mitm

package
v0.1.7 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 17, 2026 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Overview

Package mitm provides optional TLS interception primitives for proxykit.

The package focuses on certificate authority lifecycle, per-host certificate issuance, interception policy, and PEM helpers. It does not own transport handlers, persistence, or application-specific MITM workflows.

Example 
certPEM, keyPEM, err := GenerateDevCA("proxykit dev ca", 1)
if err != nil {
	panic(err)
}
authority, err := LoadAuthorityFromPEM(certPEM, keyPEM)
if err != nil {
	panic(err)
}

policy := Policy{
	Authority:   authority,
	AllowSuffix: []string{".example.com"},
	DenySuffix:  []string{"blocked.example.com"},
}

leaf, err := authority.IssueFor("api.example.com:443")
if err != nil {
	panic(err)
}

fmt.Println(policy.ShouldIntercept("api.example.com:443"))
fmt.Println(policy.ShouldIntercept("blocked.example.com"))
fmt.Println(len(leaf.Certificate) > 0)

Output:
true
false
true

Index

Examples

Constants

This section is empty.

Variables

This section is empty.

Functions

func EncodeCertificatePEM 

func EncodeCertificatePEM(w io.Writer, der []byte) error

EncodeCertificatePEM writes a single certificate DER block as PEM.

func GenerateDevCA 

func GenerateDevCA(commonName string, yearsValid int) (certPEM, keyPEM []byte, err error)

GenerateDevCA generates a self-signed development root CA (RSA).

Types

type Authority 

type Authority struct {
	// contains filtered or unexported fields
}

Authority encapsulates CA loading and issuing short-lived certificates for domains.

func LoadAuthority 

func LoadAuthority(certPath, keyPath string) (*Authority, error)

func LoadAuthorityFromPEM 

func LoadAuthorityFromPEM(certPEM, keyPEM []byte) (*Authority, error)

LoadAuthorityFromPEM loads a CA from PEM content without temporary files.

func (*Authority) CacheSize 

func (a *Authority) CacheSize() int

CacheSize reports the number of cached leaf certificates.

func (*Authority) HasCached 

func (a *Authority) HasCached(host string) bool

HasCached reports whether a normalized host is present in the cache.

func (*Authority) IssueFor 

func (a *Authority) IssueFor(host string) (tls.Certificate, error)

IssueFor issues or returns from cache a certificate for host.

func (*Authority) PrivateKey 

func (a *Authority) PrivateKey() *rsa.PrivateKey

PrivateKey returns the parsed RSA private key used by the authority.

func (*Authority) RootCertificate 

func (a *Authority) RootCertificate() *x509.Certificate

RootCertificate returns the parsed root certificate.

func (*Authority) TLSCertificate 

func (a *Authority) TLSCertificate() tls.Certificate

TLSCertificate returns the loaded tls.Certificate for the root CA.

type Policy 

type Policy struct {
	Authority   *Authority
	AllowSuffix []string
	DenySuffix  []string
}

Policy decides whether a host should be intercepted.

func (Policy) ShouldIntercept 

func (p Policy) ShouldIntercept(host string) bool

ShouldIntercept returns true when host is allowed by the policy and an authority exists.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.