Overview
Package arrangetls has basic unmarshaling and external configuration support for HTTP clients and servers created within an uber/fx App.
Index
- Variables
- func CreateTestCertificate(template *x509.Certificate) (*tls.Certificate, error)
- func CreateTestServerFiles(certificate *tls.Certificate) (certificateFileName, keyFileName string, err error)
- type Config
- type ExternalCertPool
- type ExternalCertificate
- type ExternalCertificates
- type PeerVerifier
- type PeerVerifiers
- type PeerVerifyConfig
- type PeerVerifyError
- type Suite
Constants
This section is empty.
Variables
var (
	ErrTLSCertificateRequired         = errors.New("Both a certificateFile and keyFile are required")
	ErrUnableToAddClientCACertificate = errors.New("Unable to add client CA certificate")
)
Functions
func CreateTestCertificate
func CreateTestCertificate(template *x509.Certificate) (*tls.Certificate, error)
CreateTestCertificate creates a self-signed x509 certificate for use in testing TLS code. A 1024-bit RSA key pair is used, and otherwise all defaults are taken.
func CreateTestServerFiles
func CreateTestServerFiles(certificate *tls.Certificate) (certificateFileName, keyFileName string, err error)
CreateTestServerFiles creates the certificate file and key file expected by net/http.Server, which is the basic model followed by most golang TLS code.
The supplied certificate must have at least one []byte in its Certificate chain. If not, this function will panic. If it has more than one entry in its chain, only the first entry is written to the certificate file.
Types
type Config
type Config struct {
	// Certificates is the set of certificates to present to a client. This field is
	// required for servers, and optional for clients.
	Certificates ExternalCertificates

	// RootCAs is the optional certificate pool for root certificates. By default, the golang
	// library uses the system certificate pool if this is unset.
	RootCAs ExternalCertPool

	// ClientCAs is the optional certificate pool for certificates expected from a client. Configure
	// this as part of mTLS.
	ClientCAs ExternalCertPool

	// ServerName is used by a client to validate the server's hostname. This field is optional
	// and has no default.
	ServerName string

	// InsecureSkipVerify indicates whether a client should skip validation of a server's certificate(s).
	InsecureSkipVerify bool

	// NextProtos is the list of supported application protocols. Defaults to "http/1.1" if unset.
	NextProtos []string

	// MinVersion is the minimum required TLS version. If unset, the internal crypto/tls default is used.
	MinVersion uint16

	// MaxVersion is the maximum permitted TLS version. If unset, the internal crypto/tls default is used.
	MaxVersion uint16

	// PeerVerify specifies the certificate validation done on client certificates.
	// If supplied, this verifier strategy is merged with any extra PeerVerifiers
	// supplied in application code.
	PeerVerify *PeerVerifyConfig
}
Config represents the unmarshaled tls options for either a client or a server
func (*Config) New
func (c *Config) New(extra ...PeerVerifier) (*tls.Config, error)
New constructs a *tls.Config from this Config instance, usually unmarshaled from some external source. If this instance is nil, it returns nil with no error.
The extra PeerVerifiers, if supplied, are used to build the tls.Config.VerifyPeerCertificate strategy.
type ExternalCertPool
type ExternalCertPool []string
ExternalCertPool is a sequence of file names containing PEM-encoded certificates or certificate bundles to be added to an x509.CertPool
func (*ExternalCertPool) Append
func (ecp *ExternalCertPool) Append(more ...string)
Append adds file names to this external cert pool
func (ExternalCertPool) AppendTo
func (ecp ExternalCertPool) AppendTo(pool *x509.CertPool) (int, error)
AppendTo adds each PEM-encoded file from this external pool to the given x509.CertPool. The number of certs added is returned, and any error will short circuit subsequent loading.
func (ExternalCertPool) Len
func (ecp ExternalCertPool) Len() int
Len returns the number of external files in this pool
type ExternalCertificate
ExternalCertificate represents a certificate with its key file on the filesystem. A server or client may have one or more associated external certificates.
func (ExternalCertificate) Load
func (ec ExternalCertificate) Load() (tls.Certificate, error)
Load reads in the certificate and key files from the file system
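CreateTestCertificate and CreateTestServerFiles above, together with ExternalCertificate.Load and ExternalCertPool.AppendTo, describe one round trip: self-sign a certificate, write it out as the PEM pair net/http.Server expects, then read the pair back and feed the certificate into an x509.CertPool. The Go below is an added example written for this page, not arrangetls's own code. The names newTestCertificate, writeServerFiles and appendPoolFiles are mine; it uses a 2048-bit RSA key where the package documents 1024 bits, and it returns an error for an empty chain where the package documents a panic.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// newTestCertificate self-signs template as CreateTestCertificate is described to,
// but with a 2048-bit key (assumption: 1024-bit RSA is rejected by current peers).
func newTestCertificate(template *x509.Certificate) (*tls.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	if template.SerialNumber == nil {
		template.SerialNumber = big.NewInt(1)
	}
	if template.NotAfter.IsZero() {
		template.NotBefore, template.NotAfter = time.Now().Add(-time.Minute), time.Now().Add(time.Hour)
	}
	der, err := x509.CreateCertificate(rand.Reader, template, template, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// writeServerFiles writes the PEM pair net/http.Server expects. Only the first chain
// entry is written; an empty chain is an error here where the package documents a panic.
func writeServerFiles(dir string, cert *tls.Certificate) (certFile, keyFile string, err error) {
	if len(cert.Certificate) == 0 {
		return "", "", fmt.Errorf("certificate chain is empty")
	}
	key, ok := cert.PrivateKey.(*rsa.PrivateKey)
	if !ok {
		return "", "", fmt.Errorf("this example handles RSA private keys only")
	}
	certFile, keyFile = filepath.Join(dir, "server.crt"), filepath.Join(dir, "server.key")
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Certificate[0]})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	if err = os.WriteFile(certFile, certPEM, 0o644); err != nil {
		return "", "", err
	}
	if err = os.WriteFile(keyFile, keyPEM, 0o600); err != nil { // the key is secret: owner-only
		return "", "", err
	}
	return certFile, keyFile, nil
}

// appendPoolFiles adds every CERTIFICATE block in the named PEM files to pool, the way
// ExternalCertPool.AppendTo is described: the count is returned and the first failure stops loading.
func appendPoolFiles(pool *x509.CertPool, files ...string) (int, error) {
	added := 0
	for _, name := range files {
		data, err := os.ReadFile(name)
		if err != nil {
			return added, err
		}
		for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
			if block.Type != "CERTIFICATE" {
				continue
			}
			c, err := x509.ParseCertificate(block.Bytes)
			if err != nil {
				return added, fmt.Errorf("%s: %w", name, err)
			}
			pool.AddCert(c)
			added++
		}
	}
	return added, nil
}

func main() {
	dir, err := os.MkdirTemp("", "arrangetls-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	cert, err := newTestCertificate(&x509.Certificate{DNSNames: []string{"localhost"}})
	if err != nil {
		panic(err)
	}
	certFile, keyFile, err := writeServerFiles(dir, cert)
	if err != nil {
		panic(err)
	}
	_, loadErr := tls.LoadX509KeyPair(certFile, keyFile) // what ExternalCertificate.Load boils down to
	n, poolErr := appendPoolFiles(x509.NewCertPool(), certFile)
	fmt.Println("key pair load error:", loadErr, "| pool certs added:", n, "| pool error:", poolErr)
}
```

Two details worth keeping when adapting this: the key file is written with mode 0600 because the private key is the secret half of the pair, and the pool loader counts CERTIFICATE blocks and skips any other block type, so pointing it at a key file by mistake adds nothing rather than failing loudly; a loud failure is the safer choice if the pool is the only thing standing between a client and an unauthenticated server, so adjust that to taste.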
type ExternalCertificates
type ExternalCertificates []ExternalCertificate
ExternalCertificates is a sequence of externally available certificates
func (*ExternalCertificates) Append
func (ecs *ExternalCertificates) Append(more ...ExternalCertificate)
Append adds external certificates to this sequence
func (ExternalCertificates) AppendTo
func (ecs ExternalCertificates) AppendTo(certs []tls.Certificate) ([]tls.Certificate, error)
AppendTo loads and appends each certificate in this slice. Any error short circuits and returns that error together with the slice with any successfully loaded certificates.
func (ExternalCertificates) Len
func (ecs ExternalCertificates) Len() int
Len returns the count of externally available certificates in this slice
type PeerVerifier
type PeerVerifier func(*x509.Certificate, [][]*x509.Certificate) error
PeerVerifier is a verification strategy for a peer certificate.
type PeerVerifiers
type PeerVerifiers struct {
// contains filtered or unexported fields
}
PeerVerifiers is an immutable sequence of PeerVerifiers. The zero value is an empty sequence.
func NewPeerVerifiers
func NewPeerVerifiers(more ...PeerVerifier) PeerVerifiers
NewPeerVerifiers returns a PeerVerifiers given a sequence of strategies
func (PeerVerifiers) Append
func (pvs PeerVerifiers) Append(more ...PeerVerifier) PeerVerifiers
Append adds more PeerVerifier strategies to this slice and returns the result. If no PeerVerifier strategies are supplied, this method returns this PeerVerifiers as is. Otherwise, the returned instance is a distinct sequence which is the concatenation of this instance with this method's arguments.
func (PeerVerifiers) Extend
func (pvs PeerVerifiers) Extend(more PeerVerifiers) PeerVerifiers
Extend adds another sequence of PeerVerifiers to this one, and returns the result
func (PeerVerifiers) SetTo
func (pvs PeerVerifiers) SetTo(tc *tls.Config)
SetTo conditionally configures tls.Config.VerifyPeerCertificate. If the supplied tls.Config is not nil and this sequence is not empty, tls.Config.VerifyPeerCertificate is set to this sequence's VerifyPeerCertificate method. Otherwise, this method does nothing.
Note that PeerVerifiers is immutable. Any tls.Config.VerifyPeerCertificate that is set will be unaffected by any future use of this PeerVerifiers sequence.
func (PeerVerifiers) VerifyPeerCertificate
func (pvs PeerVerifiers) VerifyPeerCertificate(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error
VerifyPeerCertificate may be used as the closure for crypto/tls.Config.VerifyPeerCertificate. Parsing is done once, then each PeerVerifier is invoked in sequence. Any error short-circuits subsequent checks.
type PeerVerifyConfig
type PeerVerifyConfig struct {
	// DNSSuffixes enumerates any DNS suffixes that are checked. A DNSName field of at least (1) peer cert
	// must have one of these suffixes. If this field is not supplied, no DNS suffix checking is performed.
	// Matching is case insensitive.
	//
	// If any DNS suffix matches, that is sufficient for the peer cert to be valid.
	// No further checking is done in that case.
	DNSSuffixes []string

	// CommonNames lists the subject common names that at least (1) peer cert must have. If not supplied,
	// no checking is done on the common name. Matching common names is case sensitive.
	//
	// If any common name matches, that is sufficient for the peer cert to be valid. No further
	// checking is done in that case.
	CommonNames []string
}
PeerVerifyConfig allows common checks against a client-side certificate to be configured externally. Any constraint that matches will result in a valid peer cert.
func (*PeerVerifyConfig) AppendTo
func (pvc *PeerVerifyConfig) AppendTo(pvs PeerVerifiers) PeerVerifiers
AppendTo adds a peer verifier to the supplied sequence if and only if this config instance is not nil and if at least one of its fields is configured.
func (PeerVerifyConfig) Verifier
func (pvc PeerVerifyConfig) Verifier() PeerVerifier
Verifier produces a PeerVerifier strategy from these options. If nothing is configured, this method returns nil.
type PeerVerifyError
type PeerVerifyError struct {
	Certificate *x509.Certificate
	Reason      string
}
PeerVerifyError represents a verification error for a particular certificate
func (*PeerVerifyError) Error
func (pve *PeerVerifyError) Error() string
Error satisfies the error interface. It returns the Reason text.
type Suite (added in v0.5.0)
Suite is a simple stretchr/testify suite that manages the lifecycle of a testing certificate. Useful primarily for testing TLS code.
func (*Suite) Config (added in v0.5.0)
Config returns a configuration object using this suite's certificate.
func (*Suite) SetupSuite (added in v0.5.0)
func (suite *Suite) SetupSuite()
SetupSuite creates a testing certificate and stores the certificate and its private key in temporary files.
func (*Suite) TLSConfig (added in v0.5.0)
TLSConfig creates a new *tls.Config using the certificate generated in setup.
func (*Suite) TearDownSuite (added in v0.5.0)
func (suite *Suite) TearDownSuite()
TearDownSuite cleans up the temporary files created in setup.