mtls

package

v1.0.0 Latest Latest Go to latest Published: Apr 15, 2022 License: Apache-2.0 Imports: 25 Imported by: 6

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/mosn/mosn

Links

Open Source Insights

Documentation ¶

Index ¶

Variables
func ClearSecretManager()
func GetSdsClient(cfg interface{}) types.SdsClient
func GetTLSConn(c net.Conn, b []byte) (net.Conn, error)
func MockClient(addr string, cltMng types.TLSClientContextManager) (*http.Response, error)
func NewProvider(index string, cfg *v2.TLSConfig) (types.TLSProvider, error)
func NewTLSClientContextManager(name string, cfg *v2.TLSConfig) (types.TLSClientContextManager, error)
func NewTLSServerContextManager(cfg *v2.Listener) (types.TLSContextManager, error)
func Register(name string, factory ConfigHooksFactory) error
func RegisterSdsCallback(name string, f func(*v2.TLSConfig))
func RegisterTlsContextCallback(cb TlsContextCallback)
type ConfigHooks
- func DefaultConfigHooks() ConfigHooks
type ConfigHooksFactory
type Conn
- func (c *Conn) Peek() ([]byte, error)
- func (c *Conn) Read(b []byte) (int, error)
type MockListener
- func (ln MockListener) Accept() (net.Conn, error)
type MockServer
- func (s *MockServer) Close()
- func (s *MockServer) GoListenAndServe()
- func (s *MockServer) ServeHTTP(w http.ResponseWriter, r *http.Request)
type SecretInfo
- func (info *SecretInfo) Full() bool
type TLSConn
- func (c *TLSConn) ConnectionState() gotls.ConnectionState
- func (c *TLSConn) GetRawConn() net.Conn
- func (c *TLSConn) GetTLSInfo(buf types.IoBuffer) int
- func (c *TLSConn) Read(b []byte) (int, error)
- func (c *TLSConn) SetALPN(alpn string)
- func (c *TLSConn) WriteTo(v *net.Buffers) (int64, error)
type TLSStats
- func NewStats(name string) *TLSStats
type TlsContext
type TlsContextCallback

Constants ¶

This section is empty.

Variables ¶

View Source

var ErrorNoCertConfigure = errors.New("no certificate config")

ErrorNoCertConfigure represents config has no certificate

Functions ¶

func ClearSecretManager ¶

func ClearSecretManager()

func GetSdsClient ¶

func GetSdsClient(cfg interface{}) types.SdsClient

func GetTLSConn ¶

func GetTLSConn(c net.Conn, b []byte) (net.Conn, error)

GetTLSConn return TLSConn

func MockClient ¶ added in v0.27.0

func MockClient(addr string, cltMng types.TLSClientContextManager) (*http.Response, error)

func NewProvider ¶

func NewProvider(index string, cfg *v2.TLSConfig) (types.TLSProvider, error)

NewProvider returns a types.Provider. we support sds provider and static provider.

func NewTLSClientContextManager ¶

func NewTLSClientContextManager(name string, cfg *v2.TLSConfig) (types.TLSClientContextManager, error)

NewTLSClientContextManager returns a types.TLSContextManager used in TLS Client

func NewTLSServerContextManager ¶

func NewTLSServerContextManager(cfg *v2.Listener) (types.TLSContextManager, error)

NewTLSServerContextManager returns a types.TLSContextManager used in TLS Server A Server Manager can contains multiple certificates in provider

func Register ¶

func Register(name string, factory ConfigHooksFactory) error

Register registers an extension.

func RegisterSdsCallback ¶

func RegisterSdsCallback(name string, f func(*v2.TLSConfig))

func RegisterTlsContextCallback ¶ added in v0.27.0

func RegisterTlsContextCallback(cb TlsContextCallback)

Types ¶

type ConfigHooks ¶

type ConfigHooks interface {
	// GetClientAuth sets the tls.Config's ClientAuth fields
	GetClientAuth(cfg *v2.TLSConfig) tls.ClientAuthType
	// GetCertificate returns the tls.Certificate by index.
	// By default the index is the cert/key file path or cert/key pem string
	GetCertificate(certIndex, keyIndex string) (tls.Certificate, error)
	// GetX509Pool returns the x509.CertPool, which is a set of certificates.
	// By default the index is the ca certificate file path or certificate pem string
	GetX509Pool(caIndex string) (*x509.CertPool, error)
	// ServerHandshakeVerify returns a function that used to set "VerifyPeerCertificate" defined in tls.Config.
	// If it is returns nil, the normal certificate verification will be used.
	// Notice that we set tls.Config.InsecureSkipVerify to make sure the "VerifyPeerCertificate" is called,
	// so the ServerHandshakeVerify should verify the trusted ca if necessary.
	// If the TLSConfig.RequireClientCert is false, the ServerHandshakeVerify will be ignored
	ServerHandshakeVerify(cfg *tls.Config) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error
	// ClientHandshakeVerify returns a function that used to set "VerifyPeerCertificate" defined in tls.Config.
	// If it is returns nil, the normal certificate verification will be used.
	// Notice that we set tls.Config.InsecureSkipVerify to make sure the "VerifyPeerCertificate" is called,
	// so the ClientHandshakeVerify should verify the trusted ca if necessary.
	// If TLSConfig.InsecureSkip is true, the ClientHandshakeVerify will be ignored.
	ClientHandshakeVerify(cfg *tls.Config) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error
	// GenerateHashValue creates a hash value based on the tls.Config
	GenerateHashValue(cfg *tls.Config) *types.HashValue
}

ConfigHooks is a set of functions used to make a tls config

func DefaultConfigHooks ¶

func DefaultConfigHooks() ConfigHooks

DefaultConfigHooks returns the default config hooks implement

type ConfigHooksFactory ¶

type ConfigHooksFactory interface {
	CreateConfigHooks(config map[string]interface{}) ConfigHooks
}

ConfigHooksFactory creates ConfigHooks by config

type Conn ¶

type Conn struct {
	net.Conn
	// contains filtered or unexported fields
}

Conn is a generic stream-oriented network connection. It implements the net.Conn interface.

func (*Conn) Peek ¶

func (c *Conn) Peek() ([]byte, error)

Peek returns 1 byte from connection, without draining any buffered data.

func (*Conn) Read ¶

func (c *Conn) Read(b []byte) (int, error)

Read reads data from the connection.

type MockListener ¶ added in v0.27.0

type MockListener struct {
	net.Listener
	Mng types.TLSContextManager
}

Some Mock structure for simplify unit test code

func (MockListener) Accept ¶ added in v0.27.0

func (ln MockListener) Accept() (net.Conn, error)

type MockServer ¶ added in v0.27.0

type MockServer struct {
	Mng  types.TLSContextManager
	Addr string
	// contains filtered or unexported fields
}

func (*MockServer) Close ¶ added in v0.27.0

func (s *MockServer) Close()

func (*MockServer) GoListenAndServe ¶ added in v0.27.0

func (s *MockServer) GoListenAndServe()

func (*MockServer) ServeHTTP ¶ added in v0.27.0

func (s *MockServer) ServeHTTP(w http.ResponseWriter, r *http.Request)

type SecretInfo ¶ added in v0.27.0

type SecretInfo struct {
	Certificate  string
	PrivateKey   string
	Validation   string // root ca
	NoValidation bool
}

func (*SecretInfo) Full ¶ added in v0.27.0

func (info *SecretInfo) Full() bool

Full returns whether the secret info is full enough for a tls config

type TLSConn ¶

type TLSConn struct {
	*tls.Conn
}

TLSConn represents a secured connection. It implements the net.Conn interface.

func (*TLSConn) ConnectionState ¶

func (c *TLSConn) ConnectionState() gotls.ConnectionState

ConnectionState records basic TLS details about the connection.

func (*TLSConn) GetRawConn ¶

func (c *TLSConn) GetRawConn() net.Conn

GetRawConn returns network connection.

func (*TLSConn) GetTLSInfo ¶

func (c *TLSConn) GetTLSInfo(buf types.IoBuffer) int

GetTLSInfo returns TLSInfo

func (*TLSConn) Read ¶ added in v0.11.0

func (c *TLSConn) Read(b []byte) (int, error)

func (*TLSConn) SetALPN ¶

func (c *TLSConn) SetALPN(alpn string)

SetALPN sets ALPN

func (*TLSConn) WriteTo ¶

func (c *TLSConn) WriteTo(v *net.Buffers) (int64, error)

WriteTo writes data

type TLSStats ¶ added in v0.14.0

type TLSStats struct {
	TLSConnpoolChanged gometrics.Counter
}

func NewStats ¶ added in v0.14.0

func NewStats(name string) *TLSStats

type TlsContext ¶ added in v0.27.0

type TlsContext interface {
	// set the server side tls config
	SetServerConfig(template *tls.Config, cfg *v2.TLSConfig, hooks ConfigHooks)
	// return the server side TLSConfigContext
	GetServerTLSConfigContext() *types.TLSConfigContext

	// set the client side tls config
	SetClientConfig(template *tls.Config, cfg *v2.TLSConfig, hooks ConfigHooks)
	// return the client side TLSConfigContext
	GetClientTLSConfigContext() *types.TLSConfigContext

	// return the v2 tls config set by SetServerConfig/SetClientConfig
	GetTLSConfig() *v2.TLSConfig
	// return the tls SecretInfo set by SetServerConfig/SetClientConfig
	GetSecretInfo() *SecretInfo

	// whether the tls context matches the server name
	MatchedServerName(sn string) bool
	// whether the tls context matches the ALPN
	MatchedALPN(protocols []string) bool
}

type TlsContextCallback ¶ added in v0.27.0

type TlsContextCallback func(tlsContext TlsContext)

TlsContextCallback will be called before 'newTlsContext' returns, which allows the retrieval of TlsContext

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
certtool Package certtool used for generate certificate for test/examples By default, use CreateTemplate, GeneratePrivateKey, and SignCertificate, the certificates created in same process have same root ca	Package certtool used for generate certificate for test/examples By default, use CreateTemplate, GeneratePrivateKey, and SignCertificate, the certificates created in same process have same root ca
crypto
tls Package tls partially implements TLS 1.2, as specified in RFC 5246, and TLS 1.3, as specified in RFC 8446.	Package tls partially implements TLS 1.2, as specified in RFC 5246, and TLS 1.3, as specified in RFC 8446.
extensions
sni
sds

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL