pubtkt

package module
v0.0.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 3, 2024 License: Apache-2.0 Imports: 30 Imported by: 0

README

Go-auth-pubtkt

Important: This repository has been archived, it does contain some security issues which has not been addressed.

This A golang implementation of mod_auth_pubtkt with some enhancements (cookie encryption, optional check options...)

Usage

This can be used in two different ways:

  • As a middleware
  • As a lib (redirect will not be used, it will only check ticket)
As a middleware
package main

import (
	"github.com/efigence/go-auth-pubtkt"
	"net/http"
)

func main() {
	finalHandler := http.HandlerFunc(func(w http.ResponseWriter, req http.Request) {
		w.WriteHeader(200)

		ticket := pubtkt.TicketRequest(req)
		w.Write([]byte("you are logged as " + ticket.Uid))
	})
	pubtktHandler, err := pubtkt.NewAuthPubTktHandler(pubtkt.AuthPubTktOptions{
		TKTAuthPublicKey: "mypublic key",
	}, finalHandler)
	// you can also see handler option in https://github.com/efigence/go-auth-pubtkt/blob/master/middleware.go#L171-L203
	if err != nil {
		panic(err)
	}
	http.HandleFunc("/", pubtktHandler)
	http.ListenAndServe(":8080", nil)
}
As a lib
package main

import (
        "github.com/efigence/go-auth-pubtkt"
)

func main() {
    auth, err := pubtkt.NewAuthPubTkt(pubtkt.AuthPubTktOptions{
        TKTAuthPublicKey: "mypublic key",
        TKTAuthPrivateKey: "my private for signing",
        TKTAuthCookieName: "auth_pubtkt",
        TKTAuthHeader: []string{"Cookie"},
    })
    if err != nil {
        panic(err)
    }
    tkt := &pubtkt.Ticket{ 
       Uid: "myuser",
       Sig: "the_signature",
    }
    err = auth.SignTicket(tkt)
    if err != nil {
        panic(err)
    }
    err = auth.VerifyTicket(tkt, "")
    if err != nil {
        panic(err)
    }
    // if no error we can continue
    // you can also use
    // Verify ticket and pre-check from a request
    // VerifyFromRequest(*http.Request) (*Ticket, error)
    // Transform a request to a ticket (if found)
    // RequestToTicket(*http.Request) (*Ticket, error)
    // Transform an encoded ticket or plain ticket as a ticket strcture
    // RawToTicket(ticketStr string) (*Ticket, error)
    // Verify a ticket with signature, expiration, token (if set) and ip (against the provided ip and if TKTCheckIpEnabled option is true)
    // VerifyTicket(ticket *Ticket, clientIp string) error
    // Place ticket in request as requested in options
    // TicketInRequest(*http.Request, *Ticket) error
    // TicketInResponse(http.ResponseWriter, *Ticket) error
    // Transform a ticket to a plain or encrypted ticket data
    // TicketToRaw(ticket *Ticket) (string, error)
    // This will add a signature to the ticket with private key set with TKTAuthPrivateKey option
    // SignTicket(ticket *Ticket) error
}

Options

This implementation use the same options as you can found on mod_auth_pubtkt doc but with new features like:

  • Ticket encryption (options: TKTCypherTicketsWithPasswd and TKTCypherTicketsMethod)
  • Enable and disable check for IP (options: TKTCheckIpEnabled and TKTCheckXForwardedIp)

Here options you can set as pubtkt.AuthPubTktOptions:

type AuthPubTktOptions struct {
	// A DSA or RSA public key in PEM format
	// This public key will be used to verify ticket signatures
	TKTAuthPublicKey string
	// A DSA or RSA private key in PEM format
    // This private key will be used to create ticket signature
    // This is optional, only needed if you want sign ticket
    TKTAuthPrivateKey string
    // Domain to use when placing ticket as a cookie
    // E.G.: .example.com
    TKTAuthDomain string
    // Set to true if all your website use https and ticket is placed in a cookie
    TKTAuthSecureCookie bool
	// String indicating what digest algorithm to use when verifying ticket signatures
	// Valid values are SHA1, DSS1, SHA224, SHA256, SHA384, and SHA512
	// If not specified, the old defaults of SHA1 (for an RSA public key) or DSS1 (for a DSA public key) will be used.
	TKTAuthDigest string
	// URL that users without a valid ticket will be redirected to
	// The originally requested URL will be appended as a GET parameter (normally named "back", but can be changed with TKTAuthBackArgName)
	TKTAuthLoginURL string
	// URL that users whose ticket has expired will be redirected to
	// If not set, TKTAuthLoginURL is used
	TKTAuthTimeoutURL string
	// Same as TKTAuthTimeoutURL, but in case the request was a POST
	// If not set, TKTAuthTimeoutURL is used (and if that is not set either, TKTAuthLoginURL)
	TKTAuthPostTimeoutURL string
	// URL that users whose ticket doesn't contain any of the required tokens (as set with TKTAuthToken) will be redirected to
	TKTAuthUnauthURL string
	// URL that users whose ticket is within the grace period (as set with the graceperiod key in the ticket) before the actual expiry will be redirected to.
	// Only GET requests are redirected; POST requests are accepted normally. The script at this URL should check the ticket and issue a new one
	// If not set, TKTAuthLoginURL is used
	TKTAuthRefreshURL string
	// A space separated list of headers to use for finding the ticket (case insensitive).
	// If this header specified is Cookie then the format of the value expects to be a valid cookie (subject to the TKTAuthCookieName directive).
	// Any other header assumes the value is a simple URL-encoded value of the ticket.
	// The first header that has content is tried and any other tickets in other header(s) are ignored.
	// example, use Cookie first, fallback to X-My-Auth: TKTAuthHeader: []string{"Cookie", "X-My-Auth"}
	// Default: Cookie
	TKTAuthHeader []string
	// Name of the authentication cookie to use
	// Default: auth_pubtkt
	TKTAuthCookieName string
	// Name of the GET argument with the originally requested URL (when redirecting to the login page)
	// Default: back
	TKTAuthBackArgName string
	// only accept tickets in HTTPS requests
	// Default: false
	TKTAuthRequireSSL bool
	// token that must be present in a ticket for access to be granted
	// Multiple tokens may be specified; only one of them needs to be present in the ticket (i.e. any token can match, not all tokens need to match)
	TKTAuthToken []string
	// if on, a fake Authorization header will be added to each request (username from ticket, fixed string "password" as the password).
	// This can be used in reverse proxy situations, and to prevent PHP from stripping username information from the request (which would then not be available for logging purposes)
	// Default: false
	TKTAuthFakeBasicAuth bool
	// if on, the value from the ticket's "bauth" field will be added to the request as a Basic Authorization header.
	// This can be used in reverse proxy situations where one needs complete control over the username and password (see also TKTAuthFakeBasicAuth, which should not be used at the same time).
	// Default: false
	TKTAuthPassthruBasicAuth bool
	// if set, the bauth value will be decrypted using the given key before it is added to the Authorization header.
	// length must be exactly 16 characters (AES 128)
	TKTAuthPassthruBasicKey string
	// If set it will crypt/encrypt the cookie or the content of the header with this passphrase (not a key but a passphrase like in openssl)
	TKTCypherTicketsWithPasswd string
	// Method of encryption under aes, it can be either cbc or ecb
	TKTCypherTicketsMethod string
	// If true it will check if ip which created the token is the correct ip who use it
	// Default: false
	TKTCheckIpEnabled bool
	// If true and TKTCheckIpEnabled is true it will check ip from header X-Forwarded-For instead client remote ip
	// default: false
	TKTCheckXForwardedIp bool
}

Note: Disclaimer about TKTCypherTicketsMethod with the ecb method, orange forked mod_auth_pubtkt to add ticket encryption and use ecb method, you must always choose to use cbc method if you want to use apache plugin from original pubtkt

Documentation

Index

Constants

View Source 
const (
	Hsha1   hashMethod = "sha1"
	Hsha224 hashMethod = "sha224"
	Hsha256 hashMethod = "sha256"
	Hsha384 hashMethod = "sha384"
	Hsha512 hashMethod = "sha512"
)
View Source 
const (
	KeyAlgoRSA      = "ssh-rsa"
	KeyAlgoDSA      = "ssh-dss"
	KeyAlgoECDSA256 = "ecdsa-sha2-nistp256"
	KeyAlgoECDSA384 = "ecdsa-sha2-nistp384"
	KeyAlgoECDSA521 = "ecdsa-sha2-nistp521"
	KeyAlgoED25519  = "ssh-ed25519"
)

These constants represent the algorithm names for key types supported by this package.

View Source 
const (
	SigAlgoRSA        = "ssh-rsa"
	SigAlgoRSASHA2256 = "rsa-sha2-256"
	SigAlgoRSASHA2512 = "rsa-sha2-512"
)

These constants represent non-default signature algorithms that are supported as algorithm parameters to AlgorithmSigner.SignWithAlgorithm methods. See [PROTOCOL.agent] section 4.5.1 and https://tools.ietf.org/html/draft-ietf-curdle-rsa-sha2-10

Variables

View Source 
var (
	// ErrInvalidBlockSize indicates hash blocksize <= 0.
	ErrInvalidBlockSize = errors.New("invalid blocksize")

	// ErrInvalidPKCS7Data indicates bad input to PKCS7 pad or unpad.
	ErrInvalidPKCS7Data = errors.New("invalid PKCS7 data (empty or not padded)")

	// ErrInvalidPKCS7Padding indicates PKCS7 unpad fails to bad input.
	ErrInvalidPKCS7Padding = errors.New("invalid padding on input")
)
View Source 
var TimeNowFunc = func() time.Time {
	return time.Now()
}

Functions

func BauthDecrypt 

func BauthDecrypt(bauth, keyStr string) (string, error)

func BauthEncrypt 

func BauthEncrypt(plainData, keyStr string) (string, error)

func FindHash 

func FindHash(hashStr string) (hash.Hash, crypto.Hash, error)

func FingerprintLegacyMD5 

func FingerprintLegacyMD5(pubKey PublicKey) string

FingerprintLegacyMD5 returns the user presentation of the key's fingerprint as described by RFC 4716 section 4.

func FingerprintSHA256 

func FingerprintSHA256(pubKey PublicKey) string

FingerprintSHA256 returns the user presentation of the key's fingerprint as unpadded base64 encoded sha256 hash. This format was introduced from OpenSSH 6.8. https://www.openssh.com/txt/release-6.8 https://tools.ietf.org/html/rfc4648#section-3.2 (unpadded base64 encoding)

func MarshalAuthorizedKey 

func MarshalAuthorizedKey(key PublicKey) []byte

MarshalAuthorizedKey serializes key for inclusion in an OpenSSH authorized_keys file. The return value ends with newline.

func NewECBDecrypter 

func NewECBDecrypter(b cipher.Block) cipher.BlockMode

func NewECBEncrypter 

func NewECBEncrypter(b cipher.Block) cipher.BlockMode

func NewErrGracePeriodExpired 

func NewErrGracePeriodExpired() error

func NewErrNoSSl 

func NewErrNoSSl() error

func NewErrNoSig 

func NewErrNoSig() error

func NewErrNoTicket 

func NewErrNoTicket() error

func NewErrNoValidToken 

func NewErrNoValidToken() error

func NewErrSigNotValid 

func NewErrSigNotValid(prevErrors ...error) error

func NewErrValidationExpired 

func NewErrValidationExpired() error

func NewErrWrongIp 

func NewErrWrongIp() error

func ParseDSAPrivateKey 

func ParseDSAPrivateKey(der []byte) (*dsa.PrivateKey, error)

ParseDSAPrivateKey returns a DSA private key from its ASN.1 DER encoding, as specified by the OpenSSL DSA man page.

func ParseRawPrivateKey 

func ParseRawPrivateKey(pemBytes []byte) (interface{}, error)

ParseRawPrivateKey returns a private key from a PEM encoded private key. It supports RSA (PKCS#1), PKCS#8, DSA (OpenSSL), and ECDSA private keys.

func ParseRawPrivateKeyWithPassphrase 

func ParseRawPrivateKeyWithPassphrase(pemBytes, passPhrase []byte) (interface{}, error)

ParseRawPrivateKeyWithPassphrase returns a private key decrypted with passphrase from a PEM encoded private key. If wrong passphrase, return x509.IncorrectPasswordError.

Types

type AlgorithmSigner 

type AlgorithmSigner interface {
	Signer

	// SignWithAlgorithm is like Signer.Sign, but allows specification of a
	// non-default signing algorithm. See the SigAlgo* constants in this
	// package for signature algorithms supported by this package. Callers may
	// pass an empty string for the algorithm in which case the AlgorithmSigner
	// will use its default algorithm.
	SignWithAlgorithm(rand io.Reader, data []byte, algorithm string) (*ssh.Signature, error)
}

A AlgorithmSigner is a Signer that also supports specifying a specific algorithm to use for signing.

type AuthPubTkt 

type AuthPubTkt interface {
	// VerifyFromRequest Verify ticket and pre-check from a request
	VerifyFromRequest(*http.Request) (*Ticket, error)
	// RequestToTicket Transform a request to a ticket (if found)
	RequestToTicket(*http.Request) (*Ticket, error)
	// TicketInRequest Place ticket in request as requested in options
	TicketInRequest(*http.Request, *Ticket) error
	// TicketInResponse Place ticket in response writer as requested in options
	TicketInResponse(http.ResponseWriter, *Ticket) error
	// TicketInHeader Place ticket in http headers as requested in options
	TicketInHeader(inHeader http.Header, ticket *Ticket) error
	// RawToTicket Transform an encoded ticket or plain ticket as a ticket structure
	RawToTicket(ticketStr string) (*Ticket, error)
	// TicketToRaw Transform a ticket to a plain or encrypted ticket data
	TicketToRaw(ticket *Ticket) (string, error)
	// VerifyTicket Verify a ticket with signature, expiration, token (if set) and ip (against the provided ip and if TKTCheckIpEnabled option is true)
	VerifyTicket(ticket *Ticket, clientIp string) error
	// SignTicket This will add a signature to the ticket with private key set with TKTAuthPrivateKey option
	SignTicket(ticket *Ticket) error
}

func NewAuthPubTkt 

func NewAuthPubTkt(options AuthPubTktOptions) (AuthPubTkt, error)

type AuthPubTktContextKey 

type AuthPubTktContextKey int

type AuthPubTktHandler 

type AuthPubTktHandler struct {
	// contains filtered or unexported fields
}

func NewAuthPubTktHandler 

func NewAuthPubTktHandler(options AuthPubTktOptions, next http.Handler, handlerOpts ...AuthPubTktHandlerOption) (*AuthPubTktHandler, error)

func (AuthPubTktHandler) ServeHTTP 

func (h AuthPubTktHandler) ServeHTTP(w http.ResponseWriter, req *http.Request)

func (AuthPubTktHandler) WriteBasicAuth 

func (h AuthPubTktHandler) WriteBasicAuth(ticket *Ticket, req *http.Request) error

type AuthPubTktHandlerOption 

type AuthPubTktHandlerOption func(*AuthPubTktHandler) error

func PanicOnError 

func PanicOnError() AuthPubTktHandlerOption

PanicOnError - If used unrecognized error send a panic instead

func SetCreateAuthPubTktFunc 

func SetCreateAuthPubTktFunc(fn func(options AuthPubTktOptions) (AuthPubTkt, error)) AuthPubTktHandlerOption

func SetStatus 

func SetStatus(statusText string, statusCode int) AuthPubTktHandlerOption

SetStatus Customize status text and status code when an unrecognized error occurred in request response

func ShowErrorDetails 

func ShowErrorDetails() AuthPubTktHandlerOption

ShowErrorDetails If used error details will be written in request response

type AuthPubTktImpl 

type AuthPubTktImpl struct {
	// contains filtered or unexported fields
}

func (AuthPubTktImpl) RawToTicket 

func (a AuthPubTktImpl) RawToTicket(ticketStr string) (*Ticket, error)

func (AuthPubTktImpl) RequestToTicket 

func (a AuthPubTktImpl) RequestToTicket(req *http.Request) (*Ticket, error)

func (AuthPubTktImpl) SignTicket 

func (a AuthPubTktImpl) SignTicket(ticket *Ticket) error

func (AuthPubTktImpl) TicketInHeader 

func (a AuthPubTktImpl) TicketInHeader(inHeader http.Header, ticket *Ticket) error

func (AuthPubTktImpl) TicketInRequest 

func (a AuthPubTktImpl) TicketInRequest(req *http.Request, ticket *Ticket) error

func (AuthPubTktImpl) TicketInResponse 

func (a AuthPubTktImpl) TicketInResponse(resp http.ResponseWriter, ticket *Ticket) error

func (AuthPubTktImpl) TicketToRaw 

func (a AuthPubTktImpl) TicketToRaw(ticket *Ticket) (string, error)

func (AuthPubTktImpl) VerifyFromRequest 

func (a AuthPubTktImpl) VerifyFromRequest(req *http.Request) (*Ticket, error)

func (AuthPubTktImpl) VerifyTicket 

func (a AuthPubTktImpl) VerifyTicket(ticket *Ticket, clientIp string) error

type AuthPubTktOptions 

type AuthPubTktOptions struct {
	// A DSA or RSA public key in PEM format
	// This public key will be used to verify ticket signatures
	TKTAuthPublicKey string
	// A DSA or RSA private key in PEM format
	// This private key will be used to create ticket signature
	// This is optional, only needed if you want sign ticket
	TKTAuthPrivateKey string
	// Domain to use when placing ticket as a cookie
	// E.G.: .example.com
	TKTAuthDomain string
	// Set to true if all your website use https and ticket is placed in a cookie
	TKTAuthSecureCookie bool
	// String indicating what digest algorithm to use when verifying ticket signatures
	// Valid values are SHA1, DSS1, SHA224, SHA256, SHA384, and SHA512
	// If not specified, the old defaults of SHA1 (for an RSA public key) or DSS1 (for a DSA public key) will be used.
	TKTAuthDigest string
	// URL that users without a valid ticket will be redirected to
	// The originally requested URL will be appended as a GET parameter (normally named "back", but can be changed with TKTAuthBackArgName)
	TKTAuthLoginURL string
	// URL that users whose ticket has expired will be redirected to
	// If not set, TKTAuthLoginURL is used
	TKTAuthTimeoutURL string
	// Same as TKTAuthTimeoutURL, but in case the request was a POST
	// If not set, TKTAuthTimeoutURL is used (and if that is not set either, TKTAuthLoginURL)
	TKTAuthPostTimeoutURL string
	// URL that users whose ticket doesn't contain any of the required tokens (as set with TKTAuthToken) will be redirected to
	TKTAuthUnauthURL string
	// URL that users whose ticket is within the grace period (as set with the `graceperiod` key in the ticket) before the actual expiry will be redirected to.
	// Only GET requests are redirected; POST requests are accepted normally. The script at this URL should check the ticket and issue a new one
	// If not set, TKTAuthLoginURL is used
	TKTAuthRefreshURL string
	// A space separated list of headers to use for finding the ticket (case-insensitive).
	// If this header specified is Cookie then the format of the value expects to be a valid cookie (subject to the TKTAuthCookieName directive).
	// Any other header assumes the value is a simple URL-encoded value of the ticket.
	// The first header that has content is tried and any other tickets in other header(s) are ignored.
	// example, use Cookie first, fallback to X-My-Auth: TKTAuthHeader: []string{"Cookie", "X-My-Auth"}
	// Default: Cookie
	TKTAuthHeader []string
	// Name of the authentication cookie to use
	// Default: auth_pubtkt
	TKTAuthCookieName string
	// Name of the GET argument with the originally requested URL (when redirecting to the login page)
	// Default: back
	TKTAuthBackArgName string
	// only accept tickets in HTTPS requests
	// Default: false
	TKTAuthRequireSSL bool
	// token that must be present in a ticket for access to be granted
	// Multiple tokens may be specified; only one of them needs to be present in the ticket (i.e. any token can match, not all tokens need to match)
	TKTAuthToken []string
	// if on, a fake Authorization header will be added to each request (username from ticket, fixed string "password" as the password).
	// This can be used in reverse proxy situations, and to prevent PHP from stripping username information from the request (which would then not be available for logging purposes)
	// Default: false
	TKTAuthFakeBasicAuth bool
	// if on, the value from the ticket's "bauth" field will be added to the request as a Basic Authorization header.
	// This can be used in reverse proxy situations where one needs complete control over the username and password (see also TKTAuthFakeBasicAuth, which should not be used at the same time).
	// Default: false
	TKTAuthPassthruBasicAuth bool
	// if set, the bauth value will be decrypted using the given key before it is added to the Authorization header.
	// length must be exactly 16 characters (AES 128)
	TKTAuthPassthruBasicKey string
	// If set it will crypt/encrypt the cookie with this passphrase (not a key but a passphrase like in openssl)
	TKTCypherTicketsWithPasswd string
	// Method of encryption under aes, it can be either cbc or ecb
	TKTCypherTicketsMethod string
	// If true it will check if ip which created the token is the correct ip who use it
	// Default: false
	TKTCheckIpEnabled bool
	// If true and TKTCheckIpEnabled is true it will check ip from header X-Forwarded-For instead client remote ip
	// default: false
	TKTCheckXForwardedIp bool
}

type EncMethod 

type EncMethod string
const (
	MethodEcb EncMethod = "ECB"
	MethodCbc EncMethod = "CBC"
)

type ErrGracePeriodExpired 

type ErrGracePeriodExpired string

func (ErrGracePeriodExpired) Error 

func (e ErrGracePeriodExpired) Error() string

type ErrNoSSl 

type ErrNoSSl string

func (ErrNoSSl) Error 

func (e ErrNoSSl) Error() string

type ErrNoSig 

type ErrNoSig string

func (ErrNoSig) Error 

func (e ErrNoSig) Error() string

type ErrNoTicket 

type ErrNoTicket string

func (ErrNoTicket) Error 

func (e ErrNoTicket) Error() string

type ErrNoValidToken 

type ErrNoValidToken string

func (ErrNoValidToken) Error 

func (e ErrNoValidToken) Error() string

type ErrSigNotValid 

type ErrSigNotValid string

func (ErrSigNotValid) Error 

func (e ErrSigNotValid) Error() string

type ErrValidationExpired 

type ErrValidationExpired string

func (ErrValidationExpired) Error 

func (e ErrValidationExpired) Error() string

type ErrWrongIp 

type ErrWrongIp string

func (ErrWrongIp) Error 

func (e ErrWrongIp) Error() string

type OpenSSL 

type OpenSSL struct {
	// contains filtered or unexported fields
}

func NewOpenSSL 

func NewOpenSSL() *OpenSSL

func (OpenSSL) DecryptString 

func (o OpenSSL) DecryptString(passphrase, encryptedBase64String string, method EncMethod) ([]byte, error)

DecryptString - Decrypt string that was encrypted using OpenSSL and AES-256-CBC or AES-256-ECB

func (OpenSSL) EncryptString 

func (o OpenSSL) EncryptString(passphrase, plainData string, method EncMethod) ([]byte, error)

EncryptString - Encrypt string that as OpenSSL like with AES-256-CBC or AES-256-ECB

func (OpenSSL) GenerateSalt 

func (o OpenSSL) GenerateSalt() ([]byte, error)

type OpenSSLCreds 

type OpenSSLCreds struct {
	// contains filtered or unexported fields
}

type PublicKey 

type PublicKey interface {
	// Type returns the key's type, e.g. "ssh-rsa".
	Type() string

	// Marshal returns the serialized key data in SSH wire format,
	// with the name prefix. To unmarshal the returned data, use
	// the ParsePublicKey function.
	Marshal() []byte

	// Verify that sig is a signature on the given data using this
	// key. This function will hash the data appropriately first.
	Verify(data []byte, sig *ssh.Signature) error
}

PublicKey is an abstraction of different types of public keys.

func NewPublicKey 

func NewPublicKey(key interface{}) (PublicKey, error)

func ParseAuthorizedKey 

func ParseAuthorizedKey(in []byte) (out PublicKey, comment string, options []string, rest []byte, err error)

ParseAuthorizedKey - parses a public key from an authorized_keys file used in OpenSSH according to the sshd(8) manual page.

type Signer 

type Signer interface {
	// PublicKey returns an associated PublicKey instance.
	PublicKey() PublicKey

	// Sign returns raw signature for the given data. This method
	// will apply the hash specified for the keytype to the data.
	Sign(rand io.Reader, data []byte) (*ssh.Signature, error)
}

A Signer can create signatures that verify against a public key.

func NewSignerFromKey 

func NewSignerFromKey(key interface{}) (Signer, error)

NewSignerFromKey takes an *rsa.PrivateKey, *dsa.PrivateKey, *ecdsa.PrivateKey or any other crypto.Signer and returns a corresponding Signer instance. ECDSA keys must use P-256, P-384 or P-521. DSA keys must use parameter size L1024N160.

func NewSignerFromSigner 

func NewSignerFromSigner(signer crypto.Signer) (Signer, error)

NewSignerFromSigner takes any crypto.Signer implementation and returns a corresponding Signer interface. This can be used, for example, with keys kept in hardware modules.

func ParsePrivateKey 

func ParsePrivateKey(pemBytes []byte) (Signer, error)

ParsePrivateKey returns a Signer from a PEM encoded private key. It supports the same keys as ParseRawPrivateKey.

func ParsePrivateKeyWithPassphrase 

func ParsePrivateKeyWithPassphrase(pemBytes, passPhrase []byte) (Signer, error)

ParsePrivateKeyWithPassphrase returns a Signer from a PEM encoded private key and passphrase. It supports the same keys as ParseRawPrivateKeyWithPassphrase.

type Ticket 

type Ticket struct {
	Uid         string    `mapstructure:"uid"`
	Cip         string    `mapstructure:"cip"`
	Bauth       string    `mapstructure:"bauth"`
	Validuntil  time.Time `mapstructure:"validuntil"`
	Graceperiod time.Time `mapstructure:"graceperiod"`
	Tokens      []string  `mapstructure:"tokens"`
	Udata       string    `mapstructure:"udata"`
	Sig         string    `mapstructure:"sig"`
	RawData     string    `mapstructure:"-"`
}

func ParseTicket 

func ParseTicket(ticketStr string) (*Ticket, error)

func TicketRequest 

func TicketRequest(req *http.Request) *Ticket

func (Ticket) DataString 

func (t Ticket) DataString() string

func (Ticket) String 

func (t Ticket) String() string

Source Files

View all Source files

Directories

Path Synopsis
Code generated by counterfeiter.
 Code generated by counterfeiter.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.