tls

package

v1.2.5 Latest Latest Go to latest Published: Sep 23, 2024 License: Apache-2.0 Imports: 9 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/edgexr/edge-cloud-platform

Links

Open Source Insights

README ¶

TLS certs can be generated here with certstrap.

Both client and server certs must be signed by the private Certificate Authority mex-ca.crt

Generating CA File: $ certstrap init --common-name mex-ca Enter passphrase (empty for no passphrase): Enter same passphrase again: Created out/mex-ca.key Created out/mex-ca.crt Created out/mex-ca.crl

The CA file can be re-used for every deployment. It is included for every server and client.

Generating Server Certs:

Domain based, can be wildcard or FQDN: $ certstrap request-cert --domain dme.xyz.mobiledgex.net Enter passphrase (empty for no passphrase): Enter same passphrase again:

Created out/dme.xyz.mobiledgex.net.key Created out/dme.xyz.mobiledgex.net.csr

$ certstrap sign --CA mex-ca dme.xyz.mobiledgex.net $ certstrap sign --CA mex-ca dme.xyx.mobiledgex.net

Created out/dme.xyz.mobiledgex.net.crt from out/dme.xyx.mobiledgex.net.csr signed by out/mex-ca.key

The DME can now be run with --tls ./out/dme.xyz.mobiledgex.net.crt

IP address based:

$ certstrap request-cert --ip 127.0.0.1,0.0.0.0 Enter passphrase (empty for no passphrase): Enter same passphrase again: Created out/127.0.0.1.key Created out/127.0.0.1.csr

$ certstrap sign --CA mex-ca 127.0.0.1

The DME can now be run with --tls ./out/127.0.0.1.crt

Server certs must be generated for every IP or domain through which clients will access.

Generating Client Certs:

Client certs can be shared for all clients.

$ certstrap request-cert --domain mex-client

Enter passphrase (empty for no passphrase): Enter same passphrase again:

Created out/mex-client.key Created out/mex-client.csr

$ certstrap sign --CA mex-ca mex-client Created out/mex-client.crt from out/mex-client.csr signed by out/mex-ca.key

Running DME example: dme-server --tls ./out/dme.xyz.mobiledgex.net.crt 2018-08-19T22:09:57.386-0500 INFO dme-server/dme-notify.go:36 notify client to {"addrs": "127.0.0.1:50001"} Loading certfile ./out/dme.xyz.mobiledgex.net.crt cafile out/mex-ca.crt keyfile ./out/dme.xyz.mobiledgex.net.key

Running edgectl client example: $ edgectl --addr dme.xyz.mobiledgex.net:50051 dme RegisterClient --tls ./out/mex-client.crt
using TLS credentials server dme.xyz.mobiledgex.net certfile ./out/mex-client.crt keyFile ./out/mex-client.key status: ME_SUCCESS sessioncookie: "***"

Documentation ¶

Index ¶

Constants
func GetClientCertPool(tlsCertFile string, caCertFile string) (*x509.CertPool, error)
func GetGrpcDialOption(config *tls.Config) grpc.DialOption
func GetLocalTLSConfig() (*tls.Config, error)
func GetLocalTLSData() ([]byte, []byte, error)
func GetTLSClientConfig(tlsMode TLSMode, serverAddr string, ...) (*tls.Config, error)
func GetTLSClientDialOption(tlsMode TLSMode, serverAddr string, ...) (grpc.DialOption, error)
func IsTestTls() bool
func ServerAuthServerCreds(tlsCertFile, tlsKeyFile string) (credentials.TransportCredentials, error)
type TLSMode

Constants ¶

View Source

const LocalTLSCertsDir = "/tmp/edge-cloud-test-certs/out"

LocalTLSCertsDir contains certs generated by gen-test-certs.sh for local testing use.

Variables ¶

This section is empty.

Functions ¶

func GetClientCertPool ¶

func GetClientCertPool(tlsCertFile string, caCertFile string) (*x509.CertPool, error)

GetClientCertPool gets the system cert pool for all the trusted CA certs and then appends the caCertFile. Leave caCertFile blank to use the mex-ca.crt

func GetGrpcDialOption ¶

func GetGrpcDialOption(config *tls.Config) grpc.DialOption

func GetLocalTLSConfig ¶

func GetLocalTLSConfig() (*tls.Config, error)

func GetLocalTLSData ¶

func GetLocalTLSData() ([]byte, []byte, error)

func GetTLSClientConfig ¶

func GetTLSClientConfig(tlsMode TLSMode, serverAddr string, getCertFunc func(*tls.CertificateRequestInfo) (*tls.Certificate, error), tlsCertFile string, caCertFile string, skipVerify bool) (*tls.Config, error)

GetTLSClientConfig builds client side TLS configuration. If the serverAddr is blank, no validation is done on the cert. CaCertFile is specified when communicating to exernal servers with their own privately signed certs. Leave this blank to use the mex-ca.crt. Requires either a tlsCertFile or a getCertFunc if mutualAuth

func GetTLSClientDialOption ¶

func GetTLSClientDialOption(tlsMode TLSMode, serverAddr string, getCertFunc func(*tls.CertificateRequestInfo) (*tls.Certificate, error), tlsCertFile string, skipVerify bool) (grpc.DialOption, error)

GetTLSClientDialOption gets GRPC options needed for TLS connection

func IsTestTls ¶

func IsTestTls() bool

Utility function that checks for E2ETEST_TLS env var

func ServerAuthServerCreds ¶

func ServerAuthServerCreds(tlsCertFile, tlsKeyFile string) (credentials.TransportCredentials, error)

ServerAuthServerCreds gets grpc credentials for the server for server-side authentication.

Types ¶

type TLSMode ¶

type TLSMode int

const (
	NoTLS TLSMode = iota
	ServerAuthTLS
	MutualAuthTLS
)

Source Files ¶

View all Source files

tls.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL