorithmSigner.SignWithAlgorithm methods. See [PROTOCOL.agent] section 4.5.1 and https://tools.ietf.org/html/draft-ietf-curdle-rsa-sha2-10
Variables ¶
// Sentinel errors returned by the PKCS7 padding helpers.
// NOTE(review): if callers relay these to an HTTP client verbatim, a padding
// failure becomes distinguishable from other decryption failures — the classic
// padding-oracle concern. Check that the handler reports one generic failure
// for every decrypt/unpad error.
var (
	// ErrInvalidBlockSize indicates a block size <= 0 was requested.
	ErrInvalidBlockSize = errors.New("invalid blocksize")
	// ErrInvalidPKCS7Data indicates bad input to PKCS7 pad or unpad
	// (empty or not a multiple of the block size).
	ErrInvalidPKCS7Data = errors.New("invalid PKCS7 data (empty or not padded)")
	// ErrInvalidPKCS7Padding indicates that PKCS7 unpad failed because the
	// padding bytes are inconsistent.
	ErrInvalidPKCS7Padding = errors.New("invalid padding on input")
)
// TimeNowFunc returns the current time. It is a package-level variable so the
// clock can be substituted (for example with a fixed time in tests).
// NOTE(review): presumably this clock drives the validuntil/graceperiod
// checks in VerifyTicket, so overriding it in production would affect ticket
// expiry — confirm against the verify code.
var TimeNowFunc = func() time.Time { return time.Now() }
Functions ¶
func BauthDecrypt ¶
func BauthEncrypt ¶
func FingerprintLegacyMD5 ¶
FingerprintLegacyMD5 returns the user presentation of the key's fingerprint as described by RFC 4716 section 4.
func FingerprintSHA256 ¶
FingerprintSHA256 returns the user presentation of the key's fingerprint as unpadded base64 encoded sha256 hash. This format was introduced from OpenSSH 6.8. https://www.openssh.com/txt/release-6.8 https://tools.ietf.org/html/rfc4648#section-3.2 (unpadded base64 encoding)
func MarshalAuthorizedKey ¶
MarshalAuthorizedKey serializes key for inclusion in an OpenSSH authorized_keys file. The return value ends with newline.
func NewErrGracePeriodExpired ¶
func NewErrGracePeriodExpired() error
func NewErrNoSSl ¶
func NewErrNoSSl() error
func NewErrNoSig ¶
func NewErrNoSig() error
func NewErrNoTicket ¶
func NewErrNoTicket() error
func NewErrNoValidToken ¶
func NewErrNoValidToken() error
func NewErrSigNotValid ¶
func NewErrValidationExpired ¶
func NewErrValidationExpired() error
func NewErrWrongIp ¶
func NewErrWrongIp() error
func ParseDSAPrivateKey ¶
func ParseDSAPrivateKey(der []byte) (*dsa.PrivateKey, error)
ParseDSAPrivateKey returns a DSA private key from its ASN.1 DER encoding, as specified by the OpenSSL DSA man page.
func ParseRawPrivateKey ¶
ParseRawPrivateKey returns a private key from a PEM encoded private key. It supports RSA (PKCS#1), PKCS#8, DSA (OpenSSL), and ECDSA private keys.
func ParseRawPrivateKeyWithPassphrase ¶
ParseRawPrivateKeyWithPassphrase returns a private key decrypted with the given passphrase from a PEM encoded private key. If the passphrase is wrong, it returns x509.IncorrectPasswordError.
Types ¶
type AlgorithmSigner ¶
// AlgorithmSigner extends Signer with the ability to choose the signature
// algorithm explicitly.
type AlgorithmSigner interface {
	Signer
	// SignWithAlgorithm is like Signer.Sign, but allows specification of a
	// non-default signing algorithm. See the SigAlgo* constants in this
	// package for the signature algorithms supported. Callers may pass an
	// empty string for algorithm, in which case the AlgorithmSigner uses
	// its default algorithm.
	SignWithAlgorithm(rand io.Reader, data []byte, algorithm string) (*ssh.Signature, error)
}
An AlgorithmSigner is a Signer that also supports specifying a specific algorithm to use for signing.
type AuthPubTkt ¶
// AuthPubTkt is the ticket handling contract: extracting tickets from
// requests, placing them in requests/responses/headers, (de)serializing them,
// and verifying or signing them.
type AuthPubTkt interface {
	// VerifyFromRequest finds the ticket in the request, applies the
	// request-level pre-checks and verifies the ticket.
	VerifyFromRequest(*http.Request) (*Ticket, error)
	// RequestToTicket extracts a ticket from a request (if one is found).
	// The returned ticket is not yet verified.
	RequestToTicket(*http.Request) (*Ticket, error)
	// TicketInRequest places the ticket in the request as configured in the options.
	TicketInRequest(*http.Request, *Ticket) error
	// TicketInResponse places the ticket in the response writer as configured in the options.
	TicketInResponse(http.ResponseWriter, *Ticket) error
	// TicketInHeader places the ticket in the given HTTP headers as configured in the options.
	TicketInHeader(inHeader http.Header, ticket *Ticket) error
	// RawToTicket decodes an encrypted or plain ticket string into a Ticket structure.
	RawToTicket(ticketStr string) (*Ticket, error)
	// TicketToRaw encodes a ticket as plain or encrypted ticket data.
	TicketToRaw(ticket *Ticket) (string, error)
	// VerifyTicket checks the ticket's signature, expiration, required token
	// (if set) and client IP (against clientIp, only when the
	// TKTCheckIpEnabled option is true). Ticket fields should not be relied
	// upon for authorization decisions before this returns nil.
	VerifyTicket(ticket *Ticket, clientIp string) error
	// SignTicket adds a signature to the ticket using the private key set
	// with the TKTAuthPrivateKey option.
	SignTicket(ticket *Ticket) error
}
func NewAuthPubTkt ¶
func NewAuthPubTkt(options AuthPubTktOptions) (AuthPubTkt, error)
type AuthPubTktContextKey ¶
type AuthPubTktContextKey int
type AuthPubTktHandler ¶
type AuthPubTktHandler struct {
// contains filtered or unexported fields
}
func NewAuthPubTktHandler ¶
func NewAuthPubTktHandler(options AuthPubTktOptions, next http.Handler, handlerOpts ...AuthPubTktHandlerOption) (*AuthPubTktHandler, error)
func (AuthPubTktHandler) ServeHTTP ¶
func (h AuthPubTktHandler) ServeHTTP(w http.ResponseWriter, req *http.Request)
func (AuthPubTktHandler) WriteBasicAuth ¶
func (h AuthPubTktHandler) WriteBasicAuth(ticket *Ticket, req *http.Request) error
type AuthPubTktHandlerOption ¶
type AuthPubTktHandlerOption func(*AuthPubTktHandler) error
func PanicOnError ¶
func PanicOnError() AuthPubTktHandlerOption
PanicOnError - if used, an unrecognized error triggers a panic instead of an error response.
func SetCreateAuthPubTktFunc ¶
func SetCreateAuthPubTktFunc(fn func(options AuthPubTktOptions) (AuthPubTkt, error)) AuthPubTktHandlerOption
func SetStatus ¶
func SetStatus(statusText string, statusCode int) AuthPubTktHandlerOption
SetStatus customizes the status text and status code written to the response when an unrecognized error occurs while handling the request.
func ShowErrorDetails ¶
func ShowErrorDetails() AuthPubTktHandlerOption
ShowErrorDetails - if used, error details will be written to the response.
