tlsconfig

package
v2.2.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 29, 2024 License: Apache-2.0 Imports: 5 Imported by: 5

Documentation

Index

Examples

Constants

This section is empty.

Variables

This section is empty.

Functions

func GetCertificate 

func GetCertificate(svid x509svid.Source, opts ...Option) func(*tls.ClientHelloInfo) (*tls.Certificate, error)

GetCertificate returns a GetCertificate callback for tls.Config. It uses the given X509-SVID getter to obtain a server X509-SVID for the TLS handshake.

func GetClientCertificate 

func GetClientCertificate(svid x509svid.Source, opts ...Option) func(*tls.CertificateRequestInfo) (*tls.Certificate, error)

GetClientCertificate returns a GetClientCertificate callback for tls.Config. It uses the given X509-SVID getter to obtain a client X509-SVID for the TLS handshake.

func HookMTLSClientConfig 

func HookMTLSClientConfig(config *tls.Config, svid x509svid.Source, bundle x509bundle.Source, authorizer Authorizer, opts ...Option)

HookMTLSClientConfig sets up the TLS configuration to present an X509-SVID to the server and verify and authorize the server X509-SVID. If there is an existing callback set for VerifyPeerCertificate it will be wrapped by this package and invoked after SPIFFE authentication has completed.

func HookMTLSServerConfig 

func HookMTLSServerConfig(config *tls.Config, svid x509svid.Source, bundle x509bundle.Source, authorizer Authorizer, opts ...Option)

HookMTLSServerConfig sets up the TLS configuration to present an X509-SVID to the client and require, verify, and authorize the client X509-SVID. If there is an existing callback set for VerifyPeerCertificate it will be wrapped by this package and invoked after SPIFFE authentication has completed.

func HookMTLSWebClientConfig 

func HookMTLSWebClientConfig(config *tls.Config, svid x509svid.Source, roots *x509.CertPool, opts ...Option)

HookMTLSWebClientConfig sets up the TLS configuration to present an X509-SVID to the server and verifies the server certificate using the provided roots (or the system roots if nil).

func HookMTLSWebServerConfig 

func HookMTLSWebServerConfig(config *tls.Config, cert *tls.Certificate, bundle x509bundle.Source, authorizer Authorizer, opts ...Option)

HookMTLSWebServerConfig sets up the TLS configuration to presents a web server certificate to the client and require, verify, and authorize client X509-SVIDs. If there is an existing callback set for VerifyPeerCertificate it will be wrapped by this package and invoked after SPIFFE authentication has completed.

func HookTLSClientConfig 

func HookTLSClientConfig(config *tls.Config, bundle x509bundle.Source, authorizer Authorizer, opts ...Option)

HookTLSClientConfig sets up the TLS configuration to verify and authorize the server X509-SVID. If there is an existing callback set for VerifyPeerCertificate it will be wrapped by this package and invoked after SPIFFE authentication has completed.

func HookTLSServerConfig 

func HookTLSServerConfig(config *tls.Config, svid x509svid.Source, opts ...Option)

HookTLSServerConfig sets up the TLS configuration to present an X509-SVID to the client and to not require or verify client certificates.

func MTLSClientConfig 

func MTLSClientConfig(svid x509svid.Source, bundle x509bundle.Source, authorizer Authorizer, opts ...Option) *tls.Config

MTLSClientConfig returns a TLS configuration which presents an X509-SVID to the server and verifies and authorizes the server X509-SVID.

func MTLSServerConfig 

func MTLSServerConfig(svid x509svid.Source, bundle x509bundle.Source, authorizer Authorizer, opts ...Option) *tls.Config

MTLSServerConfig returns a TLS configuration which presents an X509-SVID to the client and requires, verifies, and authorizes client X509-SVIDs.

Example (FileSource) 
package main

import (
	"github.com/accuknox/go-spiffe/v2/bundle/x509bundle"
	"github.com/accuknox/go-spiffe/v2/spiffeid"
	"github.com/accuknox/go-spiffe/v2/spiffetls/tlsconfig"
	"github.com/accuknox/go-spiffe/v2/svid/x509svid"
)

func main() {
	td, err := spiffeid.TrustDomainFromString("example.org")
	if err != nil {
		// TODO: error handling
	}

	svid, err := x509svid.Load("svid.pem", "key.pem")
	if err != nil {
		// TODO: handle error
	}

	bundle, err := x509bundle.Load(td, "cacert.pem")
	if err != nil {
		// TODO: handle error
	}

	config := tlsconfig.MTLSServerConfig(svid, bundle, tlsconfig.AuthorizeMemberOf(td))
	// TODO: use the config
	config = config
}

Output:
Example (WorkloadAPISource) 
package main

import (
	"context"

	"github.com/accuknox/go-spiffe/v2/spiffeid"
	"github.com/accuknox/go-spiffe/v2/spiffetls/tlsconfig"
	"github.com/accuknox/go-spiffe/v2/workloadapi"
)

func main() {
	td, err := spiffeid.TrustDomainFromString("example.org")
	if err != nil {
		// TODO: error handling
	}

	source, err := workloadapi.NewX509Source(context.Background(), nil)
	if err != nil {
		// TODO: handle error
	}
	defer source.Close()

	config := tlsconfig.MTLSServerConfig(source, source, tlsconfig.AuthorizeMemberOf(td))
	// TODO: use the config
	config = config
}

Output:

func MTLSWebClientConfig 

func MTLSWebClientConfig(svid x509svid.Source, roots *x509.CertPool, opts ...Option) *tls.Config

MTLSWebClientConfig returns a TLS configuration which presents an X509-SVID to the server and verifies the server certificate using provided roots (or the system roots if nil).

func MTLSWebServerConfig 

func MTLSWebServerConfig(cert *tls.Certificate, bundle x509bundle.Source, authorizer Authorizer, opts ...Option) *tls.Config

MTLSWebServerConfig returns a TLS configuration which presents a web server certificate to the client and requires, verifies, and authorizes client X509-SVIDs.

func TLSClientConfig 

func TLSClientConfig(bundle x509bundle.Source, authorizer Authorizer, opts ...Option) *tls.Config

TLSClientConfig returns a TLS configuration which verifies and authorizes the server X509-SVID.

func TLSServerConfig 

func TLSServerConfig(svid x509svid.Source, opts ...Option) *tls.Config

TLSServerConfig returns a TLS configuration which presents an X509-SVID to the client and does not require or verify client certificates.

func VerifyPeerCertificate 

func VerifyPeerCertificate(bundle x509bundle.Source, authorizer Authorizer, opts ...Option) func([][]byte, [][]*x509.Certificate) error

VerifyPeerCertificate returns a VerifyPeerCertificate callback for tls.Config. It uses the given bundle source and authorizer to verify and authorize X509-SVIDs provided by peers during the TLS handshake.

func WrapVerifyPeerCertificate 

func WrapVerifyPeerCertificate(wrapped func([][]byte, [][]*x509.Certificate) error, bundle x509bundle.Source, authorizer Authorizer, opts ...Option) func([][]byte, [][]*x509.Certificate) error

WrapVerifyPeerCertificate wraps a VerifyPeerCertificate callback, performing SPIFFE authentication against the peer certificates using the given bundle and authorizer. The wrapped callback will be passed the verified chains. Note: TLS clients must set `InsecureSkipVerify` when doing SPIFFE authentication to disable hostname verification.

Types

type Authorizer 

type Authorizer func(id spiffeid.ID, verifiedChains [][]*x509.Certificate) error

Authorizer authorizes an X509-SVID given the SPIFFE ID and the chain of trust. The certificate chain starts with the X509-SVID certificate back to an X.509 root for the trust domain.

func AdaptMatcher 

func AdaptMatcher(matcher spiffeid.Matcher) Authorizer

AdaptMatcher adapts any spiffeid.Matcher for use as an Authorizer which only authorizes the SPIFFE ID but otherwise ignores the verified chains.

func AuthorizeAny 

func AuthorizeAny() Authorizer

AuthorizeAny allows any SPIFFE ID.

func AuthorizeID 

func AuthorizeID(allowed spiffeid.ID) Authorizer

AuthorizeID allows a specific SPIFFE ID.

func AuthorizeMemberOf 

func AuthorizeMemberOf(allowed spiffeid.TrustDomain) Authorizer

AuthorizeMemberOf allows any SPIFFE ID in the given trust domain.

func AuthorizeOneOf 

func AuthorizeOneOf(allowed ...spiffeid.ID) Authorizer

AuthorizeOneOf allows any SPIFFE ID in the given list of IDs.

type GetCertificateInfo 

type GetCertificateInfo struct {
}

GetCertificateInfo is an empty placeholder for future expansion

type GotCertificateInfo 

type GotCertificateInfo struct {
	Cert *tls.Certificate
	Err  error
}

GotCertificateInfo provides err and TLS certificate info to Trace

type Option 

type Option interface {
	// contains filtered or unexported methods
}

A Option changes the defaults used to by mTLS ClientConfig functions.

func WithTrace 

func WithTrace(trace Trace) Option

WithTrace will use the provided tracing callbacks when various TLS config functions gets invoked.

type Trace 

type Trace struct {
	GetCertificate func(GetCertificateInfo) interface{}
	GotCertificate func(GotCertificateInfo, interface{})
}

Trace is the interface to define what functions are triggered when functions in tlsconfig are called

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.