mtls

package v1.20.1

Warning: this package is not in the latest version of its module.

Published: May 16, 2023 License: Apache-2.0 Imports: 13 Imported by: 0

Documentation

Overview

Package mtls facilitates Mutual TLS authentication for SansShell.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func LoadClientCredentials

func LoadClientCredentials(ctx context.Context, loaderName string) (credentials.TransportCredentials, error)

LoadClientCredentials returns transport credentials for SansShell clients, based on the provided `loaderName`.

func LoadClientTLS

func LoadClientTLS(clientCertFile, clientKeyFile string, CAPool *x509.CertPool) (credentials.TransportCredentials, error)

LoadClientTLS reads the certificates and keys from disk at the supplied paths, and assembles them into a set of TransportCredentials for the gRPC client.

func LoadRootOfTrust

func LoadRootOfTrust(path string) (*x509.CertPool, error)

LoadRootOfTrust loads a CA root of trust from the given file and returns a CertPool to use in validating certificates. All CAs to validate against must be presented together in the PEM file. If the path is a directory, LoadRootOfTrust loads all files in that directory.

func LoadServerCredentials

func LoadServerCredentials(ctx context.Context, loaderName string) (credentials.TransportCredentials, error)

LoadServerCredentials returns transport credentials for a SansShell server, as retrieved from the specified `loaderName`. This should be the most commonly used method to generate credentials, as it supports reloadable credentials: the TransportCredentials returned are a WrappedTransportCredentials, which checks at call time whether new certificates are available.

func LoadServerTLS

func LoadServerTLS(clientCertFile, clientKeyFile string, CAPool *x509.CertPool) (credentials.TransportCredentials, error)

LoadServerTLS reads the certificates and keys from disk at the supplied paths, and assembles them into a set of TransportCredentials for the gRPC server. NOTE: This doesn't support reloadable credentials.

func Loaders

func Loaders() []string

Loaders returns the names of all currently registered CredentialLoader implementations as a sorted list of strings.

func NewClientCredentials

func NewClientCredentials(cert tls.Certificate, CAPool *x509.CertPool) credentials.TransportCredentials

NewClientCredentials returns transport credentials for SansShell clients.

func NewServerCredentials

func NewServerCredentials(cert tls.Certificate, CAPool *x509.CertPool) credentials.TransportCredentials

NewServerCredentials creates transport credentials for a SansShell server. NOTE: This doesn't support reloadable credentials.

func Register

func Register(name string, loader CredentialsLoader) error

Register associates a name with a mechanism for loading credentials. Implementations of CredentialsLoader will typically call Register during init().

Types

type CredentialsLoader

type CredentialsLoader interface {
	// LoadClientCA returns a CertPool which should be used by a server to
	// validate client certificates.
	// NOTE: The pool returned here will be the only pool used to validate certificates.
	//       Inclusion of system certificates should be done by copying from x509.SystemCertPool(),
	//       with any custom certificates appended.
	LoadClientCA(context.Context) (*x509.CertPool, error)

	// LoadRootCA returns a CertPool which should be used by clients to
	// validate server certificates.
	// NOTE: The pool returned here will be the only pool used to validate certificates.
	//       Inclusion of system certificates should be done by copying from x509.SystemCertPool(),
	//       with any custom certificates appended.
	LoadRootCA(context.Context) (*x509.CertPool, error)

	// LoadClientCertificate returns the certificate that should be presented
	// by the client when connecting to a server.
	LoadClientCertificate(context.Context) (tls.Certificate, error)

	// LoadServerCertificate returns the certificate that should be presented
	// by the server to incoming clients.
	LoadServerCertificate(context.Context) (tls.Certificate, error)

	// CertsRefreshed reports whether any of the certificate data has been
	// refreshed internally and should be reloaded. Support depends on the
	// implementation, but it allows dynamic refresh of certificates
	// without a server restart.
	CertsRefreshed() bool
}

A CredentialsLoader loads mTLS credential data.

func Loader

func Loader(name string) (CredentialsLoader, error)

Loader returns the CredentialsLoader associated with `name` or an error if no such implementation is registered.

type WrappedTransportCredentials added in v1.1.0

type WrappedTransportCredentials struct {
	// contains filtered or unexported fields
}

WrappedTransportCredentials wraps a credentials.TransportCredentials and, on each access to the underlying credentials, checks that they are up to date by calling CertsRefreshed before continuing.

func (*WrappedTransportCredentials) ClientHandshake added in v1.1.0

ClientHandshake -- see credentials.ClientHandshake

func (*WrappedTransportCredentials) Clone added in v1.1.0

Clone -- see credentials.Clone

func (*WrappedTransportCredentials) Info added in v1.1.0

Info -- see credentials.Info

func (*WrappedTransportCredentials) OverrideServerName added in v1.1.0

func (w *WrappedTransportCredentials) OverrideServerName(s string) error

OverrideServerName -- see credentials.OverrideServerName

func (*WrappedTransportCredentials) ServerHandshake added in v1.1.0

ServerHandshake -- see credentials.ServerHandshake

Directories

Path	Synopsis
flags	Package flags provides flag support for loading client/server certs and CA root of trust.
