Documentation ¶
Overview ¶
Package mtls provides functions to authenticate client TLS certificates.
Index ¶
- func AppendRootCAsToContext(parent context.Context, pem []byte) context.Context
- func ClientCertificateFromContext(ctx context.Context) *x509.Certificate
- func FromProxyHeaders(h HeaderReader) (*x509.Certificate, bool, error)
- func NewContextWithClientCertificate(parent context.Context, cert *x509.Certificate) context.Context
- func RootCAsFromContext(ctx context.Context) *x509.CertPool
- type CAStore
- type ClientType
- type HeaderReader
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AppendRootCAsToContext ¶ added in v3.32.0
func AppendRootCAsToContext(parent context.Context, pem []byte) context.Context
AppendRootCAsToContext returns a context derived from parent whose root CA pool contains the root CAs already in parent plus the certificates in the given PEM-encoded data. Context values are immutable, so the pool in parent itself is left unchanged.
func ClientCertificateFromContext ¶
func ClientCertificateFromContext(ctx context.Context) *x509.Certificate
ClientCertificateFromContext returns the client certificate stored in the context, if present. If no certificate is stored, it falls back to the peer information attached to the context (for a gRPC server, the peer's TLS connection state); if that yields no certificate either, it returns nil.
func FromProxyHeaders ¶
func FromProxyHeaders(h HeaderReader) (*x509.Certificate, bool, error)
FromProxyHeaders extracts a client certificate from proxy headers. Envoy Proxy and Traefik headers are supported. If a supported proxy header is present, its value must contain a client certificate; a header that is present but does not decode to a certificate is an error, never a nil certificate. If no proxy header is present, it returns nil, false, nil. Trust the header only when the service is reachable exclusively through the proxy that sets it and the proxy strips any copy sent by the client; otherwise a client can forge its own identity.
func NewContextWithClientCertificate ¶
func NewContextWithClientCertificate(parent context.Context, cert *x509.Certificate) context.Context
NewContextWithClientCertificate returns a context derived from parent that contains the client TLS certificate.
Types ¶
type CAStore ¶
type CAStore struct {
// contains filtered or unexported fields
}
CAStore is a store of CA Certs.
func NewCAStore ¶
NewCAStore creates a new CAStore. If a fetcher is given, the index file must be present. If the index file defines a common pool, that pool is loaded.
func (*CAStore) Verify ¶
func (c *CAStore) Verify(ctx context.Context, clientType ClientType, cn string, cert *x509.Certificate) error
Verify verifies the certificate against the certificate pool for the given client type. The common pool is always used; if the client type is unspecified, only the common pool is used. The method also checks that the certificate's Common Name equals cn, so a certificate issued by a trusted CA for a different identity is rejected.
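As an added worked example, not the mtls package's own code, covering both FromProxyHeaders and CAStore.Verify above: it parses the Cert element of an Envoy x-forwarded-client-cert value (URL-encoded PEM; Traefik's header is not handled here) and verifies the resulting certificate with the documented rules: common pool always used, per-type pool only for a specified client type, Common Name must match, and the leaf must carry the client-auth extended key usage. The CAStore field layout, the Issue fixture, the XFCCHeader builder and the in-memory certificates are constructed for this example and are assumptions, not the package's API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

type ClientType int

const (
	ClientTypeUnspecified ClientType = iota
	ClientTypeGateway
)

// CAStore layout assumed for the example: slices of roots, merged per Verify call.
type CAStore struct {
	Common []*x509.Certificate                // roots trusted for every client type
	ByType map[ClientType][]*x509.Certificate // roots trusted only for one client type
}

// Verify applies the documented rules: the CN must equal cn, the common pool is always used,
// and the client type's pool is added unless the type is Unspecified. The leaf must carry the
// client-auth EKU, so a server or code-signing certificate from a trusted CA is rejected.
func (s *CAStore) Verify(clientType ClientType, cn string, cert *x509.Certificate) error {
	if cert.Subject.CommonName != cn {
		return fmt.Errorf("common name %q, expected %q", cert.Subject.CommonName, cn)
	}
	trusted := s.Common
	if clientType != ClientTypeUnspecified { // copy first so the store's own slice is never extended
		trusted = append(append([]*x509.Certificate{}, s.Common...), s.ByType[clientType]...)
	}
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// CertFromXFCC parses the first Cert element (URL-encoded PEM) of an Envoy x-forwarded-client-cert
// value. A Cert element that is present but unusable is an error, never a nil certificate.
func CertFromXFCC(xfcc string) (*x509.Certificate, error) {
	for _, element := range strings.Split(xfcc, ";") {
		if key, val, ok := strings.Cut(strings.TrimSpace(element), "="); ok && key == "Cert" {
			val, _, _ = strings.Cut(val, ",") // ',' starts the next chain entry; encoded PEM contains none
			// PathUnescape keeps a literal '+' (base64) intact and still decodes %2B, %20 and %0A.
			pemText, err := url.PathUnescape(strings.Trim(val, `"`))
			if err != nil {
				return nil, fmt.Errorf("Cert element: %w", err)
			}
			block, _ := pem.Decode([]byte(pemText))
			if block == nil || block.Type != "CERTIFICATE" {
				return nil, fmt.Errorf("Cert element is not a PEM CERTIFICATE")
			}
			return x509.ParseCertificate(block.Bytes)
		}
	}
	return nil, fmt.Errorf("no Cert element in x-forwarded-client-cert")
}

// XFCCHeader builds a constructed Envoy-style value for leaf (By= and Hash= omitted).
func XFCCHeader(leaf *x509.Certificate) string {
	pemText := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leaf.Raw})
	encoded := strings.ReplaceAll(url.QueryEscape(string(pemText)), "+", "%20")
	return `Subject="CN=` + leaf.Subject.CommonName + `,O=example";Cert="` + encoded + `"`
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Issue is a test fixture: a self-signed root when parent is nil, else a client-auth leaf.
func Issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

func main() {
	root, rootKey := Issue("gateway-root", nil, nil)
	leaf, _ := Issue("gw-1", root, rootKey)
	store := &CAStore{ByType: map[ClientType][]*x509.Certificate{ClientTypeGateway: {root}}}
	cert := must(CertFromXFCC(XFCCHeader(leaf)))
	fmt.Println(store.Verify(ClientTypeGateway, "gw-1", cert), store.Verify(ClientTypeUnspecified, "gw-1", cert))
}
```

The header parser splits on ';' only, so a quoted Subject such as "CN=a,O=b" is left intact, and cuts the Cert value at the first ',' because the percent-encoded PEM cannot contain one; a root that is only in the gateway pool is rejected for an unspecified client type, which is the separation the documented Verify rules provide.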
type ClientType ¶
type ClientType int
ClientType represents the type of the client.
const (
	ClientTypeUnspecified ClientType = iota
	ClientTypeGateway
)
Client types.
type HeaderReader ¶
HeaderReader is an interface for reading a header value by name, so the same extraction code works for HTTP headers and gRPC metadata.