mtls

package
v0.27.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 6, 2022 License: Apache-2.0 Imports: 25 Imported by: 6

Documentation

Index

Constants

This section is empty.

Variables

View Source
var ErrorNoCertConfigure = errors.New("no certificate config")

ErrorNoCertConfigure represents config has no certificate

Functions

func ClearSecretManager

func ClearSecretManager()

func GetSdsClient

func GetSdsClient(cfg interface{}) types.SdsClient

func GetTLSConn

func GetTLSConn(c net.Conn, b []byte) (net.Conn, error)

GetTLSConn return TLSConn

func MockClient added in v0.27.0

func MockClient(addr string, cltMng types.TLSClientContextManager) (*http.Response, error)

func NewProvider

func NewProvider(index string, cfg *v2.TLSConfig) (types.TLSProvider, error)

NewProvider returns a types.Provider. we support sds provider and static provider.

func NewTLSClientContextManager

func NewTLSClientContextManager(name string, cfg *v2.TLSConfig) (types.TLSClientContextManager, error)

NewTLSClientContextManager returns a types.TLSContextManager used in TLS Client

func NewTLSServerContextManager

func NewTLSServerContextManager(cfg *v2.Listener) (types.TLSContextManager, error)

NewTLSServerContextManager returns a types.TLSContextManager used in TLS Server A Server Manager can contains multiple certificates in provider

func Register

func Register(name string, factory ConfigHooksFactory) error

Register registers an extension.

func RegisterSdsCallback

func RegisterSdsCallback(name string, f func(*v2.TLSConfig))

func RegisterTlsContextCallback added in v0.27.0

func RegisterTlsContextCallback(cb TlsContextCallback)

Types

type ConfigHooks

type ConfigHooks interface {
	// GetClientAuth sets the tls.Config's ClientAuth fields
	GetClientAuth(cfg *v2.TLSConfig) tls.ClientAuthType
	// GetCertificate returns the tls.Certificate by index.
	// By default the index is the cert/key file path or cert/key pem string
	GetCertificate(certIndex, keyIndex string) (tls.Certificate, error)
	// GetX509Pool returns the x509.CertPool, which is a set of certificates.
	// By default the index is the ca certificate file path or certificate pem string
	GetX509Pool(caIndex string) (*x509.CertPool, error)
	// ServerHandshakeVerify returns a function that used to set "VerifyPeerCertificate" defined in tls.Config.
	// If it is returns nil, the normal certificate verification will be used.
	// Notice that we set tls.Config.InsecureSkipVerify to make sure the "VerifyPeerCertificate" is called,
	// so the ServerHandshakeVerify should verify the trusted ca if necessary.
	// If the TLSConfig.RequireClientCert is false, the ServerHandshakeVerify will be ignored
	ServerHandshakeVerify(cfg *tls.Config) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error
	// ClientHandshakeVerify returns a function that used to set "VerifyPeerCertificate" defined in tls.Config.
	// If it is returns nil, the normal certificate verification will be used.
	// Notice that we set tls.Config.InsecureSkipVerify to make sure the "VerifyPeerCertificate" is called,
	// so the ClientHandshakeVerify should verify the trusted ca if necessary.
	// If TLSConfig.InsecureSkip is true, the ClientHandshakeVerify will be ignored.
	ClientHandshakeVerify(cfg *tls.Config) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error
	// GenerateHashValue creates a hash value based on the tls.Config
	GenerateHashValue(cfg *tls.Config) *types.HashValue
}

ConfigHooks is a set of functions used to make a tls config

func DefaultConfigHooks

func DefaultConfigHooks() ConfigHooks

DefaultConfigHooks returns the default config hooks implement

type ConfigHooksFactory

type ConfigHooksFactory interface {
	CreateConfigHooks(config map[string]interface{}) ConfigHooks
}

ConfigHooksFactory creates ConfigHooks by config

type Conn

type Conn struct {
	net.Conn
	// contains filtered or unexported fields
}

Conn is a generic stream-oriented network connection. It implements the net.Conn interface.

func (*Conn) Peek

func (c *Conn) Peek() ([]byte, error)

Peek returns 1 byte from connection, without draining any buffered data.

func (*Conn) Read

func (c *Conn) Read(b []byte) (int, error)

Read reads data from the connection.

type MockListener added in v0.27.0

type MockListener struct {
	net.Listener
	Mng types.TLSContextManager
}

Some Mock structure for simplify unit test code

func (MockListener) Accept added in v0.27.0

func (ln MockListener) Accept() (net.Conn, error)

type MockServer added in v0.27.0

type MockServer struct {
	Mng  types.TLSContextManager
	Addr string
	// contains filtered or unexported fields
}

func (*MockServer) Close added in v0.27.0

func (s *MockServer) Close()

func (*MockServer) GoListenAndServe added in v0.27.0

func (s *MockServer) GoListenAndServe()

func (*MockServer) ServeHTTP added in v0.27.0

func (s *MockServer) ServeHTTP(w http.ResponseWriter, r *http.Request)

type SecretInfo added in v0.27.0

type SecretInfo struct {
	Certificate  string
	PrivateKey   string
	Validation   string // root ca
	NoValidation bool
}

func (*SecretInfo) Full added in v0.27.0

func (info *SecretInfo) Full() bool

Full returns whether the secret info is full enough for a tls config

type TLSConn

type TLSConn struct {
	*tls.Conn
}

TLSConn represents a secured connection. It implements the net.Conn interface.

func (*TLSConn) ConnectionState

func (c *TLSConn) ConnectionState() gotls.ConnectionState

ConnectionState records basic TLS details about the connection.

func (*TLSConn) GetRawConn

func (c *TLSConn) GetRawConn() net.Conn

GetRawConn returns network connection.

func (*TLSConn) GetTLSInfo

func (c *TLSConn) GetTLSInfo(buf types.IoBuffer) int

GetTLSInfo returns TLSInfo

func (*TLSConn) Read added in v0.11.0

func (c *TLSConn) Read(b []byte) (int, error)

func (*TLSConn) SetALPN

func (c *TLSConn) SetALPN(alpn string)

SetALPN sets ALPN

func (*TLSConn) WriteTo

func (c *TLSConn) WriteTo(v *net.Buffers) (int64, error)

WriteTo writes data

type TLSStats added in v0.14.0

type TLSStats struct {
	TLSConnpoolChanged gometrics.Counter
}

func NewStats added in v0.14.0

func NewStats(name string) *TLSStats

type TlsContext added in v0.27.0

type TlsContext interface {
	// set the server side tls config
	SetServerConfig(template *tls.Config, cfg *v2.TLSConfig, hooks ConfigHooks)
	// return the server side TLSConfigContext
	GetServerTLSConfigContext() *types.TLSConfigContext

	// set the client side tls config
	SetClientConfig(template *tls.Config, cfg *v2.TLSConfig, hooks ConfigHooks)
	// return the client side TLSConfigContext
	GetClientTLSConfigContext() *types.TLSConfigContext

	// return the v2 tls config set by SetServerConfig/SetClientConfig
	GetTLSConfig() *v2.TLSConfig
	// return the tls SecretInfo set by SetServerConfig/SetClientConfig
	GetSecretInfo() *SecretInfo

	// whether the tls context matches the server name
	MatchedServerName(sn string) bool
	// whether the tls context matches the ALPN
	MatchedALPN(protocols []string) bool
}

type TlsContextCallback added in v0.27.0

type TlsContextCallback func(tlsContext TlsContext)

TlsContextCallback will be called before 'newTlsContext' returns, which allows the retrieval of TlsContext

Directories

Path Synopsis
Package certtool used for generate certificate for test/examples By default, use CreateTemplate, GeneratePrivateKey, and SignCertificate, the certificates created in same process have same root ca
Package certtool used for generate certificate for test/examples By default, use CreateTemplate, GeneratePrivateKey, and SignCertificate, the certificates created in same process have same root ca
crypto
tls
Package tls partially implements TLS 1.2, as specified in RFC 5246, and TLS 1.3, as specified in RFC 8446.
Package tls partially implements TLS 1.2, as specified in RFC 5246, and TLS 1.3, as specified in RFC 8446.
extensions
sni

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL