package libp2ptls

import "github.com/libp2p/go-libp2p/p2p/security/tls"

Index

Constants 

const ID = "/tls/1.0.0"

ID is the protocol ID (used when negotiating with multistream)

Functions

func GenerateSignedExtension 

func GenerateSignedExtension(sk ic.PrivKey, pubKey crypto.PublicKey) (pkix.Extension, error)

GenerateSignedExtension uses the provided private key to sign the public key, and returns the signature within a pkix.Extension. This extension is included in a certificate to cryptographically tie it to the libp2p private key.

func PubKeyFromCertChain 

func PubKeyFromCertChain(chain []*x509.Certificate) (ic.PubKey, error)

PubKeyFromCertChain verifies the certificate chain and extract the remote's public key.

Types

type Identity 

type Identity struct {
	// contains filtered or unexported fields
}

Identity is used to secure connections

func NewIdentity 

func NewIdentity(privKey ic.PrivKey, opts ...IdentityOption) (*Identity, error)

NewIdentity creates a new identity

func (*Identity) ConfigForPeer 

func (i *Identity) ConfigForPeer(remote peer.ID) (*tls.Config, <-chan ic.PubKey)

ConfigForPeer creates a new single-use tls.Config that verifies the peer's certificate chain and returns the peer's public key via the channel. If the peer ID is empty, the returned config will accept any peer.

It should be used to create a new tls.Config before securing either an incoming or outgoing connection.

type IdentityConfig 

type IdentityConfig struct {
	CertTemplate *x509.Certificate
	KeyLogWriter io.Writer
}

IdentityConfig is used to configure an Identity

type IdentityOption 

type IdentityOption func(r *IdentityConfig)

IdentityOption transforms an IdentityConfig to apply optional settings.

func WithCertTemplate 

func WithCertTemplate(template *x509.Certificate) IdentityOption

WithCertTemplate specifies the template to use when generating a new certificate.

func WithKeyLogWriter 

func WithKeyLogWriter(w io.Writer) IdentityOption

WithKeyLogWriter optionally specifies a destination for TLS master secrets in NSS key log format that can be used to allow external programs such as Wireshark to decrypt TLS connections. See https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format. Use of KeyLogWriter compromises security and should only be used for debugging.

type Transport 

type Transport struct {
	// contains filtered or unexported fields
}

Transport constructs secure communication sessions for a peer.

func New 

func New(id protocol.ID, key ci.PrivKey, muxers []tptu.StreamMuxer) (*Transport, error)

New creates a TLS encrypted transport

func (*Transport) ID 

func (t *Transport) ID() protocol.ID

func (*Transport) SecureInbound 

func (t *Transport) SecureInbound(ctx context.Context, insecure net.Conn, p peer.ID) (sec.SecureConn, error)

SecureInbound runs the TLS handshake as a server. If p is empty, connections from any peer are accepted.

func (*Transport) SecureOutbound 

func (t *Transport) SecureOutbound(ctx context.Context, insecure net.Conn, p peer.ID) (sec.SecureConn, error)

SecureOutbound runs the TLS handshake as a client. Note that SecureOutbound will not return an error if the server doesn't accept the certificate. This is due to the fact that in TLS 1.3, the client sends its certificate and the ClientFinished in the same flight, and can send application data immediately afterwards. If the handshake fails, the server will close the connection. The client will notice this after 1 RTT when calling Read.

Source Files

conn.go crypto.go extension.go transport.go

Directories

PathSynopsis
p2p/security/tls/cmd
p2p/security/tls/cmd/tlsdiag
Version
v0.42.0 (latest)
Published
Jun 18, 2025
Platform
linux/amd64
Imports
25 packages
Last checked
4 weeks ago

Tools for package owners.