tlsutil

package
v0.74.6 Latest
Published: Jun 7, 2026 License: MIT Imports: 18 Imported by: 3

Documentation

Constants

const (
	// X25519MLKEM768 is the hybrid X25519 + ML-KEM-768 key exchange.
	// This is the IANA-registered value (0x11ec = 4588).
	X25519MLKEM768 tls.CurveID = 0x11ec
)

PQC Curve IDs for hybrid key exchange. X25519MLKEM768 is defined in Go 1.24+ as tls.X25519MLKEM768. For compatibility with Go 1.23, we define the constant here.

Variables

var PQSignatureOIDs = map[string]string{

	"2.16.840.1.101.3.4.3.17": "ML-DSA-44",
	"2.16.840.1.101.3.4.3.18": "ML-DSA-65",
	"2.16.840.1.101.3.4.3.19": "ML-DSA-87",

	"2.16.840.1.101.3.4.3.20": "SLH-DSA-SHA2-128s",
	"2.16.840.1.101.3.4.3.21": "SLH-DSA-SHA2-128f",
	"2.16.840.1.101.3.4.3.22": "SLH-DSA-SHA2-192s",
	"2.16.840.1.101.3.4.3.23": "SLH-DSA-SHA2-192f",
	"2.16.840.1.101.3.4.3.24": "SLH-DSA-SHA2-256s",
	"2.16.840.1.101.3.4.3.25": "SLH-DSA-SHA2-256f",
	"2.16.840.1.101.3.4.3.26": "SLH-DSA-SHAKE-128s",
	"2.16.840.1.101.3.4.3.27": "SLH-DSA-SHAKE-128f",
	"2.16.840.1.101.3.4.3.28": "SLH-DSA-SHAKE-192s",
	"2.16.840.1.101.3.4.3.29": "SLH-DSA-SHAKE-192f",
	"2.16.840.1.101.3.4.3.30": "SLH-DSA-SHAKE-256s",
	"2.16.840.1.101.3.4.3.31": "SLH-DSA-SHAKE-256f",

	"1.3.6.1.4.1.2.267.7.4.4":  "Dilithium2 (draft)",
	"1.3.6.1.4.1.2.267.7.6.5":  "Dilithium3 (draft)",
	"1.3.6.1.4.1.2.267.7.8.7":  "Dilithium5 (draft)",
	"1.3.6.1.4.1.2.267.12.4.4": "Falcon-512 (draft)",
	"1.3.6.1.4.1.2.267.12.9.9": "Falcon-1024 (draft)",

	"1.3.9999.6.4.1":  "SPHINCS+-SHA256-128f-robust (draft)",
	"1.3.9999.6.4.4":  "SPHINCS+-SHA256-128s-robust (draft)",
	"1.3.9999.6.4.10": "SPHINCS+-SHA256-192f-robust (draft)",
	"1.3.9999.6.4.13": "SPHINCS+-SHA256-192s-robust (draft)",
	"1.3.9999.6.5.1":  "SPHINCS+-SHA256-256f-robust (draft)",
	"1.3.9999.6.5.4":  "SPHINCS+-SHA256-256s-robust (draft)",
}

PQSignatureOIDs maps known post-quantum signature algorithm OIDs to names. It covers both NIST-standardized and draft OIDs for PQ signature algorithms.

Functions

func CurveIDName added in v0.74.5

func CurveIDName(id tls.CurveID) string

CurveIDName returns the name of a tls.CurveID.

func IsPQCCurve added in v0.74.5

func IsPQCCurve(id tls.CurveID) bool

IsPQCCurve returns true if the curve ID is a PQC or hybrid PQC curve.

func IsPQSignatureOID added in v0.74.5

func IsPQSignatureOID(oid asn1.ObjectIdentifier) bool

IsPQSignatureOID returns true if the OID is a known post-quantum signature algorithm.

func NewTLSConfig

func NewTLSConfig() *tls.Config

func PQCCurvePreferences added in v0.74.5

func PQCCurvePreferences() []tls.CurveID

PQCCurvePreferences returns curve preferences that prioritize PQC hybrid curves.

func PQSignatureOIDName added in v0.74.5

func PQSignatureOIDName(oid asn1.ObjectIdentifier) string

PQSignatureOIDName returns the name for a PQ signature OID, or empty string if not PQ.

func SupportsTLSVersion added in v0.65.2

func SupportsTLSVersion(ctx context.Context, tlsVersion TLSVersion, url string) (*int, error)

SupportsTLSVersion returns an error if a connection cannot be made and nil if the connection is successful.

func TLS12CiphersStrongMap added in v0.74.5

func TLS12CiphersStrongMap() map[uint16]string

func TLS12CiphersWeak added in v0.74.5

func TLS12CiphersWeak() []string

func TLS12CiphersWeakMap added in v0.74.5

func TLS12CiphersWeakMap() map[uint16]string

TLS12CiphersWeakMap returns a map of weak TLS 1.2 ciphers. Note that some ciphers, such as `TLS_RSA_WITH_RC4_128_MD5`, are not supported by Go and are therefore not included.

Types

type CertManager added in v0.70.7

type CertManager struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

func NewCertManager added in v0.70.7

func NewCertManager(certPath, keyPath string, rootCAPaths, clientCAPaths []string, requireAndVerifyClientCert bool) (*CertManager, error)

func (*CertManager) TLSConfig added in v0.70.7

func (cm *CertManager) TLSConfig() *tls.Config

type Checker added in v0.74.5

type Checker struct {
	// contains filtered or unexported fields
}

Checker performs TLS checks against a host.

func NewChecker added in v0.74.5

func NewChecker(config CheckerConfig) *Checker

NewChecker creates a new TLS checker with the given configuration.

func (*Checker) CheckAll added in v0.74.5

func (c *Checker) CheckAll(host string) CipherCheckResult

CheckAll performs a comprehensive TLS check on the given host.

func (*Checker) CheckAllTLSVersions added in v0.74.5

func (c *Checker) CheckAllTLSVersions(host string) []TLSVersionStatus

CheckAllTLSVersions tests all TLS versions (1.0, 1.1, 1.2, 1.3).

func (*Checker) CheckPostQuantumKeyExchange added in v0.74.5

func (c *Checker) CheckPostQuantumKeyExchange(host string) []string

CheckPostQuantumKeyExchange tests post-quantum key exchange support.

func (*Checker) CheckPostQuantumSignatures added in v0.74.5

func (c *Checker) CheckPostQuantumSignatures(host string) []string

CheckPostQuantumSignatures tests post-quantum signature algorithms in server certificates. It connects to the server, retrieves the certificate chain, and checks signature algorithm OIDs.
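
The OID check described for CheckPostQuantumSignatures, sketched with the standard library only. This is an added example, not tlsutil's own code: `outerCert`, `sigAlgName`, `sampleCert` and `pqNames` are hypothetical names and the certificate is constructed in memory. It reads the OID from the raw DER because crypto/x509 reports `UnknownSignatureAlgorithm` for signature OIDs it does not recognize.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

type outerCert struct { // top-level X.509 Certificate SEQUENCE (RFC 5280)
	TBS    asn1.RawValue
	SigAlg pkix.AlgorithmIdentifier
	Sig    asn1.BitString
}

var pqNames = map[string]string{"2.16.840.1.101.3.4.3.18": "ML-DSA-65"} // copied from PQSignatureOIDs above

// sigAlgName returns the signatureAlgorithm OID and its PQ name ("" if not PQ).
func sigAlgName(der []byte) (string, string, error) {
	var c outerCert
	if rest, err := asn1.Unmarshal(der, &c); err != nil || len(rest) != 0 {
		return "", "", fmt.Errorf("bad certificate DER (err=%v, trailing=%d bytes)", err, len(rest))
	}
	return c.SigAlg.Algorithm.String(), pqNames[c.SigAlg.Algorithm.String()], nil
}

// sampleCert builds a constructed Ed25519 cert; relabel swaps in the ML-DSA-65 OID (signature then invalid).
func sampleCert(relabel bool) ([]byte, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil || !relabel {
		return der, err
	}
	var c outerCert
	if _, err := asn1.Unmarshal(der, &c); err != nil {
		return nil, err
	}
	c.SigAlg.Algorithm = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 3, 18}
	return asn1.Marshal(c)
}

func main() {
	der, _ := sampleCert(true)
	fmt.Println(sigAlgName(der))
}
```

A match on this OID only says what the certificate claims to be signed with; it does not show that the signature was verified.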

func (*Checker) CheckTLS12Cipher added in v0.74.5

func (c *Checker) CheckTLS12Cipher(host string, cipherID uint16) bool

CheckTLS12Cipher tests if a host supports a specific TLS 1.2 cipher suite.

func (*Checker) CheckTLS12Ciphers added in v0.74.5

func (c *Checker) CheckTLS12Ciphers(host string) (strong, weak, insecure []string)

CheckTLS12Ciphers tests all TLS 1.2 cipher suites and categorizes them.

func (*Checker) CheckTLS13Ciphers added in v0.74.5

func (c *Checker) CheckTLS13Ciphers(host string) []string

CheckTLS13Ciphers tests TLS 1.3 cipher suites by connecting and checking what's negotiated.

func (*Checker) CheckTLSVersion added in v0.74.5

func (c *Checker) CheckTLSVersion(host string, version TLSVersion) bool

CheckTLSVersion tests if a host supports a specific TLS version.

type CheckerConfig added in v0.74.5

type CheckerConfig struct {
	Timeout time.Duration
}

CheckerConfig contains configuration for the TLS checker.

func DefaultCheckerConfig added in v0.74.5

func DefaultCheckerConfig() CheckerConfig

DefaultCheckerConfig returns the default checker configuration.

type CipherCheckResult added in v0.74.5

type CipherCheckResult struct {
	Host        string             `json:"host"`
	Time        *time.Time         `json:"time"`
	TLSVersions []TLSVersionStatus `json:"tlsVersions"`
	Strong      []string           `json:"strong"`
	Weak        []string           `json:"weak"`
	Insecure    []string           `json:"insecure"`
	TLS13       []string           `json:"tls13"`
	PostQuantum PostQuantumSupport `json:"postQuantum"`
}

CipherCheckResult contains comprehensive TLS cipher check results.

func CheckHost added in v0.74.5

func CheckHost(host string) CipherCheckResult

CheckHost performs a comprehensive TLS check using default configuration.

func NewCipherCheckResult added in v0.74.5

func NewCipherCheckResult(host string) CipherCheckResult

NewCipherCheckResult creates a new CipherCheckResult with initialized slices.

func (CipherCheckResult) String added in v0.74.5

func (r CipherCheckResult) String() string

String returns a formatted text report of the check results.

type HTTPSVersionCheckResponse added in v0.67.6

type HTTPSVersionCheckResponse struct {
	Results []URLResults `json:"results"`
}

func CheckURLs added in v0.67.6

func CheckURLs(urls []string) HTTPSVersionCheckResponse

func NewHTTPSVersionCheckResponse added in v0.67.6

func NewHTTPSVersionCheckResponse() HTTPSVersionCheckResponse

type PQCAlgorithm added in v0.74.5

type PQCAlgorithm string

PQCAlgorithm represents a post-quantum cryptographic algorithm.

const (
	// PQCAlgorithmMLKEM768 is ML-KEM-768 (formerly CRYSTALS-Kyber-768).
	PQCAlgorithmMLKEM768 PQCAlgorithm = "ML-KEM-768"
	// PQCAlgorithmMLKEM1024 is ML-KEM-1024 (formerly CRYSTALS-Kyber-1024).
	PQCAlgorithmMLKEM1024 PQCAlgorithm = "ML-KEM-1024"
	// PQCAlgorithmMLDSA is ML-DSA (formerly CRYSTALS-Dilithium).
	PQCAlgorithmMLDSA PQCAlgorithm = "ML-DSA"
	// PQCAlgorithmFalcon is the Falcon signature algorithm.
	PQCAlgorithmFalcon PQCAlgorithm = "Falcon"
	// PQCAlgorithmSLHDSA is SLH-DSA (formerly SPHINCS+).
	PQCAlgorithmSLHDSA PQCAlgorithm = "SLH-DSA"
)

func CurveIDToPQCAlgorithm added in v0.74.5

func CurveIDToPQCAlgorithm(id tls.CurveID) (PQCAlgorithm, bool)

CurveIDToPQCAlgorithm returns the PQC algorithm for a curve ID, if any.

type PQCAlgorithmInfo added in v0.74.5

type PQCAlgorithmInfo struct {
	Algorithm    PQCAlgorithm     `json:"algorithm"`
	Type         PQCAlgorithmType `json:"type"`
	OriginalName string           `json:"originalName"`
	NISTLevel    int              `json:"nistLevel"`
	StdlibCheck  bool             `json:"stdlibCheck"`
}

PQCAlgorithmInfo contains information about a PQC algorithm.

func PQCAlgorithms added in v0.74.5

func PQCAlgorithms() []PQCAlgorithmInfo

PQCAlgorithms returns information about known PQC algorithms.

type PQCAlgorithmType added in v0.74.5

type PQCAlgorithmType string

PQCAlgorithmType represents the type of PQC algorithm.

const (
	// PQCAlgorithmTypeKEM is a key encapsulation mechanism.
	PQCAlgorithmTypeKEM PQCAlgorithmType = "KEM"
	// PQCAlgorithmTypeSignature is a digital signature algorithm.
	PQCAlgorithmTypeSignature PQCAlgorithmType = "Signature"
)

type PQCCheckResult added in v0.74.5

type PQCCheckResult struct {
	URL            string       `json:"url"`
	TLSVersion     string       `json:"tlsVersion,omitempty"`
	CurveID        tls.CurveID  `json:"curveId,omitempty"`
	CurveName      string       `json:"curveName,omitempty"`
	PQCKeyExchange bool         `json:"pqcKeyExchange"`
	PQCAlgorithm   PQCAlgorithm `json:"pqcAlgorithm,omitempty"`
	Supported      bool         `json:"supported"`
	Error          string       `json:"error,omitempty"`
}

PQCCheckResult contains the result of a PQC support check.

func CheckPQCSupport added in v0.74.5

func CheckPQCSupport(ctx context.Context, url string) PQCCheckResult

CheckPQCSupport tests if a URL supports PQC key exchange. This requires TLS 1.3 on the server and Go 1.23+ on the client. The check attempts to negotiate a hybrid X25519+ML-KEM-768 key exchange.

func CheckPQCURLs added in v0.74.5

func CheckPQCURLs(ctx context.Context, urls []string) []PQCCheckResult

CheckPQCURLs checks multiple URLs for PQC support.

type PQCSupportSummary added in v0.74.5

type PQCSupportSummary struct {
	TotalChecked int              `json:"totalChecked"`
	PQCSupported int              `json:"pqcSupported"`
	TLS13Only    int              `json:"tls13Only"`
	Failed       int              `json:"failed"`
	Results      []PQCCheckResult `json:"results"`
}

PQCSupportSummary provides a summary of PQC support checks.

func CheckPQCURLsWithSummary added in v0.74.5

func CheckPQCURLsWithSummary(ctx context.Context, urls []string) PQCSupportSummary

CheckPQCURLsWithSummary checks multiple URLs and returns a summary.

type PostQuantumSupport added in v0.74.5

type PostQuantumSupport struct {
	KeyExchange []string `json:"keyExchange"`
	Signatures  []string `json:"signatures"`
}

PostQuantumSupport represents post-quantum cryptography support.

type TLSConfig

type TLSConfig struct {
	Config *tls.Config
}

func NewTLSConfigCerts added in v0.64.1

func NewTLSConfigCerts(certFilepath, keyFilepath string, rootCACertFilepaths, clientCACertFilepaths []string, requireAndVerifyClientCert bool) (*TLSConfig, error)

func (*TLSConfig) LoadClientCACert added in v0.63.0

func (tc *TLSConfig) LoadClientCACert(caCertFilepath string) error

func (*TLSConfig) LoadRootCACert added in v0.63.0

func (tc *TLSConfig) LoadRootCACert(caCertFilepath string) error

func (*TLSConfig) LoadX509KeyPair

func (tc *TLSConfig) LoadX509KeyPair(certFilepath, keyFilepath string) error

type TLSVersion added in v0.64.1

type TLSVersion uint16

const (
	VersionTLS13 TLSVersion = tls.VersionTLS13
	VersionTLS12 TLSVersion = tls.VersionTLS12
	VersionTLS11 TLSVersion = tls.VersionTLS11
	VersionTLS10 TLSVersion = tls.VersionTLS10
	VersionSSL30 TLSVersion = tls.VersionSSL30
)

func HTTPResponseTLSVersion added in v0.65.7

func HTTPResponseTLSVersion(r *http.Response) (TLSVersion, error)

func TLSVersions added in v0.67.6

func TLSVersions() []TLSVersion

func (TLSVersion) String added in v0.64.1

func (t TLSVersion) String() string

type TLSVersionCheck added in v0.67.6

type TLSVersionCheck struct {
	TLSVersion     string `json:"tlsVersion"`
	HTTPStatusCode *int   `json:"httpStatusCode"`
	Supported      bool   `json:"supported"`
	Message        string `json:"message"`
}

type TLSVersionStatus added in v0.74.5

type TLSVersionStatus struct {
	Version TLSVersion `json:"-"`
	Name    string     `json:"version"`
	Active  bool       `json:"active"`
}

TLSVersionStatus represents the support status of a TLS version.

type URLResults added in v0.67.6

type URLResults struct {
	URL              string            `json:"url"`
	TLSVersionChecks []TLSVersionCheck `json:"tlsVersionChecks"`
}

func CheckURL added in v0.67.6

func CheckURL(url string) URLResults

Directories

Path: cmd/cipherscheck (command)
