tlsconfig

package

v2.2.0 Latest Latest Go to latest Published: Feb 28, 2023 License: Apache-2.0 Imports: 5 Imported by: 5

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/accuknox/go-spiffe

Links

Open Source Insights

Documentation ¶

Index ¶

func GetCertificate(svid x509svid.Source, opts ...Option) func(*tls.ClientHelloInfo) (*tls.Certificate, error)
func GetClientCertificate(svid x509svid.Source, opts ...Option) func(*tls.CertificateRequestInfo) (*tls.Certificate, error)
func HookMTLSClientConfig(config *tls.Config, svid x509svid.Source, bundle x509bundle.Source, ...)
func HookMTLSServerConfig(config *tls.Config, svid x509svid.Source, bundle x509bundle.Source, ...)
func HookMTLSWebClientConfig(config *tls.Config, svid x509svid.Source, roots *x509.CertPool, opts ...Option)
func HookMTLSWebServerConfig(config *tls.Config, cert *tls.Certificate, bundle x509bundle.Source, ...)
func HookTLSClientConfig(config *tls.Config, bundle x509bundle.Source, authorizer Authorizer, ...)
func HookTLSServerConfig(config *tls.Config, svid x509svid.Source, opts ...Option)
func MTLSClientConfig(svid x509svid.Source, bundle x509bundle.Source, authorizer Authorizer, ...) *tls.Config
func MTLSServerConfig(svid x509svid.Source, bundle x509bundle.Source, authorizer Authorizer, ...) *tls.Config
func MTLSWebClientConfig(svid x509svid.Source, roots *x509.CertPool, opts ...Option) *tls.Config
func MTLSWebServerConfig(cert *tls.Certificate, bundle x509bundle.Source, authorizer Authorizer, ...) *tls.Config
func TLSClientConfig(bundle x509bundle.Source, authorizer Authorizer, opts ...Option) *tls.Config
func TLSServerConfig(svid x509svid.Source, opts ...Option) *tls.Config
func VerifyPeerCertificate(bundle x509bundle.Source, authorizer Authorizer, opts ...Option) func([][]byte, [][]*x509.Certificate) error
func WrapVerifyPeerCertificate(wrapped func([][]byte, [][]*x509.Certificate) error, bundle x509bundle.Source, ...) func([][]byte, [][]*x509.Certificate) error
type Authorizer
- func AdaptMatcher(matcher spiffeid.Matcher) Authorizer
- func AuthorizeAny() Authorizer
- func AuthorizeID(allowed spiffeid.ID) Authorizer
- func AuthorizeMemberOf(allowed spiffeid.TrustDomain) Authorizer
- func AuthorizeOneOf(allowed ...spiffeid.ID) Authorizer
type GetCertificateInfo
type GotCertificateInfo
type Option
- func WithTrace(trace Trace) Option
type Trace

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func GetCertificate ¶

func GetCertificate(svid x509svid.Source, opts ...Option) func(*tls.ClientHelloInfo) (*tls.Certificate, error)

GetCertificate returns a GetCertificate callback for tls.Config. It uses the given X509-SVID getter to obtain a server X509-SVID for the TLS handshake.

func GetClientCertificate ¶

func GetClientCertificate(svid x509svid.Source, opts ...Option) func(*tls.CertificateRequestInfo) (*tls.Certificate, error)

GetClientCertificate returns a GetClientCertificate callback for tls.Config. It uses the given X509-SVID getter to obtain a client X509-SVID for the TLS handshake.

func HookMTLSClientConfig ¶

func HookMTLSClientConfig(config *tls.Config, svid x509svid.Source, bundle x509bundle.Source, authorizer Authorizer, opts ...Option)

HookMTLSClientConfig sets up the TLS configuration to present an X509-SVID to the server and verify and authorize the server X509-SVID. If there is an existing callback set for VerifyPeerCertificate it will be wrapped by this package and invoked after SPIFFE authentication has completed.

func HookMTLSServerConfig ¶

func HookMTLSServerConfig(config *tls.Config, svid x509svid.Source, bundle x509bundle.Source, authorizer Authorizer, opts ...Option)

HookMTLSServerConfig sets up the TLS configuration to present an X509-SVID to the client and require, verify, and authorize the client X509-SVID. If there is an existing callback set for VerifyPeerCertificate it will be wrapped by this package and invoked after SPIFFE authentication has completed.

func HookMTLSWebClientConfig ¶

func HookMTLSWebClientConfig(config *tls.Config, svid x509svid.Source, roots *x509.CertPool, opts ...Option)

HookMTLSWebClientConfig sets up the TLS configuration to present an X509-SVID to the server and verifies the server certificate using the provided roots (or the system roots if nil).

func HookMTLSWebServerConfig ¶

func HookMTLSWebServerConfig(config *tls.Config, cert *tls.Certificate, bundle x509bundle.Source, authorizer Authorizer, opts ...Option)

HookMTLSWebServerConfig sets up the TLS configuration to presents a web server certificate to the client and require, verify, and authorize client X509-SVIDs. If there is an existing callback set for VerifyPeerCertificate it will be wrapped by this package and invoked after SPIFFE authentication has completed.

func HookTLSClientConfig ¶

func HookTLSClientConfig(config *tls.Config, bundle x509bundle.Source, authorizer Authorizer, opts ...Option)

HookTLSClientConfig sets up the TLS configuration to verify and authorize the server X509-SVID. If there is an existing callback set for VerifyPeerCertificate it will be wrapped by this package and invoked after SPIFFE authentication has completed.

func HookTLSServerConfig ¶

func HookTLSServerConfig(config *tls.Config, svid x509svid.Source, opts ...Option)

HookTLSServerConfig sets up the TLS configuration to present an X509-SVID to the client and to not require or verify client certificates.

func MTLSClientConfig ¶

func MTLSClientConfig(svid x509svid.Source, bundle x509bundle.Source, authorizer Authorizer, opts ...Option) *tls.Config

MTLSClientConfig returns a TLS configuration which presents an X509-SVID to the server and verifies and authorizes the server X509-SVID.

func MTLSServerConfig ¶

func MTLSServerConfig(svid x509svid.Source, bundle x509bundle.Source, authorizer Authorizer, opts ...Option) *tls.Config

MTLSServerConfig returns a TLS configuration which presents an X509-SVID to the client and requires, verifies, and authorizes client X509-SVIDs.

Example (FileSource) ¶

package main

import (
	"github.com/accuknox/go-spiffe/v2/bundle/x509bundle"
	"github.com/accuknox/go-spiffe/v2/spiffeid"
	"github.com/accuknox/go-spiffe/v2/spiffetls/tlsconfig"
	"github.com/accuknox/go-spiffe/v2/svid/x509svid"
)

func main() {
	td, err := spiffeid.TrustDomainFromString("example.org")
	if err != nil {
		// TODO: error handling
	}

	svid, err := x509svid.Load("svid.pem", "key.pem")
	if err != nil {
		// TODO: handle error
	}

	bundle, err := x509bundle.Load(td, "cacert.pem")
	if err != nil {
		// TODO: handle error
	}

	config := tlsconfig.MTLSServerConfig(svid, bundle, tlsconfig.AuthorizeMemberOf(td))
	// TODO: use the config
	config = config
}

Output:

Example (WorkloadAPISource) ¶

package main

import (
	"context"

	"github.com/accuknox/go-spiffe/v2/spiffeid"
	"github.com/accuknox/go-spiffe/v2/spiffetls/tlsconfig"
	"github.com/accuknox/go-spiffe/v2/workloadapi"
)

func main() {
	td, err := spiffeid.TrustDomainFromString("example.org")
	if err != nil {
		// TODO: error handling
	}

	source, err := workloadapi.NewX509Source(context.Background(), nil)
	if err != nil {
		// TODO: handle error
	}
	defer source.Close()

	config := tlsconfig.MTLSServerConfig(source, source, tlsconfig.AuthorizeMemberOf(td))
	// TODO: use the config
	config = config
}

Output:

func MTLSWebClientConfig ¶

func MTLSWebClientConfig(svid x509svid.Source, roots *x509.CertPool, opts ...Option) *tls.Config

MTLSWebClientConfig returns a TLS configuration which presents an X509-SVID to the server and verifies the server certificate using provided roots (or the system roots if nil).

func MTLSWebServerConfig ¶

func MTLSWebServerConfig(cert *tls.Certificate, bundle x509bundle.Source, authorizer Authorizer, opts ...Option) *tls.Config

MTLSWebServerConfig returns a TLS configuration which presents a web server certificate to the client and requires, verifies, and authorizes client X509-SVIDs.

func TLSClientConfig ¶

func TLSClientConfig(bundle x509bundle.Source, authorizer Authorizer, opts ...Option) *tls.Config

TLSClientConfig returns a TLS configuration which verifies and authorizes the server X509-SVID.

func TLSServerConfig ¶

func TLSServerConfig(svid x509svid.Source, opts ...Option) *tls.Config

TLSServerConfig returns a TLS configuration which presents an X509-SVID to the client and does not require or verify client certificates.

func VerifyPeerCertificate ¶

func VerifyPeerCertificate(bundle x509bundle.Source, authorizer Authorizer, opts ...Option) func([][]byte, [][]*x509.Certificate) error

VerifyPeerCertificate returns a VerifyPeerCertificate callback for tls.Config. It uses the given bundle source and authorizer to verify and authorize X509-SVIDs provided by peers during the TLS handshake.

func WrapVerifyPeerCertificate ¶

func WrapVerifyPeerCertificate(wrapped func([][]byte, [][]*x509.Certificate) error, bundle x509bundle.Source, authorizer Authorizer, opts ...Option) func([][]byte, [][]*x509.Certificate) error

WrapVerifyPeerCertificate wraps a VerifyPeerCertificate callback, performing SPIFFE authentication against the peer certificates using the given bundle and authorizer. The wrapped callback will be passed the verified chains. Note: TLS clients must set `InsecureSkipVerify` when doing SPIFFE authentication to disable hostname verification.

Types ¶

type Authorizer ¶

type Authorizer func(id spiffeid.ID, verifiedChains [][]*x509.Certificate) error

Authorizer authorizes an X509-SVID given the SPIFFE ID and the chain of trust. The certificate chain starts with the X509-SVID certificate back to an X.509 root for the trust domain.

func AdaptMatcher ¶

func AdaptMatcher(matcher spiffeid.Matcher) Authorizer

AdaptMatcher adapts any spiffeid.Matcher for use as an Authorizer which only authorizes the SPIFFE ID but otherwise ignores the verified chains.

func AuthorizeAny ¶

func AuthorizeAny() Authorizer

AuthorizeAny allows any SPIFFE ID.

func AuthorizeID ¶

func AuthorizeID(allowed spiffeid.ID) Authorizer

AuthorizeID allows a specific SPIFFE ID.

func AuthorizeMemberOf ¶

func AuthorizeMemberOf(allowed spiffeid.TrustDomain) Authorizer

AuthorizeMemberOf allows any SPIFFE ID in the given trust domain.

func AuthorizeOneOf ¶

func AuthorizeOneOf(allowed ...spiffeid.ID) Authorizer

AuthorizeOneOf allows any SPIFFE ID in the given list of IDs.

type GetCertificateInfo ¶

type GetCertificateInfo struct {
}

GetCertificateInfo is an empty placeholder for future expansion

type GotCertificateInfo ¶

type GotCertificateInfo struct {
	Cert *tls.Certificate
	Err  error
}

GotCertificateInfo provides err and TLS certificate info to Trace

type Option ¶

type Option interface {
	// contains filtered or unexported methods
}

A Option changes the defaults used to by mTLS ClientConfig functions.

func WithTrace ¶

func WithTrace(trace Trace) Option

WithTrace will use the provided tracing callbacks when various TLS config functions gets invoked.

type Trace ¶

type Trace struct {
	GetCertificate func(GetCertificateInfo) interface{}
	GotCertificate func(GotCertificateInfo, interface{})
}

Trace is the interface to define what functions are triggered when functions in tlsconfig are called

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL