gmtlssupport

package
v0.0.5 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 22, 2021 License: Apache-2.0 Imports: 13 Imported by: 1

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AppendNewCertsToTrustRoots 

func AppendNewCertsToTrustRoots(tlsTrustRoots *ChainTrustRoots, chainId string, certPemBytes []byte) (bool, error)

AppendNewCertsToTrustRoots will load all cert from cert pem bytes, then append them to chain trust roots.

func GenerateGMTlsServerConfigWithDualCerts 

func GenerateGMTlsServerConfigWithDualCerts(encryptCert *gmtls.Certificate, signKeyBytes, signCertBytes []byte, certValidator *CertValidator) (*gmtls.Config, bool, error)

GenerateGMTlsServerConfigWithDualCerts will generate a gm tls config for server on dual certs mode. If sign key or sign cert bytes is empty, random sign cert will be created with the encrypt cert, and second value returned will be true, otherwise be false.

func GenerateSignCertificateWithEncryptCertificate 

func GenerateSignCertificateWithEncryptCertificate(encryptCert *x509.Certificate) (*gmtls.Certificate, error)

GenerateSignCertificateWithEncryptCertificate will create a new random sign cert with the encrypt cert given.

func GetCertAndPeerIdWithKeyPair 

func GetCertAndPeerIdWithKeyPair(certPEMBlock []byte, keyPEMBlock []byte) (*gmtls.Certificate, string, error)

GetCertAndPeerIdWithKeyPair will create a gmtls cert with gmx509 key pair and load the peer id from cert.

func NewTlsClientConfig 

func NewTlsClientConfig(
	certificate gmtls.Certificate,
	certValidator *CertValidator,
	dualCert bool,
) (*gmtls.Config, error)

NewTlsClientConfig create a new gm tls config for client.

func NewTlsServerConfigDualCertMode 

func NewTlsServerConfigDualCertMode(
	signCertificate gmtls.Certificate,
	certificate gmtls.Certificate,
	certValidator *CertValidator,
) (*gmtls.Config, error)

NewTlsServerConfigDualCertMode create a new gm tls config for server with dual cert mode.

func NewTlsServerConfigSingleCertMode 

func NewTlsServerConfigSingleCertMode(
	certificate gmtls.Certificate,
	certValidator *CertValidator,
) (*gmtls.Config, error)

NewTlsServerConfigSingleCertMode create a new gm tls config for server with single cert mode.

Types

type CertValidator 

type CertValidator struct {
	// contains filtered or unexported fields
}

CertValidator wraps a ChainTrustRoots instance and a common.MemberStatusValidator. It provides a function for verifying peer certificate when tls handshaking. In handshaking process, the function will load remote tls certificate and verify it by chain trust roots, also load remote peer id and cert id. All these infos will stored in validator. These infos could be queried with QueryDerivedInfoWithPeerId function. And could be removed with CleanDerivedInfoWithPeerId function.

func NewCertValidator 

func NewCertValidator(tlsTrustRoots *ChainTrustRoots, memberStatusValidator *common.MemberStatusValidator) *CertValidator

NewCertValidator create a new CertValidator instance.

func (*CertValidator) CleanDerivedInfoWithPeerId 

func (v *CertValidator) CleanDerivedInfoWithPeerId(peerId string)

CleanDerivedInfoWithPeerId remove all infos of peer if exist.

func (*CertValidator) QueryDerivedInfoWithPeerId 

func (v *CertValidator) QueryDerivedInfoWithPeerId(peerId string) *DerivedInfoWithCert

QueryDerivedInfoWithPeerId return all infos that loaded with VerifyPeerCertificateFunc and stored in validator.

func (*CertValidator) VerifyPeerCertificateFunc 

func (v *CertValidator) VerifyPeerCertificateFunc(dualCert bool) func(rawCerts [][]byte, _ [][]*x509.Certificate) error

VerifyPeerCertificateFunc provides a function for verify peer certificate in tls config. In handshaking process, the function will load remote tls certificate and verify it by chain trust roots, also load remote peer id and cert id. All these infos will stored in validator.

type ChainTrustRoots 

type ChainTrustRoots struct {
	// contains filtered or unexported fields
}

ChainTrustRoots keep the trust root cert pools and the trust intermediates cert pools of all chains.

func BuildTlsTrustRoots 

func BuildTlsTrustRoots(chainTrustRoots map[string][][]byte) (*ChainTrustRoots, error)

BuildTlsTrustRoots build the cert pool with cert bytes of chain.

func NewChainTrustRoots 

func NewChainTrustRoots() *ChainTrustRoots

NewChainTrustRoots create a new ChainTrustRoots instance.

func (*ChainTrustRoots) AddIntermediates 

func (ctr *ChainTrustRoots) AddIntermediates(chainId string, intermediates *x509.Certificate)

AddIntermediates add a trust intermediates cert to cert pool.

func (*ChainTrustRoots) AddRoot 

func (ctr *ChainTrustRoots) AddRoot(chainId string, root *x509.Certificate)

AddRoot add a trust root cert to cert pool.

func (*ChainTrustRoots) AppendIntermediatesFromPem 

func (ctr *ChainTrustRoots) AppendIntermediatesFromPem(chainId string, intermediatesPem []byte) bool

AppendIntermediatesFromPem append trust intermediates certs from pem bytes to cert pool.

func (*ChainTrustRoots) AppendRootsFromPem 

func (ctr *ChainTrustRoots) AppendRootsFromPem(chainId string, rootPem []byte) bool

AppendRootsFromPem append trust root certs from pem bytes to cert pool.

func (*ChainTrustRoots) IntermediatesPool 

func (ctr *ChainTrustRoots) IntermediatesPool(chainId string) (*x509.CertPool, bool)

IntermediatesPool return the trust intermediates cert pool of the chain which id is the id given.

func (*ChainTrustRoots) RefreshIntermediatesFromPem 

func (ctr *ChainTrustRoots) RefreshIntermediatesFromPem(chainId string, intermediatesPem [][]byte) bool

RefreshIntermediatesFromPem reset all trust intermediates certs from pem bytes array to cert pool.

func (*ChainTrustRoots) RefreshRootsFromPem 

func (ctr *ChainTrustRoots) RefreshRootsFromPem(chainId string, rootsPem [][]byte) bool

RefreshRootsFromPem reset all trust root certs from pem bytes array to cert pool.

func (*ChainTrustRoots) RootsPool 

func (ctr *ChainTrustRoots) RootsPool(chainId string) (*x509.CertPool, bool)

RootsPool return the trust root cert pool of the chain which id is the id given.

func (*ChainTrustRoots) VerifyCert 

func (ctr *ChainTrustRoots) VerifyCert(cert *x509.Certificate) ([]string, error)

VerifyCert verify the cert given. If ok, return chain id list.

func (*ChainTrustRoots) VerifyCertOfChain 

func (ctr *ChainTrustRoots) VerifyCertOfChain(chainId string, cert *x509.Certificate) bool

VerifyCertOfChain verify the cert given with chainId. If ok, return true.

type DerivedInfoWithCert 

type DerivedInfoWithCert struct {
	TlsCertBytes []byte
	ChainIds     []string
	PeerId       string
	CertId       string
}

DerivedInfoWithCert contains infos loaded from tls cert when verifying peer certificate.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.