consul/vendor/github.com/hashicorp/go-rootcerts
R.B. Boyer 796de297c8
connect: intermediate CA certs generated with the vault provider lack URI SANs (#6491)
This only affects vault versions >=1.1.1 because the prior code
accidentally relied upon a bug that was fixed in
https://github.com/hashicorp/vault/pull/6505

The existing tests should have caught this, but they were using a
vendored copy of vault version 0.10.3. This fixes the tests by running
an actual copy of vault instead of an in-process copy. This has the
added benefit of changing the dependency on vault to just vault/api.

Also update VaultProvider to use similar SetIntermediate validation code
as the ConsulProvider implementation.
2019-09-23 12:04:40 -05:00
..
.travis.yml Update vendoring from go mod. (#5566) 2019-03-26 17:50:42 -04:00
LICENSE Vendor the go-rootcerts lib for the client tls options 2017-04-14 13:46:19 -07:00
Makefile Vendor the go-rootcerts lib for the client tls options 2017-04-14 13:46:19 -07:00
README.md Vendor the go-rootcerts lib for the client tls options 2017-04-14 13:46:19 -07:00
doc.go Vendor the go-rootcerts lib for the client tls options 2017-04-14 13:46:19 -07:00
go.mod connect: intermediate CA certs generated with the vault provider lack URI SANs (#6491) 2019-09-23 12:04:40 -05:00
go.sum connect: intermediate CA certs generated with the vault provider lack URI SANs (#6491) 2019-09-23 12:04:40 -05:00
rootcerts.go Vendor the go-rootcerts lib for the client tls options 2017-04-14 13:46:19 -07:00
rootcerts_base.go Vendor the go-rootcerts lib for the client tls options 2017-04-14 13:46:19 -07:00
rootcerts_darwin.go Vendor the go-rootcerts lib for the client tls options 2017-04-14 13:46:19 -07:00

README.md

rootcerts

Functions for loading root certificates for TLS connections.


Go's standard library crypto/tls provides a common mechanism for configuring TLS connections in tls.Config. The RootCAs field on this struct is a pool of certificates for the client to use as a trust store when verifying server certificates.

This library contains utility functions for loading certificates destined for that field, as well as one other important thing:

When the RootCAs field is nil, the standard library attempts to load the host's root CA set. This behavior is OS-specific, and the Darwin implementation contains a bug that prevents trusted certificates from the System and Login keychains from being loaded. This library contains Darwin-specific behavior that works around that bug.

Example Usage

Here's a snippet demonstrating how this library is meant to be used:

func httpClient() (*http.Client, error)
	tlsConfig := &tls.Config{}
	err := rootcerts.ConfigureTLS(tlsConfig, &rootcerts.Config{
		CAFile: os.Getenv("MYAPP_CAFILE"),
		CAPath: os.Getenv("MYAPP_CAPATH"),
	})
	if err != nil {
		return nil, err
	}
	c := cleanhttp.DefaultClient()
	t := cleanhttp.DefaultTransport()
	t.TLSClientConfig = tlsConfig
	c.Transport = t
	return c, nil
}