x509

package
v1.1.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 31, 2020 License: MIT Imports: 5 Imported by: 0

Documentation

Overview

Package x509 provides authentication strategy, to authenticate HTTPS requests and builds, extracts user informations from client certificates.

Example
opts := x509.VerifyOptions{}
opts.KeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
opts.Roots = x509.NewCertPool()
// Read Root Ca Certificate
opts.Roots.AddCert(readCertificates("ca")[0])

// create strategy and authenticator
strategy := New(opts)
authenticator := auth.New()
authenticator.EnableStrategy(StrategyKey, strategy)

// user request
req, _ := http.NewRequest("GET", "/", nil)
req.TLS = &tls.ConnectionState{PeerCertificates: readCertificates("client_valid")}

// validate request
info, err := authenticator.Authenticate(req)
fmt.Println(info.UserName(), err)

// validate expired client certificate
req.TLS = &tls.ConnectionState{PeerCertificates: readCertificates("client_expired")}
info, err = authenticator.Authenticate(req)
fmt.Println(info, err.(errors.MultiError)[1])
Output:

host.test.com <nil>
<nil> x509: certificate has expired or is not yet valid

Index

Examples

Constants

View Source
const StrategyKey = auth.StrategyKey("x509.Strategy")

StrategyKey export identifier for the x509 strategy, commonly used when enable/add strategy to go-guardian authenticator.

Variables

View Source
var (
	// ErrMissingCN is returned by DefaultBuilder when Certificate CommonName missing.
	ErrMissingCN = errors.New("x509.strategy: Certificate subject CN missing")
	// ErrInvalidRequest is returned by x509 strategy when a non TLS request received.
	ErrInvalidRequest = errors.New("x509.strategy: Invalid request, missing TLS parameters")
)
View Source
var Builder = InfoBuilder(func(chain [][]*x509.Certificate) (auth.Info, error) {
	subject := chain[0][0].Subject

	if len(subject.CommonName) == 0 {
		return nil, ErrMissingCN
	}

	exts := map[string][]string{
		"country":       subject.Country,
		"postalCode":    subject.PostalCode,
		"streetAddress": subject.StreetAddress,
		"locality":      subject.Locality,
		"province":      subject.Province,
	}

	return auth.NewDefaultUser(
		subject.CommonName,
		subject.SerialNumber,
		subject.Organization,
		exts,
	), nil
})

Builder define default InfoBuilder by building Info from certificate chain subject. where the subject values mapped in the following format, CommonName to UserName, SerialNumber to ID, Organization to groups and country, postalCode, streetAddress, locality, province mapped to Extensions.

Functions

func New

func New(opts x509.VerifyOptions) auth.Strategy

New returns auth.Strategy authenticate request from client certificates

Types

type InfoBuilder

type InfoBuilder func(chain [][]*x509.Certificate) (auth.Info, error)

InfoBuilder declare a function signature for building Info from certificate chain.

Example
opts := x509.VerifyOptions{}
opts.KeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
opts.Roots = x509.NewCertPool()
// Read Root Ca Certificate
opts.Roots.AddCert(readCertificates("ca")[0])

// create strategy and authenticator
strategy := New(opts)
Builder = InfoBuilder(func(chain [][]*x509.Certificate) (auth.Info, error) {
	return auth.NewDefaultUser("user-info-builder", "10", nil, nil), nil
})
authenticator := auth.New()
authenticator.EnableStrategy(StrategyKey, strategy)

// user request
req, _ := http.NewRequest("GET", "/", nil)
req.TLS = &tls.ConnectionState{PeerCertificates: readCertificates("client_valid")}

// validate request
info, err := authenticator.Authenticate(req)
fmt.Println(info.UserName(), err)
Output:

user-info-builder <nil>

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL