Documentation ¶
Index ¶
- func GetCertificate(svid x509svid.Source, opts ...Option) func(*tls.ClientHelloInfo) (*tls.Certificate, error)
- func GetClientCertificate(svid x509svid.Source, opts ...Option) func(*tls.CertificateRequestInfo) (*tls.Certificate, error)
- func HookMTLSClientConfig(config *tls.Config, svid x509svid.Source, bundle x509bundle.Source, ...)
- func HookMTLSServerConfig(config *tls.Config, svid x509svid.Source, bundle x509bundle.Source, ...)
- func HookMTLSWebClientConfig(config *tls.Config, svid x509svid.Source, roots *x509.CertPool, opts ...Option)
- func HookMTLSWebServerConfig(config *tls.Config, cert *tls.Certificate, bundle x509bundle.Source, ...)
- func HookTLSClientConfig(config *tls.Config, bundle x509bundle.Source, authorizer Authorizer, ...)
- func HookTLSServerConfig(config *tls.Config, svid x509svid.Source, opts ...Option)
- func MTLSClientConfig(svid x509svid.Source, bundle x509bundle.Source, authorizer Authorizer, ...) *tls.Config
- func MTLSServerConfig(svid x509svid.Source, bundle x509bundle.Source, authorizer Authorizer, ...) *tls.Config
- func MTLSWebClientConfig(svid x509svid.Source, roots *x509.CertPool, opts ...Option) *tls.Config
- func MTLSWebServerConfig(cert *tls.Certificate, bundle x509bundle.Source, authorizer Authorizer, ...) *tls.Config
- func TLSClientConfig(bundle x509bundle.Source, authorizer Authorizer, opts ...Option) *tls.Config
- func TLSServerConfig(svid x509svid.Source, opts ...Option) *tls.Config
- func VerifyPeerCertificate(bundle x509bundle.Source, authorizer Authorizer, opts ...Option) func([][]byte, [][]*x509.Certificate) error
- func WrapVerifyPeerCertificate(wrapped func([][]byte, [][]*x509.Certificate) error, bundle x509bundle.Source, ...) func([][]byte, [][]*x509.Certificate) error
- type Authorizer
- type GotCertificateInfo
- type Option
- type Trace
Examples ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func GetCertificate ¶
func GetCertificate(svid x509svid.Source, opts ...Option) func(*tls.ClientHelloInfo) (*tls.Certificate, error)
GetCertificate returns a GetCertificate callback for tls.Config. It uses the given X509-SVID getter to obtain a server X509-SVID for the TLS handshake.
func GetClientCertificate ¶
func GetClientCertificate(svid x509svid.Source, opts ...Option) func(*tls.CertificateRequestInfo) (*tls.Certificate, error)
GetClientCertificate returns a GetClientCertificate callback for tls.Config. It uses the given X509-SVID getter to obtain a client X509-SVID for the TLS handshake.
func HookMTLSClientConfig ¶
func HookMTLSClientConfig(config *tls.Config, svid x509svid.Source, bundle x509bundle.Source, authorizer Authorizer, opts ...Option)
HookMTLSClientConfig sets up the TLS configuration to present an X509-SVID to the server and to verify and authorize the server X509-SVID. If there is an existing callback set for VerifyPeerCertificate, it will be wrapped by this package and invoked after SPIFFE authentication has completed.
func HookMTLSServerConfig ¶
func HookMTLSServerConfig(config *tls.Config, svid x509svid.Source, bundle x509bundle.Source, authorizer Authorizer, opts ...Option)
HookMTLSServerConfig sets up the TLS configuration to present an X509-SVID to the client and to require, verify, and authorize the client X509-SVID. If there is an existing callback set for VerifyPeerCertificate, it will be wrapped by this package and invoked after SPIFFE authentication has completed.
func HookMTLSWebClientConfig ¶
func HookMTLSWebClientConfig(config *tls.Config, svid x509svid.Source, roots *x509.CertPool, opts ...Option)
HookMTLSWebClientConfig sets up the TLS configuration to present an X509-SVID to the server and verifies the server certificate using the provided roots (or the system roots if nil).
func HookMTLSWebServerConfig ¶
func HookMTLSWebServerConfig(config *tls.Config, cert *tls.Certificate, bundle x509bundle.Source, authorizer Authorizer, opts ...Option)
HookMTLSWebServerConfig sets up the TLS configuration to present a web server certificate to the client and to require, verify, and authorize client X509-SVIDs. If there is an existing callback set for VerifyPeerCertificate, it will be wrapped by this package and invoked after SPIFFE authentication has completed.
func HookTLSClientConfig ¶
func HookTLSClientConfig(config *tls.Config, bundle x509bundle.Source, authorizer Authorizer, opts ...Option)
HookTLSClientConfig sets up the TLS configuration to verify and authorize the server X509-SVID. If there is an existing callback set for VerifyPeerCertificate, it will be wrapped by this package and invoked after SPIFFE authentication has completed.
func HookTLSServerConfig ¶
HookTLSServerConfig sets up the TLS configuration to present an X509-SVID to the client and to not require or verify client certificates.
func MTLSClientConfig ¶
func MTLSClientConfig(svid x509svid.Source, bundle x509bundle.Source, authorizer Authorizer, opts ...Option) *tls.Config
MTLSClientConfig returns a TLS configuration which presents an X509-SVID to the server and verifies and authorizes the server X509-SVID.
func MTLSServerConfig ¶
func MTLSServerConfig(svid x509svid.Source, bundle x509bundle.Source, authorizer Authorizer, opts ...Option) *tls.Config
MTLSServerConfig returns a TLS configuration which presents an X509-SVID to the client and requires, verifies, and authorizes client X509-SVIDs.
Example (FileSource) ¶
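package main

import (
	"log"

	"github.com/spiffe/go-spiffe/v2/bundle/x509bundle"
	"github.com/spiffe/go-spiffe/v2/spiffeid"
	"github.com/spiffe/go-spiffe/v2/spiffetls/tlsconfig"
	"github.com/spiffe/go-spiffe/v2/svid/x509svid"
)

// main builds an mTLS server configuration from an X509-SVID and a trust
// bundle loaded from files on disk.
//
// Each load error is reported and the function returns before a config is
// built: continuing with a nil SVID or bundle would yield a configuration
// that can neither present nor verify SPIFFE identities. Errors are written
// to the log (stderr), so the example's stdout stays empty.
func main() {
	td, err := spiffeid.TrustDomainFromString("example.org")
	if err != nil {
		log.Printf("parsing trust domain: %v", err)
		return
	}

	// The SVID is the identity this server presents to its clients.
	svid, err := x509svid.Load("svid.pem", "key.pem")
	if err != nil {
		log.Printf("loading X509-SVID: %v", err)
		return
	}

	// The bundle supplies the roots used to verify client X509-SVIDs.
	bundle, err := x509bundle.Load(td, "cacert.pem")
	if err != nil {
		log.Printf("loading trust bundle: %v", err)
		return
	}

	// Only clients whose SPIFFE ID belongs to td are authorized.
	config := tlsconfig.MTLSServerConfig(svid, bundle, tlsconfig.AuthorizeMemberOf(td))

	// TODO: use the config
	_ = config
}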
Output:
Example (WorkloadAPISource) ¶
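package main

import (
	"context"
	"log"

	"github.com/spiffe/go-spiffe/v2/spiffeid"
	"github.com/spiffe/go-spiffe/v2/spiffetls/tlsconfig"
	"github.com/spiffe/go-spiffe/v2/workloadapi"
)

// main builds an mTLS server configuration from an X509Source backed by the
// Workload API; the same source supplies both the SVID and the trust bundle.
//
// Each error is reported and the function returns before a config is built:
// continuing with a nil source would yield a configuration that can neither
// present nor verify SPIFFE identities. Errors are written to the log
// (stderr), so the example's stdout stays empty.
func main() {
	td, err := spiffeid.TrustDomainFromString("example.org")
	if err != nil {
		log.Printf("parsing trust domain: %v", err)
		return
	}

	source, err := workloadapi.NewX509Source(context.Background())
	if err != nil {
		log.Printf("creating X509 source: %v", err)
		return
	}
	// Release the Workload API connection when main returns.
	defer source.Close()

	// Only clients whose SPIFFE ID belongs to td are authorized.
	config := tlsconfig.MTLSServerConfig(source, source, tlsconfig.AuthorizeMemberOf(td))

	// TODO: use the config
	_ = config
}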
Output:
func MTLSWebClientConfig ¶
MTLSWebClientConfig returns a TLS configuration which presents an X509-SVID to the server and verifies the server certificate using the provided roots (or the system roots if nil).
func MTLSWebServerConfig ¶
func MTLSWebServerConfig(cert *tls.Certificate, bundle x509bundle.Source, authorizer Authorizer, opts ...Option) *tls.Config
MTLSWebServerConfig returns a TLS configuration which presents a web server certificate to the client and requires, verifies, and authorizes client X509-SVIDs.
func TLSClientConfig ¶
func TLSClientConfig(bundle x509bundle.Source, authorizer Authorizer, opts ...Option) *tls.Config
TLSClientConfig returns a TLS configuration which verifies and authorizes the server X509-SVID.
func TLSServerConfig ¶
TLSServerConfig returns a TLS configuration which presents an X509-SVID to the client and does not require or verify client certificates.
func VerifyPeerCertificate ¶
func VerifyPeerCertificate(bundle x509bundle.Source, authorizer Authorizer, opts ...Option) func([][]byte, [][]*x509.Certificate) error
VerifyPeerCertificate returns a VerifyPeerCertificate callback for tls.Config. It uses the given bundle source and authorizer to verify and authorize X509-SVIDs provided by peers during the TLS handshake.
func WrapVerifyPeerCertificate ¶
func WrapVerifyPeerCertificate(wrapped func([][]byte, [][]*x509.Certificate) error, bundle x509bundle.Source, authorizer Authorizer, opts ...Option) func([][]byte, [][]*x509.Certificate) error
WrapVerifyPeerCertificate wraps a VerifyPeerCertificate callback, performing SPIFFE authentication against the peer certificates using the given bundle and authorizer. The wrapped callback is invoked after SPIFFE authentication and is passed the verified chains. Note: TLS clients must set `InsecureSkipVerify` when doing SPIFFE authentication to disable the standard library's hostname verification; the peer certificates are still verified against the bundle and authorized by the returned VerifyPeerCertificate callback.
Types ¶
type Authorizer ¶
type Authorizer func(id spiffeid.ID, verifiedChains [][]*x509.Certificate) error
Authorizer authorizes an X509-SVID given the SPIFFE ID and the chain of trust. The certificate chain starts with the X509-SVID certificate and extends back to an X.509 root for the trust domain.
func AdaptMatcher ¶
func AdaptMatcher(matcher spiffeid.Matcher) Authorizer
AdaptMatcher adapts any spiffeid.Matcher for use as an Authorizer which only authorizes the SPIFFE ID but otherwise ignores the verified chains.
func AuthorizeID ¶
func AuthorizeID(allowed spiffeid.ID) Authorizer
AuthorizeID allows a specific SPIFFE ID.
func AuthorizeMemberOf ¶
func AuthorizeMemberOf(allowed spiffeid.TrustDomain) Authorizer
AuthorizeMemberOf allows any SPIFFE ID in the given trust domain.
func AuthorizeOneOf ¶
func AuthorizeOneOf(allowed ...spiffeid.ID) Authorizer
AuthorizeOneOf allows any SPIFFE ID in the given list of IDs.
type GotCertificateInfo ¶
type GotCertificateInfo struct { Cert *tls.Certificate Err error }
GotCertificateInfo carries the TLS certificate and error from a certificate fetch to the Trace GotCertificate callback.
type Option ¶
type Option interface {
// contains filtered or unexported methods
}
An Option changes the defaults used by the mTLS ClientConfig functions.
type Trace ¶
type Trace struct { GetCertificate func() interface{} GotCertificate func(interface{}, GotCertificateInfo) }
Trace defines the hook functions that are triggered when functions in tlsconfig are called.