• Code Samples
  ◦ Brief explanation of security concepts

Original Presentation
• Liveblog of the Presentation: https://about.sourcegraph.com/go/gophercon-2019-pki-for-gophers
• Video will be posted in the future (along with all the other talks at GopherCon 2019): https://www.youtube.com/channel/UCx9QVEApa5BKLw9r8cnOFEA/feed
Serving Certificates and Client Certificates
• to load certificate and private key as TLS certificate
  ◦ Pass TLS certificate into TLSConfig when creating server
  ◦ Configure Client to trust server
    ▪ Add certificate into pool
• Client Certificates:
  ◦ Same process
    ▪ Generate certificate
    ▪ Create TLS certificate
    ▪ Pass TLS certificate into client config when creating client
    ▪ Configure server to authenticate clients
      • Also add client CA into pool
Server Name Identification (SNIs)
  ◦ Pass a function with a switch statement for each domain
  ◦ Return the corresponding certificate for each domain
• Go does not support encrypted SNIs
Hardware Keys
• called PrivateKey
  ◦ Use manufacturer libraries to pass the interface into the CreateCertificateRequest method
    ▪ Example: YubiKey
      • pault.ag/go/ykpiv
      • yk.GenerateECWithPolicies
      • Pass into x509.CreateCertificateRequest
      • Or, pass into field PrivateKey when creating tls.Certificate
Certificate Transparency
• a request to CT endpoint
  ◦ https://ct.googleapis.com/pilot
• Use CT Client to make request
  ◦ Client Package
      type LogClient
      func New(uri string, hc *http.Client, opts jsonclient.Options) (*LogClient, error)
      func (c *LogClient) GetEntries(ctx context.Context, start, end int64) ([]ct.LogEntry, error)
      func (c *LogClient) GetSTH(ctx context.Context) (*ct.SignedTreeHead, error)
  ◦ Make new Client → Get STH → Get Entries