mtls

package v3.32.1
Published: Oct 24, 2024 License: Apache-2.0 Imports: 11 Imported by: 0

Documentation

Overview

Package mtls provides functions to authenticate client TLS certificates.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AppendRootCAsToContext added in v3.32.0

func AppendRootCAsToContext(parent context.Context, pem []byte) context.Context

AppendRootCAsToContext appends the given PEM encoded Root Certificates to the root CAs in the context.

func ClientCertificateFromContext

func ClientCertificateFromContext(ctx context.Context) *x509.Certificate

ClientCertificateFromContext returns the certificate from the context if present. If the certificate is not present in the context, it tries to extract it from the peer.

func FromProxyHeaders

func FromProxyHeaders(h HeaderReader) (*x509.Certificate, bool, error)

FromProxyHeaders extracts a client certificate from proxy headers. This function supports Envoy Proxy and Traefik. If a proxy's header is set, its value is expected to contain a client certificate; otherwise an error is returned. If no proxy headers are set, it returns nil, false, nil.
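The three-way contract described above (no header, header with a certificate, header with anything else), as a constructed Go example that is not the package's own code. It assumes a header name `X-Client-Cert` carrying a base64-encoded DER certificate (the real Envoy and Traefik header formats are not given on this page), that the header is only ever set by a trusted proxy, a `HeaderReader` matching the page's interface, and a hypothetical `certFromProxyHeaders` function standing in for `FromProxyHeaders`.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

type HeaderReader interface{ Get(key string) string } // as on the page; http.Header satisfies it
const clientCertHeader = "X-Client-Cert"              // assumed name and encoding (base64 DER); real Envoy/Traefik formats are not on the page
// certFromProxyHeaders follows the page's FromProxyHeaders contract: no header -> (nil, false, nil); set but not a cert -> error; else (cert, true, nil).
func certFromProxyHeaders(h HeaderReader) (*x509.Certificate, bool, error) {
	raw := h.Get(clientCertHeader)
	if raw == "" {
		return nil, false, nil // proxy forwarded no client certificate: not an error, just no mTLS identity
	}
	der, err := base64.StdEncoding.DecodeString(raw)
	if err != nil {
		return nil, false, fmt.Errorf("%s: bad base64: %w", clientCertHeader, err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, false, fmt.Errorf("%s: not a certificate: %w", clientCertHeader, err)
	}
	return cert, true, nil
}

// selfSignedDER builds a throwaway certificate with the given CN (constructed test input only).
func selfSignedDER(cn string) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return der
}

func main() {
	h := http.Header{clientCertHeader: {base64.StdEncoding.EncodeToString(selfSignedDER("gateway-1"))}}
	cert, ok, err := certFromProxyHeaders(h)
	fmt.Println(cert.Subject.CommonName, ok, err) // gateway-1 true <nil>
}
```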

func NewContextWithClientCertificate

func NewContextWithClientCertificate(parent context.Context, cert *x509.Certificate) context.Context

NewContextWithClientCertificate returns a context derived from parent that contains the client TLS certificate.

func RootCAsFromContext added in v3.32.0

func RootCAsFromContext(ctx context.Context) *x509.CertPool

RootCAsFromContext returns the root CAs from the context if present.

Types

type CAStore

type CAStore struct {
	// contains filtered or unexported fields
}

CAStore is a store of CA Certs.

func NewCAStore

func NewCAStore(_ context.Context, fetcher fetch.Interface) (*CAStore, error)

NewCAStore creates a new CAStore. If the fetcher is given, the index file must be present. If the index file contains a common pool, it will be loaded.

func (*CAStore) Verify

func (c *CAStore) Verify(ctx context.Context, clientType ClientType, cn string, cert *x509.Certificate) error

Verify verifies the certificate against the certificate pool for the client type. The common pool is always used. If the client type is unspecified, only the common certificate pool is used. The method also checks that the common name in the certificate matches the provided value.

type ClientType

type ClientType int

ClientType represents the type of the client.

const (
	ClientTypeUnspecified ClientType = iota
	ClientTypeGateway
)

Client types.

type HeaderReader

type HeaderReader interface {
	Get(key string) string
}

HeaderReader is an interface for reading headers, typically HTTP headers and gRPC metadata.
