peertls

package
Published: May 30, 2024 License: MIT Imports: 11 Imported by: 3

Documentation

Overview

Package peertls manages TLS configuration for peers.

Index

Constants

const (
	// LeafIndex is the index of the leaf certificate in a cert chain (0).
	LeafIndex = iota
	// CAIndex is the index of the CA certificate in a cert chain (1).
	CAIndex
)

Variables

var (
	// ErrNotExist is used when a file or directory doesn't exist.
	ErrNotExist = errs.Class("file or directory not found")
	// ErrGenerate is used when an error occurred during cert/key generation.
	ErrGenerate = errs.Class("tls generation")
	// ErrTLSTemplate is used when an error occurs during tls template generation.
	ErrTLSTemplate = errs.Class("tls template")
	// ErrVerifyPeerCert is used when an error occurs during `VerifyPeerCertificate`.
	ErrVerifyPeerCert = errs.Class("tls peer certificate verification")
	// ErrVerifyCertificateChain is used when a certificate chain can't be verified from leaf to root
	// (i.e.: each cert in the chain should be signed by the preceding cert and the root should be self-signed).
	ErrVerifyCertificateChain = errs.Class("certificate chain signature verification failed")
	// ErrVerifyCAWhitelist is used when a signature wasn't produced by any CA in the whitelist.
	ErrVerifyCAWhitelist = errs.Class("not signed by any CA in the whitelist")
)

Functions

func CATemplate

func CATemplate() (*x509.Certificate, error)

CATemplate returns an x509.Certificate template for a certificate authority.

func ChainBytes

func ChainBytes(chain ...*x509.Certificate) ([]byte, error)

ChainBytes returns the certificate chain (leaf-first) as PEM-encoded bytes.

func CreateCertificate

func CreateCertificate(signee crypto.PublicKey, signer crypto.PrivateKey, template, issuer *x509.Certificate) (*x509.Certificate, error)

CreateCertificate creates a new X.509v3 certificate based on a template. The new certificate:

  • will have the public key given as 'signee'
  • will be signed by 'signer' (which should be the private key of 'issuer')
  • will be issued by 'issuer'
  • will have metadata fields copied from 'template'

Returns the new Certificate object.

func CreateSelfSignedCertificate

func CreateSelfSignedCertificate(key crypto.PrivateKey, template *x509.Certificate) (*x509.Certificate, error)

CreateSelfSignedCertificate creates a new self-signed X.509v3 certificate using fields from the given template.

In addition to the errors that CreateCertificate can return, it can return pkcrypto.ErrUnsupportedKey.

func DoubleSHA256PublicKey

func DoubleSHA256PublicKey(k crypto.PublicKey) ([sha256.Size]byte, error)

DoubleSHA256PublicKey returns the SHA-256 hash of the SHA-256 hash (double SHA-256) of the binary encoding of the given public key.
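The description above leaves open what "binary format" is hashed. The following is an added example, not the package's own code: it implements the double hash over the key's PKIX (SubjectPublicKeyInfo) DER encoding, which is an assumption of this example, and shows that the result survives a DER round-trip of the key while a value that is not a public key is reported as an error rather than hashed. The P-256 key generator is a helper for the example only.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
)

// doubleSHA256PublicKey returns SHA-256(SHA-256(enc(k))) where enc is the key's PKIX
// (SubjectPublicKeyInfo) DER encoding; using that encoding as the "binary format" is an
// assumption of this example. Key types PKIX cannot encode are reported as an error.
func doubleSHA256PublicKey(k crypto.PublicKey) ([sha256.Size]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(k)
	if err != nil {
		return [sha256.Size]byte{}, err
	}
	first := sha256.Sum256(der)
	return sha256.Sum256(first[:]), nil
}

// newP256PublicKey generates a fresh P-256 key for the example (the curve is an assumed choice).
func newP256PublicKey() (*ecdsa.PublicKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &key.PublicKey, nil
}
```

Because the hash is taken over a canonical DER encoding, two parsers that decode the same key produce the same identifier; hashing a curve point or modulus directly would not give the same value, so anything that compares identifiers across implementations has to agree on the encoding.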

func LeafTemplate

func LeafTemplate() (*x509.Certificate, error)

LeafTemplate returns an x509.Certificate template for a leaf (end-entity) certificate used for signing and encryption.

func TLSCert

func TLSCert(chain [][]byte, leaf *x509.Certificate, key crypto.PrivateKey) (*tls.Certificate, error)

TLSCert creates a tls.Certificate from the DER-encoded certificate chain, the parsed leaf certificate and the leaf's private key.

func VerifyPeerCertChains

func VerifyPeerCertChains(_ [][]byte, parsedChains [][]*x509.Certificate) error

VerifyPeerCertChains verifies the first parsed certificate chain: each certificate must be signed by the certificate that follows it, and the last certificate must be self-signed. The raw (DER) chains argument is ignored.

func WriteChain

func WriteChain(w io.Writer, chain ...*x509.Certificate) error

WriteChain writes the certificate chain (leaf-first) and extensions to the writer, PEM-encoded.

Types

type NonTemporaryError

type NonTemporaryError struct {
	// contains filtered or unexported fields
}

NonTemporaryError is an error with a `Temporary` method which always returns false. It is intended for use with grpc.

(see https://godoc.org/google.golang.org/grpc#WithDialer and https://godoc.org/google.golang.org/grpc#FailOnNonTempDialError).

func NewNonTemporaryError

func NewNonTemporaryError(err error) NonTemporaryError

NewNonTemporaryError returns a new non-temporary error for use with grpc.

func (NonTemporaryError) Err

func (nte NonTemporaryError) Err() error

Err returns the underlying error.

func (NonTemporaryError) Temporary

func (nte NonTemporaryError) Temporary() bool

Temporary returns false to indicate that it is a non-temporary error.

type PeerCertVerificationFunc

type PeerCertVerificationFunc func([][]byte, [][]*x509.Certificate) error

PeerCertVerificationFunc is the signature for a `*tls.Config{}`'s `VerifyPeerCertificate` function.

func VerifyCAWhitelist

func VerifyCAWhitelist(cas []*x509.Certificate) PeerCertVerificationFunc

VerifyCAWhitelist verifies that the CA certificate in the peer identity's chain (the one at CAIndex) was signed by one of the certificate authority certificates in the provided whitelist.

func VerifyPeerFunc

func VerifyPeerFunc(next ...PeerCertVerificationFunc) PeerCertVerificationFunc

VerifyPeerFunc chains multiple `*tls.Config#VerifyPeerCertificate`-style functions into one: it parses the raw DER certificates once and passes the parsed chain to each function in order.
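The pieces above (CreateCertificate and CreateSelfSignedCertificate, VerifyPeerCertChains, VerifyCAWhitelist and VerifyPeerFunc) fit together into one VerifyPeerCertificate callback. The block below is an added example written against the standard library only; it is not this package's code and does not import it. It rebuilds the documented behaviour: a self-signed CA signs a leaf, the chain is checked leaf-to-root with the root checked against itself, the CA at index 1 is matched against a whitelist, and a combinator parses the raw DER the TLS layer hands over before running the checks. The P-256 keys, subject names and one-day validity are assumed values; the error strings are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const caIndex = 1 // the CA's position in a peer chain (the leaf is at 0), as documented for CAIndex

// peerCertVerificationFunc has the shape of tls.Config.VerifyPeerCertificate.
type peerCertVerificationFunc func(rawCerts [][]byte, chains [][]*x509.Certificate) error

// createCertificate issues a certificate for pub from template, signed by signer on behalf of issuer; issuer == template makes it self-signed.
func createCertificate(template, issuer *x509.Certificate, pub, signer any) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, issuer, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newChain builds a self-signed CA and a leaf it signs; P-256 keys, names and the one-day validity are assumed values.
func newChain(caName string) (leaf, ca *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: caName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if ca, err = createCertificate(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "peer"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	leaf, err = createCertificate(leafTmpl, ca, &leafKey.PublicKey, caKey)
	return leaf, ca, err
}

// verifyPeerCertChains checks the first chain leaf-to-root: each certificate must be signed by the next one and the last must be self-signed.
func verifyPeerCertChains(_ [][]byte, chains [][]*x509.Certificate) error {
	if len(chains) == 0 || len(chains[0]) == 0 {
		return errors.New("empty certificate chain")
	}
	chain := chains[0]
	for i, cert := range chain {
		parent := cert // the root is checked against itself
		if i+1 < len(chain) {
			parent = chain[i+1]
		}
		if err := cert.CheckSignatureFrom(parent); err != nil {
			return fmt.Errorf("certificate %d: %w", i, err)
		}
	}
	return nil
}

// verifyCAWhitelist accepts the peer only if the CA certificate in its chain was signed by a whitelisted CA.
func verifyCAWhitelist(whitelist []*x509.Certificate) peerCertVerificationFunc {
	return func(_ [][]byte, chains [][]*x509.Certificate) error {
		if len(chains) == 0 || len(chains[0]) <= caIndex {
			return errors.New("peer chain has no CA certificate")
		}
		for _, ca := range whitelist {
			if chains[0][caIndex].CheckSignatureFrom(ca) == nil {
				return nil
			}
		}
		return errors.New("not signed by any CA in the whitelist")
	}
}

// verifyPeerFunc parses the DER certificates the TLS layer hands over and runs each check in order; assign the result to tls.Config.VerifyPeerCertificate.
func verifyPeerFunc(next ...peerCertVerificationFunc) peerCertVerificationFunc {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		chain, err := x509.ParseCertificates(bytes.Join(rawCerts, nil))
		if err != nil {
			return fmt.Errorf("parsing peer certificates: %w", err)
		}
		for _, check := range next {
			if err := check(rawCerts, [][]*x509.Certificate{chain}); err != nil {
				return err
			}
		}
		return nil
	}
}
```

Peer chains like these do not lead to a system root, so the tls.Config that uses `verifyPeerFunc(verifyPeerCertChains, verifyCAWhitelist(cas))` as its VerifyPeerCertificate has to set InsecureSkipVerify (and, on the server, a ClientAuth mode that requests a certificate); the callback then is the only check that runs, which is why an empty chain, a chain whose root is not self-signed and a CA outside the whitelist are all rejected explicitly instead of falling through.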

Directories

Path Synopsis
Package extensions contains extensions to TLS certificate handling.
Package testpeertls implements testing utilities for peertls.
Package tlsopts handles TLS server options.
