darvaza.org/x/tls
Dynamic TLS certificate management — runtime store, SNI routing, chain bundling.
TLS certificate management utilities extending Go's crypto/tls.

Defines Store, StoreReader, StoreWriter, and StoreX509Writer interfaces that decouple certificate lookup from the storage backend. The Bundler builds verified certificate chains from a set of roots and intermediates, selecting the shortest (or custom-ranked) chain and returning a ready-to-use tls.Certificate. Verify validates a tls.Certificate end-to-end: leaf parsing, validity period, key-pair match, and optional chain verification against roots.
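The following is an added, self-contained illustration of what chain bundling and end-to-end verification involve, written against the standard library only. It is not the darvaza.org/x/tls Bundler or Verify implementation; the function names Bundle, Verify and newCert, and the in-memory root/intermediate/leaf fixtures, are assumptions made for this example. Bundle picks the shortest chain that x509 verification accepts and refuses a private key that does not match the leaf; Verify re-derives the chain from the bundled DER blobs and rejects a leaf outside its validity window.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // monotonically increasing serial for the constructed fixtures

// newCert issues an ECDSA P-256 certificate signed by parent (self-signed when
// parent is nil). Fixture generator for this example, not a CA implementation.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// keyMatches reports whether the private key's public half equals the leaf's.
func keyMatches(leaf *x509.Certificate, key crypto.Signer) bool {
	pub, ok := leaf.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	return ok && pub.Equal(key.Public())
}

// Bundle builds the shortest chain from leaf to one of roots through
// intermediates and returns a tls.Certificate carrying leaf plus intermediates
// (the self-signed root is the peer's trust anchor and is not sent).
func Bundle(leaf *x509.Certificate, key crypto.Signer, roots, intermediates []*x509.Certificate) (tls.Certificate, error) {
	if !keyMatches(leaf, key) {
		return tls.Certificate{}, errors.New("bundle: private key does not match leaf")
	}
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool})
	if err != nil {
		return tls.Certificate{}, fmt.Errorf("bundle: %w", err)
	}
	best := chains[0]
	for _, ch := range chains[1:] {
		if len(ch) < len(best) {
			best = ch
		}
	}
	out := tls.Certificate{PrivateKey: key, Leaf: leaf}
	for _, c := range best[:len(best)-1] { // drop the root
		out.Certificate = append(out.Certificate, c.Raw)
	}
	return out, nil
}

// Verify checks a tls.Certificate end-to-end: parseable leaf, validity window at
// now, key-pair match, and (when roots is non-nil) a chain to a trusted root
// built from the bundled intermediates.
func Verify(cert tls.Certificate, roots *x509.CertPool, now time.Time) error {
	if len(cert.Certificate) == 0 {
		return errors.New("verify: no certificates")
	}
	leaf, err := x509.ParseCertificate(cert.Certificate[0])
	if err != nil {
		return fmt.Errorf("verify: leaf: %w", err)
	}
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return fmt.Errorf("verify: leaf not valid at %s", now.Format(time.RFC3339))
	}
	signer, ok := cert.PrivateKey.(crypto.Signer)
	if !ok || !keyMatches(leaf, signer) {
		return errors.New("verify: key pair mismatch")
	}
	if roots == nil {
		return nil
	}
	inter := x509.NewCertPool()
	for _, der := range cert.Certificate[1:] {
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return fmt.Errorf("verify: intermediate: %w", err)
		}
		inter.AddCert(c)
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, CurrentTime: now})
	return err
}

func main() {
	root, rootKey := newCert("Example Root", true, nil, nil)
	inter, interKey := newCert("Example Intermediate", true, root, rootKey)
	leaf, leafKey := newCert("www.example.test", false, inter, interKey)
	crt, err := Bundle(leaf, leafKey, []*x509.Certificate{root}, []*x509.Certificate{inter})
	fmt.Println("bundled chain length:", len(crt.Certificate), "err:", err)
	pool := x509.NewCertPool()
	pool.AddCert(root)
	fmt.Println("verify now:", Verify(crt, pool, time.Now()))
	fmt.Println("verify in 48h:", Verify(crt, pool, time.Now().Add(48*time.Hour)))
}
```

The order of checks matters in practice: the key-pair test runs before chain building so a store that pairs the wrong key with a valid chain is rejected early, and the validity check uses an explicit time so a test can exercise the expiry path without waiting.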
The sni sub-package parses raw ClientHello packets to extract the server name without a full TLS handshake. A Dispatcher routes incoming connections by SNI to per-host handlers, with graceful shutdown and structured logging.
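As an added example of the technique the sni sub-package applies, the block below walks a raw TLS record holding a ClientHello and pulls out the server_name host without any handshake state. It is not the package's own parser: the functions ServerNameFromClientHello and BuildClientHello are assumptions, and BuildClientHello constructs a minimal TLS 1.2 ClientHello as sample input rather than a captured packet. Every length prefix is bounds-checked so a truncated or malformed record returns an error instead of panicking, which is what a dispatcher sitting in front of untrusted connections needs.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	recordTypeHandshake  = 0x16
	handshakeClientHello = 0x01
	extServerName        = 0x0000
	sniHostName          = 0x00
)

var errTruncated = errors.New("clienthello: truncated or malformed")

// skipVector skips a length-prefixed vector (1- or 2-byte length) with bounds checks.
func skipVector(b []byte, lenBytes int) ([]byte, error) {
	if len(b) < lenBytes {
		return nil, errTruncated
	}
	n := int(b[0])
	if lenBytes == 2 {
		n = int(binary.BigEndian.Uint16(b))
	}
	b = b[lenBytes:]
	if len(b) < n {
		return nil, errTruncated
	}
	return b[n:], nil
}

// parseSNI returns the host_name entry of a server_name extension body.
func parseSNI(data []byte) (string, error) {
	if len(data) < 2 {
		return "", errTruncated
	}
	listLen := int(binary.BigEndian.Uint16(data))
	if data = data[2:]; len(data) < listLen {
		return "", errTruncated
	}
	for list := data[:listLen]; len(list) >= 3; {
		nameType, n := list[0], int(binary.BigEndian.Uint16(list[1:]))
		if list = list[3:]; len(list) < n {
			return "", errTruncated
		}
		if nameType == sniHostName {
			return string(list[:n]), nil
		}
		list = list[n:]
	}
	return "", errors.New("clienthello: server_name without host_name entry")
}

// ServerNameFromClientHello extracts the SNI host name from a raw TLS record
// carrying a ClientHello: record header, handshake header, then the fixed
// ClientHello fields, then the extension list.
func ServerNameFromClientHello(rec []byte) (string, error) {
	if len(rec) < 5 || rec[0] != recordTypeHandshake {
		return "", errors.New("clienthello: not a handshake record")
	}
	recLen := int(binary.BigEndian.Uint16(rec[3:5]))
	if len(rec) < 5+recLen {
		return "", errTruncated
	}
	hs := rec[5 : 5+recLen]
	if len(hs) < 4 || hs[0] != handshakeClientHello {
		return "", errors.New("clienthello: not a ClientHello")
	}
	hsLen := int(hs[1])<<16 | int(hs[2])<<8 | int(hs[3])
	if len(hs) < 4+hsLen {
		return "", errTruncated
	}
	body := hs[4 : 4+hsLen]
	if len(body) < 34 { // client_version(2) + random(32)
		return "", errTruncated
	}
	body = body[34:]
	var err error
	for _, lenBytes := range []int{1, 2, 1} { // session_id, cipher_suites, compression_methods
		if body, err = skipVector(body, lenBytes); err != nil {
			return "", err
		}
	}
	if len(body) < 2 {
		return "", errors.New("clienthello: no extensions")
	}
	extLen := int(binary.BigEndian.Uint16(body))
	if body = body[2:]; len(body) < extLen {
		return "", errTruncated
	}
	for exts := body[:extLen]; len(exts) >= 4; {
		typ, l := binary.BigEndian.Uint16(exts), int(binary.BigEndian.Uint16(exts[2:]))
		if exts = exts[4:]; len(exts) < l {
			return "", errTruncated
		}
		if typ == extServerName {
			return parseSNI(exts[:l])
		}
		exts = exts[l:]
	}
	return "", errors.New("clienthello: no server_name extension")
}

func be16(n int) []byte { return []byte{byte(n >> 8), byte(n)} }

// BuildClientHello constructs a minimal TLS 1.2 ClientHello record with a single
// cipher suite and only the server_name extension (constructed sample input).
func BuildClientHello(host string) []byte {
	name := []byte(host)
	entry := append(append([]byte{sniHostName}, be16(len(name))...), name...)
	sni := append(be16(len(entry)), entry...)
	ext := append(append(be16(extServerName), be16(len(sni))...), sni...)
	body := append([]byte{0x03, 0x03}, make([]byte, 32)...) // version + zeroed random
	body = append(body, 0x00)                               // empty session_id
	body = append(body, 0x00, 0x02, 0xc0, 0x2f)             // one cipher suite
	body = append(body, 0x01, 0x00)                         // null compression
	body = append(append(body, be16(len(ext))...), ext...)
	hs := append([]byte{handshakeClientHello, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body...)
	return append(append([]byte{recordTypeHandshake, 0x03, 0x01}, be16(len(hs))...), hs...)
}

func main() {
	rec := BuildClientHello("example.test")
	fmt.Println(ServerNameFromClientHello(rec))
	fmt.Println(ServerNameFromClientHello(rec[:len(rec)-5])) // truncated: error, no panic
}
```

A dispatcher would call ServerNameFromClientHello on the bytes it has peeked from the accepted connection, then hand the connection (with those bytes replayed) to the handler registered for that host; connections without a parseable server_name should fall through to a default handler or be closed rather than guessed at.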
Three store backends live under store: basic (simple programmatic store), buffer (PEM file/directory decoder that collects keys and certificates), and config (path-based loading helpers for certs, keys, and CA roots).

The x509utils sub-package adds PrivateKey and PublicKey interfaces, PEM read/write, PKCS#1/PKCS#8 key parsing, SPKI hashing (SHA-1/SHA-256), name sanitisation, and wildcard-pattern extraction. Its certpool sub-package provides a thread-safe, BLAKE3-deduplicated certificate pool with name/pattern indexing and system root loading.
See also
- Network helpers — darvaza.org/x/net
- HTTP handler utilities — darvaza.org/x/web