mtls

package

v1.9.1 Latest Latest Go to latest Published: Jul 12, 2022 License: Apache-2.0 Imports: 11 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/Snowflake-Labs/sansshell

Links

Open Source Insights

Documentation ¶

Overview ¶

Package mtls facilitates Mutual TLS authentication for SansShell.

Index ¶

func LoadClientCredentials(ctx context.Context, loaderName string) (credentials.TransportCredentials, error)
func LoadClientTLS(clientCertFile, clientKeyFile string, CAPool *x509.CertPool) (credentials.TransportCredentials, error)
func LoadRootOfTrust(filename string) (*x509.CertPool, error)
func LoadServerCredentials(ctx context.Context, loaderName string) (credentials.TransportCredentials, error)
func LoadServerTLS(clientCertFile, clientKeyFile string, CAPool *x509.CertPool) (credentials.TransportCredentials, error)
func Loaders() []string
func NewClientCredentials(cert tls.Certificate, CAPool *x509.CertPool) credentials.TransportCredentials
func NewServerCredentials(cert tls.Certificate, CAPool *x509.CertPool) credentials.TransportCredentials
func Register(name string, loader CredentialsLoader) error
type CredentialsLoader
- func Loader(name string) (CredentialsLoader, error)
type WrappedTransportCredentials

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func LoadClientCredentials ¶

func LoadClientCredentials(ctx context.Context, loaderName string) (credentials.TransportCredentials, error)

LoadClientCredentials returns transport credentials for SansShell clients, based on the provided `loaderName`

func LoadClientTLS ¶

func LoadClientTLS(clientCertFile, clientKeyFile string, CAPool *x509.CertPool) (credentials.TransportCredentials, error)

LoadClientTLS reads the certificates and keys from disk at the supplied paths, and assembles them into a set of TransportCredentials for the gRPC client.

func LoadRootOfTrust ¶

func LoadRootOfTrust(filename string) (*x509.CertPool, error)

LoadRootOfTrust will load an CA root of trust(s) from the given file and return a CertPool to use in validating certificates. All CA's to validate against must be presented together in the PEM file.

func LoadServerCredentials ¶

func LoadServerCredentials(ctx context.Context, loaderName string) (credentials.TransportCredentials, error)

LoadServerCredentials returns transport credentials for a SansShell server as retrieved from the specified `loaderName`. This should be the most commonly used method to generate credentials as this will support reloadable credentials as the TransportCredentials returned are a WrappedTransportCredentials which will check at call time if new certificates are available.

func LoadServerTLS ¶

func LoadServerTLS(clientCertFile, clientKeyFile string, CAPool *x509.CertPool) (credentials.TransportCredentials, error)

LoadServerTLS reads the certificates and keys from disk at the supplied paths, and assembles them into a set of TransportCredentials for the gRPC server. NOTE: This doesn't support reloadable credentials.

func Loaders ¶

func Loaders() []string

Loaders returns the names of all currently registered CredentialLoader implementations as a sorted list of strings.

func NewClientCredentials ¶

func NewClientCredentials(cert tls.Certificate, CAPool *x509.CertPool) credentials.TransportCredentials

NewClientCredentials returns transport credentials for SansShell clients.

func NewServerCredentials ¶

func NewServerCredentials(cert tls.Certificate, CAPool *x509.CertPool) credentials.TransportCredentials

NewServerCredentials creates transport credentials for a SansShell server. NOTE: This doesn't support reloadable credentials.

func Register ¶

func Register(name string, loader CredentialsLoader) error

Register associates a name with a mechanism for loading credentials. Implementations of CredentialsLoader will typically call Register during init()

Types ¶

type CredentialsLoader ¶

type CredentialsLoader interface {
	// LoadClientCA returns a CertPool which should be used by a server to
	// validate client certificates.
	// NOTE: The pool returned here will be the only pool used to validate certificates.
	//       Inclusion of system certificates should be done by copying from x509.SystemCertPool(),
	//       with any custom certificates appended.
	LoadClientCA(context.Context) (*x509.CertPool, error)

	// LoadRootCA returns a CertPool which should be used by clients to
	// validate server certificates.
	// NOTE: The pool returned here will be the only pool used to validate certificates.
	//       Inclusion of system certificates should be done by copying from x509.SystemCertPool(),
	//       with any custom certificates appended.
	LoadRootCA(context.Context) (*x509.CertPool, error)

	// LoadClientCertificates returns the certificate that should be presented
	// by the client when connecting to a server.
	LoadClientCertificate(context.Context) (tls.Certificate, error)

	// LoadServerCertificate returns the certificate that should be presented
	// by the server to incoming clients.
	LoadServerCertificate(context.Context) (tls.Certificate, error)

	// CertRefreshed indicates if internally any of the cert data has
	// been refreshed and should be reloaded. This will depend on the
	// implementation to support but allows for dynamic refresh of certificates
	// without a server restart.
	CertsRefreshed() bool
}

A CredentialsLoader loads mTLS credential data.

func Loader ¶

func Loader(name string) (CredentialsLoader, error)

Loader returns the CredentialsLoader associated with `name` or an error if no such implementation is registered.

type WrappedTransportCredentials ¶ added in v1.1.0

type WrappedTransportCredentials struct {
	// contains filtered or unexported fields
}

WrappedTransportCredentials wraps a credentials.TransportCredentials and monitors any access to the underlying credentials are up to date by calling CertsRefreshed before continuing.

func (*WrappedTransportCredentials) ClientHandshake ¶ added in v1.1.0

func (w *WrappedTransportCredentials) ClientHandshake(ctx context.Context, s string, n net.Conn) (net.Conn, credentials.AuthInfo, error)

ClientHandshake -- see credentials.ClientHandshake

func (*WrappedTransportCredentials) Clone ¶ added in v1.1.0

func (w *WrappedTransportCredentials) Clone() credentials.TransportCredentials

Clone -- see credentials.Clone

func (*WrappedTransportCredentials) Info ¶ added in v1.1.0

func (w *WrappedTransportCredentials) Info() credentials.ProtocolInfo

Info -- see credentials.Info

func (*WrappedTransportCredentials) OverrideServerName ¶ added in v1.1.0

func (w *WrappedTransportCredentials) OverrideServerName(s string) error

OverrideServerName -- see credentials.OverrideServerName

func (*WrappedTransportCredentials) ServerHandshake ¶ added in v1.1.0

func (w *WrappedTransportCredentials) ServerHandshake(n net.Conn) (net.Conn, credentials.AuthInfo, error)

ServerHandshake -- see credentials.ServerHandshake

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
flags Package flags provides flag support for loading client/server certs and CA root of trust.	Package flags provides flag support for loading client/server certs and CA root of trust.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL