tls

package
v6.17.0

Warning: This package is not in the latest version of its module.
Published: Sep 26, 2025 License: Apache-2.0 Imports: 25 Imported by: 3

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CertFingerprint

func CertFingerprint(cert *x509.Certificate) string

CertFingerprint returns the SHA256 fingerprint string of an x509 certificate.

func CertFingerprintStr

func CertFingerprintStr(c string) (string, error)

CertFingerprintStr returns the SHA256 fingerprint of a PEM encoded certificate.

func CertificateTokenDecode

func CertificateTokenDecode(input string) (*api.CertificateAddToken, error)

CertificateTokenDecode decodes a base64 and JSON encoded certificate add token.

func FindOrGenCert

func FindOrGenCert(certf string, keyf string, certtype bool, addHosts bool) error

FindOrGenCert generates a keypair only if the certificate and key files do not already exist. The certtype argument is false for a server certificate and true for a client certificate.

func GenCert

func GenCert(certf string, keyf string, certtype bool, addHosts bool) error

GenCert creates and populates the certificate file certf and the key file keyf. The certtype argument has the same meaning as in FindOrGenCert (false for server, true for client).

func GenerateMemCert

func GenerateMemCert(client bool, addHosts bool) ([]byte, []byte, error)

GenerateMemCert creates a client (client set to true) or server (client set to false) certificate and key pair and returns them as byte slices in memory, without touching the filesystem.

func GenerateTrustCertificate

func GenerateTrustCertificate(cert *CertInfo, name string) (*api.Certificate, error)

GenerateTrustCertificate converts the given server certificate (cert) and server name (name) into an api.Certificate suitable for use as a trusted cluster server certificate.

func GetRemoteCertificate

func GetRemoteCertificate(address string, useragent string) (*x509.Certificate, error)

GetRemoteCertificate retrieves the x509 certificate presented by the remote HTTPS server at address, sending useragent as the User-Agent. The returned certificate is whatever the network delivered and has not been authenticated, so its fingerprint should be confirmed out of band before it is trusted.

func GetTLSConfig

func GetTLSConfig(tlsRemoteCert *x509.Certificate) (*tls.Config, error)

GetTLSConfig returns the TLS config for the provided remote certificate.

func GetTLSConfigMem

func GetTLSConfigMem(tlsClientCert string, tlsClientKey string, tlsClientCA string, tlsRemoteCertPEM string, insecureSkipVerify bool) (*tls.Config, error)

GetTLSConfigMem returns the TLS config built from in-memory PEM strings: the client certificate and key, an optional client CA, and an optional remote server certificate. When insecureSkipVerify is true the remote certificate is not verified at all, which leaves the connection open to interception; it should only be set for deliberately unauthenticated use.

func InitTLSConfig

func InitTLSConfig() *tls.Config

InitTLSConfig returns a tls.Config populated with default encryption parameters. This is used as the baseline config for both client and server connections.

func IsConnectionError

func IsConnectionError(err error) bool

IsConnectionError returns true if the given error is due to the dialer not being able to connect to the target.

func RFC3493Dialer

func RFC3493Dialer(_ context.Context, network string, address string) (net.Conn, error)

RFC3493Dialer connects to the specified server and returns the connection. If the connection cannot be established, an error carrying the connectErrorPrefix is returned, which is what IsConnectionError detects.
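As an added example, not the package's own code, here is one way to implement the dialer and the error classification described above. The prefix text, the use of a typed error (so that IsConnectionError can use errors.As instead of matching the error string) and the 10 second per-address timeout are this example's assumptions; the getaddrinfo-style walk over every resolved address is the behaviour the RFC 3493 name refers to.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"time"
)

// connectErrorPrefix marks errors that come from failing to reach the target, as opposed to
// errors from the TLS handshake or the application layer. The text is this example's choice.
const connectErrorPrefix = "Unable to connect to"

// connectError carries the prefix in its text and is what IsConnectionError looks for.
type connectError struct {
	address string
	err     error
}

func (e *connectError) Error() string {
	return fmt.Sprintf("%s %s: %v", connectErrorPrefix, e.address, e.err)
}

func (e *connectError) Unwrap() error { return e.err }

// IsConnectionError reports whether err (or anything it wraps) came from the dialer
// failing to connect, which is the case a caller may retry or treat as "remote down".
func IsConnectionError(err error) bool {
	var ce *connectError
	return errors.As(err, &ce)
}

// RFC3493Dialer resolves the host part of address to all of its A/AAAA records and tries
// each one in turn, returning the first connection that succeeds. If none succeeds the
// last failure is wrapped in a connectError so that IsConnectionError recognises it.
func RFC3493Dialer(ctx context.Context, network string, address string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(address)
	if err != nil {
		return nil, &connectError{address, err}
	}
	addrs, err := net.DefaultResolver.LookupIPAddr(ctx, host)
	if err != nil {
		return nil, &connectError{address, err}
	}
	d := net.Dialer{Timeout: 10 * time.Second}
	var lastErr error
	for _, a := range addrs {
		conn, err := d.DialContext(ctx, network, net.JoinHostPort(a.String(), port))
		if err == nil {
			return conn, nil
		}
		lastErr = err
	}
	if lastErr == nil {
		lastErr = errors.New("no addresses resolved")
	}
	return nil, &connectError{address, lastErr}
}
```

A caller that gets an error from a request can therefore distinguish "could not reach the server" (retry, or report the remote as down) from "reached the server but the handshake or request failed" (do not retry blindly), which matters when the failing request carries credentials.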

func ReadCert

func ReadCert(fpath string) (*x509.Certificate, error)

ReadCert reads a PEM encoded certificate from the file at fpath.

func TLSConfigWithTrustedCert added in v6.0.5

func TLSConfigWithTrustedCert(tlsConfig *tls.Config, tlsRemoteCert *x509.Certificate)

TLSConfigWithTrustedCert adds the given remote certificate to the config as a trusted CA and assigns the certificate's first DNS name as the tls.Config ServerName. This keeps default certificate verification enabled without requiring the request URL to match the certificate's SANs exactly. It therefore relies on the remote certificate carrying at least one DNS name.
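The following is an added example and not code from the page or from this package: a minimal reconstruction, on top of crypto/tls and crypto/x509 only, of what GenerateMemCert, CertFingerprint and TLSConfigWithTrustedCert do, so their interplay can be exercised offline. newMemCert generates a self-signed P-256 keypair whose extended key usage depends on the CertKind (the client/server distinction the CertKind type describes), certFingerprint is the SHA256-over-DER form CertFingerprint documents, tlsConfigWithTrustedCert pins the remote certificate and copies its first DNS SAN into ServerName, and verifyPresented runs the same root, hostname and key-usage check crypto/tls applies to a server's certificate. The function names, the 24h lifetime, the CommonName and the host name incus.example are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertKind mirrors the page's client/server distinction.
type CertKind int

const (
	CertClient CertKind = iota
	CertServer
)

// newMemCert builds a self-signed ECDSA P-256 keypair in memory, in the spirit of
// GenerateMemCert: kind selects the extended key usage (ClientAuth or ServerAuth) and
// hosts become DNS SANs (the addHosts role). Lifetime and CommonName are this example's choices.
func newMemCert(kind CertKind, hosts []string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: "example"},
		DNSNames:     hosts,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if kind == CertServer {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// certFingerprint is the lowercase hex SHA256 of the DER certificate, the form CertFingerprint documents.
func certFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// tlsConfigWithTrustedCert pins remote as the only trusted root and copies its first DNS SAN into
// ServerName, so default verification runs against that name whatever address was dialed.
func tlsConfigWithTrustedCert(cfg *tls.Config, remote *x509.Certificate) error {
	if len(remote.DNSNames) == 0 {
		return errors.New("remote certificate has no DNS SAN to use as ServerName")
	}
	pool := x509.NewCertPool()
	pool.AddCert(remote)
	cfg.RootCAs = pool
	cfg.ServerName = remote.DNSNames[0]
	return nil
}

// verifyPresented runs the check crypto/tls applies to a server's certificate under cfg
// (RootCAs, ServerName, ServerAuth key usage) without opening a connection.
func verifyPresented(cfg *tls.Config, presented *x509.Certificate) error {
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     cfg.RootCAs,
		DNSName:   cfg.ServerName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	_, leaf, err := newMemCert(CertServer, []string{"incus.example"})
	if err != nil {
		panic(err)
	}
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	err = tlsConfigWithTrustedCert(cfg, leaf)
	fmt.Println(certFingerprint(leaf), cfg.ServerName, err, verifyPresented(cfg, leaf))
}
```

Pinned this way, the same check still rejects an unrelated certificate (unknown authority) and a client-kind certificate offered by a server (incompatible extended key usage), which is why the two CertKind values are not interchangeable. A certificate without any DNS SAN is refused up front rather than left with an empty ServerName, which crypto/tls would itself reject at handshake time. Note that setting InsecureSkipVerify, as GetTLSConfigMem allows, bypasses every one of these checks, so a pin only holds while that flag stays false.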

Types

type CertInfo

type CertInfo struct {
	// contains filtered or unexported fields
}

CertInfo captures TLS certificate information about a certain public/private keypair and an optional CA certificate and CRL.

Given support for PKI setups, these few bits of information are normally used and passed around together, so this structure helps with that (see doc/security.md for more details).

func KeyPairAndCA

func KeyPairAndCA(dir, prefix string, kind CertKind, addHosts bool) (*CertInfo, error)

KeyPairAndCA returns a CertInfo object with a reference to the key pair and (optionally) the CA certificate located in the given directory and having the given name prefix.

The naming convention for the various PEM encoded files is:

    <prefix>.crt -> public key (certificate)
    <prefix>.key -> private key
    <prefix>.ca  -> CA certificate (optional)
    ca.crl       -> CA certificate revocation list (optional)

If no public/private key files are found, a new key pair of the given kind is generated and saved on disk.

If a CA certificate is found, it is loaded into the returned CertInfo and available through its CA method (otherwise CA returns nil).

func KeyPairFromRaw

func KeyPairFromRaw(certificate []byte, key []byte) (*CertInfo, error)

KeyPairFromRaw returns a CertInfo from the raw certificate and key.

func (*CertInfo) CA

func (c *CertInfo) CA() *x509.Certificate

CA returns the CA certificate.

func (*CertInfo) CRL

func (c *CertInfo) CRL() *x509.RevocationList

CRL returns the certificate revocation list.

func (*CertInfo) Fingerprint

func (c *CertInfo) Fingerprint() string

Fingerprint returns the fingerprint of the public key.

func (*CertInfo) KeyPair

func (c *CertInfo) KeyPair() tls.Certificate

KeyPair returns the public/private key pair.

func (*CertInfo) PrivateKey

func (c *CertInfo) PrivateKey() []byte

PrivateKey is a convenience to encode the underlying private key.

func (*CertInfo) PublicKey

func (c *CertInfo) PublicKey() []byte

PublicKey is a convenience to encode the underlying public key to ASCII.

func (*CertInfo) PublicKeyX509

func (c *CertInfo) PublicKeyX509() (*x509.Certificate, error)

PublicKeyX509 is a convenience to return the underlying public key as an *x509.Certificate.

type CertKind

type CertKind int

CertKind defines the kind of certificate KeyPairAndCA generates from scratch when no key pair exists on disk.

The two possible kinds are client and server; they differ in their extended key usage (ext-key-usage) bitmaps. See GenerateMemCert for more details.

const (
	CertClient CertKind = iota
	CertServer
)

Possible kinds of certificates.
