{"id":24956834,"url":"https://github.com/andrewstuart/vpki","last_synced_at":"2025-04-10T19:04:47.842Z","repository":{"id":57480258,"uuid":"61974734","full_name":"andrewstuart/vpki","owner":"andrewstuart","description":"A Vault TLS library for more convenient use of the Vault PKI backend","archived":false,"fork":false,"pushed_at":"2021-11-06T21:53:37.000Z","size":113,"stargazers_count":6,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-03-24T16:46:15.115Z","etag":null,"topics":["certificate","golang","https","pki","tls","vault"],"latest_commit_sha":null,"homepage":"https://godoc.org/github.com/andrewstuart/vpki","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/andrewstuart.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-06-26T05:14:25.000Z","updated_at":"2021-11-06T21:53:40.000Z","dependencies_parsed_at":"2022-09-26T19:11:19.720Z","dependency_job_id":null,"html_url":"https://github.com/andrewstuart/vpki","commit_stats":null,"previous_names":["andrewstuart/vtls"],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andrewstuart%2Fvpki","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andrewstuart%2Fvpki/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andrewstuart%2Fvpki/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andrewstuart%2Fvpki/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/andrewstuart","download_url":"https://codeload.github.com/andr
ewstuart/vpki/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248279196,"owners_count":21077406,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["certificate","golang","https","pki","tls","vault"],"created_at":"2025-02-03T06:41:20.049Z","updated_at":"2025-04-10T19:04:47.810Z","avatar_url":"https://github.com/andrewstuart.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Build Status](https://travis-ci.org/andrewstuart/vpki.svg?branch=master)](https://travis-ci.org/andrewstuart/vpki) [![GoDoc](https://godoc.org/astuart.co/vpki?status.svg)](https://godoc.org/astuart.co/vpki)\n\n# vpki\n--\n    import \"astuart.co/vpki\"\n\nPackage vpki provides a layer of abstraction between the golang stdlib crypto\nprimitives and common crypto uses (e.g. serving HTTPS) and the functionality\nprovided by Vault. Internally, the library generates private keys locally and\nsends CSRs to the vault server, so that private keys are never transmitted.\n\n## Usage\n\n```go\nvar (\n\n\t//DefaultTTL is the default TTL the library will request for certificates\n\tDefaultTTL = day\n\t//DefaultStrength is the default strength of RSA keys generated\n\tDefaultStrength = 2048\n)\n```\n\n#### func  ListenAndServeTLS\n\n```go\nfunc ListenAndServeTLS(addr string, handler http.Handler, crt Certifier) error\n```\nListenAndServeTLS mostly mirrors the http.ListenAndServeTLS API, but generates\nthe certificates for the server automatically via vault, with a short TTL. 
The\nfunction only needs an additional Certifier parameter which can generate signed\ncertificates in order to work properly.\n\n#### type Certifier\n\n```go\ntype Certifier interface {\n\tCert(cn string) (*tls.Certificate, error)\n}\n```\n\nCertifier abstracts any object that can provide signed certificates (hopefully\nvalid for their use case). Concrete implementations ought to provide their own\nways to configure TTL, key strength, etc. The default provided implementation is\nvpki.Client.\n\n#### type Client\n\n```go\ntype Client struct {\n\tMount, Role, Addr, Email string\n\tStrength                 int\n\tTTL                      time.Duration\n\tHTTPClient               *http.Client\n}\n```\n\nClient is the abstraction for a vault client, with convenience methods for\nobtaining golang tls.Certificates with minimum risk of key disclosure (keys are\ngenerated locally then CSRs sent to Vault).\n\n#### func (*Client) Cert\n\n```go\nfunc (c *Client) Cert(cn string) (*tls.Certificate, error)\n```\nCert takes a server CommonName and returns a tls.Certificate with a pre-parsed\nLeaf, or an error. The strength and ttl for the CSR are determined by the Client\nfields of the same names.\n\n#### func (*Client) RawCert\n\n```go\nfunc (c *Client) RawCert(cn string) (*RawPair, error)\n```\nRawCert is a very high-level method used to obtain the raw certificate data.\n\n#### func (*Client) RawSignCSR\n\n```go\nfunc (c *Client) RawSignCSR(csr *x509.CertificateRequest, k *rsa.PrivateKey, ttl time.Duration) (*RawPair, error)\n```\nRawSignCSR takes a certificate request template, private key, and ttl, and\nreturns the private/public keypair, unparsed, for any applications which may\nneed to consume the certificates directly in their PEM form. 
The RawPair struct\nis used to help prevent transposition errors by explicitly naming the\npublic/private pairs rather than returning two byte slices.\n\n#### func (*Client) SetToken\n\n```go\nfunc (c *Client) SetToken(t string)\n```\nSetToken sets the Vault token for the Client.\n\n#### func (*Client) SignCSR\n\n```go\nfunc (c *Client) SignCSR(csr *x509.CertificateRequest, k *rsa.PrivateKey, ttl time.Duration) (*tls.Certificate, error)\n```\nSignCSR takes a CertificateRequest template and ttl, and returns a\ntls.Certificate with a pre-parsed leaf, or an error.\n\n#### type RawPair\n\n```go\ntype RawPair struct {\n\tPrivate, Public []byte\n}\n```\n\nRawPair is a simple explicitly-named pair of byte slices returned by the RawPair\nfunction.\n\n#### func  RawCert\n\n```go\nfunc RawCert(c Certifier, cn string) (*RawPair, error)\n```\nRawCert is a more-generic function that can take any certifier and return the\nPEM-encoded bytes for a requested common_name.\n\n#### type SNICertifier\n\n```go\ntype SNICertifier interface {\n\tGetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error)\n}\n```\n\nSNICertifier abstracts the basic GetCertificate method used in TLSOpts, and also\nimplemented by libraries like rsc.io/letsencrypt.\n\n#### type ValidationError\n\n```go\ntype ValidationError struct {\n\tDomain   string\n\tOriginal error\n}\n```\n\n\n#### func (*ValidationError) Error\n\n```go\nfunc (ve *ValidationError) Error() string\n```\n\n#### type VaultError\n\n```go\ntype VaultError struct {\n\tClient Client\n\tOrig   error\n}\n```\n\nVaultError is an error originating from a vault client. 
Errors coming from the\nvpki library should be type checked against this error (use a type switch).\n\n#### func (*VaultError) Error\n\n```go\nfunc (ve *VaultError) Error() string\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fandrewstuart%2Fvpki","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fandrewstuart%2Fvpki","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fandrewstuart%2Fvpki/lists"}