type AuthPubTktImpl ¶
type AuthPubTktImpl struct {
// contains filtered or unexported fields
}
func (AuthPubTktImpl) RawToTicket ¶
func (a AuthPubTktImpl) RawToTicket(ticketStr string) (*Ticket, error)
func (AuthPubTktImpl) RequestToTicket ¶
func (a AuthPubTktImpl) RequestToTicket(req *http.Request) (*Ticket, error)
func (AuthPubTktImpl) SignTicket ¶
func (a AuthPubTktImpl) SignTicket(ticket *Ticket) error
func (AuthPubTktImpl) TicketInHeader ¶
func (a AuthPubTktImpl) TicketInHeader(inHeader http.Header, ticket *Ticket) error
func (AuthPubTktImpl) TicketInRequest ¶
func (a AuthPubTktImpl) TicketInRequest(req *http.Request, ticket *Ticket) error
func (AuthPubTktImpl) TicketInResponse ¶
func (a AuthPubTktImpl) TicketInResponse(resp http.ResponseWriter, ticket *Ticket) error
func (AuthPubTktImpl) TicketToRaw ¶
func (a AuthPubTktImpl) TicketToRaw(ticket *Ticket) (string, error)
func (AuthPubTktImpl) VerifyFromRequest ¶
func (a AuthPubTktImpl) VerifyFromRequest(req *http.Request) (*Ticket, error)
func (AuthPubTktImpl) VerifyTicket ¶
func (a AuthPubTktImpl) VerifyTicket(ticket *Ticket, clientIp string) error
type AuthPubTktOptions ¶
// AuthPubTktOptions configures ticket verification, ticket transport (cookie
// or headers), redirects, and the optional Basic Auth and IP checks.
type AuthPubTktOptions struct {
	// A DSA or RSA public key in PEM format.
	// This public key will be used to verify ticket signatures.
	TKTAuthPublicKey string
	// A DSA or RSA private key in PEM format.
	// This private key will be used to create ticket signatures.
	// This is optional, only needed if you want to sign tickets.
	TKTAuthPrivateKey string
	// Domain to use when placing the ticket as a cookie.
	// E.G.: .example.com
	TKTAuthDomain string
	// Set to true if all of your website uses https and the ticket is placed in a cookie.
	// NOTE(review): presumably this sets the cookie's Secure attribute; if left
	// false on an HTTPS site the ticket cookie can also be sent over plain HTTP.
	TKTAuthSecureCookie bool
	// String indicating what digest algorithm to use when verifying ticket signatures.
	// Valid values are SHA1, DSS1, SHA224, SHA256, SHA384, and SHA512.
	// If not specified, the old defaults of SHA1 (for an RSA public key) or DSS1
	// (for a DSA public key) will be used. Prefer SHA256 or stronger when the
	// ticket issuer supports it; the SHA1/DSS1 defaults exist for compatibility.
	TKTAuthDigest string
	// URL that users without a valid ticket will be redirected to.
	// The originally requested URL will be appended as a GET parameter
	// (normally named "back", but can be changed with TKTAuthBackArgName).
	TKTAuthLoginURL string
	// URL that users whose ticket has expired will be redirected to.
	// If not set, TKTAuthLoginURL is used.
	TKTAuthTimeoutURL string
	// Same as TKTAuthTimeoutURL, but in case the request was a POST.
	// If not set, TKTAuthTimeoutURL is used (and if that is not set either, TKTAuthLoginURL).
	TKTAuthPostTimeoutURL string
	// URL that users whose ticket doesn't contain any of the required tokens
	// (as set with TKTAuthToken) will be redirected to.
	TKTAuthUnauthURL string
	// URL that users whose ticket is within the grace period (as set with the
	// `graceperiod` key in the ticket) before the actual expiry will be redirected to.
	// Only GET requests are redirected; POST requests are accepted normally.
	// The script at this URL should check the ticket and issue a new one.
	// If not set, TKTAuthLoginURL is used.
	TKTAuthRefreshURL string
	// A space separated list of headers to use for finding the ticket (case-insensitive).
	// If the header specified is Cookie then the value is expected to be a valid cookie
	// (subject to the TKTAuthCookieName directive).
	// Any other header assumes the value is a simple URL-encoded value of the ticket.
	// The first header that has content is tried and any tickets in other header(s) are ignored.
