Documentation
Overview
Package edtls provides ed25519 signatures on top of TLS certificates.
There is currently no standard way to use ed25519 or curve25519 cryptographic algorithms in TLS. See drafts at http://ietfreport.isoc.org/idref/draft-josefsson-tls-curve25519/ and http://ietfreport.isoc.org/idref/draft-josefsson-eddsa-ed25519/ for standardization attempts.
The way the TLS protocol is designed, it relies on centralized registries of algorithms, so we cannot easily plug in a new kind of certificate. Instead, we abuse the extension mechanism to transmit an extra, custom certificate.
Index
- Variables
- func NewClient(rawConn net.Conn, config *tls.Config, peerPub *[ed25519.PublicKeySize]byte) (*tls.Conn, error)
- func Verify(cert *x509.Certificate) (*[ed25519.PublicKeySize]byte, bool)
- func Vouch(signPub *[ed25519.PublicKeySize]byte, signPriv *[ed25519.PrivateKeySize]byte, ...) error
- type WrongPublicKeyError
Constants
This section is empty.
Variables
var (
	// ErrNotEdTLS is returned if the TLS peer does not support edtls.
	ErrNotEdTLS = errors.New("peer does not support edtls")
)
Functions
func Verify
func Verify(cert *x509.Certificate) (*[ed25519.PublicKeySize]byte, bool)
Verify a vouch as offered by the TLS peer.
Returns the signing public key. It is up to the caller to decide whether this key is acceptable.
Does not verify cert.NotAfter against a clock, just its authenticity.
func Vouch
func Vouch(signPub *[ed25519.PublicKeySize]byte, signPriv *[ed25519.PrivateKeySize]byte, cert *x509.Certificate, tlsPub interface{}) error
Vouch, with an Ed25519 signature, for a self-signed certificate that is about to be created.
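The following is an added example, not the edtls package's own code, showing the mechanism the overview describes and the division of labour between Vouch and Verify: the signing key's Ed25519 signature over the TLS public key rides inside a custom X.509 extension of a self-signed certificate, Verify only establishes authenticity and hands back the signing key, and the caller still has to compare that key against the expected peer key and check the validity period. It uses the standard library crypto/ed25519 rather than the ed25519 package edtls is written against, so the signatures of Vouch and Verify differ from the page's; the extension OID, the key||signature wire format and the CheckPeer helper are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// vouchOID is a placeholder private-arc OID for the custom extension (assumption: edtls's real OID is not on the page).
var vouchOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// Vouch adds, to a certificate template about to be self-signed, an extension carrying the
// Ed25519 signing key and its signature over the DER-encoded TLS public key (constructed format).
func Vouch(signPub ed25519.PublicKey, signPriv ed25519.PrivateKey, tmpl *x509.Certificate, tlsPub interface{}) error {
	der, err := x509.MarshalPKIXPublicKey(tlsPub)
	if err != nil {
		return err
	}
	sig := ed25519.Sign(signPriv, der)
	payload := append(append([]byte{}, signPub...), sig...) // 32-byte key || 64-byte signature
	tmpl.ExtraExtensions = append(tmpl.ExtraExtensions, pkix.Extension{Id: vouchOID, Value: payload})
	return nil
}

// Verify checks the vouch carried by cert and returns the signing public key. Like the
// package's Verify it checks authenticity only; NotAfter and key acceptance are left to the caller.
func Verify(cert *x509.Certificate) (ed25519.PublicKey, bool) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(vouchOID) {
			continue
		}
		if len(ext.Value) != ed25519.PublicKeySize+ed25519.SignatureSize {
			return nil, false
		}
		pub, sig := ed25519.PublicKey(ext.Value[:ed25519.PublicKeySize]), ext.Value[ed25519.PublicKeySize:]
		der, err := x509.MarshalPKIXPublicKey(cert.PublicKey)
		if err != nil || !ed25519.Verify(pub, der, sig) {
			return nil, false
		}
		return pub, true
	}
	return nil, false
}

// CheckPeer is the caller's acceptance decision (hypothetical helper): the vouched key must
// equal the expected peer key, and the certificate must be valid at time now.
func CheckPeer(cert *x509.Certificate, expected ed25519.PublicKey, now time.Time) error {
	pub, ok := Verify(cert)
	if !ok {
		return errors.New("peer does not support edtls")
	}
	if !bytes.Equal(pub, expected) {
		return fmt.Errorf("wrong public key %x", pub)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("certificate not valid at this time")
	}
	return nil
}

// MakeVouchedCert generates a P-256 TLS key and a self-signed certificate vouched by signPriv.
func MakeVouchedCert(signPub ed25519.PublicKey, signPriv ed25519.PrivateKey) (*x509.Certificate, error) {
	tlsKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "edtls example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if err := Vouch(signPub, signPriv, tmpl, &tlsKey.PublicKey); err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &tlsKey.PublicKey, tlsKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	cert, err := MakeVouchedCert(pub, priv)
	if err != nil {
		panic(err)
	}
	fmt.Println("vouch accepted:", CheckPeer(cert, pub, time.Now()) == nil)
}
```

Verify deliberately stops at authenticity: a certificate past NotAfter, or one vouched by a key the client has never seen, still verifies, and only CheckPeer turns that into a rejection, which is exactly the split the package documentation describes.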
Types
type WrongPublicKeyError
type WrongPublicKeyError struct {
Pub *[ed25519.PublicKeySize]byte
}
WrongPublicKeyError is returned if the server's public key did not match the expected peer public key.
func (*WrongPublicKeyError) Error
func (e *WrongPublicKeyError) Error() string