Documentation
Overview
Package sstls - TLS listener with a self-signed certificate
Index
- Variables
- func DefaultCertFile() string
- func GenerateSelfSignedCertificate(subject string, dnsNames []string, ipAddresses []net.IP, ...) (certPEM, keyPEM []byte, cert tls.Certificate, err error)
- func GetCertificate(subject string, dnsNames []string, ipAddresses []net.IP, ...) (tls.Certificate, error)
- func LoadCachedCertificate(certFile string) (tls.Certificate, error)
- func PubkeyFingerprint(cert *x509.Certificate) (string, error)
- func PubkeyFingerprintTLS(cert tls.Certificate) (string, error)
- func SaveCertificate(certFile string, certPEM, keyPEM []byte) error
- type Listener
Constants
This section is empty.
Variables
var (
	// DefaultSelfSignedCertLifespan is the amount of time self-signed
	// certificates are valid for (roughly ten years from generation).
	DefaultSelfSignedCertLifespan = time.Until(time.Now().AddDate(10, 0, 0))
	// SelfSignedSubject is the subject name we use for self-signed
	// certificates.
	SelfSignedSubject = "sstls"
	// CertCacheDir is the base name of the cert cache directory.
	CertCacheDir = "sstls"
	// CertCacheFile is the file we stick in CertCacheDir.
	CertCacheFile = "cert.txtar"
)
Functions
func DefaultCertFile
func DefaultCertFile() string
DefaultCertFile returns a path for the default cert file. It tries the user's system-specific cache directory first, then $HOME/, and finally the current directory.
func GenerateSelfSignedCertificate
func GenerateSelfSignedCertificate(subject string, dnsNames []string, ipAddresses []net.IP, lifespan time.Duration) (certPEM, keyPEM []byte, cert tls.Certificate, err error)
GenerateSelfSignedCertificate generates a bare-bones self-signed certificate with the given subject, DNS and IP address SANs, and lifespan. The returned tls.Certificate has its Leaf set. The certificate and its private key are also returned in PEM form.
func GetCertificate
func GetCertificate(
	subject string,
	dnsNames []string,
	ipAddresses []net.IP,
	lifespan time.Duration,
	certFile string,
) (tls.Certificate, error)
GetCertificate loads a certificate from the given file, or generates and stores one if the file doesn't exist. If certFile is the empty string, a certificate is generated and not stored. The other arguments are the same as for GenerateSelfSignedCertificate.
func LoadCachedCertificate
func LoadCachedCertificate(certFile string) (tls.Certificate, error)
LoadCachedCertificate loads the certificate from the named file, which should have been created with SaveCertificate.
func PubkeyFingerprint
func PubkeyFingerprint(cert *x509.Certificate) (string, error)
PubkeyFingerprint returns the SHA256 fingerprint of the cert's public key, in the form curl's --pinnedpubkey option expects.
func PubkeyFingerprintTLS
func PubkeyFingerprintTLS(cert tls.Certificate) (string, error)
PubkeyFingerprintTLS is like PubkeyFingerprint, but uses the public key of the leaf x509 certificate in cert. If the certificate's Leaf isn't set, an error is returned.
func SaveCertificate
func SaveCertificate(certFile string, certPEM, keyPEM []byte) error
SaveCertificate saves the certificate and key PEM to the given file. Missing parent directories are created as needed with mode 0755.
Types
type Listener
type Listener struct {
	// Wrapped net.Listener, which returns TLS'd conns.
	net.Listener
	// Base64-encoded SHA256 hash of the generated self-signed
	// certificate's public key, suitable for passing to curl's
	// --pinnedpubkey.
	Fingerprint string
}
Listener listens for TLS connections and handshakes with a self-signed certificate.
func Listen
func Listen(
	net string,
	address string,
	subject string,
	lifespan time.Duration,
	certFile string,
) (Listener, error)
Listen listens on the given network and address using the certificate stored in certFile. If that file does not exist, a certificate is created with the given subject and lifespan; it will have no SANs. certFile is used to read a previously-generated certificate; it may be the empty string to always generate a new certificate.