https://github.com/databus23/go-mtls-keychain
Last synced: 15 days ago
- Host: GitHub
- URL: https://github.com/databus23/go-mtls-keychain
- Owner: databus23
- Created: 2026-06-05T13:04:22.000Z (22 days ago)
- Default Branch: main
- Last Pushed: 2026-06-05T14:05:48.000Z (22 days ago)
- Last Synced: 2026-06-06T14:08:55.927Z (21 days ago)
- Language: Go
- Size: 15.6 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# go-mtls-keychain
A Go library that creates an `*http.Transport` configured with a client certificate from the system certificate store, identified by Common Name. Zero external dependencies.
## Usage
```go
import (
	"log"
	"net/http"

	keychain "github.com/databus23/go-mtls-keychain"
)

func main() {
	// Create a transport using a certificate from the system store, found by Common Name.
	// closeFn releases the store handle; call it once the transport is no longer needed.
	transport, closeFn, err := keychain.Transport("MyCertCommonName")
	if err != nil {
		log.Fatal(err)
	}
	defer closeFn()
	// Use with any http.Client
	client := &http.Client{Transport: transport}
	resp, err := client.Get("https://mtls.example.com/api")
	if err != nil {
		log.Fatal(err)
	}
	defer resp.Body.Close()
}
```
## Platform Support
| Platform | Certificate Store | Status |
|----------|------------------|--------|
| macOS | Keychain (Security framework) | ✅ Supported |
| Windows | Windows Certificate Store (CNG / CryptoAPI) | ✅ Supported |
| Linux | — | ❌ Not supported (no system certificate store) |
## Vendored certstore
This library includes a vendored copy of the [`certstore`](https://github.com/github/smimesign/tree/main/certstore) package from [github/smimesign](https://github.com/github/smimesign) with a fix for RSA-PSS signature support. The `github.com/pkg/errors` dependency has been replaced with stdlib `errors`/`fmt` to keep this library dependency-free.
**Why:** The upstream `certstore` signer does not handle `*rsa.PSSOptions`, so it cannot produce the RSA-PSS signatures that TLS 1.3 requires for RSA keys in the `CertificateVerify` message (TLS 1.2 still permits PKCS#1 v1.5). Without this fix, using an RSA system certificate for mTLS against a TLS 1.3 server fails right after the handshake: the server rejects the client's signature and sends a `decrypt_error` alert, which Go reports as `tls: error decrypting message`.
**Upstream PR:** https://github.com/github/smimesign/pull/173
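The failure can be reproduced without any certificate store by standing in a `crypto.Signer` for the store-backed key. The following is an added example, not code from go-mtls-keychain or smimesign: `pkcs1OnlySigner` and `pssAwareSigner` are hypothetical stand-ins for the unfixed and fixed signer behaviour, the self-signed client certificate (with the constructed Common Name `MyCertCommonName`) is generated in memory, and the server is a TLS 1.3-only `httptest` server that requires and verifies a client certificate.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// pkcs1OnlySigner is a hypothetical stand-in for a store-backed signer that
// ignores the *rsa.PSSOptions crypto/tls passes for TLS 1.3 and always emits
// a PKCS#1 v1.5 signature. (Not the library's code.)
type pkcs1OnlySigner struct{ key *rsa.PrivateKey }

func (s pkcs1OnlySigner) Public() crypto.PublicKey { return &s.key.PublicKey }

func (s pkcs1OnlySigner) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	return rsa.SignPKCS1v15(r, s.key, opts.HashFunc(), digest)
}

// pssAwareSigner dispatches on the options type: PSS when crypto/tls asks for
// it, PKCS#1 v1.5 otherwise. This is the shape a fixed signer must have.
type pssAwareSigner struct{ key *rsa.PrivateKey }

func (s pssAwareSigner) Public() crypto.PublicKey { return &s.key.PublicKey }

func (s pssAwareSigner) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	if pss, ok := opts.(*rsa.PSSOptions); ok {
		return rsa.SignPSS(r, s.key, pss.Hash, digest, pss)
	}
	return rsa.SignPKCS1v15(r, s.key, opts.HashFunc(), digest)
}

// newClientCert builds a throwaway self-signed RSA client certificate (constructed test data).
func newClientCert() (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "MyCertCommonName"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return key, leaf, err
}

// mtlsRoundTrip starts a TLS 1.3-only server that requires the client
// certificate, then performs one GET using signer for the client's private key.
func mtlsRoundTrip(signer crypto.Signer, leaf *x509.Certificate) (int, error) {
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		MinVersion: tls.VersionTLS13,
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  pool,
	}
	srv.StartTLS()
	defer srv.Close()

	client := srv.Client() // already trusts the test server's certificate
	tr := client.Transport.(*http.Transport)
	tr.TLSClientConfig.Certificates = []tls.Certificate{{
		Certificate: [][]byte{leaf.Raw},
		PrivateKey:  signer, // crypto/tls will call Sign with *rsa.PSSOptions for TLS 1.3
		Leaf:        leaf,
	}}
	resp, err := client.Get(srv.URL)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	io.Copy(io.Discard, resp.Body)
	return resp.StatusCode, nil
}

func main() {
	key, leaf, err := newClientCert()
	if err != nil {
		panic(err)
	}
	_, err = mtlsRoundTrip(pkcs1OnlySigner{key}, leaf)
	fmt.Println("PKCS#1 v1.5-only signer:", err)
	status, err := mtlsRoundTrip(pssAwareSigner{key}, leaf)
	fmt.Println("PSS-aware signer:", status, err)
}
```

With the PKCS#1 v1.5-only signer the server rejects the `CertificateVerify` signature and the client sees a failed request (typically `remote error: tls: error decrypting message`, with `tls: invalid signature by the client certificate` in the server log); the PSS-aware signer completes the handshake and gets a 200. Any signer backed by a system store has to make the same type switch on `opts`.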
**When this can be removed:** Once the upstream PR is merged and a new release of `github.com/github/smimesign` is published, the vendored `internal/certstore` package can be replaced with a direct import of the upstream package. At that point the only changes needed are:
1. Replace the `internal/certstore` import with `github.com/github/smimesign/certstore`
2. Remove the `internal/certstore/` directory
3. Add the upstream module to `go.mod`
## License
The vendored `internal/certstore` code is from [github/smimesign](https://github.com/github/smimesign) and is subject to its [MIT license](internal/certstore/LICENSE.md).