WIP: initial mtls package #133
247
mtls/mtls.go
Normal file
247
mtls/mtls.go
Normal file
@@ -0,0 +1,247 @@
|
|||||||
|
|
|||||||
|
package mtls // import "go.unistack.org/micro/v3/mtls"
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
import (
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
"bytes"
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
"crypto"
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
"crypto/ed25519"
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
"crypto/rand"
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
"crypto/tls"
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
"crypto/x509"
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
"crypto/x509/pkix"
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
"encoding/pem"
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
"sync"
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
)
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
var bp = newBPool()
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
type bpool struct {
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
pool sync.Pool
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
func newBPool() *bpool {
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
var bp bpool
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
bp.pool.New = alloc
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
return &bp
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
func alloc() interface{} {
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
return &bytes.Buffer{}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
func (bp *bpool) Get() *bytes.Buffer {
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
return bp.pool.Get().(*bytes.Buffer)
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
func (bp *bpool) Put(buf *bytes.Buffer) {
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
buf.Reset()
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
bp.pool.Put(buf)
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
// NewCA creates new CA keypair
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
func NewCA(opts ...CertificateOption) ([]byte, crypto.PrivateKey, error) {
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
options := NewCertificateOptions(opts...)
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
crtreq := &x509.CertificateRequest{
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
Subject: pkix.Name{
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
Organization: options.Organization,
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
OrganizationalUnit: options.OrganizationalUnit,
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
CommonName: options.CommonName,
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
},
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
SignatureAlgorithm: options.SignatureAlgorithm,
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
pemcsr, pemkey, err := newCsr(crtreq)
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
if err != nil {
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
return nil, nil, err
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
pemcrt, err := SignCSR(pemcsr, nil, pemkey, opts...)
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
if err != nil {
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
return nil, nil, err
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
return pemcrt, pemkey, nil
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
func NewIntermediate(cacrt *x509.Certificate, cakey crypto.PrivateKey, opts ...CertificateOption) ([]byte, crypto.PrivateKey, error) {
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
options := &CertificateOptions{}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
for _, o := range opts {
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
o(options)
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
crtreq := &x509.CertificateRequest{
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
Subject: pkix.Name{
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
Organization: options.Organization,
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
OrganizationalUnit: options.OrganizationalUnit,
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
CommonName: options.CommonName,
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
},
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
SignatureAlgorithm: options.SignatureAlgorithm,
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
pemcsr, pemkey, err := newCsr(crtreq)
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
if err != nil {
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
return nil, nil, err
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
pemcrt, err := SignCSR(pemcsr, cacrt, cakey)
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
if err != nil {
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
return nil, nil, err
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
return pemcrt, pemkey, nil
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
// SignCSR sign certificate request and return signed pubkey
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
func SignCSR(rawcsr []byte, cacrt *x509.Certificate, cakey crypto.PrivateKey, opts ...CertificateOption) ([]byte, error) {
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
if cacrt == nil {
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
opts = append(opts, CertificateIsCA(true))
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
options := NewCertificateOptions(opts...)
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
csr, err := x509.ParseCertificateRequest(rawcsr)
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
if err == nil {
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
err = csr.CheckSignature()
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
if err != nil {
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
return nil, err
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
tpl := &x509.Certificate{
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
Signature: csr.Signature,
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
SignatureAlgorithm: csr.SignatureAlgorithm,
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
PublicKeyAlgorithm: csr.PublicKeyAlgorithm,
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
PublicKey: csr.PublicKey,
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
SerialNumber: options.SerialNumber,
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
OCSPServer: options.OCSPServer,
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
IssuingCertificateURL: options.IssuingCertificateURL,
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
Subject: csr.Subject,
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
NotBefore: options.NotBefore,
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
NotAfter: options.NotAfter,
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
KeyUsage: options.KeyUsage,
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
ExtKeyUsage: options.ExtKeyUsage,
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
BasicConstraintsValid: true,
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
IsCA: options.IsCA,
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
if options.IsCA {
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
cacrt = tpl
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
} else {
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
tpl.Issuer = cacrt.Subject
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
crt, err := x509.CreateCertificate(rand.Reader, tpl, cacrt, csr.PublicKey, cakey)
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
if err != nil {
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
return nil, err
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
return crt, nil
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
// NewCertificateRequest create new certificate signing request and return key, csr in byte slice and err
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
func NewCertificateRequest(opts ...CertificateOption) ([]byte, crypto.PrivateKey, error) {
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
options := NewCertificateOptions(opts...)
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
crtreq := &x509.CertificateRequest{
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
Subject: pkix.Name{
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
Organization: options.Organization,
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
OrganizationalUnit: options.OrganizationalUnit,
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
CommonName: options.CommonName,
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
},
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
SignatureAlgorithm: options.SignatureAlgorithm,
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
return newCsr(crtreq)
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
// newCsr returns CSR and private key
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
func newCsr(crtreq *x509.CertificateRequest) ([]byte, crypto.PrivateKey, error) {
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
_, key, err := ed25519.GenerateKey(rand.Reader)
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
if err != nil {
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
return nil, nil, err
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
csr, err := x509.CreateCertificateRequest(rand.Reader, crtreq, key)
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
if err != nil {
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
return nil, nil, err
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
return csr, key, nil
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
// ServerOptions holds server specific options
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
type ServerOptions struct {
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
ServerName string
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
RootCAs []string
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
ClientCAs []string
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
// ServerOption func signature
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
type ServerOption func(*ServerOptions)
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
func NewServerConfig(src *tls.Config) *tls.Config {
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
dst := src.Clone()
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
// dst.InsecureSkipVerify = true
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
dst.MinVersion = tls.VersionTLS13
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
dst.ClientAuth = tls.VerifyClientCertIfGiven
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
return dst
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
func DecodeCrtKey(rawcrt []byte, rawkey []byte) (*x509.Certificate, crypto.PrivateKey, error) {
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
var crt *x509.Certificate
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
var key crypto.PrivateKey
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
var err error
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
crt, err = DecodeCrt(rawcrt)
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
if err == nil {
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
key, err = DecodeKey(rawkey)
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
if err != nil {
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
return nil, nil, err
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
return crt, key, nil
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
func DecodeCrt(rawcrt []byte) (*x509.Certificate, error) {
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
pemcrt, _ := pem.Decode(rawcrt)
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
return x509.ParseCertificate(pemcrt.Bytes)
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
func EncodeCrt(crts ...*x509.Certificate) ([]byte, error) {
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
var err error
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
buf := bp.Get()
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
defer bp.Put(buf)
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
for _, crt := range crts {
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
if err = pem.Encode(buf, &pem.Block{Type: "CERTIFICATE", Bytes: crt.Raw}); err != nil {
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
return nil, err
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
return buf.Bytes(), nil
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
func EncodeCsr(csr *x509.Certificate) ([]byte, error) {
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
buf := bp.Get()
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
defer bp.Put(buf)
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
if err := pem.Encode(buf, &pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csr.Raw}); err != nil {
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
return nil, err
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
return buf.Bytes(), nil
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
func DecodeKey(rawkey []byte) (crypto.PrivateKey, error) {
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
pemkey, _ := pem.Decode(rawkey)
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
return x509.ParsePKCS8PrivateKey(pemkey.Bytes)
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
func EncodeKey(privkey crypto.PrivateKey) ([]byte, error) {
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
buf := bp.Get()
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
defer bp.Put(buf)
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
enckey, err := x509.MarshalPKCS8PrivateKey(privkey)
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
if err == nil {
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
err = pem.Encode(buf, &pem.Block{Type: "PRIVATE KEY", Bytes: enckey})
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
if err != nil {
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
return nil, err
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
return buf.Bytes(), nil
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
|
}
|
||||||
Disabled TLS certificate checkInsecureSkipVerify should not be used in production code. ## Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
[Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
|
|||||||
73
mtls/mtls_test.go
Normal file
73
mtls/mtls_test.go
Normal file
@@ -0,0 +1,73 @@
|
|||||||
|
package mtls
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/ed25519"
|
||||||
|
"crypto/x509"
|
||||||
|
"testing"
|
||||||
|
)
|
||||||
|
|
||||||
|
func TestNewCa(t *testing.T) {
|
||||||
|
bcrt, key, err := NewCA(
|
||||||
|
CertificateOrganization("test_org"),
|
||||||
|
CertificateOrganizationalUnit("test_unit"),
|
||||||
|
CertificateIsCA(true),
|
||||||
|
)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if _, ok := key.(ed25519.PrivateKey); !ok {
|
||||||
|
t.Fatalf("key is not ed25519")
|
||||||
|
}
|
||||||
|
|
||||||
|
crt, err := x509.ParseCertificate(bcrt)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err)
|
||||||
|
}
|
||||||
|
if !crt.IsCA {
|
||||||
|
t.Fatalf("crt IsCA invalid %v", crt)
|
||||||
|
}
|
||||||
|
if crt.Subject.Organization[0] != "test_org" {
|
||||||
|
t.Fatalf("crt subject invalid %v", crt.Subject)
|
||||||
|
}
|
||||||
|
if crt.Subject.OrganizationalUnit[0] != "test_unit" {
|
||||||
|
t.Fatalf("crt subject invalid %v", crt.Subject)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestNewIntermediate(t *testing.T) {
|
||||||
|
bcrt, cakey, err := NewCA(
|
||||||
|
CertificateOrganization("test_org"),
|
||||||
|
CertificateOrganizationalUnit("test_unit"),
|
||||||
|
)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err)
|
||||||
|
}
|
||||||
|
cacrt, err := x509.ParseCertificate(bcrt)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err)
|
||||||
|
}
|
||||||
|
|
||||||
|
bcrt, ikey, err := NewIntermediate(cacrt, cakey,
|
||||||
|
CertificateOrganization("test_org"),
|
||||||
|
CertificateOrganizationalUnit("test_unit"),
|
||||||
|
)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err)
|
||||||
|
}
|
||||||
|
_ = ikey
|
||||||
|
icrt, err := x509.ParseCertificate(bcrt)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if icrt.IsCA {
|
||||||
|
t.Fatalf("crt IsCA invalid %v", icrt)
|
||||||
|
}
|
||||||
|
if icrt.Subject.Organization[0] != "test_org" {
|
||||||
|
t.Fatalf("crt subject invalid %v", icrt.Subject)
|
||||||
|
}
|
||||||
|
if icrt.Subject.OrganizationalUnit[0] != "test_unit" {
|
||||||
|
t.Fatalf("crt subject invalid %v", icrt.Subject)
|
||||||
|
}
|
||||||
|
}
|
||||||
155
mtls/options.go
Normal file
155
mtls/options.go
Normal file
@@ -0,0 +1,155 @@
|
|||||||
|
package mtls
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/x509"
|
||||||
|
"math/big"
|
||||||
|
"time"
|
||||||
|
)
|
||||||
|
|
||||||
|
// CertificateOptions holds options for x509.CreateCertificate
|
||||||
|
type CertificateOptions struct {
|
||||||
|
Organization []string
|
||||||
|
OrganizationalUnit []string
|
||||||
|
CommonName string
|
||||||
|
OCSPServer []string
|
||||||
|
IssuingCertificateURL []string
|
||||||
|
SerialNumber *big.Int
|
||||||
|
NotAfter time.Time
|
||||||
|
NotBefore time.Time
|
||||||
|
SignatureAlgorithm x509.SignatureAlgorithm
|
||||||
|
PublicKeyAlgorithm x509.PublicKeyAlgorithm
|
||||||
|
ExtKeyUsage []x509.ExtKeyUsage
|
||||||
|
KeyUsage x509.KeyUsage
|
||||||
|
IsCA bool
|
||||||
|
}
|
||||||
|
|
||||||
|
// CertificateOrganizationalUnit set OrganizationalUnit in certificate subject
|
||||||
|
func CertificateOrganizationalUnit(s ...string) CertificateOption {
|
||||||
|
return func(o *CertificateOptions) {
|
||||||
|
o.OrganizationalUnit = s
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// CertificateOrganization set Organization in certificate subject
|
||||||
|
func CertificateOrganization(s ...string) CertificateOption {
|
||||||
|
return func(o *CertificateOptions) {
|
||||||
|
o.Organization = s
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// CertificateCommonName set CommonName in certificate subject
|
||||||
|
func CertificateCommonName(s string) CertificateOption {
|
||||||
|
return func(o *CertificateOptions) {
|
||||||
|
o.CommonName = s
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// CertificateOCSPServer set OCSPServer in certificate
|
||||||
|
func CertificateOCSPServer(s ...string) CertificateOption {
|
||||||
|
return func(o *CertificateOptions) {
|
||||||
|
o.OCSPServer = s
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// CertificateIssuingCertificateURL set IssuingCertificateURL in certificate
|
||||||
|
func CertificateIssuingCertificateURL(s ...string) CertificateOption {
|
||||||
|
return func(o *CertificateOptions) {
|
||||||
|
o.IssuingCertificateURL = s
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// CertificateSerialNumber set SerialNumber in certificate
|
||||||
|
func CertificateSerialNumber(n *big.Int) CertificateOption {
|
||||||
|
return func(o *CertificateOptions) {
|
||||||
|
o.SerialNumber = n
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// CertificateNotAfter set NotAfter in certificate
|
||||||
|
func CertificateNotAfter(t time.Time) CertificateOption {
|
||||||
|
return func(o *CertificateOptions) {
|
||||||
|
o.NotAfter = t
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// CertificateNotBefore set SerialNumber in certificate
|
||||||
|
func CertificateNotBefore(t time.Time) CertificateOption {
|
||||||
|
return func(o *CertificateOptions) {
|
||||||
|
o.NotBefore = t
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// CertificateExtKeyUsage set ExtKeyUsage in certificate
|
||||||
|
func CertificateExtKeyUsage(x ...x509.ExtKeyUsage) CertificateOption {
|
||||||
|
return func(o *CertificateOptions) {
|
||||||
|
o.ExtKeyUsage = x
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// CertificateSignatureAlgorithm set SignatureAlgorithm in certificate
|
||||||
|
func CertificateSignatureAlgorithm(alg x509.SignatureAlgorithm) CertificateOption {
|
||||||
|
return func(o *CertificateOptions) {
|
||||||
|
o.SignatureAlgorithm = alg
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// CertificatePublicKeyAlgorithm set PublicKeyAlgorithm in certificate
|
||||||
|
func CertificatePublicKeyAlgorithm(alg x509.PublicKeyAlgorithm) CertificateOption {
|
||||||
|
return func(o *CertificateOptions) {
|
||||||
|
o.PublicKeyAlgorithm = alg
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// CertificateKeyUsage set KeyUsage in certificate
|
||||||
|
func CertificateKeyUsage(u x509.KeyUsage) CertificateOption {
|
||||||
|
return func(o *CertificateOptions) {
|
||||||
|
o.KeyUsage = u
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// CertificateIsCA set IsCA in certificate
|
||||||
|
func CertificateIsCA(b bool) CertificateOption {
|
||||||
|
return func(o *CertificateOptions) {
|
||||||
|
o.IsCA = b
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// CertificateOption func signature
|
||||||
|
type CertificateOption func(*CertificateOptions)
|
||||||
|
|
||||||
|
func NewCertificateOptions(opts ...CertificateOption) CertificateOptions {
|
||||||
|
options := CertificateOptions{}
|
||||||
|
for _, o := range opts {
|
||||||
|
o(&options)
|
||||||
|
}
|
||||||
|
if options.SerialNumber == nil {
|
||||||
|
options.SerialNumber = big.NewInt(time.Now().UnixNano())
|
||||||
|
}
|
||||||
|
if options.NotBefore.IsZero() {
|
||||||
|
options.NotBefore = time.Now()
|
||||||
|
}
|
||||||
|
if options.NotAfter.IsZero() {
|
||||||
|
options.NotAfter = time.Now().Add(10 * time.Minute)
|
||||||
|
}
|
||||||
|
if options.SignatureAlgorithm == x509.UnknownSignatureAlgorithm {
|
||||||
|
options.SignatureAlgorithm = x509.PureEd25519
|
||||||
|
}
|
||||||
|
if options.PublicKeyAlgorithm == x509.UnknownPublicKeyAlgorithm {
|
||||||
|
options.PublicKeyAlgorithm = x509.Ed25519
|
||||||
|
}
|
||||||
|
if options.ExtKeyUsage == nil {
|
||||||
|
options.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
|
||||||
|
if options.IsCA {
|
||||||
|
options.ExtKeyUsage = append(options.ExtKeyUsage, x509.ExtKeyUsageOCSPSigning, x509.ExtKeyUsageTimeStamping)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if options.KeyUsage == 0 {
|
||||||
|
options.KeyUsage = x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature
|
||||||
|
if options.IsCA {
|
||||||
|
options.KeyUsage = x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageDataEncipherment | x509.KeyUsageCertSign
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return options
|
||||||
|
}
|
||||||
Reference in New Issue
Block a user
Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
Show more details
Disabled TLS certificate check
InsecureSkipVerify should not be used in production code.
Show more details