mtls

package

v1.27.0 Latest Latest Go to latest Published: Apr 3, 2024 License: Apache-2.0 Imports: 13 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/Snowflake-Labs/sansshell

Links

Open Source Insights

Documentation ¶

Overview ¶

Package mtls facilitates Mutual TLS authentication for SansShell.

Index ¶

func LoadClientCredentials(ctx context.Context, loaderName string) (credentials.TransportCredentials, error)
func LoadClientTLS(clientCertFile, clientKeyFile string, CAPool *x509.CertPool) (credentials.TransportCredentials, error)
func LoadRootOfTrust(path string) (*x509.CertPool, error)
func LoadServerCredentials(ctx context.Context, loaderName string) (credentials.TransportCredentials, error)
func LoadServerTLS(clientCertFile, clientKeyFile string, CAPool *x509.CertPool) (credentials.TransportCredentials, error)
func Loaders() []string
func NewClientCredentials(cert tls.Certificate, CAPool *x509.CertPool) credentials.TransportCredentials
func NewServerCredentials(cert tls.Certificate, CAPool *x509.CertPool) credentials.TransportCredentials
func Register(name string, loader CredentialsLoader) error
type CredentialsLoader
- func Loader(name string) (CredentialsLoader, error)
type WrappedTransportCredentials

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func LoadClientCredentials ¶

func LoadClientCredentials(ctx context.Context, loaderName string) (credentials.TransportCredentials, error)

LoadClientCredentials returns transport credentials for SansShell clients, based on the provided `loaderName`

func LoadClientTLS ¶

func LoadClientTLS(clientCertFile, clientKeyFile string, CAPool *x509.CertPool) (credentials.TransportCredentials, error)

LoadClientTLS reads the certificates and keys from disk at the supplied paths, and assembles them into a set of TransportCredentials for the gRPC client.

func LoadRootOfTrust ¶

func LoadRootOfTrust(path string) (*x509.CertPool, error)

LoadRootOfTrust will load an CA root of trust(s) from the given file and return a CertPool to use in validating certificates. All CA's to validate against must be presented together in the PEM file. If the file is a directory, LoadRootOfTrust will load all files in that directory.

func LoadServerCredentials ¶

func LoadServerCredentials(ctx context.Context, loaderName string) (credentials.TransportCredentials, error)

LoadServerCredentials returns transport credentials for a SansShell server as retrieved from the specified `loaderName`. This should be the most commonly used method to generate credentials as this will support reloadable credentials as the TransportCredentials returned are a WrappedTransportCredentials which will check at call time if new certificates are available.

func LoadServerTLS ¶

func LoadServerTLS(clientCertFile, clientKeyFile string, CAPool *x509.CertPool) (credentials.TransportCredentials, error)

LoadServerTLS reads the certificates and keys from disk at the supplied paths, and assembles them into a set of TransportCredentials for the gRPC server. NOTE: This doesn't support reloadable credentials.

func Loaders ¶

func Loaders() []string

Loaders returns the names of all currently registered CredentialLoader implementations as a sorted list of strings.

func NewClientCredentials ¶

func NewClientCredentials(cert tls.Certificate, CAPool *x509.CertPool) credentials.TransportCredentials

NewClientCredentials returns transport credentials for SansShell clients.

func NewServerCredentials ¶

func NewServerCredentials(cert tls.Certificate, CAPool *x509.CertPool) credentials.TransportCredentials

NewServerCredentials creates transport credentials for a SansShell server. NOTE: This doesn't support reloadable credentials.

func Register ¶

func Register(name string, loader CredentialsLoader) error

Register associates a name with a mechanism for loading credentials. Implementations of CredentialsLoader will typically call Register during init()

Types ¶

type CredentialsLoader ¶

type CredentialsLoader interface {
	// LoadClientCA returns a CertPool which should be used by a server to
	// validate client certificates.
	// NOTE: The pool returned here will be the only pool used to validate certificates.
	//       Inclusion of system certificates should be done by copying from x509.SystemCertPool(),
	//       with any custom certificates appended.
	LoadClientCA(context.Context) (*x509.CertPool, error)

	// LoadRootCA returns a CertPool which should be used by clients to
	// validate server certificates.
	// NOTE: The pool returned here will be the only pool used to validate certificates.
	//       Inclusion of system certificates should be done by copying from x509.SystemCertPool(),
	//       with any custom certificates appended.
	LoadRootCA(context.Context) (*x509.CertPool, error)

	// LoadClientCertificates returns the certificate that should be presented
	// by the client when connecting to a server.
	LoadClientCertificate(context.Context) (tls.Certificate, error)

	// LoadServerCertificate returns the certificate that should be presented
	// by the server to incoming clients.
	LoadServerCertificate(context.Context) (tls.Certificate, error)

	// CertRefreshed indicates if internally any of the cert data has
	// been refreshed and should be reloaded. This will depend on the
	// implementation to support but allows for dynamic refresh of certificates
	// without a server restart.
	CertsRefreshed() bool
}

A CredentialsLoader loads mTLS credential data.

func Loader ¶

func Loader(name string) (CredentialsLoader, error)

Loader returns the CredentialsLoader associated with `name` or an error if no such implementation is registered.

type WrappedTransportCredentials ¶ added in v1.1.0

type WrappedTransportCredentials struct {
	// contains filtered or unexported fields
}

WrappedTransportCredentials wraps a credentials.TransportCredentials and monitors any access to the underlying credentials are up to date by calling CertsRefreshed before continuing.

func (*WrappedTransportCredentials) ClientHandshake ¶ added in v1.1.0

func (w *WrappedTransportCredentials) ClientHandshake(ctx context.Context, s string, n net.Conn) (net.Conn, credentials.AuthInfo, error)

ClientHandshake -- see credentials.ClientHandshake

func (*WrappedTransportCredentials) Clone ¶ added in v1.1.0

func (w *WrappedTransportCredentials) Clone() credentials.TransportCredentials

Clone -- see credentials.Clone

func (*WrappedTransportCredentials) Info ¶ added in v1.1.0

func (w *WrappedTransportCredentials) Info() credentials.ProtocolInfo

Info -- see credentials.Info

func (*WrappedTransportCredentials) OverrideServerName ¶ added in v1.1.0

func (w *WrappedTransportCredentials) OverrideServerName(s string) error

OverrideServerName -- see credentials.OverrideServerName

func (*WrappedTransportCredentials) ServerHandshake ¶ added in v1.1.0

func (w *WrappedTransportCredentials) ServerHandshake(n net.Conn) (net.Conn, credentials.AuthInfo, error)

ServerHandshake -- see credentials.ServerHandshake

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
flags Package flags provides flag support for loading client/server certs and CA root of trust.	Package flags provides flag support for loading client/server certs and CA root of trust.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL