tlscommon

package
v0.17.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 1, 2024 License: Apache-2.0 Imports: 21 Imported by: 77

Documentation

Index

Constants

View Source 
const (
	TLSClientAuthNone     TLSClientAuth = TLSClientAuth(tls.NoClientCert)
	TLSClientAuthOptional               = TLSClientAuth(tls.VerifyClientCertIfGiven)
	TLSClientAuthRequired               = TLSClientAuth(tls.RequireAndVerifyClientCert)
)
View Source 
const (
	TLSVersion10 TLSVersion = tls.VersionTLS10
	TLSVersion11 TLSVersion = tls.VersionTLS11
	TLSVersion12 TLSVersion = tls.VersionTLS12
	TLSVersion13 TLSVersion = tls.VersionTLS13

	// TLSVersionMin is the min TLS version supported.
	TLSVersionMin = TLSVersion10

	// TLSVersionMax is the max TLS version supported.
	TLSVersionMax = TLSVersion13

	// TLSVersionDefaultMin is the minimal default TLS version that is
	// enabled by default. TLSVersionDefaultMin is >= TLSVersionMin
	TLSVersionDefaultMin = TLSVersion11

	// TLSVersionDefaultMax is the max default TLS version that
	// is enabled by default.
	TLSVersionDefaultMax = TLSVersionMax
)

Define all the possible TLS version.

Variables

View Source 
var (
	// ErrNotACertificate indicates a PEM file to be loaded not being a valid
	// PEM file or certificate.
	ErrNotACertificate = errors.New("file is not a certificate")

	// ErrCertificateNoKey indicate a configuration error with missing key file
	ErrKeyUnspecified = errors.New("key file not configured")

	// ErrKeyNoCertificate indicate a configuration error with missing certificate file
	ErrCertificateUnspecified = errors.New("certificate file not configured")
)
View Source 
var ErrCAPinMissmatch = errors.New("provided CA certificate pins doesn't match any of the certificate authorities used to validate the certificate")

ErrCAPinMissmatch is returned when no pin is matched in the verified chain.

View Source 
var (
	ErrMissingPeerCertificate = errors.New("missing peer certificates")
)
View Source 
var TLSDefaultVersions = []TLSVersion{
	TLSVersion11,
	TLSVersion12,
	TLSVersion13,
}

TLSDefaultVersions list of versions of TLS we should support.

Functions

func CertDiagString added in v0.9.12 

func CertDiagString(cert *x509.Certificate) string

CertDiagString returns a diagnostics string describing the passed certificate

func Fingerprint 

func Fingerprint(certificate *x509.Certificate) string

Fingerprint takes a certificate and create a hash of the DER encoded public key.

func IsPEMString 

func IsPEMString(s string) bool

IsPEMString returns true if the provided string match a PEM formatted certificate. try to pem decode to validate.

func LoadCertificate 

func LoadCertificate(config *CertificateConfig) (*tls.Certificate, error)

LoadCertificate will load a certificate from disk and return a tls.Certificate or error

func LoadCertificateAuthorities 

func LoadCertificateAuthorities(CAs []string) (*x509.CertPool, []error)

LoadCertificateAuthorities read the slice of CAcert and return a Certpool.

func ReadPEMFile 

func ReadPEMFile(log *logp.Logger, s, passphrase string) ([]byte, error)

ReadPEMFile reads a PEM formatted string either from disk or passed as a plain text starting with a "-" and decrypt it with the provided password and return the raw content.

func ResolveCipherSuite 

func ResolveCipherSuite(cipher uint16) string

ResolveCipherSuite takes the integer representation and return the cipher name.

func ResolveTLSVersion 

func ResolveTLSVersion(v uint16) string

ResolveTLSVersion takes the integer representation and return the name.

Types

type CertificateConfig 

type CertificateConfig struct {
	Certificate    string `config:"certificate" yaml:"certificate,omitempty"`
	Key            string `config:"key" yaml:"key,omitempty"`
	Passphrase     string `config:"key_passphrase" yaml:"key_passphrase,omitempty"`
	PassphrasePath string `config:"key_passphrase_path" yaml:"key_passphrase_path,omitempty"`
}

CertificateConfig define a common set of fields for a certificate.

func (*CertificateConfig) Validate 

func (c *CertificateConfig) Validate() error

Validate validates the CertificateConfig

type CipherSuite 

type CipherSuite uint16

func (CipherSuite) String 

func (cs CipherSuite) String() string

func (*CipherSuite) Unpack 

func (cs *CipherSuite) Unpack(i interface{}) error

type Config 

type Config struct {
	Enabled              *bool                   `config:"enabled" yaml:"enabled,omitempty"`
	VerificationMode     TLSVerificationMode     `config:"verification_mode" yaml:"verification_mode"` // one of 'none', 'full'
	Versions             []TLSVersion            `config:"supported_protocols" yaml:"supported_protocols,omitempty"`
	CipherSuites         []CipherSuite           `config:"cipher_suites" yaml:"cipher_suites,omitempty"`
	CAs                  []string                `config:"certificate_authorities" yaml:"certificate_authorities,omitempty"`
	Certificate          CertificateConfig       `config:",inline" yaml:",inline"`
	CurveTypes           []tlsCurveType          `config:"curve_types" yaml:"curve_types,omitempty"`
	Renegotiation        TLSRenegotiationSupport `config:"renegotiation" yaml:"renegotiation"`
	CASha256             []string                `config:"ca_sha256" yaml:"ca_sha256,omitempty"`
	CATrustedFingerprint string                  `config:"ca_trusted_fingerprint" yaml:"ca_trusted_fingerprint,omitempty"`
}

Config defines the user configurable options in the yaml file.

func (*Config) DiagCerts added in v0.9.12 

func (c *Config) DiagCerts() func() []byte

DiagCerts returns a diagnostics hook callback that will validate if the certifiactes (cert + key, and CAs) present in the config are valid.

func (*Config) IsEnabled 

func (c *Config) IsEnabled() bool

IsEnabled returns true if the `enable` field is set to true in the yaml.

func (*Config) Validate 

func (c *Config) Validate() error

Validate values the TLSConfig struct making sure certificate sure we have both a certificate and a key.

type PEMReader 

type PEMReader struct {
	// contains filtered or unexported fields
}

PEMReader allows to read a certificate in PEM format either through the disk or from a string.

func NewPEMReader 

func NewPEMReader(certificate string) (*PEMReader, error)

NewPEMReader returns a new PEMReader.

func (*PEMReader) Close 

func (p *PEMReader) Close() error

Close closes the target io.ReadCloser.

func (*PEMReader) Read 

func (p *PEMReader) Read(b []byte) (n int, err error)

Read read bytes from the io.ReadCloser.

func (*PEMReader) String 

func (p *PEMReader) String() string

type ServerConfig 

type ServerConfig struct {
	Enabled          *bool               `config:"enabled" yaml:"enabled,omitempty"`
	VerificationMode TLSVerificationMode `config:"verification_mode" yaml:"verification_mode,omitempty"` // one of 'none', 'full', 'strict', 'certificate'
	Versions         []TLSVersion        `config:"supported_protocols" yaml:"supported_protocols,omitempty"`
	CipherSuites     []CipherSuite       `config:"cipher_suites" yaml:"cipher_suites,omitempty"`
	CAs              []string            `config:"certificate_authorities" yaml:"certificate_authorities,omitempty"`
	Certificate      CertificateConfig   `config:",inline" yaml:",inline"`
	CurveTypes       []tlsCurveType      `config:"curve_types" yaml:"curve_types,omitempty"`
	ClientAuth       *TLSClientAuth      `config:"client_authentication" yaml:"client_authentication,omitempty"` //`none`, `optional` or `required`
	CASha256         []string            `config:"ca_sha256" yaml:"ca_sha256,omitempty"`
}

ServerConfig defines the user configurable tls options for any TCP based service.

func (*ServerConfig) DiagCerts added in v0.9.12 

func (c *ServerConfig) DiagCerts() func() []byte

DiagCerts returns a diagnostics hook callback that will validate if the certifiactes (cert + key, and CAs) present in the config are valid.

Implementation is mostly a copy of Config.DiagCerts

func (*ServerConfig) IsEnabled 

func (c *ServerConfig) IsEnabled() bool

IsEnabled returns true if the `enable` field is set to true in the yaml.

func (*ServerConfig) Unpack 

func (c *ServerConfig) Unpack(cfg config.C) error

Unpack unpacks the TLS Server configuration.

func (*ServerConfig) Validate 

func (c *ServerConfig) Validate() error

Validate values the TLSConfig struct making sure certificate sure we have both a certificate and a key.

type TLSClientAuth added in v0.7.4 

type TLSClientAuth int

func (TLSClientAuth) MarshalText added in v0.7.4 

func (m TLSClientAuth) MarshalText() ([]byte, error)

func (TLSClientAuth) String added in v0.7.4 

func (m TLSClientAuth) String() string

func (*TLSClientAuth) Unpack added in v0.7.4 

func (m *TLSClientAuth) Unpack(in interface{}) error

type TLSConfig 

type TLSConfig struct {

	// List of allowed SSL/TLS protocol versions. Connections might be dropped
	// after handshake succeeded, if TLS version in use is not listed.
	Versions []TLSVersion

	// Configure SSL/TLS verification mode used during handshake. By default
	// VerifyFull will be used.
	Verification TLSVerificationMode

	// List of certificate chains to present to the other side of the
	// connection.
	Certificates []tls.Certificate

	// Set of root certificate authorities use to verify server certificates.
	// If RootCAs is nil, TLS might use the system its root CA set (not supported
	// on MS Windows).
	RootCAs *x509.CertPool

	// Set of root certificate authorities use to verify client certificates.
	// If ClientCAs is nil, TLS might use the system its root CA set (not supported
	// on MS Windows).
	ClientCAs *x509.CertPool

	// List of supported cipher suites. If nil, a default list provided by the
	// implementation will be used.
	CipherSuites []CipherSuite

	// Types of elliptic curves that will be used in an ECDHE handshake. If empty,
	// the implementation will choose a default.
	CurvePreferences []tls.CurveID

	// Renegotiation controls what types of renegotiation are supported.
	// The default, never, is correct for the vast majority of applications.
	Renegotiation tls.RenegotiationSupport

	// ClientAuth controls how we want to verify certificate from a client, `none`, `optional` and
	// `required`, default to required. Do not affect TCP client.
	ClientAuth tls.ClientAuthType

	// CASha256 is the CA certificate pin, this is used to validate the CA that will be used to trust
	// the server certificate.
	CASha256 []string

	// CATrustedFingerprint is the HEX encoded fingerprint of a CA certificate. If present in the chain
	// this certificate will be added to the list of trusted CAs (RootCAs) during the handshake.
	CATrustedFingerprint string

	// ServerName is the remote server we're connecting to. It can be a hostname or IP address.
	ServerName string
	// contains filtered or unexported fields
}

TLSConfig is the interface used to configure a tcp client or server from a `Config`

func LoadTLSConfig 

func LoadTLSConfig(config *Config) (*TLSConfig, error)

LoadTLSConfig will load a certificate from config with all TLS based keys defined. If Certificate and CertificateKey are configured, client authentication will be configured. If no CAs are configured, the host CA will be used by go built-in TLS support.

func LoadTLSServerConfig 

func LoadTLSServerConfig(config *ServerConfig) (*TLSConfig, error)

LoadTLSServerConfig tranforms a ServerConfig into a `tls.Config` to be used directly with golang network types.

func (*TLSConfig) BuildModuleClientConfig 

func (c *TLSConfig) BuildModuleClientConfig(host string) *tls.Config

BuildModuleClientConfig takes the TLSConfig and transform it into a `tls.Config`.

func (*TLSConfig) BuildServerConfig 

func (c *TLSConfig) BuildServerConfig(host string) *tls.Config

BuildServerConfig takes the TLSConfig and transform it into a `tls.Config` for server side connections.

func (*TLSConfig) ToConfig 

func (c *TLSConfig) ToConfig() *tls.Config

ToConfig generates a tls.Config object. Note, you must use BuildModuleClientConfig to generate a config with ServerName set, use that method for servers with SNI. By default VerifyConnection is set to client mode.

type TLSRenegotiationSupport 

type TLSRenegotiationSupport tls.RenegotiationSupport

func (TLSRenegotiationSupport) MarshalText 

func (r TLSRenegotiationSupport) MarshalText() ([]byte, error)

func (TLSRenegotiationSupport) MarshalYAML 

func (r TLSRenegotiationSupport) MarshalYAML() (interface{}, error)

func (TLSRenegotiationSupport) String 

func (r TLSRenegotiationSupport) String() string

func (*TLSRenegotiationSupport) Unpack 

func (r *TLSRenegotiationSupport) Unpack(i interface{}) error

type TLSVerificationMode 

type TLSVerificationMode uint8

TLSVerificationMode represents the type of verification to do on the remote host: `none`, `certificate`, and `full` and we default to `full`. Internally this option is transformed into the `insecure` field in the `tls.Config` struct. 

const (
	VerifyFull TLSVerificationMode = iota
	VerifyNone
	VerifyCertificate
	VerifyStrict
)

Constants of the supported verification mode.

func (TLSVerificationMode) MarshalText 

func (m TLSVerificationMode) MarshalText() ([]byte, error)

MarshalText marshal the verification mode into a human readable value.

func (TLSVerificationMode) String 

func (m TLSVerificationMode) String() string

func (*TLSVerificationMode) Unpack 

func (m *TLSVerificationMode) Unpack(in interface{}) error

Unpack unpacks the input into a TLSVerificationMode.

func (*TLSVerificationMode) Validate added in v0.9.2 

func (m *TLSVerificationMode) Validate() error

type TLSVersion 

type TLSVersion uint16

TLSVersion type for TLS version.

func (TLSVersion) Details 

func (v TLSVersion) Details() *TLSVersionDetails

Details returns a a ProtocolAndVersions struct containing detailed version metadata.

func (TLSVersion) String 

func (v TLSVersion) String() string

func (*TLSVersion) Unpack 

func (v *TLSVersion) Unpack(i interface{}) error

Unpack transforms the string into a constant.

func (*TLSVersion) Validate added in v0.9.2 

func (v *TLSVersion) Validate() error

type TLSVersionDetails 

type TLSVersionDetails struct {
	Version  string
	Protocol string
	Combined string
}

Intended for ECS's tls.version_protocol_field, which does not include numeric version and should be lower case

func (TLSVersionDetails) String 

func (pv TLSVersionDetails) String() string

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.