tlsconfig

package
v3.29.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Feb 6, 2024 License: Apache-2.0 Imports: 10 Imported by: 0

Documentation

Overview

Package tlsconfig provides configuration for TLS clients and servers.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type ACME

type ACME struct {

	// TODO: Remove Enable (https://github.com/TheThingsNetwork/lorawan-stack/issues/1450)
	Enable bool `` //nolint:lll
	/* 145-byte string literal not displayed */
	Endpoint    string   `name:"endpoint" description:"ACME endpoint"`
	Dir         string   `name:"dir" description:"Location of ACME storage directory"`
	Email       string   `name:"email" description:"Email address to register with the ACME account"`
	Hosts       []string `name:"hosts" description:"Hosts to enable automatic certificates for"`
	DefaultHost string   `name:"default-host" description:"Default host to assume for clients without SNI"`
	// contains filtered or unexported fields
}

ACME represents ACME configuration.

func (*ACME) Initialize

func (a *ACME) Initialize() (*autocert.Manager, error)

Initialize initializes the autocert manager for the ACME configuration. If it was already initialized, any changes after the previous initialization are ignored.

func (ACME) IsZero

func (a ACME) IsZero() bool

IsZero returns whether the ACME configuration is empty.

type Client

type Client struct {
	FileReader         FileReader `json:"-" yaml:"-" name:"-"`
	RootCA             string     `json:"root-ca" yaml:"root-ca" name:"root-ca" description:"Location of TLS root CA certificate (optional)"` //nolint:lll
	InsecureSkipVerify bool       `name:"insecure-skip-verify" description:"Skip verification of certificate chains (insecure)"`              //nolint:lll
}

Client is client-side configuration for server TLS.

func (Client) ApplyTo

func (c Client) ApplyTo(tlsConfig *tls.Config) error

ApplyTo applies the client configuration options to the given TLS configuration. If tlsConfig is nil, this is a no-op.

func (Client) Equals added in v3.17.0

func (c Client) Equals(other Client) bool

Equals checks if the other configuration is equivalent to this.

type ClientAuth

type ClientAuth struct {
	Source      string         `name:"source" description:"Source of the TLS certificate (file, key-vault)"`
	FileReader  FileReader     `json:"-" yaml:"-" name:"-"`
	Certificate string         `json:"certificate" yaml:"certificate" name:"certificate" description:"Location of TLS certificate"` //nolint:lll
	Key         string         `json:"key" yaml:"key" name:"key" description:"Location of TLS private key"`
	KeyVault    ClientKeyVault `name:"key-vault"`
}

ClientAuth is (client-side) configuration for TLS client authentication.

func (*ClientAuth) ApplyTo

func (c *ClientAuth) ApplyTo(tlsConfig *tls.Config) error

ApplyTo applies the TLS authentication configuration options to the given TLS configuration. If tlsConfig is nil, this is a no-op.

type ClientKeyVault added in v3.24.0

type ClientKeyVault struct {
	CertificateProvider interface {
		ClientCertificate(ctx context.Context, label string) (tls.Certificate, error)
	} `name:"-"`
	ID string `name:"id" description:"ID of the certificate"`
}

ClientKeyVault defines configuration for loading a TLS client certificate from the key vault.

type Config

type Config struct {
	Client     `name:",squash"`
	ServerAuth `name:",squash"`
}

Config represents TLS configuration.

type ConfigOptionFunc added in v3.17.0

type ConfigOptionFunc func(*tls.Config)

ConfigOptionFunc is a Option.

type ConfigurationProvider added in v3.17.0

type ConfigurationProvider func(context.Context) Config

ConfigurationProvider generates a Config from the provided context.

func (ConfigurationProvider) GetTLSClientConfig added in v3.17.0

func (p ConfigurationProvider) GetTLSClientConfig(ctx context.Context, opts ...Option) (*tls.Config, error)

GetTLSClientConfig gets the component's client TLS config and applies the given options.

func (ConfigurationProvider) GetTLSServerConfig added in v3.17.0

func (p ConfigurationProvider) GetTLSServerConfig(ctx context.Context, opts ...Option) (*tls.Config, error)

GetTLSServerConfig gets the component's server TLS config and applies the given options.

type FileReader

type FileReader interface {
	ReadFile(filename string) ([]byte, error)
}

FileReader is the interface used to read TLS certificates and keys.

func FromFetcher added in v3.24.1

func FromFetcher(fetcher fetch.Interface) FileReader

FromFetcher returns a FileReader that reads files from the given fetcher.

type Option added in v3.17.0

type Option interface {
	// contains filtered or unexported methods
}

Option provides customization for TLS configuration.

func WithNextProtos added in v3.17.0

func WithNextProtos(protos ...string) Option

WithNextProtos appends the given protocols to NextProtos.

func WithTLSCertificates added in v3.17.0

func WithTLSCertificates(certificates ...tls.Certificate) Option

WithTLSCertificates sets TLS certificates.

func WithTLSClientAuth added in v3.17.0

func WithTLSClientAuth(
	auth tls.ClientAuthType,
	cas *x509.CertPool,
	verify func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error,
) Option

WithTLSClientAuth sets TLS client authentication options.

type ServerAuth

type ServerAuth struct {
	Source       string         `name:"source" description:"Source of the TLS certificate (file, acme, key-vault)"`
	FileReader   FileReader     `json:"-" yaml:"-" name:"-"`
	Certificate  string         `json:"certificate" yaml:"certificate" name:"certificate" description:"Location of TLS certificate"` //nolint:lll
	Key          string         `json:"key" yaml:"key" name:"key" description:"Location of TLS private key"`
	ACME         ACME           `name:"acme"`
	KeyVault     ServerKeyVault `name:"key-vault"`
	CipherSuites []string       `name:"cipher-suites" description:"List of IANA names of TLS cipher suites to use (DEPRECATED)"` //nolint:lll
}

ServerAuth is configuration for TLS server authentication.

func (*ServerAuth) ApplyTo

func (c *ServerAuth) ApplyTo(tlsConfig *tls.Config) error

ApplyTo applies the TLS authentication configuration options to the given TLS configuration. If tlsConfig is nil, this is a no-op.

func (*ServerAuth) GetCipherSuites added in v3.15.2

func (c *ServerAuth) GetCipherSuites() ([]uint16, error)

GetCipherSuites returns a list of IDs of cipher suites in configuration. This list can be passed to tls.Config.

type ServerKeyVault added in v3.24.0

type ServerKeyVault struct {
	CertificateProvider interface {
		ServerCertificate(ctx context.Context, id string) (tls.Certificate, error)
	} `name:"-"`
	ID string `name:"id" description:"ID of the certificate"`
}

ServerKeyVault defines configuration for loading a TLS server certificate from the key vault.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL