tlsconfig

package
v2.4.0
Published: Oct 5, 2024 License: Apache-2.0 Imports: 5 Imported by: 115

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func GetCertificate

func GetCertificate(svid x509svid.Source, opts ...Option) func(*tls.ClientHelloInfo) (*tls.Certificate, error)

GetCertificate returns a GetCertificate callback for tls.Config. It uses the given X509-SVID getter to obtain a server X509-SVID for the TLS handshake.

func GetClientCertificate

func GetClientCertificate(svid x509svid.Source, opts ...Option) func(*tls.CertificateRequestInfo) (*tls.Certificate, error)

GetClientCertificate returns a GetClientCertificate callback for tls.Config. It uses the given X509-SVID getter to obtain a client X509-SVID for the TLS handshake.

func HookMTLSClientConfig

func HookMTLSClientConfig(config *tls.Config, svid x509svid.Source, bundle x509bundle.Source, authorizer Authorizer, opts ...Option)

HookMTLSClientConfig sets up the TLS configuration to present an X509-SVID to the server and verify and authorize the server X509-SVID. If there is an existing callback set for VerifyPeerCertificate it will be wrapped by this package and invoked after SPIFFE authentication has completed.

func HookMTLSServerConfig

func HookMTLSServerConfig(config *tls.Config, svid x509svid.Source, bundle x509bundle.Source, authorizer Authorizer, opts ...Option)

HookMTLSServerConfig sets up the TLS configuration to present an X509-SVID to the client and require, verify, and authorize the client X509-SVID. If there is an existing callback set for VerifyPeerCertificate it will be wrapped by this package and invoked after SPIFFE authentication has completed.

func HookMTLSWebClientConfig

func HookMTLSWebClientConfig(config *tls.Config, svid x509svid.Source, roots *x509.CertPool, opts ...Option)

HookMTLSWebClientConfig sets up the TLS configuration to present an X509-SVID to the server and verifies the server certificate using the provided roots (or the system roots if nil).

func HookMTLSWebServerConfig

func HookMTLSWebServerConfig(config *tls.Config, cert *tls.Certificate, bundle x509bundle.Source, authorizer Authorizer, opts ...Option)

HookMTLSWebServerConfig sets up the TLS configuration to present a web server certificate to the client and require, verify, and authorize client X509-SVIDs. If there is an existing callback set for VerifyPeerCertificate it will be wrapped by this package and invoked after SPIFFE authentication has completed.

func HookTLSClientConfig

func HookTLSClientConfig(config *tls.Config, bundle x509bundle.Source, authorizer Authorizer, opts ...Option)

HookTLSClientConfig sets up the TLS configuration to verify and authorize the server X509-SVID. If there is an existing callback set for VerifyPeerCertificate it will be wrapped by this package and invoked after SPIFFE authentication has completed.

func HookTLSServerConfig

func HookTLSServerConfig(config *tls.Config, svid x509svid.Source, opts ...Option)

HookTLSServerConfig sets up the TLS configuration to present an X509-SVID to the client and to not require or verify client certificates.

func MTLSClientConfig

func MTLSClientConfig(svid x509svid.Source, bundle x509bundle.Source, authorizer Authorizer, opts ...Option) *tls.Config

MTLSClientConfig returns a TLS configuration which presents an X509-SVID to the server and verifies and authorizes the server X509-SVID.

func MTLSServerConfig

func MTLSServerConfig(svid x509svid.Source, bundle x509bundle.Source, authorizer Authorizer, opts ...Option) *tls.Config

MTLSServerConfig returns a TLS configuration which presents an X509-SVID to the client and requires, verifies, and authorizes client X509-SVIDs.

Example (FileSource)
package main

import (
	"log"

	"github.com/spiffe/go-spiffe/v2/bundle/x509bundle"
	"github.com/spiffe/go-spiffe/v2/spiffeid"
	"github.com/spiffe/go-spiffe/v2/spiffetls/tlsconfig"
	"github.com/spiffe/go-spiffe/v2/svid/x509svid"
)

func main() {
	td, err := spiffeid.TrustDomainFromString("example.org")
	if err != nil {
		log.Fatal(err)
	}

	// Load the server's X509-SVID and its private key from PEM files.
	svid, err := x509svid.Load("svid.pem", "key.pem")
	if err != nil {
		log.Fatal(err)
	}

	// Load the trust bundle (root CA certificates) for the trust domain.
	bundle, err := x509bundle.Load(td, "cacert.pem")
	if err != nil {
		log.Fatal(err)
	}

	// Present the SVID and require, verify, and authorize client SVIDs from example.org.
	config := tlsconfig.MTLSServerConfig(svid, bundle, tlsconfig.AuthorizeMemberOf(td))
	_ = config // hand the config to tls.Listen, http.Server.TLSConfig, etc.
}

Example (WorkloadAPISource)
package main

import (
	"context"
	"log"

	"github.com/spiffe/go-spiffe/v2/spiffeid"
	"github.com/spiffe/go-spiffe/v2/spiffetls/tlsconfig"
	"github.com/spiffe/go-spiffe/v2/workloadapi"
)

func main() {
	td, err := spiffeid.TrustDomainFromString("example.org")
	if err != nil {
		log.Fatal(err)
	}

	// Fetch SVIDs and trust bundles from the Workload API; the source keeps
	// them up to date as they are rotated.
	source, err := workloadapi.NewX509Source(context.Background())
	if err != nil {
		log.Fatal(err)
	}
	defer source.Close()

	// The same source serves as both the SVID source and the bundle source.
	config := tlsconfig.MTLSServerConfig(source, source, tlsconfig.AuthorizeMemberOf(td))
	_ = config // hand the config to tls.Listen, http.Server.TLSConfig, etc.
}

func MTLSWebClientConfig

func MTLSWebClientConfig(svid x509svid.Source, roots *x509.CertPool, opts ...Option) *tls.Config

MTLSWebClientConfig returns a TLS configuration which presents an X509-SVID to the server and verifies the server certificate using provided roots (or the system roots if nil).

func MTLSWebServerConfig

func MTLSWebServerConfig(cert *tls.Certificate, bundle x509bundle.Source, authorizer Authorizer, opts ...Option) *tls.Config

MTLSWebServerConfig returns a TLS configuration which presents a web server certificate to the client and requires, verifies, and authorizes client X509-SVIDs.

func TLSClientConfig

func TLSClientConfig(bundle x509bundle.Source, authorizer Authorizer, opts ...Option) *tls.Config

TLSClientConfig returns a TLS configuration which verifies and authorizes the server X509-SVID.

func TLSServerConfig

func TLSServerConfig(svid x509svid.Source, opts ...Option) *tls.Config

TLSServerConfig returns a TLS configuration which presents an X509-SVID to the client and does not require or verify client certificates.

func VerifyPeerCertificate

func VerifyPeerCertificate(bundle x509bundle.Source, authorizer Authorizer, opts ...Option) func([][]byte, [][]*x509.Certificate) error

VerifyPeerCertificate returns a VerifyPeerCertificate callback for tls.Config. It uses the given bundle source and authorizer to verify and authorize X509-SVIDs provided by peers during the TLS handshake.

func WrapVerifyPeerCertificate

func WrapVerifyPeerCertificate(wrapped func([][]byte, [][]*x509.Certificate) error, bundle x509bundle.Source, authorizer Authorizer, opts ...Option) func([][]byte, [][]*x509.Certificate) error

WrapVerifyPeerCertificate wraps a VerifyPeerCertificate callback, performing SPIFFE authentication against the peer certificates using the given bundle and authorizer. The wrapped callback will be passed the verified chains. Note: TLS clients must set `InsecureSkipVerify` when doing SPIFFE authentication to disable hostname verification.

Types

type Authorizer

type Authorizer func(id spiffeid.ID, verifiedChains [][]*x509.Certificate) error

Authorizer authorizes an X509-SVID given the SPIFFE ID and the chain of trust. The certificate chain starts with the X509-SVID certificate back to an X.509 root for the trust domain.
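The following is an added example, not code from go-spiffe, showing how VerifyPeerCertificate, the Note on WrapVerifyPeerCertificate about InsecureSkipVerify, and the Authorizer type fit together. It rebuilds the mechanism with only Go's standard library: the names authorizer, authorizeMemberOf, verifyPeerCertificate, issue and mtlsHandshake are chosen here (a *url.URL stands in for spiffeid.ID, and a *x509.CertPool for an x509bundle.Source), and the CA and SVIDs are constructed test material rather than SPIRE-issued. On the client side InsecureSkipVerify makes crypto/tls skip its own chain and hostname checks; the VerifyPeerCertificate callback then verifies the chain against the bundle, takes the SPIFFE ID from the URI SAN and applies the authorizer, on both ends of a loopback mTLS handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"time"
)

// authorizer mirrors tlsconfig.Authorizer (a *url.URL stands in for spiffeid.ID).
type authorizer func(id *url.URL, verifiedChains [][]*x509.Certificate) error

// authorizeMemberOf is the analogue of tlsconfig.AuthorizeMemberOf.
func authorizeMemberOf(trustDomain string) authorizer {
	return func(id *url.URL, _ [][]*x509.Certificate) error {
		if id.Host != trustDomain {
			return fmt.Errorf("%s is not a member of trust domain %q", id, trustDomain)
		}
		return nil
	}
}

// verifyPeerCertificate is the analogue of tlsconfig.VerifyPeerCertificate: verify
// the chain against the bundle, take the single spiffe:// URI SAN an X509-SVID must
// carry, and hand both to the authorizer. No DNSName is set, so hostnames play no part.
func verifyPeerCertificate(bundle *x509.CertPool, authz authorizer) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("peer presented no certificate")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0]) // go-spiffe also feeds rawCerts[1:] in as intermediates
		if err != nil {
			return err
		}
		chains, err := leaf.Verify(x509.VerifyOptions{Roots: bundle, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
		if err != nil {
			return fmt.Errorf("chain verification failed: %w", err)
		}
		if len(leaf.URIs) != 1 || leaf.URIs[0].Scheme != "spiffe" {
			return fmt.Errorf("leaf must carry exactly one spiffe:// URI SAN")
		}
		return authz(leaf.URIs[0], chains)
	}
}

// issue mints constructed test material (not SPIRE-issued): a self-signed CA when
// parent is empty, otherwise a leaf signed by parent whose URI SAN is name.
func issue(name string, parent tls.Certificate) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	signer, signerKey := parent.Leaf, parent.PrivateKey
	if signer == nil { // no parent: self-signed CA standing in for the trust bundle root
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		signer, signerKey = tmpl, key
	} else { // leaf: the SPIFFE ID lives in the URI SAN, as the X509-SVID profile requires
		id, _ := url.Parse(name)
		tmpl.URIs = []*url.URL{id}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// mtlsHandshake runs a loopback mTLS handshake with tls.Config set up the way
// MTLSServerConfig/MTLSClientConfig set it up; nil means both peers authorized.
func mtlsHandshake(bundle *x509.CertPool, serverSVID, clientSVID tls.Certificate, serverAuthz, clientAuthz authorizer) error {
	serverCfg := &tls.Config{Certificates: []tls.Certificate{serverSVID},
		ClientAuth:            tls.RequireAnyClientCert, // demand a cert; the callback, not crypto/tls, verifies it
		VerifyPeerCertificate: verifyPeerCertificate(bundle, serverAuthz)}
	clientCfg := &tls.Config{Certificates: []tls.Certificate{clientSVID},
		InsecureSkipVerify:    true, // crypto/tls skips its own chain and hostname checks; the callback does the chain check
		VerifyPeerCertificate: verifyPeerCertificate(bundle, clientAuthz)}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	srvDone := make(chan error, 1)
	go func() {
		s, err := ln.Accept()
		if err == nil {
			srv := tls.Server(s, serverCfg)
			if err = srv.Handshake(); err == nil {
				_, err = srv.Write([]byte("ok")) // tells the client it was accepted
			}
			s.Close()
		}
		srvDone <- err
	}()
	c, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	defer c.Close()
	cli := tls.Client(c, clientCfg)
	if err := cli.Handshake(); err != nil {
		return err
	}
	// In TLS 1.3 the client finishes before the server has judged its certificate,
	// so read the "ok" (or the server's alert) to learn the verdict.
	if _, err := cli.Read(make([]byte, 2)); err != nil {
		return err
	}
	return <-srvDone
}

func main() {
	ca := issue("test CA", tls.Certificate{})
	bundle := x509.NewCertPool()
	bundle.AddCert(ca.Leaf)
	server, client := issue("spiffe://example.org/server", ca), issue("spiffe://example.org/client", ca)
	member := authorizeMemberOf("example.org")
	fmt.Println("two example.org workloads:", mtlsHandshake(bundle, server, client, member, member))
	fmt.Println("client from another trust domain:", mtlsHandshake(bundle, server, issue("spiffe://other.org/client", ca), member, member))
}
```

With go-spiffe itself the same handshake is one call per side, tlsconfig.MTLSServerConfig(svid, bundle, tlsconfig.AuthorizeMemberOf(td)) and tlsconfig.MTLSClientConfig(svid, bundle, tlsconfig.AuthorizeMemberOf(td)), which set ClientAuth, InsecureSkipVerify and VerifyPeerCertificate exactly as above. Two checks are worth keeping in mind from the example: a peer whose SVID chains to a CA outside the bundle fails before the authorizer ever runs, and a peer whose SVID is trusted but belongs to the wrong trust domain fails in the authorizer, so both the bundle and the authorizer have to be right for a connection to succeed.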

func AdaptMatcher

func AdaptMatcher(matcher spiffeid.Matcher) Authorizer

AdaptMatcher adapts any spiffeid.Matcher for use as an Authorizer which only authorizes the SPIFFE ID but otherwise ignores the verified chains.

func AuthorizeAny

func AuthorizeAny() Authorizer

AuthorizeAny allows any SPIFFE ID.

func AuthorizeID

func AuthorizeID(allowed spiffeid.ID) Authorizer

AuthorizeID allows a specific SPIFFE ID.

func AuthorizeMemberOf

func AuthorizeMemberOf(allowed spiffeid.TrustDomain) Authorizer

AuthorizeMemberOf allows any SPIFFE ID in the given trust domain.

func AuthorizeOneOf

func AuthorizeOneOf(allowed ...spiffeid.ID) Authorizer

AuthorizeOneOf allows any SPIFFE ID in the given list of IDs.

type GetCertificateInfo

type GetCertificateInfo struct {
}

GetCertificateInfo is an empty placeholder for future expansion.

type GotCertificateInfo

type GotCertificateInfo struct {
	Cert *tls.Certificate
	Err  error
}

GotCertificateInfo provides the error and the TLS certificate returned by a GetCertificate call to Trace.

type Option

type Option interface {
	// contains filtered or unexported methods
}

An Option changes the defaults used by the mTLS ClientConfig functions.

func WithTrace

func WithTrace(trace Trace) Option

WithTrace will use the provided tracing callbacks when the various TLS config functions are invoked.

type Trace

type Trace struct {
	GetCertificate func(GetCertificateInfo) interface{}
	GotCertificate func(GotCertificateInfo, interface{})
}

Trace defines the callbacks that are triggered when functions in tlsconfig are called.
