gmtlssupport

package

v0.0.5 Latest Latest Go to latest Published: Sep 22, 2021 License: Apache-2.0 Imports: 13 Imported by: 1

Documentation ¶

Index ¶

func AppendNewCertsToTrustRoots(tlsTrustRoots *ChainTrustRoots, chainId string, certPemBytes []byte) (bool, error)
func GenerateGMTlsServerConfigWithDualCerts(encryptCert *gmtls.Certificate, signKeyBytes, signCertBytes []byte, ...) (*gmtls.Config, bool, error)
func GenerateSignCertificateWithEncryptCertificate(encryptCert *x509.Certificate) (*gmtls.Certificate, error)
func GetCertAndPeerIdWithKeyPair(certPEMBlock []byte, keyPEMBlock []byte) (*gmtls.Certificate, string, error)
func NewTlsClientConfig(certificate gmtls.Certificate, certValidator *CertValidator, dualCert bool) (*gmtls.Config, error)
func NewTlsServerConfigDualCertMode(signCertificate gmtls.Certificate, certificate gmtls.Certificate, ...) (*gmtls.Config, error)
func NewTlsServerConfigSingleCertMode(certificate gmtls.Certificate, certValidator *CertValidator) (*gmtls.Config, error)
type CertValidator
- func NewCertValidator(tlsTrustRoots *ChainTrustRoots, ...) *CertValidator
type ChainTrustRoots
- func BuildTlsTrustRoots(chainTrustRoots map[string][][]byte) (*ChainTrustRoots, error)
- func NewChainTrustRoots() *ChainTrustRoots
type DerivedInfoWithCert

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func AppendNewCertsToTrustRoots ¶

func AppendNewCertsToTrustRoots(tlsTrustRoots *ChainTrustRoots, chainId string, certPemBytes []byte) (bool, error)

AppendNewCertsToTrustRoots will load all cert from cert pem bytes, then append them to chain trust roots.

func GenerateGMTlsServerConfigWithDualCerts ¶

func GenerateGMTlsServerConfigWithDualCerts(encryptCert *gmtls.Certificate, signKeyBytes, signCertBytes []byte, certValidator *CertValidator) (*gmtls.Config, bool, error)

GenerateGMTlsServerConfigWithDualCerts will generate a gm tls config for server on dual certs mode. If sign key or sign cert bytes is empty, random sign cert will be created with the encrypt cert, and second value returned will be true, otherwise be false.

func GenerateSignCertificateWithEncryptCertificate ¶

func GenerateSignCertificateWithEncryptCertificate(encryptCert *x509.Certificate) (*gmtls.Certificate, error)

GenerateSignCertificateWithEncryptCertificate will create a new random sign cert with the encrypt cert given.

func GetCertAndPeerIdWithKeyPair ¶

func GetCertAndPeerIdWithKeyPair(certPEMBlock []byte, keyPEMBlock []byte) (*gmtls.Certificate, string, error)

GetCertAndPeerIdWithKeyPair will create a gmtls cert with gmx509 key pair and load the peer id from cert.

func NewTlsClientConfig ¶

func NewTlsClientConfig(
	certificate gmtls.Certificate,
	certValidator *CertValidator,
	dualCert bool,
) (*gmtls.Config, error)

NewTlsClientConfig create a new gm tls config for client.

func NewTlsServerConfigDualCertMode ¶

func NewTlsServerConfigDualCertMode(
	signCertificate gmtls.Certificate,
	certificate gmtls.Certificate,
	certValidator *CertValidator,
) (*gmtls.Config, error)

NewTlsServerConfigDualCertMode create a new gm tls config for server with dual cert mode.

func NewTlsServerConfigSingleCertMode ¶

func NewTlsServerConfigSingleCertMode(
	certificate gmtls.Certificate,
	certValidator *CertValidator,
) (*gmtls.Config, error)

NewTlsServerConfigSingleCertMode create a new gm tls config for server with single cert mode.

Types ¶

type CertValidator ¶

type CertValidator struct {
	// contains filtered or unexported fields
}

CertValidator wraps a ChainTrustRoots instance and a common.MemberStatusValidator. It provides a function for verifying peer certificate when tls handshaking. In handshaking process, the function will load remote tls certificate and verify it by chain trust roots, also load remote peer id and cert id. All these infos will stored in validator. These infos could be queried with QueryDerivedInfoWithPeerId function. And could be removed with CleanDerivedInfoWithPeerId function.

func NewCertValidator ¶

func NewCertValidator(tlsTrustRoots *ChainTrustRoots, memberStatusValidator *common.MemberStatusValidator) *CertValidator

NewCertValidator create a new CertValidator instance.

func (*CertValidator) CleanDerivedInfoWithPeerId ¶

func (v *CertValidator) CleanDerivedInfoWithPeerId(peerId string)

CleanDerivedInfoWithPeerId remove all infos of peer if exist.

func (*CertValidator) QueryDerivedInfoWithPeerId ¶

func (v *CertValidator) QueryDerivedInfoWithPeerId(peerId string) *DerivedInfoWithCert

QueryDerivedInfoWithPeerId return all infos that loaded with VerifyPeerCertificateFunc and stored in validator.

func (*CertValidator) VerifyPeerCertificateFunc ¶

func (v *CertValidator) VerifyPeerCertificateFunc(dualCert bool) func(rawCerts [][]byte, _ [][]*x509.Certificate) error

VerifyPeerCertificateFunc provides a function for verify peer certificate in tls config. In handshaking process, the function will load remote tls certificate and verify it by chain trust roots, also load remote peer id and cert id. All these infos will stored in validator.

type ChainTrustRoots ¶

type ChainTrustRoots struct {
	// contains filtered or unexported fields
}

ChainTrustRoots keep the trust root cert pools and the trust intermediates cert pools of all chains.

func BuildTlsTrustRoots ¶

func BuildTlsTrustRoots(chainTrustRoots map[string][][]byte) (*ChainTrustRoots, error)

BuildTlsTrustRoots build the cert pool with cert bytes of chain.

func NewChainTrustRoots ¶

func NewChainTrustRoots() *ChainTrustRoots

NewChainTrustRoots create a new ChainTrustRoots instance.

func (*ChainTrustRoots) AddIntermediates ¶

func (ctr *ChainTrustRoots) AddIntermediates(chainId string, intermediates *x509.Certificate)

AddIntermediates add a trust intermediates cert to cert pool.

func (*ChainTrustRoots) AddRoot ¶

func (ctr *ChainTrustRoots) AddRoot(chainId string, root *x509.Certificate)

AddRoot add a trust root cert to cert pool.

func (*ChainTrustRoots) AppendIntermediatesFromPem ¶

func (ctr *ChainTrustRoots) AppendIntermediatesFromPem(chainId string, intermediatesPem []byte) bool

AppendIntermediatesFromPem append trust intermediates certs from pem bytes to cert pool.

func (*ChainTrustRoots) AppendRootsFromPem ¶

func (ctr *ChainTrustRoots) AppendRootsFromPem(chainId string, rootPem []byte) bool

AppendRootsFromPem append trust root certs from pem bytes to cert pool.

func (*ChainTrustRoots) IntermediatesPool ¶

func (ctr *ChainTrustRoots) IntermediatesPool(chainId string) (*x509.CertPool, bool)

IntermediatesPool return the trust intermediates cert pool of the chain which id is the id given.

func (*ChainTrustRoots) RefreshIntermediatesFromPem ¶

func (ctr *ChainTrustRoots) RefreshIntermediatesFromPem(chainId string, intermediatesPem [][]byte) bool

RefreshIntermediatesFromPem reset all trust intermediates certs from pem bytes array to cert pool.

func (*ChainTrustRoots) RefreshRootsFromPem ¶

func (ctr *ChainTrustRoots) RefreshRootsFromPem(chainId string, rootsPem [][]byte) bool

RefreshRootsFromPem reset all trust root certs from pem bytes array to cert pool.

func (*ChainTrustRoots) RootsPool ¶

func (ctr *ChainTrustRoots) RootsPool(chainId string) (*x509.CertPool, bool)

RootsPool return the trust root cert pool of the chain which id is the id given.

func (*ChainTrustRoots) VerifyCert ¶

func (ctr *ChainTrustRoots) VerifyCert(cert *x509.Certificate) ([]string, error)

VerifyCert verify the cert given. If ok, return chain id list.

func (*ChainTrustRoots) VerifyCertOfChain ¶

func (ctr *ChainTrustRoots) VerifyCertOfChain(chainId string, cert *x509.Certificate) bool

VerifyCertOfChain verify the cert given with chainId. If ok, return true.

type DerivedInfoWithCert ¶

type DerivedInfoWithCert struct {
	TlsCertBytes []byte
	ChainIds     []string
	PeerId       string
	CertId       string
}

DerivedInfoWithCert contains infos loaded from tls cert when verifying peer certificate.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL