tls

package v0.8.0 (not the latest version of its module)
Published: Sep 12, 2025 License: Apache-2.0 Imports: 14 Imported by: 9

Documentation

Constants

const (
	ErrCertNotFound    = utils.Error("could not load certificate file")
	ErrInvalidPEM      = utils.Error("could not parse PEM certificate")
	ErrKeyNotFound     = utils.Error("could not load private key file")
	ErrKeyError        = utils.Error("failed to decode private key")
	ErrCredentialError = utils.Error("failed to load tls key password")
	ErrMissingPassword = utils.Error("missing password for encrypted private key")
	ErrDecryptError    = utils.Error("private key decryption error")
	ErrInvalidCert     = utils.Error("failed to load cert/key pair")
)
const (
	TLSMinVersionDefault = tls.VersionTLS13 // Use TLS 1.3 by default for better security
	ErrInvalidPeerCert   = utils.Error("invalid peer certificate")
	ErrForbiddenDNS      = utils.Error("peer certificate not allowed in DNS name list")
	ErrExpiredCert       = utils.Error("peer certificate has expired")
)
const (
	ErrInvalidCipher     = utils.Error("non-supported cipher")
	ErrInvalidTlsVersion = utils.Error("invalid TLS version")
)

Variables

This section is empty.

Functions

func LoadTLSCertPool

func LoadTLSCertPool(certFiles []string) (*x509.CertPool, error)

LoadTLSCertPool loads a certificate pool with the certificates from the specified files. It takes a slice of certificate file names as input.

Each certificate file is read using os.ReadFile. If there is an error reading the file, an error is returned with ErrCertNotFound.

The content of each certificate file is appended to the certificate pool using pool.AppendCertsFromPEM. If parsing the PEM certificate fails, an error is logged and the certificate

func LoadTLSCertificate

func LoadTLSCertificate(config *tls.Config, certFile, keyFile string, pwdSrc secure.CredentialConfig) error

LoadTLSCertificate loads a TLS certificate into the provided tls.Config.

It takes the following parameters:

  • config: Pointer to a tls.Config where the certificate will be loaded.
  • certFile: Path to the certificate file.
  • keyFile: Path to the private key file.
  • pwdSrc: A C NOTE: For improved security, consider using environment variables or a secure key management system instead of passing plaintext passwords.

The function reads the certificate file and private key file using os.ReadFile. If there is an error reading any of the files, an error is returned.

The private key is then decoded using pem.Decode. If the private key is encrypted and no password is supplied, an error is returned.

Once the private key is decoded, it is used to load the certificate and private key pair using tls.X509KeyPair. If the certificate and private key pair is invalid, an error is returned.

The loaded certificate is then assigned to the config.Certificates field.

Example:

config := &tls.Config{}
// Take the key password from the environment (or a secrets manager) rather than a literal;
// TlsKeyCredential (see below) is the password source expected by pwdSrc and reads
// PasswordEnvVar when the key is loaded.
keyPassword := TlsKeyCredential{PasswordEnvVar: "TLS_KEY_PASSWORD"}
err := LoadTLSCertificate(config, "path/to/cert.pem", "path/to/key.pem", keyPassword)
if err != nil {
    log.Fatal(err)
}

// TLS configuration with loaded certificate is ready to use.
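The load flow described above, as an added example that is not the package's own code: it applies the same steps to in-memory PEM using only the standard library, stopping at the missing-password check (decrypting an encrypted key is not shown), with plain errors standing in for the utils.Error constants; the self-signed certificate helper is constructed test input.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Plain-error stand-ins for the package's utils.Error constants (assumption).
var (
	errKeyError        = errors.New("failed to decode private key")
	errMissingPassword = errors.New("missing password for encrypted private key")
	errInvalidCert     = errors.New("failed to load cert/key pair")
)

// loadKeyPair follows the documented LoadTLSCertificate flow on in-memory PEM: decode the key,
// refuse an encrypted key with no password, then call tls.X509KeyPair (decryption not shown).
func loadKeyPair(certPEM, keyPEM []byte, password string) (tls.Certificate, error) {
	block, _ := pem.Decode(keyPEM)
	if block == nil {
		return tls.Certificate{}, errKeyError
	}
	// Legacy OpenSSL encryption sets Proc-Type: 4,ENCRYPTED; PKCS#8 uses its own block type.
	encrypted := block.Type == "ENCRYPTED PRIVATE KEY" || block.Headers["Proc-Type"] == "4,ENCRYPTED"
	if encrypted && password == "" {
		return tls.Certificate{}, errMissingPassword
	}
	cert, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return tls.Certificate{}, fmt.Errorf("%w: %v", errInvalidCert, err)
	}
	return cert, nil
}

// selfSignedPEM builds a throwaway Ed25519 key and self-signed certificate (constructed input).
func selfSignedPEM() (certPEM, keyPEM []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
}
```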

func ParseCiphers

func ParseCiphers(ciphers []string) ([]uint16, error)

ParseCiphers maps the received cipher suite names (`[]string`) to the corresponding crypto/tls cipher suite IDs (`[]uint16`).

func ParseTLSVersion

func ParseTLSVersion(version string) (uint16, error)

ParseTLSVersion maps the received version string key to the corresponding crypto/tls version constant (`uint16`), returning 0 if the version is invalid.
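An added example, not the package's implementation, of how both lookups can be resolved against crypto/tls itself so that only suites Go still treats as secure can be configured; the version key spellings "TLS1.2" and "TLS1.3" and the plain-error stand-ins for ErrInvalidCipher and ErrInvalidTlsVersion are assumptions.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
)

var (
	errInvalidCipher     = errors.New("non-supported cipher") // stand-in for ErrInvalidCipher
	errInvalidTLSVersion = errors.New("invalid TLS version")  // stand-in for ErrInvalidTlsVersion
)

// Accepted version keys are an assumption; the package's own spellings are not documented above.
var tlsVersionByName = map[string]uint16{
	"TLS1.2": tls.VersionTLS12, "TLS1.3": tls.VersionTLS13,
}

// parseTLSVersion maps a version key to its crypto/tls constant, returning 0 and an error when unknown.
func parseTLSVersion(version string) (uint16, error) {
	if id, ok := tlsVersionByName[version]; ok {
		return id, nil
	}
	return 0, fmt.Errorf("%w: %q", errInvalidTLSVersion, version)
}

// parseCiphers resolves crypto/tls suite names (e.g. TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) to
// their IDs. Only tls.CipherSuites() is consulted, so anything in tls.InsecureCipherSuites()
// (RC4 and the CBC-SHA256 suites, for instance) is reported as non-supported instead of enabled.
func parseCiphers(ciphers []string) ([]uint16, error) {
	byName := make(map[string]uint16, len(tls.CipherSuites()))
	for _, cs := range tls.CipherSuites() {
		byName[cs.Name] = cs.ID
	}
	ids := make([]uint16, 0, len(ciphers))
	for _, name := range ciphers {
		id, ok := byName[name]
		if !ok {
			return nil, fmt.Errorf("%w: %q", errInvalidCipher, name)
		}
		ids = append(ids, id)
	}
	return ids, nil
}
```

crypto/tls ignores tls.Config.CipherSuites for TLS 1.3 handshakes, so with TLSMinVersionDefault at TLS 1.3 a configured TLSCipherSuites list only takes effect if the minimum version is lowered to 1.2.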

Types

type ClientConfig

type ClientConfig struct {
	TLSCA                 string `json:"tlsCa"`
	TLSCert               string `json:"tlsCert"`
	TLSKey                string `json:"tlsKey"`
	TlsKeyCredential             // tls key password
	TLSEnable             bool   `json:"tlsEnable"`
	TLSInsecureSkipVerify bool   `json:"tlsInsecureSkipVerify"`
}

ClientConfig represents the configuration for a TLS client.

func (*ClientConfig) TLSConfig

func (c *ClientConfig) TLSConfig() (*tls.Config, error)

TLSConfig returns a tls.Config built from the ClientConfig.

type ServerConfig

type ServerConfig struct {
	TLSCert            string   `json:"tlsCert"`
	TLSKey             string   `json:"tlsKey"`
	TlsKeyCredential            // TLS key password
	TLSAllowedCACerts  []string `json:"tlsAllowedCACerts"`
	TLSCipherSuites    []string `json:"tlsCipherSuites"`
	TLSMinVersion      string   `json:"tlsMinVersion"`
	TLSMaxVersion      string   `json:"tlsMaxVersion"`
	TLSAllowedDNSNames []string `json:"tlsAllowedDNSNames"`
	TLSEnable          bool     `json:"tlsEnable"`
}

ServerConfig represents the standard server TLS config.

func (*ServerConfig) TLSConfig

func (c *ServerConfig) TLSConfig() (*tls.Config, error)

TLSConfig returns a tls.Config; the result may be nil without an error if TLS is not configured.
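An added example, not the package's code, of the peer checks that ErrInvalidPeerCert, ErrExpiredCert and ErrForbiddenDNS describe, written as a tls.Config.VerifyPeerCertificate hook over the CA-verified chain; that the package applies TLSAllowedDNSNames this way, and that an empty list imposes no DNS restriction, are assumptions, and the error values are plain-error stand-ins.

```go
package main

import (
	"crypto/x509"
	"errors"
	"strings"
	"time"
)

var (
	errInvalidPeerCert = errors.New("invalid peer certificate")                      // ErrInvalidPeerCert
	errForbiddenDNS    = errors.New("peer certificate not allowed in DNS name list") // ErrForbiddenDNS
	errExpiredCert     = errors.New("peer certificate has expired")                  // ErrExpiredCert
)

// checkPeerCert applies the allow-list check behind TLSAllowedDNSNames to one leaf: the
// certificate must be inside its validity window at `now` and carry at least one SAN DNS
// name from allowedDNS (compared case-insensitively, as DNS names are).
func checkPeerCert(leaf *x509.Certificate, allowedDNS []string, now time.Time) error {
	if leaf == nil {
		return errInvalidPeerCert
	}
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return errExpiredCert
	}
	if len(allowedDNS) == 0 { // assumption: an empty list means no DNS restriction
		return nil
	}
	for _, want := range allowedDNS {
		for _, have := range leaf.DNSNames {
			if strings.EqualFold(have, want) {
				return nil
			}
		}
	}
	return errForbiddenDNS
}

// verifyPeer adapts checkPeerCert to tls.Config.VerifyPeerCertificate. It reads the leaf of the
// first verified chain, so it only runs after the normal CA validation (ClientAuth set to
// RequireAndVerifyClientCert with the TLSAllowedCACerts pool) has already succeeded.
func verifyPeer(allowedDNS []string) func(rawCerts [][]byte, chains [][]*x509.Certificate) error {
	return func(_ [][]byte, chains [][]*x509.Certificate) error {
		if len(chains) == 0 || len(chains[0]) == 0 {
			return errInvalidPeerCert // nothing verified: never fall back to the raw, unverified certs
		}
		return checkPeerCert(chains[0][0], allowedDNS, time.Now())
	}
}
```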

type TlsKeyCredential added in v0.3.0

type TlsKeyCredential struct {
	Password       string `json:"tlsKeyPassword"`
	PasswordEnvVar string `json:"tlsKeyPasswordEnvVar"`
	PasswordFile   string `json:"tlsKeyPasswordFile"`
}

func (TlsKeyCredential) Fetch added in v0.5.0

func (c TlsKeyCredential) Fetch() (string, error)

Fetch retrieves the contents of the credential.

func (TlsKeyCredential) IsEmpty added in v0.5.0

func (c TlsKeyCredential) IsEmpty() bool

IsEmpty returns true if the credential source is empty.
