Documentation
¶
Overview ¶
Package advancedtls is a utility library containing functions to construct credentials.TransportCredentials that can perform credential reloading and custom verification check.
Index ¶
- func NewClientCreds(o *ClientOptions) (credentials.TransportCredentials, error)
- func NewServerCreds(o *ServerOptions) (credentials.TransportCredentials, error)
- func WrapSyscallConn(rawConn, newConn net.Conn) net.Conn
- type ClientOptions
- type CustomVerificationFunc
- type GetRootCAsParams
- type GetRootCAsResults
- type RootCertificateOptions
- type ServerOptions
- type VerificationFuncParams
- type VerificationResults
- type VerificationType
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func NewClientCreds ¶
func NewClientCreds(o *ClientOptions) (credentials.TransportCredentials, error)
NewClientCreds uses ClientOptions to construct a TransportCredentials based on TLS.
func NewServerCreds ¶
func NewServerCreds(o *ServerOptions) (credentials.TransportCredentials, error)
NewServerCreds uses ServerOptions to construct a TransportCredentials based on TLS.
func WrapSyscallConn ¶
WrapSyscallConn tries to wrap rawConn and newConn into a net.Conn that implements syscall.Conn. rawConn will be used to support syscall, and newConn will be used for read/write.
This function returns newConn if rawConn doesn't implement syscall.Conn.
Types ¶
type ClientOptions ¶
type ClientOptions struct {
// If field Certificates is set, field GetClientCertificate will be ignored.
// The client will use Certificates every time when asked for a certificate,
// without performing certificate reloading.
Certificates []tls.Certificate
// If GetClientCertificate is set and Certificates is nil, the client will
// invoke this function every time asked to present certificates to the
// server when a new connection is established. This is known as peer
// certificate reloading.
GetClientCertificate func(*tls.CertificateRequestInfo) (*tls.Certificate, error)
// VerifyPeer is a custom verification check after certificate signature
// check.
// If this is set, we will perform this customized check after doing the
// normal check(s) indicated by setting VType.
VerifyPeer CustomVerificationFunc
// ServerNameOverride is for testing only. If set to a non-empty string,
// it will override the virtual host name of authority (e.g. :authority
// header field) in requests.
ServerNameOverride string
// RootCertificateOptions is REQUIRED to be correctly set on client side.
RootCertificateOptions
// VType is the verification type on the client side.
VType VerificationType
}
ClientOptions contains all the fields and functions needed to be filled by the client. General rules for certificate setting on client side: Certificates or GetClientCertificate indicates the certificates sent from the client to the server to prove client's identities. The rules for setting these two fields are: If requiring mutual authentication on server side:
Either Certificates or GetClientCertificate must be set; the other will be ignored.
Otherwise:
Nothing needed(the two fields will be ignored).
type CustomVerificationFunc ¶
type CustomVerificationFunc func(params *VerificationFuncParams) (*VerificationResults, error)
CustomVerificationFunc is the function defined by users to perform custom verification check. CustomVerificationFunc returns nil if the authorization fails; otherwise returns an empty struct.
type GetRootCAsParams ¶
GetRootCAsParams contains the parameters available to users when implementing GetRootCAs.
type GetRootCAsResults ¶
GetRootCAsResults contains the results of GetRootCAs. If users want to reload the root trust certificate, it is required to return the proper TrustCerts in GetRootCAs.
type RootCertificateOptions ¶
type RootCertificateOptions struct {
// If field RootCACerts is set, field GetRootCAs will be ignored. RootCACerts
// will be used every time when verifying the peer certificates, without
// performing root certificate reloading.
RootCACerts *x509.CertPool
// If GetRootCAs is set and RootCACerts is nil, GetRootCAs will be invoked
// every time asked to check certificates sent from the server when a new
// connection is established.
// This is known as root CA certificate reloading.
GetRootCAs func(params *GetRootCAsParams) (*GetRootCAsResults, error)
}
RootCertificateOptions contains a field and a function for obtaining root trust certificates. It is used by both ClientOptions and ServerOptions.
type ServerOptions ¶
type ServerOptions struct {
// If field Certificates is set, field GetClientCertificate will be ignored.
// The server will use Certificates every time when asked for a certificate,
// without performing certificate reloading.
Certificates []tls.Certificate
// If GetClientCertificate is set and Certificates is nil, the server will
// invoke this function every time asked to present certificates to the
// client when a new connection is established. This is known as peer
// certificate reloading.
GetCertificate func(*tls.ClientHelloInfo) (*tls.Certificate, error)
// VerifyPeer is a custom verification check after certificate signature
// check.
// If this is set, we will perform this customized check after doing the
// normal check(s) indicated by setting VType.
VerifyPeer CustomVerificationFunc
// RootCertificateOptions is only required when mutual TLS is
// enabled(RequireClientCert is true).
RootCertificateOptions
// If the server want the client to send certificates.
RequireClientCert bool
// VType is the verification type on the server side.
VType VerificationType
}
ServerOptions contains all the fields and functions needed to be filled by the client. General rules for certificate setting on server side: Certificates or GetClientCertificate indicates the certificates sent from the server to the client to prove server's identities. The rules for setting these two fields are: Either Certificates or GetCertificate must be set; the other will be ignored.
type VerificationFuncParams ¶
type VerificationFuncParams struct {
// The target server name that the client connects to when establishing the
// connection. This field is only meaningful for client side. On server side,
// this field would be an empty string.
ServerName string
// The raw certificates sent from peer.
RawCerts [][]byte
// The verification chain obtained by checking peer RawCerts against the
// trust certificate bundle(s), if applicable.
VerifiedChains [][]*x509.Certificate
// The leaf certificate sent from peer, if choosing to verify the peer
// certificate(s) and that verification passed. This field would be nil if
// either user chose not to verify or the verification failed.
Leaf *x509.Certificate
}
VerificationFuncParams contains parameters available to users when implementing CustomVerificationFunc. The fields in this struct are read-only.
type VerificationResults ¶
type VerificationResults struct{}
VerificationResults contains the information about results of CustomVerificationFunc. VerificationResults is an empty struct for now. It may be extended in the future to include more information.
type VerificationType ¶
type VerificationType int
VerificationType is the enum type that represents different levels of verification users could set, both on client side and on server side.
const ( // CertAndHostVerification indicates doing both certificate signature check // and hostname check. CertAndHostVerification VerificationType = iota // CertVerification indicates doing certificate signature check only. Setting // this field without proper custom verification check would leave the // application susceptible to the MITM attack. CertVerification // SkipVerification indicates skipping both certificate signature check and // hostname check. If setting this field, proper custom verification needs to // be implemented in order to complete the authentication. Setting this field // with a nil custom verification would raise an error. SkipVerification )
Source Files