certs

package
v0.0.0-...-0039fe4 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 26, 2024 License: Apache-2.0 Imports: 13 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func GetRootCAs

func GetRootCAs(certsCAsDir string) (*x509.CertPool, error)

GetRootCAs - returns all the root CAs into certPool at the input certsCADir

Types

type GetCertificateFunc

type GetCertificateFunc func(hello *tls.ClientHelloInfo) (*tls.Certificate, error)

GetCertificateFunc is a callback that allows a TLS stack deliver different certificates based on the client trying to establish a TLS connection.

For example, a GetCertificateFunc can return different TLS certificates depending upon the TLS SNI sent by the client.

type LoadX509KeyPairFunc

type LoadX509KeyPairFunc func(certFile, keyFile string) (tls.Certificate, error)

LoadX509KeyPairFunc is a function that parses a private key and certificate file and returns a TLS certificate on success.

type Manager

type Manager struct {
	// contains filtered or unexported fields
}

Manager is a TLS certificate manager that can handle multiple certificates. When a client tries to establish a TLS connection, Manager will try to pick a certificate that can be validated by the client.

For instance, if the client specifies a TLS SNI then Manager will try to find the corresponding certificate. If there is no such certificate it will fallback to the certificate named public.crt.

Manager will automatically reload certificates if the corresponding file changes.

func NewManager

func NewManager(ctx context.Context, certFile, keyFile string, loadX509KeyPair LoadX509KeyPairFunc) (manager *Manager, err error)

NewManager returns a new Manager that handles one certificate specified via the certFile and keyFile. It will use the loadX509KeyPair function to (re)load certificates.

The certificate loaded from certFile is considered the default certificate. If a client does not send the TLS SNI extension then Manager will return this certificate.

func (*Manager) AddCertificate

func (m *Manager) AddCertificate(certFile, keyFile string) (err error)

AddCertificate adds the TLS certificate in certFile resp. keyFile to the Manager.

If there is already a certificate with the same base name it will be replaced by the newly added one.

func (*Manager) GetCertificate

func (m *Manager) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error)

GetCertificate returns a TLS certificate based on the client hello.

It tries to find a certificate that would be accepted by the client according to the client hello. However, if no certificate can be found GetCertificate returns the certificate loaded from the Public file.

func (*Manager) GetClientCertificate

func (m *Manager) GetClientCertificate(reqInfo *tls.CertificateRequestInfo) (*tls.Certificate, error)

GetClientCertificate returns a TLS certificate for mTLS based on the certificate request.

It tries to find a certificate that would be accepted by the server according to the certificate request. However, if no certificate can be found GetClientCertificate returns the certificate loaded from the Public file.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL