Documentation
Constants
This section is empty.
Variables
This section is empty.
Functions
func MakeTLSPeerCertificateForwarder
func MakeTLSPeerCertificateForwarder(encryptionPassphrase string) gateway.InterceptorFunc
MakeTLSPeerCertificateForwarder returns a bahamut gateway.InterceptorFunc that you need to add to the bahamut.Gateway so that it intercepts calls going to the A3S /issue endpoint (or any other endpoint you proxy) and passes the user's certificate along in an encrypted header.
The encryptionPassphrase is required because A3S refuses to trust a header containing a user certificate unless it is encrypted with that key. The key must be exactly 16, 24 or 32 bytes long, selecting AES-128, AES-192 or AES-256 respectively.
WARNING: You MUST NOT use this function without installing a custom peer certificate verifier with MakeTLSPeerCertificateVerifier in the gateway's server TLS config. A3S blindly trusts the certificate in the header, which is why you MUST verify it beforehand.
func MakeTLSPeerCertificateVerifier
func MakeTLSPeerCertificateVerifier(ctx context.Context, m manipulate.Manipulator, opts ...VerifierOption) func([][]byte, [][]*x509.Certificate) error
MakeTLSPeerCertificateVerifier returns a function you can use as tls.Config.VerifyPeerCertificate. You need this if you want to support user authentication through mTLS while running behind a bahamut.Gateway.
This is the first step of the dance required to securely forward the client certificate in a trusted header. The second step is to add an interceptor using MakeTLSPeerCertificateForwarder.
The returned function uses the provided manipulator to search A3S for an MTLS source holding the CA that issued the presented client certificate, matching on the certificate's AuthorityKeyID. If it finds one, the certificate's signature is checked against that CA.
Lookup results are cached for the duration set by OptionCacheDuration, and at most OptionCacheSize items are kept.
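The verifier's behaviour as described above (match the client certificate's AuthorityKeyId to a CA, check the signature against it, cache the lookups), as an added Go example that is not this package's code. It uses only the standard library: CALookup is a hypothetical stand-in for the manipulator query against A3S MTLS sources, and NewTestCert builds throwaway certificates so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// CALookup stands in for the manipulator query the docs describe: return the CA held by
// the MTLS source matching an AuthorityKeyId, or an error if none does. Hypothetical, not A3S's API.
type CALookup func(authorityKeyID []byte) (*x509.Certificate, error)

type cacheEntry struct {
	ca      *x509.Certificate
	expires time.Time
}

// CAVerifier caches CA lookups, bounded the way OptionCacheDuration and OptionCacheSize are.
type CAVerifier struct {
	Lookup   CALookup
	Duration time.Duration
	Size     int
	mu       sync.Mutex
	cache    map[string]cacheEntry
}

func (v *CAVerifier) findCA(akid []byte) (*x509.Certificate, error) {
	v.mu.Lock() // the TLS server runs VerifyPeerCertificate from many goroutines
	defer v.mu.Unlock()
	if e, ok := v.cache[string(akid)]; ok && time.Now().Before(e.expires) {
		return e.ca, nil
	}
	ca, err := v.Lookup(akid)
	if err != nil {
		return nil, err // negative results are not cached
	}
	if v.cache == nil || len(v.cache) >= v.Size { // lazy init; crude bound: flush when full
		v.cache = map[string]cacheEntry{}
	}
	v.cache[string(akid)] = cacheEntry{ca: ca, expires: time.Now().Add(v.Duration)}
	return ca, nil
}

// VerifyPeerCertificate has the tls.Config.VerifyPeerCertificate signature. With
// ClientAuth = tls.RequestClientCert the server builds no chain itself, so
// verifiedChains is always empty and every check must happen here on rawCerts.
func (v *CAVerifier) VerifyPeerCertificate(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	if len(rawCerts) == 0 {
		return errors.New("no client certificate presented")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return err
	}
	ca, err := v.findCA(leaf.AuthorityKeyId)
	if err != nil {
		return err
	}
	if now := time.Now(); now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return errors.New("client certificate is outside its validity period")
	}
	// CheckSignatureFrom also rejects an issuer lacking the CA constraint or keyCertSign; it does not check validity.
	return leaf.CheckSignatureFrom(ca)
}

// NewTestCert builds throwaway certificates so the example runs offline: a self-signed CA
// (SubjectKeyId = its CN) when parent is nil, otherwise a client leaf signed by parent, which
// makes CreateCertificate copy the parent's SubjectKeyId into the leaf's AuthorityKeyId.
func NewTestCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.SubjectKeyId = x509.KeyUsageCertSign, []byte(cn)
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err) // constructed fixture: failing here means the example itself is broken
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func main() {
	ca, caKey := NewTestCert("trusted-ca", nil, nil)
	leaf, _ := NewTestCert("alice", ca, caKey)
	v := &CAVerifier{Lookup: func([]byte) (*x509.Certificate, error) { return ca, nil }, Duration: time.Minute, Size: 16}
	fmt.Println("verify:", v.VerifyPeerCertificate([][]byte{leaf.Raw}, nil))
}
```

To wire it into a server you would set tls.Config{ClientAuth: tls.RequestClientCert, VerifyPeerCertificate: v.VerifyPeerCertificate}; RequestClientCert is what makes Go skip its own chain building, so the callback is the only place the certificate is checked, which is why it also has to enforce the validity period that CheckSignatureFrom leaves alone. The real verifier additionally bounds the A3S lookup with OptionTimeout; this example has no network call to bound.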
Types
type VerifierOption
type VerifierOption func(*verifierConf)
VerifierOption configures optional aspects of MakeTLSPeerCertificateVerifier.
func OptionCacheDuration
func OptionCacheDuration(d time.Duration) VerifierOption
OptionCacheDuration sets the lifetime of cached CAs.
func OptionCacheSize
func OptionCacheSize(s int64) VerifierOption
OptionCacheSize sets the maximum number of items the cache may hold before older ones are evicted.
func OptionTimeout
func OptionTimeout(d time.Duration) VerifierOption
OptionTimeout sets the maximum amount of time to wait for A3S to reply.