tlsutil

package
v1.16.4 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 29, 2024 License: MPL-2.0 Imports: 26 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CipherString

func CipherString(ciphers []types.TLSCipherSuite) (string, error)

CipherString performs the inverse operation of types.ParseCiphers

func GenerateCA

func GenerateCA(opts CAOpts) (string, string, error)

GenerateCA generates a new CA for agent TLS (not to be confused with Connect TLS)

func GenerateCert

func GenerateCert(opts CertOpts) (string, string, error)

GenerateCert generates a new certificate for agent TLS (not to be confused with Connect TLS)

func GeneratePrivateKey

func GeneratePrivateKey() (crypto.Signer, string, error)

GeneratePrivateKey generates a new ecdsa private key

func GenerateSerialNumber

func GenerateSerialNumber() (*big.Int, error)

GenerateSerialNumber returns random bigint generated with crypto/rand

func LoadCAs

func LoadCAs(caFile, caPath string) ([]string, error)

func ParseSigner

func ParseSigner(pemValue string) (crypto.Signer, error)

ParseSigner parses a crypto.Signer from a PEM-encoded key. The private key is expected to be the first block in the PEM value.

func Verify

func Verify(caString, certString, dns string) error

Types

type ALPNWrapper

type ALPNWrapper func(dc, nodeName, alpnProto string, conn net.Conn) (net.Conn, error)

ALPNWrapper is a function that is used to wrap a non-TLS connection and returns an appropriate TLS connection or error. This taks a datacenter and node name as argument to configure the desired SNI value and the desired next proto for configuring ALPN.

type CAOpts

type CAOpts struct {
	Signer              crypto.Signer
	Serial              *big.Int
	ClusterID           string
	Days                int
	PermittedDNSDomains []string
	Domain              string
	Name                string
}

type CertOpts

type CertOpts struct {
	Signer      crypto.Signer
	CA          string
	Serial      *big.Int
	Name        string
	Days        int
	DNSNames    []string
	IPAddresses []net.IP
	ExtKeyUsage []x509.ExtKeyUsage
	IsCA        bool
}

type Config

type Config struct {
	// ServerMode indicates whether the configurator is attached to a server
	// or client agent.
	ServerMode bool

	// InternalRPC is used to configure the internal multiplexed RPC protocol.
	InternalRPC ProtocolConfig

	// GRPC is used to configure the external (e.g. xDS) gRPC protocol.
	GRPC ProtocolConfig

	// HTTPS is used to configure the external HTTPS protocol.
	HTTPS ProtocolConfig

	// Node name is the name we use to advertise. Defaults to hostname.
	NodeName string

	// ServerName is used with the TLS certificate to ensure the name we
	// provide matches the certificate
	ServerName string

	// Domain is the Consul TLD being used. Defaults to "consul."
	Domain string

	// EnableAgentTLSForChecks is used to apply the agent's TLS settings in
	// order to configure the HTTP client used for health checks. Enabling
	// this allows HTTP checks to present a client certificate and verify
	// the server using the same TLS configuration as the agent (CA, cert,
	// and key).
	EnableAgentTLSForChecks bool

	// AutoTLS opts the agent into provisioning agent
	// TLS certificates.
	AutoTLS bool
}

Config configures the Configurator.

type Configurator

type Configurator struct {
	// contains filtered or unexported fields
}

Configurator provides tls.Config and net.Dial wrappers to enable TLS for clients and servers, for internal RPC, and external gRPC and HTTPS connections.

Configurator receives an initial TLS configuration from agent configuration, and receives updates from config reloads, auto-encrypt, and auto-config.

func NewConfigurator

func NewConfigurator(config Config, logger hclog.Logger) (*Configurator, error)

NewConfigurator creates a new Configurator and sets the provided configuration.

func (*Configurator) AuthorizeServerConn

func (c *Configurator) AuthorizeServerConn(dc string, conn TLSConn) error

AuthorizeServerConn is used to validate that the connection is being established by a Consul server in the same datacenter.

The identity of the connection is checked by verifying that the certificate presented is signed by the Agent TLS CA, and has a DNSName that matches the local ServerSNI name.

Note this check is only performed if VerifyServerHostname and VerifyIncomingRPC are both enabled, otherwise it does no authorization.

func (*Configurator) AutoConfigTLSSettings

func (c *Configurator) AutoConfigTLSSettings() (*pbconfig.TLS, error)

AutoConfigTLSSettings constructs the pbconfig.TLS that will be returned by servers in the auto-config endpoint.

func (*Configurator) AutoEncryptCert

func (c *Configurator) AutoEncryptCert() *x509.Certificate

AutoEncryptCert returns the TLS certificate received from auto-encrypt.

func (*Configurator) Base

func (c *Configurator) Base() Config

func (*Configurator) Cert

func (c *Configurator) Cert() *tls.Certificate

Cert returns the certificate used for connections on the internal RPC protocol.

This function acquires a read lock because it reads from the config.

func (*Configurator) GRPCManualCAPems

func (c *Configurator) GRPCManualCAPems() []string

GRPCManualCAPems returns the currently loaded CAs for the gRPC in PEM format.

func (*Configurator) GRPCServerUseTLS

func (c *Configurator) GRPCServerUseTLS() bool

GRPCServerUseTLS returns whether there's a TLS certificate configured for (external) gRPC (either manually or by auto-config/auto-encrypt), and use of TLS for gRPC has not been explicitly disabled at auto-encrypt.

This function acquires a read lock because it reads from the config.

func (*Configurator) IncomingALPNRPCConfig

func (c *Configurator) IncomingALPNRPCConfig(alpnProtos []string) *tls.Config

IncomingALPNRPCConfig generates a *tls.Config for incoming RPC connections directly using TLS with ALPN instead of the older byte-prefixed protocol.

func (*Configurator) IncomingGRPCConfig

func (c *Configurator) IncomingGRPCConfig() *tls.Config

IncomingGRPCConfig generates a *tls.Config for incoming external (e.g. xDS) GRPC connections.

This function acquires a read lock because it reads from the config.

func (*Configurator) IncomingHTTPSConfig

func (c *Configurator) IncomingHTTPSConfig() *tls.Config

IncomingHTTPSConfig generates a *tls.Config for incoming HTTPS connections.

func (*Configurator) IncomingInsecureRPCConfig

func (c *Configurator) IncomingInsecureRPCConfig() *tls.Config

IncomingInsecureRPCConfig means that it doesn't verify incoming even thought it might have been configured. This is only supposed to be used by the servers for the insecure RPC server. At the time of writing only the AutoEncrypt.Sign call is supported on that server. And it might be the only usecase ever.

func (*Configurator) IncomingRPCConfig

func (c *Configurator) IncomingRPCConfig() *tls.Config

IncomingRPCConfig generates a *tls.Config for incoming RPC connections.

func (*Configurator) ManualCAPems

func (c *Configurator) ManualCAPems() []string

ManualCAPems returns the currently loaded CAs for the internal RPC protocol in PEM format. It is used in the auto-config/auto-encrypt endpoints.

func (*Configurator) MutualTLSCapable

func (c *Configurator) MutualTLSCapable() bool

MutualTLSCapable returns true if Configurator has a CA and a local TL certificate configured on the internal RPC protocol.

func (*Configurator) OutgoingALPNRPCWrapper

func (c *Configurator) OutgoingALPNRPCWrapper() ALPNWrapper

OutgoingALPNRPCWrapper wraps the result of outgoingALPNRPCConfig in an ALPNWrapper. It configures all of the negotiation plumbing.

func (*Configurator) OutgoingRPCConfig

func (c *Configurator) OutgoingRPCConfig() *tls.Config

OutgoingRPCConfig generates a *tls.Config for outgoing internal RPC connections. If there is a CA or VerifyOutgoing is set, a *tls.Config will be provided, otherwise we assume that no TLS should be used.

func (*Configurator) OutgoingRPCWrapper

func (c *Configurator) OutgoingRPCWrapper() DCWrapper

OutgoingRPCWrapper wraps the result of OutgoingRPCConfig in a DCWrapper. It decides if verify server hostname should be used.

func (*Configurator) OutgoingTLSConfigForCheck

func (c *Configurator) OutgoingTLSConfigForCheck(skipVerify bool, serverName string) *tls.Config

OutgoingTLSConfigForCheck generates a *tls.Config for outgoing TLS connections for checks. This function is separated because there is an extra flag to consider for checks. EnableAgentTLSForChecks and InsecureSkipVerify has to be checked for checks.

func (*Configurator) PeeringServerName

func (c *Configurator) PeeringServerName() string

func (*Configurator) ServerSNI

func (c *Configurator) ServerSNI(dc, nodeName string) string

This function acquires a read lock because it reads from the config.

func (*Configurator) Update

func (c *Configurator) Update(config Config) error

Update updates the internal configuration which is used to generate *tls.Config. This function acquires a write lock because it writes the new config.

func (*Configurator) UpdateAreaPeerDatacenterUseTLS

func (c *Configurator) UpdateAreaPeerDatacenterUseTLS(peerDatacenter string, useTLS bool)

func (*Configurator) UpdateAutoTLS

func (c *Configurator) UpdateAutoTLS(manualCAPems, connectCAPems []string, pub, priv string, verifyServerHostname bool) error

UpdateAutoTLS receives updates from Auto-Config, only expected to be called on client agents.

func (*Configurator) UpdateAutoTLSCA

func (c *Configurator) UpdateAutoTLSCA(connectCAPems []string) error

UpdateAutoTLSCA updates the autoEncrypt.caPems. This is supposed to be called from the server in order to be able to accept TLS connections with TLS certificates. Or it is being called on the client side when CA changes are detected.

func (*Configurator) UpdateAutoTLSCert

func (c *Configurator) UpdateAutoTLSCert(pub, priv string) error

UpdateAutoTLSCert receives the updated automatically-provisioned certificate.

func (*Configurator) UpdateAutoTLSPeeringServerName

func (c *Configurator) UpdateAutoTLSPeeringServerName(name string)

UpdateAutoTLSPeeringServerName receives the updated automatically-provisioned certificate.

func (*Configurator) UseTLS

func (c *Configurator) UseTLS(dc string) bool

UseTLS returns true if the outgoing RPC requests have been explicitly configured to use TLS (via VerifyOutgoing or AutoTLS, and the target DC supports TLS.

func (*Configurator) VerifyIncomingRPC

func (c *Configurator) VerifyIncomingRPC() bool

VerifyIncomingRPC returns true if we should verify incoming connnections to the internal RPC protocol.

func (*Configurator) VerifyServerHostname

func (c *Configurator) VerifyServerHostname() bool

This function acquires a read lock because it reads from the config.

type ConfiguratorIface

type ConfiguratorIface interface {
	Base() Config
	Cert() *tls.Certificate
	ManualCAPems() []string

	VerifyIncomingRPC() bool
	VerifyServerHostname() bool
}

ConfiguratorIface is the interface for the Configurator

type DCWrapper

type DCWrapper func(dc string, conn net.Conn) (net.Conn, error)

DCWrapper is a function that is used to wrap a non-TLS connection and returns an appropriate TLS connection or error. This takes a datacenter as an argument.

type MockConfigurator

type MockConfigurator struct {
	BaseConfig               Config
	TlsCert                  *tls.Certificate
	ManualCAPemsArr          []string
	VerifyIncomingRPCBool    bool
	VerifyServerHostnameBool bool
}

MockConfigurator is used for mocking the ConfiguratorIface in testing

func (MockConfigurator) Base

func (m MockConfigurator) Base() Config

func (MockConfigurator) Cert

func (m MockConfigurator) Cert() *tls.Certificate

func (MockConfigurator) ManualCAPems

func (m MockConfigurator) ManualCAPems() []string

func (MockConfigurator) VerifyIncomingRPC

func (m MockConfigurator) VerifyIncomingRPC() bool

func (MockConfigurator) VerifyServerHostname

func (m MockConfigurator) VerifyServerHostname() bool

type ProtocolConfig

type ProtocolConfig struct {
	// VerifyIncoming is used to verify the authenticity of incoming
	// connections.  This means that TCP requests are forbidden, only
	// allowing for TLS. TLS connections must match a provided certificate
	// authority. This can be used to force client auth.
	VerifyIncoming bool

	// CAFile is a path to a certificate authority file. This is used with
	// VerifyIncoming or VerifyOutgoing to verify the TLS connection.
	CAFile string

	// CAPath is a path to a directory containing certificate authority
	// files. This is used with VerifyIncoming or VerifyOutgoing to verify
	// the TLS connection.
	CAPath string

	// CertFile is used to provide a TLS certificate that is used for
	// serving TLS connections.  Must be provided to serve TLS connections.
	CertFile string

	// KeyFile is used to provide a TLS key that is used for serving TLS
	// connections.  Must be provided to serve TLS connections.
	KeyFile string

	TLSMinVersion types.TLSVersion

	// CipherSuites is the list of TLS cipher suites to use.
	//
	// We don't support the raw 0xNNNN values from
	// https://golang.org/pkg/crypto/tls/#pkg-constants
	// even though they are standardized by IANA because it would increase
	// the likelihood of an operator inadvertently setting an insecure configuration
	CipherSuites []types.TLSCipherSuite

	// VerifyOutgoing is used to verify the authenticity of outgoing
	// connections.  This means that TLS requests are used, and TCP
	// requests are not made. TLS connections must match a provided
	// certificate authority. This is used to verify authenticity of server
	// nodes.
	//
	// Note: this setting doesn't apply to the external gRPC configuration, as Consul
	// makes no outgoing connections using this protocol.
	VerifyOutgoing bool

	// VerifyServerHostname is used to enable hostname verification of
	// servers. This ensures that the certificate presented is valid for
	// server.<datacenter>.<domain>.  This prevents a compromised client
	// from being restarted as a server, and then intercepting request
	// traffic as well as being added as a raft peer. This should be
	// enabled by default with VerifyOutgoing, but for legacy reasons we
	// cannot break existing clients.
	//
	// Note: this setting only applies to the Internal RPC configuration.
	VerifyServerHostname bool

	// UseAutoCert is used to enable usage of auto_encrypt/auto_config generated
	// certificate & key material on external gRPC listener.
	UseAutoCert bool
}

ProtocolConfig contains configuration for a given protocol.

type TLSConn

type TLSConn interface {
	ConnectionState() tls.ConnectionState
}

type Wrapper

type Wrapper func(conn net.Conn) (net.Conn, error)

Wrapper is a variant of DCWrapper, where the DC is provided as a constant value. This is usually done by currying DCWrapper.

func SpecificDC

func SpecificDC(dc string, tlsWrap DCWrapper) Wrapper

SpecificDC is used to invoke a static datacenter and turns a DCWrapper into a Wrapper type.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL