advancedtls

package module
v0.0.0-...-9cf408e Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 18, 2024 License: Apache-2.0 Imports: 25 Imported by: 12

Documentation

Overview

Package advancedtls is a utility library containing functions to construct credentials.TransportCredentials that can perform credential reloading and custom verification check.

Index

Constants

View Source 
const (
	// RevocationUndetermined means we couldn't find or verify a CRL for the cert.
	RevocationUndetermined revocationStatus = iota
	// RevocationUnrevoked means we found the CRL for the cert and the cert is not revoked.
	RevocationUnrevoked
	// RevocationRevoked means we found the CRL and the cert is revoked.
	RevocationRevoked
)

Variables

This section is empty.

Functions

func NewClientCreds 

func NewClientCreds(o *ClientOptions) (credentials.TransportCredentials, error)

NewClientCreds uses ClientOptions to construct a TransportCredentials based on TLS.

func NewServerCreds 

func NewServerCreds(o *ServerOptions) (credentials.TransportCredentials, error)

NewServerCreds uses ServerOptions to construct a TransportCredentials based on TLS.

Types

type CRL 

type CRL struct {
	// contains filtered or unexported fields
}

CRL contains a pkix.CertificateList and parsed extensions that aren't provided by the golang CRL parser. All CRLs should be loaded using NewCRL() for bytes directly or ReadCRLFile() to read directly from a filepath

func NewCRL 

func NewCRL(b []byte) (*CRL, error)

NewCRL constructs new CRL from the provided byte array.

func ReadCRLFile 

func ReadCRLFile(path string) (*CRL, error)

ReadCRLFile reads a file from the provided path, and returns constructed CRL struct from it.

type CRLProvider 

type CRLProvider interface {
	// CRL accepts x509 Cert and returns a related CRL struct, which can contain
	// either an empty or non-empty list of revoked certificates. If an error is
	// thrown or (nil, nil) is returned, it indicates that we can't load any
	// authoritative CRL files (which may not necessarily be a problem). It's not
	// considered invalid to have no CRLs if there are no revocations for an
	// issuer. In such cases, the status of the check CRL operation is marked as
	// RevocationUndetermined, as defined in [RFC5280 - Undetermined].
	//
	// [RFC5280 - Undetermined]: https://datatracker.ietf.org/doc/html/rfc5280#section-6.3.3
	CRL(cert *x509.Certificate) (*CRL, error)
}

CRLProvider is the interface to be implemented to enable custom CRL provider behavior, as defined in gRFC A69.

The interface defines how gRPC gets CRLs from the provider during handshakes, but doesn't prescribe a specific way to load and store CRLs. Such implementations can be used in RevocationConfig of advancedtls.ClientOptions and/or advancedtls.ServerOptions. Please note that checking CRLs is directly on the path of connection establishment, so implementations of the CRL function need to be fast, and slow things such as file IO should be done asynchronously.

type Cache 

type Cache interface {
	// Add adds a value to the cache.
	Add(key, value any) bool
	// Get looks up a key's value from the cache.
	Get(key any) (value any, ok bool)
}

Cache is an interface to cache CRL files. The cache implementation must be concurrency safe. A fixed size lru cache from golang-lru is recommended.

type ClientOptions 

type ClientOptions struct {
	// IdentityOptions is OPTIONAL on client side. This field only needs to be
	// set if mutual authentication is required on server side.
	IdentityOptions IdentityCertificateOptions
	// VerifyPeer is a custom verification check after certificate signature
	// check.
	// If this is set, we will perform this customized check after doing the
	// normal check(s) indicated by setting VType.
	VerifyPeer CustomVerificationFunc
	// RootOptions is OPTIONAL on client side. If not set, we will try to use the
	// default trust certificates in users' OS system.
	RootOptions RootCertificateOptions
	// VType is the verification type on the client side.
	VType VerificationType
	// RevocationConfig is the configurations for certificate revocation checks.
	// It could be nil if such checks are not needed.
	RevocationConfig *RevocationConfig
	// MinVersion contains the minimum TLS version that is acceptable.
	// By default, TLS 1.2 is currently used as the minimum when acting as a
	// client, and TLS 1.0 when acting as a server. TLS 1.0 is the minimum
	// supported by this package, both as a client and as a server.
	MinVersion uint16
	// MaxVersion contains the maximum TLS version that is acceptable.
	// By default, the maximum version supported by this package is used,
	// which is currently TLS 1.3.
	MaxVersion uint16
	// contains filtered or unexported fields
}

ClientOptions contains the fields needed to be filled by the client.

type CustomVerificationFunc 

type CustomVerificationFunc func(params *VerificationFuncParams) (*VerificationResults, error)

CustomVerificationFunc is the function defined by users to perform custom verification check. CustomVerificationFunc returns nil if the authorization fails; otherwise returns an empty struct.

type FileWatcherCRLProvider 

type FileWatcherCRLProvider struct {
	// contains filtered or unexported fields
}

FileWatcherCRLProvider implements the CRLProvider interface by periodically scanning CRLDirectory (see FileWatcherOptions) and storing CRL structs in-memory. Users should call Close to stop the background refresh of CRLDirectory.

func NewFileWatcherCRLProvider 

func NewFileWatcherCRLProvider(o FileWatcherOptions) (*FileWatcherCRLProvider, error)

NewFileWatcherCRLProvider returns a new instance of the FileWatcherCRLProvider. It uses FileWatcherOptions to validate and apply configuration required for creating a new instance. The initial scan of CRLDirectory is performed inside this function. Users should call Close to stop the background refresh of CRLDirectory.

func (*FileWatcherCRLProvider) CRL 

func (p *FileWatcherCRLProvider) CRL(cert *x509.Certificate) (*CRL, error)

CRL retrieves the CRL associated with the given certificate's issuer DN from in-memory if it was loaded during FileWatcherOptions.CRLDirectory scan before the execution of this function.

func (*FileWatcherCRLProvider) Close 

func (p *FileWatcherCRLProvider) Close()

Close waits till the background refresh of CRLDirectory of FileWatcherCRLProvider is done and then stops it.

type FileWatcherOptions 

type FileWatcherOptions struct {
	CRLDirectory               string          // Path of the directory containing CRL files
	RefreshDuration            time.Duration   // Time interval (default value is 1 hour) between CRLDirectory scans, can't be smaller than 1 minute
	CRLReloadingFailedCallback func(err error) // Custom callback executed when a CRL file can’t be processed
}

FileWatcherOptions represents a data structure holding a configuration for FileWatcherCRLProvider.

type GetRootCAsParams 

type GetRootCAsParams struct {
	RawConn  net.Conn
	RawCerts [][]byte
}

GetRootCAsParams contains the parameters available to users when implementing GetRootCAs.

type GetRootCAsResults 

type GetRootCAsResults struct {
	TrustCerts *x509.CertPool
}

GetRootCAsResults contains the results of GetRootCAs. If users want to reload the root trust certificate, it is required to return the proper TrustCerts in GetRootCAs.

type IdentityCertificateOptions 

type IdentityCertificateOptions struct {
	// If Certificates is set, it will be used every time when needed to present
	//identity certificates, without performing identity certificate reloading.
	Certificates []tls.Certificate
	// If GetIdentityCertificatesForClient is set, it will be invoked to obtain
	// identity certs for every new connection.
	// This field MUST be set on client side.
	GetIdentityCertificatesForClient func(*tls.CertificateRequestInfo) (*tls.Certificate, error)
	// If GetIdentityCertificatesForServer is set, it will be invoked to obtain
	// identity certs for every new connection.
	// This field MUST be set on server side.
	GetIdentityCertificatesForServer func(*tls.ClientHelloInfo) ([]*tls.Certificate, error)
	// If IdentityProvider is set, we will use the identity certs from the
	// Provider's KeyMaterial() call in the new connections. The Provider must
	// have initial credentials if specified. Otherwise, KeyMaterial() will block
	// forever.
	IdentityProvider certprovider.Provider
}

IdentityCertificateOptions contains options to obtain identity certificates for both the client and the server. At most one option could be set.

type RevocationConfig 

type RevocationConfig struct {
	// RootDir is the directory to search for CRL files.
	// Directory format must match OpenSSL X509_LOOKUP_hash_dir(3).
	// Deprecated: use CRLProvider instead.
	RootDir string
	// AllowUndetermined controls if certificate chains with RevocationUndetermined
	// revocation status are allowed to complete.
	AllowUndetermined bool
	// Cache will store CRL files if not nil, otherwise files are reloaded for every lookup.
	// Only used for caching CRLs when using the RootDir setting.
	// Deprecated: use CRLProvider instead.
	Cache Cache
	// CRLProvider is an alternative to using RootDir directly for the
	// X509_LOOKUP_hash_dir approach to CRL files. If set, the CRLProvider's CRL
	// function will be called when looking up and fetching CRLs during the
	// handshake.
	CRLProvider CRLProvider
}

RevocationConfig contains options for CRL lookup.

type RootCertificateOptions 

type RootCertificateOptions struct {
	// If RootCACerts is set, it will be used every time when verifying
	// the peer certificates, without performing root certificate reloading.
	RootCACerts *x509.CertPool
	// If GetRootCertificates is set, it will be invoked to obtain root certs for
	// every new connection.
	GetRootCertificates func(params *GetRootCAsParams) (*GetRootCAsResults, error)
	// If RootProvider is set, we will use the root certs from the Provider's
	// KeyMaterial() call in the new connections. The Provider must have initial
	// credentials if specified. Otherwise, KeyMaterial() will block forever.
	RootProvider certprovider.Provider
}

RootCertificateOptions contains options to obtain root trust certificates for both the client and the server. At most one option could be set. If none of them are set, we use the system default trust certificates.

type ServerOptions 

type ServerOptions struct {
	// IdentityOptions is REQUIRED on server side.
	IdentityOptions IdentityCertificateOptions
	// VerifyPeer is a custom verification check after certificate signature
	// check.
	// If this is set, we will perform this customized check after doing the
	// normal check(s) indicated by setting VType.
	VerifyPeer CustomVerificationFunc
	// RootOptions is OPTIONAL on server side. This field only needs to be set if
	// mutual authentication is required(RequireClientCert is true).
	RootOptions RootCertificateOptions
	// If the server want the client to send certificates.
	RequireClientCert bool
	// VType is the verification type on the server side.
	VType VerificationType
	// RevocationConfig is the configurations for certificate revocation checks.
	// It could be nil if such checks are not needed.
	RevocationConfig *RevocationConfig
	// MinVersion contains the minimum TLS version that is acceptable.
	// By default, TLS 1.2 is currently used as the minimum when acting as a
	// client, and TLS 1.0 when acting as a server. TLS 1.0 is the minimum
	// supported by this package, both as a client and as a server.
	MinVersion uint16
	// MaxVersion contains the maximum TLS version that is acceptable.
	// By default, the maximum version supported by this package is used,
	// which is currently TLS 1.3.
	MaxVersion uint16
}

ServerOptions contains the fields needed to be filled by the server.

type StaticCRLProvider 

type StaticCRLProvider struct {
	// contains filtered or unexported fields
}

StaticCRLProvider implements CRLProvider interface by accepting raw content of CRL files at creation time and storing parsed CRL structs in-memory.

func NewStaticCRLProvider 

func NewStaticCRLProvider(rawCRLs [][]byte) *StaticCRLProvider

NewStaticCRLProvider processes raw content of CRL files, adds parsed CRL structs into in-memory, and returns a new instance of the StaticCRLProvider.

func (*StaticCRLProvider) CRL 

func (p *StaticCRLProvider) CRL(cert *x509.Certificate) (*CRL, error)

CRL returns CRL struct if it was passed to NewStaticCRLProvider.

type VerificationFuncParams 

type VerificationFuncParams struct {
	// The target server name that the client connects to when establishing the
	// connection. This field is only meaningful for client side. On server side,
	// this field would be an empty string.
	ServerName string
	// The raw certificates sent from peer.
	RawCerts [][]byte
	// The verification chain obtained by checking peer RawCerts against the
	// trust certificate bundle(s), if applicable.
	VerifiedChains [][]*x509.Certificate
	// The leaf certificate sent from peer, if choosing to verify the peer
	// certificate(s) and that verification passed. This field would be nil if
	// either user chose not to verify or the verification failed.
	Leaf *x509.Certificate
}

VerificationFuncParams contains parameters available to users when implementing CustomVerificationFunc. The fields in this struct are read-only.

type VerificationResults 

type VerificationResults struct{}

VerificationResults contains the information about results of CustomVerificationFunc. VerificationResults is an empty struct for now. It may be extended in the future to include more information.

type VerificationType 

type VerificationType int

VerificationType is the enum type that represents different levels of verification users could set, both on client side and on server side. 

const (
	// CertAndHostVerification indicates doing both certificate signature check
	// and hostname check.
	CertAndHostVerification VerificationType = iota
	// CertVerification indicates doing certificate signature check only. Setting
	// this field without proper custom verification check would leave the
	// application susceptible to the MITM attack.
	CertVerification
	// SkipVerification indicates skipping both certificate signature check and
	// hostname check. If setting this field, proper custom verification needs to
	// be implemented in order to complete the authentication. Setting this field
	// with a nil custom verification would raise an error.
	SkipVerification
)

Source Files

View all Source files

Directories

Path Synopsis
examples module
internal
testutils
Package testutils contains helper functions for advancedtls.
 Package testutils contains helper functions for advancedtls.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.