
reflection work so far...

This commit is contained in:
brent saner
2025-01-25 16:11:19 -05:00
parent bf887ce948
commit 1471dc29ed
31 changed files with 2240 additions and 150 deletions

consts.go

@@ -12,6 +12,10 @@ var (
tlsCurveNmToCurve map[string]tls.CurveID
)
const (
dfltStructTag string = "tlsUri"
)
const (
MaxTlsCipher uint16 = tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
MaxCurveId tls.CurveID = tls.X25519 // 29
@@ -20,50 +24,56 @@ const (
DefaultNetType string = "tcp"
)
// TlsUriParam* specifiy URL query parameters to parse a tls:// URI, and are used by TlsUri methods.
const (
// KeyLogEnv specifies the TLS key log file.
// !! ONLY USE THIS FOR DEBUGGING !!
KeyLogEnv string = "SSLKEYLOGFILE"
/*
KeyLogEnvVal specifies the special ParamKeylog value to use the
value of the environment variable as named in KeyLogEnv.
*/
KeyLogEnvVal string = "_env_"
// KeyLogBufVal specifies the special ParamKeylog value to use an in-memory buffer.
KeyLogBufVal string = "_buf_"
)
//go:generate go run ./internal/constmap
/*
TlsUriParam* specifiy URL query parameters to parse a tls:// URI, and are used by TlsUri methods.
NOTE: If these consts' type or "Param*" prefix changes, internal/constmap/consts.go will also need to be changed.
The above go:generate creates (within this main module namespace):
tlsUriParamStrMap (a map of string(<tlsUriParam> const name) => <parameter>)
tlsUriStrParamMap (a map of <parameter> => string(<tlsUriParam> const name))
*/
const (
/*
TlsUriParamCa specifies a path to a CA certificate PEM-encded DER file.
ParamCa specifies a path to a CA certificate PEM-encded DER file.
If not specified, the system's roots/trust anchors are used.
Files specified here will be included *in addition to* any
embedded root anchors found in the ParamCert parameter's
value, if using concatenated cert chains.
It may be specified multiple times in a TLS URI.
*/
TlsUriParamCa string = "pki_ca"
ParamCa tlsUriParam = "pki_ca"
/*
TlsUriParamCert specifies a path to a client certificate PEM-encded DER file.
ParamCert specifies a path to a leaf certificate PEM-encded DER file.
It may (and should/must) include any intermediate certificates necessary for
validation chain on the remote end.
It may include trust anchors, which will be considered *in addition to*
any ParamCa.
It may include a corresponding private key, which will be included for consideration
*in addition to* any ParamKey.
It may be specified multiple times in a TLS URI.
*/
TlsUriParamCert string = "pki_cert"
ParamCert tlsUriParam = "pki_cert"
/*
TlsUriParamKey specifies a path to a private key as a PEM-encded file.
It may be PKCS#1, PKCS#8, or PEM-encoded ASN.1 DER EC key.
Supported private key types are RSA, ED25519, ECDSA, and ECDH.
It may be specified multiple times in a TLS URI.
*/
TlsUriParamKey string = "pki_key"
/*
TlsUriParamNoVerify, if `1`, `yes`, `y`, or `true` indicate
that the TLS connection should not require verification of
the remote end (e.g. hostname matches, trusted chain, etc.).
Any other value for this parameter will be parsed as "False"
(meaning the remote end's certificate SHOULD be verified).
Only the first defined instance is parsed.
*/
TlsUriParamNoVerify string = "no_verify"
/*
TlsUriParamSni indicates that the TLS connection should expect this hostname
instead of the hostname specified in the URI itself.
Only the first defined instance is parsed.
*/
TlsUriParamSni string = "sni"
/*
TlsUriParamCipher specifies one (or more) cipher(s)
ParamCipher specifies one (or more) cipher(s)
to specify for the TLS connection cipher negotiation.
Note that TLS 1.3 has a fixed set of ciphers, and
this list may not be respected by the remote end.
@@ -74,16 +84,82 @@ const (
It may be specified multiple times in a TLS URI.
*/
TlsUriParamCipher string = "cipher"
ParamCipher tlsUriParam = "cipher"
/*
TlsUriParamCurve specifies one (or more) curve(s)
ParamCurve specifies one (or more) curve(s)
to specify for the TLS connection cipher negotiation.
It may be specified multiple times in a TLS URI.
*/
TlsUriParamCurve string = "curve"
ParamCurve tlsUriParam = "curve"
/*
TlsUriParamMinTls defines the minimum version of the
ParamIgnoreMissing, if `1`, `yes`, `y`, or `true` indicates
that missing cert/ca/key files should not return an error if they do not exist.
Only the first defined instance is parsed.
*/
ParamIgnoreMissing tlsUriParam = "ignore_missing"
/*
ParamKey specifies a path to a private key as a PEM-encded file.
It may be PKCS#1, PKCS#8, or PEM-encoded ASN.1 DER EC key.
Supported private key types are RSA, ED25519, and ECDSA.
(Technically ECDH keys are supported, but cannot be paired with certificates
so trying to use them may result in errors or undefined behavior.
Future versions may support this as a parameter for *kex* in a TLS
*connection*, but this is unplanned at the moment.)
It may be specified multiple times in a TLS URI.
*/
ParamKey tlsUriParam = "pki_key"
/*
ParamKeylog is a way to specify the SSLKEYLOGFILE.
This parameter's value can be:
* a filepath; parent directories will attempt to be created if
they do not exist, and the file will be truncated if it exists.
The consumer/downstream is responsible for calling .Close()
on it when done.
* the special string as defined by KeyLogEnvVal to use the filepath
of whatever is set in the environment variable as defined by
KeyLogEnv (which is likely the default variable name).
It is assumed to be a filepath.
The consumer/downstream is responsible for calling .Close()
on it when done.
* the special string as defined by KeyLogBufVal to use an in-memory
buffer instead
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! DO NOT, UNDER ANY CIRCUMSTANCES, ENABLE THIS UNLESS YOU ARE !!
!! ABSOLUTELY SURE WHAT YOU ARE DOING. !!
!! IT SEVERELY COMPROMISES SECURITY !!
!! AND IS ONLY INTENDED FOR DEBUGGING PURPOSES! !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
See https://www.ietf.org/archive/id/draft-thomson-tls-keylogfile-00.html
for details.
The exact type of the returned tls.Config.KeyLogWriter will be:
* an *os.File if a filepath or the KeyLogEnvVal value was specified
* a *bytes.Buffer if the KeyLogBufVal value was specified
Only the first defined instance is parsed.
*/
ParamKeylog tlsUriParam = "debug_keylog"
/*
ParamMaxTls defines the minimum version of the
TLS protocol to use.
See ParamMinTls for syntax of the value.
Only the first defined instance is parsed.
*/
ParamMaxTls tlsUriParam = "max_tls"
/*
ParamMinTls defines the minimum version of the
TLS protocol to use.
It is recommended to use "TLS_1.3".
@@ -101,18 +177,36 @@ const (
Only the first defined instance is parsed.
*/
TlsUriParamMinTls string = "min_tls"
ParamMinTls tlsUriParam = "min_tls"
/*
TlsUriParamMaxTls defines the minimum version of the
TLS protocol to use.
ParamMtlsCa specifies a path to a CA certificate PEM-encoded DER file.
See TlsUriParamMinTls for syntax of the value.
Unlike ParamCa, this is explicitly used to validate clients
(see ParamMtlsMode).
Only the first defined instance is parsed.
If not specified (and ParamMtlsMode is anything *but* `NoClientCert`/`0`),
the same evaluated roots/trust anchors used for ParamCa will be used.
It may be specified multiple times in a TLS URI.
*/
TlsUriParamMaxTls string = "max_tls"
ParamMtlsCa tlsUriParam = "mtls_ca"
/*
TlsUriParamNet is used by TlsUri.ToConn and TlsUri.ToTlsConn to explicitly specify a network.
ParamMtlsMode specifies if TLS client certificate auth should be used or not,
and what mode/type of requirement.
This is only useful if running a server/listener with mTLS auth.
Clients should leave it empty.
Servers/listeners should leave it empty if they do not wish to use
mTLS auth for clients.
The string may either be the name (as per
https://pkg.go.dev/crypto/tls#ClientAuthType)
or an int (normal, hex, etc. string representation) of the constant's value.
See also ParamMtlsCa.
*/
ParamMtlsMode tlsUriParam = "mtls_auth"
/*
ParamNet is used by TlsUri.ToConn and TlsUri.ToTlsConn to explicitly specify a network.
The default is "tcp".
@@ -120,15 +214,33 @@ const (
Only the first defined instance is parsed.
*/
TlsUriParamNet string = "net"
ParamNet tlsUriParam = "net"
/*
ParamNoVerify, if `1`, `yes`, `y`, or `true` indicates
that the TLS connection should not require verification of
the remote end (e.g. hostname matches, trusted chain, etc.).
Any other value for this parameter will be parsed as "False"
(meaning the remote end's certificate SHOULD be verified).
Only the first defined instance is parsed.
*/
ParamNoVerify tlsUriParam = "no_verify"
/*
ParamSni indicates that the TLS connection should expect this hostname
instead of the hostname specified in the URI itself.
Only the first defined instance is parsed.
*/
ParamSni tlsUriParam = "sni"
)
var (
paramBoolValsTrue []string = []string{
"1", "yes", "y", "true",
"true", "yes", "y", "1",
}
paramBoolValsFalse []string = []string{
"0", "no", "n", "false",
"false", "no", "n", "0",
}
validate *validator.Validate = validator.New(validator.WithRequiredStructEnabled())
)
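Review bot: The new ParamMaxTls doc comment in the `@@ -74,16 +84,82 @@` hunk still reads `ParamMaxTls defines the minimum version of the TLS protocol to use.`, carried over from the TlsUriParamMaxTls comment it replaces; it should read `ParamMaxTls defines the maximum version of the TLS protocol to use.` In the `@@ -101,18 +177,36 @@` hunk the ParamMtlsCa comment says that when it is absent the roots evaluated for ParamCa are used, and ParamCa's own comment says that defaults to the system trust anchors, so an mTLS listener with neither parameter set would, if the code matches the comments, accept any client certificate that chains to a publicly trusted CA; I would state that consequence in the ParamMtlsCa comment and recommend setting it explicitly whenever ParamMtlsMode verifies clients. The repeated `PEM-encded` typo in the new ParamCa, ParamCert and ParamKey comments could be fixed in the same pass.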