	// Example, use Cookie first, fallback to X-My-Auth: TKTAuthHeader: []string{"Cookie", "X-My-Auth"}
	// Default: Cookie
	TKTAuthHeader []string
	// Name of the authentication cookie to use.
	// Default: auth_pubtkt
	TKTAuthCookieName string
	// Name of the GET argument with the originally requested URL (when redirecting to the login page).
	// Default: back
	TKTAuthBackArgName string
	// Only accept tickets in HTTPS requests. With the default, a ticket presented
	// over plain HTTP is accepted.
	// Default: false
	TKTAuthRequireSSL bool
	// Token that must be present in a ticket for access to be granted.
	// Multiple tokens may be specified; only one of them needs to be present in the ticket
	// (i.e. any token can match, not all tokens need to match).
	TKTAuthToken []string
	// If on, a fake Authorization header will be added to each request
	// (username from ticket, fixed string "password" as the password).
	// This can be used in reverse proxy situations, and to prevent PHP from stripping
	// username information from the request (which would then not be available for logging purposes).
	// The fixed password is not a credential: the upstream must only be reachable
	// through this proxy and must not treat the header as proof of authentication on its own.
	// Default: false
	TKTAuthFakeBasicAuth bool
	// If on, the value from the ticket's "bauth" field will be added to the request
	// as a Basic Authorization header.
	// This can be used in reverse proxy situations where one needs complete control over
	// the username and password (see also TKTAuthFakeBasicAuth, which should not be used at the same time).
	// Default: false
	TKTAuthPassthruBasicAuth bool
	// If set, the bauth value will be decrypted using the given key before it is added
	// to the Authorization header.
	// Length must be exactly 16 characters (AES 128). Treat it as a secret (keep it out
	// of source control and logs).
	TKTAuthPassthruBasicKey string
	// If set it will encrypt/decrypt the cookie with this passphrase
	// (not a key but a passphrase, like in openssl).
	TKTCypherTicketsWithPasswd string
	// Method of encryption under AES, it can be either cbc or ecb.
	// ECB encrypts identical blocks to identical ciphertext and so leaks ticket
	// structure; use cbc unless compatibility with an existing ecb deployment is required.
	TKTCypherTicketsMethod string
	// If true it will check that the IP which created the token is the IP that uses it.
	// Default: false
	TKTCheckIpEnabled bool
	// If true and TKTCheckIpEnabled is true it will take the client IP from the
	// X-Forwarded-For header instead of the remote address.
	// X-Forwarded-For is client-supplied unless a trusted proxy in front of this
	// handler overwrites it, so enable this only behind such a proxy.
	// NOTE(review): which entry of a multi-valued X-Forwarded-For is used is not
	// documented here — confirm against the implementation.
	// Default: false
	TKTCheckXForwardedIp bool
}
type ErrGracePeriodExpired ¶
type ErrGracePeriodExpired string
func (ErrGracePeriodExpired) Error ¶
func (e ErrGracePeriodExpired) Error() string
type ErrNoTicket ¶
type ErrNoTicket string
func (ErrNoTicket) Error ¶
func (e ErrNoTicket) Error() string
type ErrNoValidToken ¶
type ErrNoValidToken string
func (ErrNoValidToken) Error ¶
func (e ErrNoValidToken) Error() string
type ErrSigNotValid ¶
type ErrSigNotValid string
func (ErrSigNotValid) Error ¶
func (e ErrSigNotValid) Error() string
type ErrValidationExpired ¶
type ErrValidationExpired string
func (ErrValidationExpired) Error ¶
func (e ErrValidationExpired) Error() string
type ErrWrongIp ¶
type ErrWrongIp string
func (ErrWrongIp) Error ¶
func (e ErrWrongIp) Error() string
type OpenSSL ¶
type OpenSSL struct {
// contains filtered or unexported fields
}
func NewOpenSSL ¶
func NewOpenSSL() *OpenSSL
func (OpenSSL) DecryptString ¶
func (o OpenSSL) DecryptString(passphrase, encryptedBase64String string, method EncMethod) ([]byte, error)
DecryptString - Decrypt a string that was encrypted OpenSSL-style with AES-256-CBC or AES-256-ECB
func (OpenSSL) EncryptString ¶
EncryptString - Encrypt a string the way OpenSSL does, with AES-256-CBC or AES-256-ECB
func (OpenSSL) GenerateSalt ¶
type OpenSSLCreds ¶
type OpenSSLCreds struct {
// contains filtered or unexported fields
}
type PublicKey ¶
// PublicKey is an abstraction over the supported public key types.
type PublicKey interface {
	// Type returns the key's type, e.g. "ssh-rsa".
	Type() string
	// Marshal returns the serialized key data in SSH wire format,
	// with the name prefix. To unmarshal the returned data, use
	// the ParsePublicKey function.
	Marshal() []byte
	// Verify checks that sig is a signature on the given data using this
	// key. This function will hash the data appropriately first. A nil
	// return is the only success signal; any error means the signature
	// must be treated as invalid.
	Verify(data []byte, sig *ssh.Signature) error
}
PublicKey is an abstraction of different types of public keys.
func NewPublicKey ¶
type Signer ¶
// Signer creates signatures that verify against a PublicKey.
type Signer interface {
	// PublicKey returns the PublicKey associated with this signer.
	PublicKey() PublicKey
	// Sign returns the raw signature for the given data. This method
	// will apply the hash specified for the key type to the data.
	Sign(rand io.Reader, data []byte) (*ssh.Signature, error)
}
A Signer can create signatures that verify against a public key.
func NewSignerFromKey ¶
NewSignerFromKey takes an *rsa.PrivateKey, *dsa.PrivateKey, *ecdsa.PrivateKey or any other crypto.Signer and returns a corresponding Signer instance. ECDSA keys must use P-256, P-384 or P-521. DSA keys must use parameter size L1024N160.
func NewSignerFromSigner ¶
NewSignerFromSigner takes any crypto.Signer implementation and returns a corresponding Signer interface. This can be used, for example, with keys kept in hardware modules.
func ParsePrivateKey ¶
ParsePrivateKey returns a Signer from a PEM encoded private key. It supports the same keys as ParseRawPrivateKey.
func ParsePrivateKeyWithPassphrase ¶
ParsePrivateKeyWithPassphrase returns a Signer from a PEM encoded private key and passphrase. It supports the same keys as ParseRawPrivateKeyWithPassphrase.
type Ticket ¶
// Ticket is the decoded auth_pubtkt ticket. The mapstructure tags give the
// key names used in the ticket's encoded form; RawData is not part of it.
type Ticket struct {
	// Uid identifies the user; presumably the username used for
	// TKTAuthFakeBasicAuth — confirm against the handler.
	Uid string `mapstructure:"uid"`
	// Cip is the client IP recorded when the ticket was issued; compared to
	// the requesting IP when TKTCheckIpEnabled is set.
	Cip string `mapstructure:"cip"`
	// Bauth carries the Basic Authorization value used by TKTAuthPassthruBasicAuth
	// (optionally encrypted with TKTAuthPassthruBasicKey).
	Bauth string `mapstructure:"bauth"`
	// Validuntil is the ticket's expiry time.
	Validuntil time.Time `mapstructure:"validuntil"`
	// Graceperiod is the time from which GET requests are redirected to
	// TKTAuthRefreshURL, before Validuntil is reached.
	Graceperiod time.Time `mapstructure:"graceperiod"`
	// Tokens are the tokens granted to the ticket; matched against TKTAuthToken.
	Tokens []string `mapstructure:"tokens"`
	// Udata is free-form user data carried in the ticket.
	Udata string `mapstructure:"udata"`
	// Sig is the ticket signature added by SignTicket and checked by VerifyTicket.
	// NOTE(review): fields above are only trustworthy after the signature has
	// been verified.
	Sig string `mapstructure:"sig"`
	// RawData is the original encoded ticket; it is excluded from the mapped form.
	RawData string `mapstructure:"-"`
}