grpc: google.golang.org/grpc/security/advancedtls

package advancedtls

import "google.golang.org/grpc/security/advancedtls"

Package advancedtls is a utility library containing functions to construct credentials.TransportCredentials that can perform credential reloading and custom server authorization.

Index

Package Files

advancedtls.go

func NewClient

func NewClient(o *ClientOptions) (credentials.TransportCredentials, error)

NewClient uses ClientOptions to construct a TransportCredentials based on TLS.

func NewServer

func NewServer(o *ServerOptions) (credentials.TransportCredentials, error)

NewServer uses ServerOptions to construct a TransportCredentials based on TLS.

func WrapSyscallConn

func WrapSyscallConn(rawConn, newConn net.Conn) net.Conn

WrapSyscallConn tries to wrap rawConn and newConn into a net.Conn that implements syscall.Conn. rawConn will be used to support syscall, and newConn will be used for read/write.

This function returns newConn if rawConn doesn't implement syscall.Conn.

type ClientOptions

type ClientOptions struct {
    // If field Certificates is set, field GetClientCertificate will be ignored. The client will use
    // Certificates every time when asked for a certificate, without performing certificate reloading.
    Certificates []tls.Certificate
    // If GetClientCertificate is set and Certificates is nil, the client will invoke this
    // function every time asked to present certificates to the server when a new connection is
    // established. This is known as peer certificate reloading.
    GetClientCertificate func(*tls.CertificateRequestInfo) (*tls.Certificate, error)
    // VerifyPeer is a custom server authorization check that runs after the
    // certificate chain has been verified. If it is set, it replaces the default
    // hostname check entirely, so the function itself must decide whether the
    // peer's verified identity is acceptable. If it is nil, the default hostname
    // check is used.
    VerifyPeer CustomVerificationFunc
    // ServerNameOverride is for testing only. If set to a non-empty string,
    // it will override the virtual host name of authority (e.g. :authority header field) in requests.
    ServerNameOverride string
    RootCertificateOptions
}

ClientOptions contains all the fields and functions that need to be filled in by the client.

General rules for certificate settings on the client side: Certificates or GetClientCertificate specifies the certificates the client sends to the server to prove the client's identity. The rules for setting these two fields are:

If the server requires mutual authentication:

    Either Certificates or GetClientCertificate must be set; the other will be ignored.

Otherwise:

    Nothing is needed (the two fields will be ignored).

type CustomVerificationFunc

type CustomVerificationFunc func(params *VerificationFuncParams) (*VerificationResults, error)

CustomVerificationFunc is the function defined by users to perform custom server authorization. It returns a non-nil error if the authorization fails; otherwise it returns an empty VerificationResults and a nil error. Because setting VerifyPeer replaces the default hostname check, the function is responsible for deciding whether the verified peer identity (the leaf of VerifiedChains in VerificationFuncParams) is one the client should talk to.
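The check below is an added example, not code from grpc-go: a VerifyPeer-style authorization that replaces the hostname check with an allowlist of SPIFFE IDs carried as URI SANs. The allowlist values, the function names and the constructed leaf certificates are assumptions made for this example. Because the TLS stack has already validated the chain, the function only inspects VerifiedChains and fails closed when that chain is absent, rather than falling back to RawCerts.

```go
package main

import (
	"crypto/x509"
	"errors"
	"fmt"
	"net/url"
)

// allowedServerIDs is the authorization policy: the workload identities
// (SPIFFE IDs carried as URI SANs) this client is willing to talk to.
// Hypothetical values constructed for this example.
var allowedServerIDs = map[string]bool{
	"spiffe://example.org/ns/prod/sa/payments": true,
}

// verifyServerIdentity is the check a VerifyPeer function must do itself,
// because setting VerifyPeer replaces the default hostname verification.
// It runs after the TLS stack has validated the chain against the trust
// roots, so verifiedChains[0][0] is a leaf whose signature chains to a
// trusted root; the only question left is whether that identity is one we
// authorize. Wire it into ClientOptions as
//
//	VerifyPeer: func(p *advancedtls.VerificationFuncParams) (*advancedtls.VerificationResults, error) {
//		return &advancedtls.VerificationResults{}, verifyServerIdentity(p.VerifiedChains)
//	},
func verifyServerIdentity(verifiedChains [][]*x509.Certificate) error {
	// Fail closed: with no verified chain there is nothing trustworthy to
	// authorize on, and RawCerts must never be used as a substitute.
	if len(verifiedChains) == 0 || len(verifiedChains[0]) == 0 {
		return errors.New("authorization: no verified certificate chain")
	}
	leaf := verifiedChains[0][0]
	for _, u := range leaf.URIs {
		if u.Scheme == "spiffe" && allowedServerIDs[u.String()] {
			return nil
		}
	}
	return fmt.Errorf("authorization: peer identity %v not in allowlist", leaf.URIs)
}

// leafWithID builds an already-parsed leaf carrying one URI SAN, standing in
// for what the TLS stack would pass in VerifiedChains (constructed input).
func leafWithID(spiffeID string) *x509.Certificate {
	u, err := url.Parse(spiffeID)
	if err != nil {
		panic(err)
	}
	return &x509.Certificate{URIs: []*url.URL{u}}
}

func main() {
	for _, id := range []string{
		"spiffe://example.org/ns/prod/sa/payments",
		"spiffe://example.org/ns/dev/sa/payments",
	} {
		fmt.Printf("%s -> %v\n", id, verifyServerIdentity([][]*x509.Certificate{{leafWithID(id)}}))
	}
	fmt.Printf("no chain -> %v\n", verifyServerIdentity(nil))
}
```

The allowlist is exact-match on the full SPIFFE ID; matching on a prefix or on the host part alone would let any workload in the trust domain impersonate the intended server.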

type GetRootCAsParams

type GetRootCAsParams struct {
    RawConn  net.Conn
    RawCerts [][]byte
}

GetRootCAsParams contains the parameters available to users when implementing GetRootCAs.

type GetRootCAsResults

type GetRootCAsResults struct {
    TrustCerts *x509.CertPool
}

GetRootCAsResults contains the results of GetRootCAs. If users want to reload the root trust certificate, it is required to return the proper TrustCerts in GetRootCAs.

type RootCertificateOptions

type RootCertificateOptions struct {
    // If field RootCACerts is set, field GetRootCAs will be ignored. RootCACerts will be used
    // every time when verifying the peer certificates, without performing root certificate reloading.
    RootCACerts *x509.CertPool
    // If GetRootCAs is set and RootCACerts is nil, GetRootCAs will be invoked every time
    // asked to check certificates sent from the server when a new connection is established.
    // This is known as root CA certificate reloading.
    GetRootCAs func(params *GetRootCAsParams) (*GetRootCAsResults, error)
}

RootCertificateOptions contains a field and a function for obtaining root trust certificates. It is used by both ClientOptions and ServerOptions. Note that RootCertificateOptions is required to be correctly set on the client side; on the server side, it is only required when mutual TLS is enabled (RequireClientCert in ServerOptions is true).
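The reloader below is an added example, not code from grpc-go, of what sits behind a GetRootCAs callback: it re-reads a PEM bundle from disk when the file changes and never hands back an empty pool. The type and function names, the file layout and the self-signed test CA are assumptions made for this example. To plug it into RootCertificateOptions, return its pool from GetRootCAs as `&advancedtls.GetRootCAsResults{TrustCerts: pool}` and propagate its error unchanged, so a broken bundle fails the handshake instead of silently trusting nothing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"sync"
	"time"
)

// rootReloader is a hypothetical helper behind a GetRootCAs callback: it
// re-reads a PEM bundle whenever the file changes, so a CA rotation takes
// effect on the next handshake without a restart.
type rootReloader struct {
	path    string
	mu      sync.Mutex // GetRootCAs is called per connection, concurrently
	modTime time.Time
	pool    *x509.CertPool
}

// Get returns the current pool, reloading only when the bundle's mtime moved.
// It fails closed: a missing, unreadable or certificate-free bundle is an
// error (the handshake fails) rather than an empty pool that trusts nothing.
func (r *rootReloader) Get() (*x509.CertPool, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	info, err := os.Stat(r.path)
	if err != nil {
		return nil, fmt.Errorf("root bundle: %w", err)
	}
	if r.pool != nil && info.ModTime().Equal(r.modTime) {
		return r.pool, nil
	}
	data, err := os.ReadFile(r.path)
	if err != nil {
		return nil, fmt.Errorf("root bundle: %w", err)
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(data) {
		return nil, fmt.Errorf("root bundle %s: no CA certificates parsed", r.path)
	}
	r.pool, r.modTime = pool, info.ModTime()
	return pool, nil
}

// mustCA mints a throwaway self-signed CA in PEM form (test fixture only).
func mustCA(cn string) []byte {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	check(err)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// trusts reports whether pool accepts certPEM as a root of trust.
func trusts(pool *x509.CertPool, certPEM []byte) bool {
	block, _ := pem.Decode(certPEM)
	cert, err := x509.ParseCertificate(block.Bytes)
	check(err)
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

// demoRotation loads a bundle, then swaps in a new CA the way an operator
// rotating roots would, and reports whether the reloader followed.
func demoRotation(dir string) (oldBefore, oldAfter, newAfter bool) {
	path := dir + "/roots.pem"
	oldCA, newCA := mustCA("Old Root"), mustCA("New Root")
	check(os.WriteFile(path, oldCA, 0o600))
	r := &rootReloader{path: path}
	pool1, err := r.Get()
	check(err)
	oldBefore = trusts(pool1, oldCA)
	check(os.WriteFile(path, newCA, 0o600))
	// Bump mtime explicitly: coarse filesystem timestamps could otherwise hide the rewrite.
	later := time.Now().Add(5 * time.Second)
	check(os.Chtimes(path, later, later))
	pool2, err := r.Get()
	check(err)
	return oldBefore, trusts(pool2, oldCA), trusts(pool2, newCA)
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	fmt.Println(demoRotation(os.TempDir()))
}
```

Keying the reload on mtime keeps the per-handshake cost to one stat call; if the bundle is rewritten in place rather than atomically renamed, a reader can observe a half-written file, which this code reports as an error for that handshake and retries on the next one because modTime is only advanced after a successful parse.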

type ServerOptions

type ServerOptions struct {
    // If field Certificates is set, field GetCertificate will be ignored. The server will use
    // Certificates every time when asked for a certificate, without performing certificate reloading.
    Certificates []tls.Certificate
    // If GetCertificate is set and Certificates is nil, the server will invoke this
    // function every time asked to present certificates to the client when a new connection is
    // established. This is known as peer certificate reloading.
    GetCertificate func(*tls.ClientHelloInfo) (*tls.Certificate, error)
    RootCertificateOptions
    // If the server wants the client to send certificates.
    RequireClientCert bool
}

ServerOptions contains all the fields and functions that need to be filled in by the server. General rules for certificate settings on the server side: Certificates or GetCertificate specifies the certificates the server sends to the client to prove the server's identity. The rules for setting these two fields are: Either Certificates or GetCertificate must be set; the other will be ignored.

type VerificationFuncParams

type VerificationFuncParams struct {
    ServerName     string
    RawCerts       [][]byte
    VerifiedChains [][]*x509.Certificate
}

VerificationFuncParams contains the parameters available to users when implementing CustomVerificationFunc.

type VerificationResults

type VerificationResults struct{}

VerificationResults contains the information about results of CustomVerificationFunc. VerificationResults is an empty struct for now. It may be extended in the future to include more information.

Package advancedtls imports 8 packages. Updated 2020-01-15.