package cryptparse
import (
`crypto`
`crypto/tls`
`crypto/x509`
`encoding/pem`
`encoding/xml`
`net/url`
`github.com/Luzifer/go-dhparam`
)
// tlsUriParam is an unexported type used to define TlsUri parameter names (and thus tags).
// Values of this type are what the tlsUri struct tags on TlsFlat / TlsFlatCert refer to by name
// (e.g. "ParamCa"); the constants themselves are declared elsewhere in the package.
type tlsUriParam string
// tlsUriParams is a collection of tlsUriParam and their value(s).
// A parameter may carry more than one value, hence the []string; a nil map must be
// initialised (make) before writing to it.
type tlsUriParams map[tlsUriParam][]string
// PemBlocks is a combined set of multiple pem.Blocks, as produced by repeatedly calling
// pem.Decode on a file that concatenates several PEM objects (e.g. a CA bundle).
// Each element is a pointer into the decoded block, so callers that retain a PemBlocks
// keep the underlying DER bytes (and, for key blocks, the key material) alive.
type PemBlocks []*pem.Block
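// TlsFlat provides an easy structure to marshal/unmarshal a tls.Config and/or a TlsUri from/to a data structure (JSON, XML, etc.).
//
// Fields tagged tlsUri:"-" are handled directly rather than via reflection; fields carrying a
// tlsUri tag name the TlsUri parameter (e.g. ParamCa) they map to. The validate tags use
// go-playground/validator style rules (omitempty, dive, filepath, required).
type TlsFlat struct {
	XMLName xml.Name `xml:"tlsConfig" json:"-" yaml:"-" toml:"-"`
	// Host is the host name. It may or may not be the same as SniName, and may be an empty string.
	Host string `json:"host,omitempty" toml:"Host,omitempty" yaml:"Host,omitempty" xml:"host,attr,omitempty" tlsUri:"-"` // No reflection is done as it's directly managed.
	// Port is the port number, if specified. Only relevant for listeners/clients and TlsUri.
	Port *uint16 `json:"port,omitempty" toml:"Port,omitempty" yaml:"Port,omitempty" xml:"port,attr,omitempty" tlsUri:"-"` // No reflection is done as it's directly managed.
	// CaFiles contains filepaths to CA certificates/"trust anchors" in PEM format. They may be combined. See ParamCa.
	// These paths define what the peer's certificate is verified against; treat them as security configuration.
	CaFiles []string `json:"ca_files,omitempty" toml:"CaFiles,omitempty" yaml:"CA Files,omitempty" xml:"roots>ca,omitempty" tlsUri:"ParamCa" validate:"omitempty,dive,filepath"`
	// Certs contains 0 or more TlsFlatCert certificate definitions. See ParamCert and ParamKey as well.
	// No tlsUri tag here: the per-certificate parameters are tagged on TlsFlatCert itself.
	Certs []*TlsFlatCert `json:"certs,omitempty" toml:"Certs,omitempty" yaml:"Certificates,omitempty" xml:"certs>cert,omitempty" validate:"omitempty,dive"`
	// CipherSuites represents desired ciphers/cipher suites for this TLS environment. See ParamCipher.
	CipherSuites []string `json:"cipher_suites,omitempty" toml:"CipherSuites,omitempty" yaml:"Cipher Suites,omitempty" xml:"ciphers,omitempty" tlsUri:"ParamCipher" validate:"omitempty,dive"`
	// Curves specifies desired cryptographic curves to be used. See ParamCurve.
	Curves []string `json:"curves,omitempty" toml:"Curves,omitempty" yaml:"Curves,omitempty" xml:"curves>curve,omitempty" tlsUri:"ParamCurve" validate:"omitempty,dive"`
	// IgnoreMissing, if true, specifies that missing files should be ignored instead of throwing an error.
	// NOTE(review): with this set, a mistyped CaFiles/MutualTlsCAs path is silently dropped and the
	// resulting trust set is smaller than configured; how an empty trust set is then treated is
	// decided by the loading code, not here — confirm before relying on it.
	IgnoreMissing bool `json:"ignore_missing,omitempty" toml:"IgnoreMissing,omitempty" yaml:"Ignore Missing,omitempty" xml:"ignoreMissing,attr,omitempty" tlsUri:"ParamIgnoreMissing"`
	// Keylog specifies an SSLKEYLOGFILE.
	//
	// !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
	// !! DO NOT, UNDER ANY CIRCUMSTANCES, ENABLE THIS UNLESS YOU ARE !!
	// !! ABSOLUTELY SURE WHAT YOU ARE DOING.                         !!
	// !! IT SEVERELY COMPROMISES SECURITY                            !!
	// !! AND IS ONLY INTENDED FOR DEBUGGING PURPOSES!                !!
	// !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
	//
	// A key log file holds the session secrets needed to decrypt captured traffic, so anyone who can
	// read it can read the connections. See ParamKeylog for details and special values.
	//
	// Keylog is a single *string, so its validate tag carries only omitempty: the previous "dive" rule
	// is defined for slices/arrays/maps and was a misconfiguration on a scalar field.
	// NOTE(review): no tlsUri tag is present although ParamKeylog is referenced; confirm whether this
	// field is managed directly like Host/Port.
	Keylog *string `json:"keylog,omitempty" toml:"Keylog,omitempty" yaml:"Keylog,omitempty" xml:"keylog,attr,omitempty" validate:"omitempty"`
	// MaxTlsProtocol specifies the maximum TLS version. See ParamMaxTls.
	MaxTlsProtocol *string `json:"max_tls_protocol,omitempty" xml:"maxTlsProtocol,attr,omitempty" yaml:"MaxTlsProtocol,omitempty" toml:"MaxTlsProtocol,omitempty" tlsUri:"ParamMaxTls"`
	// MinTlsProtocol specifies the minimum TLS version. See ParamMinTls.
	// Lowering this below the crypto/tls default widens the set of protocol versions a peer may negotiate.
	MinTlsProtocol *string `json:"min_tls_protocol,omitempty" xml:"minTlsProtocol,attr,omitempty" yaml:"MinTlsProtocol,omitempty" toml:"MinTlsProtocol,omitempty" tlsUri:"ParamMinTls"`
	// MutualTlsCAs specify path(s) to CA certificates/"trust anchors" in PEM format used to verify client certificates. See ParamMtlsCa.
	MutualTlsCAs []string `json:"mtls_ca,omitempty" toml:"mTLSRoots,omitempty" yaml:"MTLS CA Files,omitempty" xml:"mTlsRoots>ca,omitempty" tlsUri:"ParamMtlsCa"`
	// MutualTls specifies mutual TLS and, if enabled, what type/mode/level of required validation. See ParamMtlsMode.
	// Note the json tag has no omitempty, unlike the surrounding fields, so a nil value marshals as null.
	MutualTls *string `json:"mtls_auth" toml:"mTLS,omitempty" yaml:"mTLS Type,omitempty" xml:"mtlsAuth,attr,omitempty" tlsUri:"ParamMtlsMode"`
	// NetMode is the "network type" as found in e.g. net.Dial. See ParamNet for details.
	// NOTE(review): NetMode carries no struct tags, unlike every other field, so it (un)marshals under
	// its Go name and is not mapped to ParamNet through the tlsUri tag. Adding tags would change the
	// wire format for existing serialized data, so confirm intent before doing so.
	NetMode *string
	// SkipVerify, if true, will bypass certificate verification. You generally should not enable this. See ParamNoVerify.
	// With verification disabled the peer's identity is not checked at all, so an on-path attacker can
	// impersonate it; keep this false outside isolated test setups.
	// NOTE(review): no tlsUri tag is present although ParamNoVerify is referenced; confirm whether this
	// field is managed directly like Host/Port.
	SkipVerify bool `json:"skip_verify,omitempty" toml:"SkipVerify,omitempty" yaml:"Skip Verification,omitempty" xml:"skipVerify,attr,omitempty"`
	// SniName represents the expected Server Name Indicator's name. If not nil, Host will be used to connect/listen
	// and this name will be used for certificate validation/verification.
	// See ParamSni.
	SniName *string `json:"sni_name" toml:"SNIName" yaml:"SNI Name" xml:"sniName,attr" tlsUri:"ParamSni" required:"true" validate:"required"`
}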
// TlsFlatCert represents a certificate (and, possibly, paired key).
// It only carries file paths; nothing in this type reads or parses the files.
type TlsFlatCert struct {
	XMLName xml.Name `xml:"cert" json:"-" yaml:"-" toml:"-"`
	// KeyFile is a filepath to a PEM-encoded private key file. See ParamKey.
	// Optional (nil) because a certificate may be listed without its key, e.g. for a chain entry.
	// The file referenced here is secret material; its permissions are the caller's responsibility.
	KeyFile *string `json:"key,omitempty" xml:"key,attr,omitempty" yaml:"Key,omitempty" toml:"Key,omitempty" tlsUri:"ParamKey" validate:"omitempty,filepath"`
	// CertFile is a filepath to a PEM-encoded certificate file. See ParamCert.
	// Required; in XML it is the element's character data rather than an attribute.
	CertFile string `json:"cert" xml:",chardata" yaml:"Certificate" toml:"Certificate" required:"true" tlsUri:"ParamCert" validate:"required,filepath"`
}
// TlsPkiChain contains a whole X.509 PKI chain -- Root CA(s) (trust anchors) which sign Intermediate(s) which sign Certificate(s).
// Each certificate category is kept both as a slice and as an x509.CertPool built from it.
// The classification rules described on the fields are how the author intends certificates to be
// sorted; the code that performs that sorting is not part of this file.
// TODO
type TlsPkiChain struct {
	// Roots are all trust anchors/root certificates.
	// Roots are certificates that are self-signed and can issue certificates/sign CSRs.
	// Everything in Roots is trusted unconditionally, so this set should be as small as the deployment allows.
	Roots []*x509.Certificate
	// RootsPool is an x509.CertPool representation of Roots.
	RootsPool *x509.CertPool
	// Intermediates are signers that should not be trusted directly, but instead included in the verification/validation chain.
	// Intermediates are certificates that are NOT self-signed (they should be signed by at least one Roots/RootsPool)
	// but CAN issue certificates/sign CSRs.
	Intermediates []*x509.Certificate
	// IntermediatesPool is an x509.CertPool representation of Intermediates.
	IntermediatesPool *x509.CertPool
	// Certificates are "leaf certificates"; typically these are the certificates used directly by servers/users.
	// A certificate is considered a Certificate here if it is NOT self-signed and is NOT able to issue certificates/sign CSRs.
	// Unlike the other categories this slice holds tls.Certificate values, i.e. leaf plus private key as used by tls.Config.
	Certificates []*tls.Certificate
	// CertificatesPool is an x509.CertPool representation of Certificates.
	CertificatesPool *x509.CertPool
	// UnmatchedCerts contains Certificates that:
	//   - Do not match any of Roots/RootsPool as its signer, and/or
	//   - Do not match any Intermediates/IntermediatesPool as its signer, and/or
	//   - Does not meet requirements for Roots/RootsPool, and/or
	//   - Does not meet requirements for Intermediates/IntermediatesPool, and/or
	//   - Has no matching crypto.PrivateKey found.
	//
	// These should generally *never* be used if they were parsed in.
	// They represent "stray" certificates that have no logical chain/path found
	// and are likely unusable for purposes of this environment.
	UnmatchedCerts []*x509.Certificate
	// UnmatchedCertsPool is an x509.CertPool representation of UnmatchedCerts.
	// Keeping stray certificates in a pool is for inspection; it must not be handed to a tls.Config as RootCAs/ClientCAs.
	UnmatchedCertsPool *x509.CertPool
	// UnmatchedKeys represent parsed private keys that have no matching corresponding certificate.
	// These should generally *never* be used if they were parsed in.
	// They represent "stray" keys that have no logical chain/path found
	// and are likely unusable for purposes of this environment.
	// They are still private key material held in memory; do not log or serialize them.
	UnmatchedKeys []crypto.PrivateKey
	// DhParams represent any found DH parameters. This will usually be empty.
	// crypto/tls does not consume DH parameters, so these are retained for callers that need them.
	DhParams []*dhparam.DH
}
// TlsUri is the URI form of a TLS configuration (see TlsFlat and the tlsUri struct tags); it embeds
// *url.URL so the parsed URL's fields and methods are promoted onto TlsUri.
//
// A zero-value TlsUri has a nil embedded pointer, so calling promoted *url.URL methods on it
// dereferences nil; populate the URL first. If a TlsUri may carry userinfo, use Redacted() rather
// than String() when writing it to logs so an embedded password is not recorded.
type TlsUri struct {
	*url.URL
}