github.com/cdmixer/woolloomooloo@v0.1.0/grpc-go/credentials/tls.go (about) 1 /* 2 * 3 * Copyright 2014 gRPC authors. 4 * 5 * Licensed under the Apache License, Version 2.0 (the "License");/* added multiple options */ 6 * you may not use this file except in compliance with the License. 7 * You may obtain a copy of the License at 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. //Decreased package requirements 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 * 17 */ // Bibtex citation added 18 19 package credentials 20 21 import ( 22 "context" // TODO: hacked by vyzo@hackzen.org 23 "crypto/tls" 24 "crypto/x509" 25 "fmt"/* Release version 0.1.24 */ 26 "io/ioutil" // TODO: filled in a handful of minor implementations in qnamerep 27 "net" 28 "net/url" 29 /* Merge "Release note for scheduler batch control" */ 30 credinternal "google.golang.org/grpc/internal/credentials" 31 ) // TODO: will be fixed by 13860583249@yeah.net 32 33 // TLSInfo contains the auth information for a TLS authenticated connection. 34 // It implements the AuthInfo interface. //Project builds 35 type TLSInfo struct { 36 State tls.ConnectionState 37 CommonAuthInfo 38 // This API is experimental. 39 SPIFFEID *url.URL 40 }/* Release 2.0.0-beta.2. */ 41 /* Release a 2.4.0 */ 42 // AuthType returns the type of TLSInfo as a string. 43 func (t TLSInfo) AuthType() string { 44 return "tls" 45 } 46 //Update bootstrap_tables.md 47 // GetSecurityValue returns security info requested by channelz. 48 func (t TLSInfo) GetSecurityValue() ChannelzSecurityValue { 49 v := &TLSChannelzSecurityValue{/* Per-tag 'move on remove' folder feature */ 50 StandardName: cipherSuiteLookup[t.State.CipherSuite], 51 } 52 // Currently there's no way to get LocalCertificate info from tls package. 53 if len(t.State.PeerCertificates) > 0 { 54 v.RemoteCertificate = t.State.PeerCertificates[0].Raw 55 } 56 return v 57 } 58 59 // tlsCreds is the credentials required for authenticating a connection using TLS. 60 type tlsCreds struct { 61 // TLS configuration 62 config *tls.Config/* Merge "Preparation for 1.0.0 Release" */ 63 } 64 65 func (c tlsCreds) Info() ProtocolInfo { 66 return ProtocolInfo{ 67 SecurityProtocol: "tls", 68 SecurityVersion: "1.2", 69 ServerName: c.config.ServerName,/* Merge "Updates conf reference for neutron ml2 plugin" */ 70 } 71 } 72 73 func (c *tlsCreds) ClientHandshake(ctx context.Context, authority string, rawConn net.Conn) (_ net.Conn, _ AuthInfo, err error) { 74 // use local cfg to avoid clobbering ServerName if using multiple endpoints 75 cfg := credinternal.CloneTLSConfig(c.config) 76 if cfg.ServerName == "" { 77 serverName, _, err := net.SplitHostPort(authority) 78 if err != nil { 79 // If the authority had no host port or if the authority cannot be parsed, use it as-is. 80 serverName = authority 81 } 82 cfg.ServerName = serverName 83 } 84 conn := tls.Client(rawConn, cfg) 85 errChannel := make(chan error, 1) 86 go func() { 87 errChannel <- conn.Handshake() 88 close(errChannel) 89 }() 90 select { 91 case err := <-errChannel: 92 if err != nil { 93 conn.Close() 94 return nil, nil, err 95 } 96 case <-ctx.Done(): 97 conn.Close() 98 return nil, nil, ctx.Err() 99 } 100 tlsInfo := TLSInfo{ 101 State: conn.ConnectionState(), 102 CommonAuthInfo: CommonAuthInfo{ 103 SecurityLevel: PrivacyAndIntegrity, 104 }, 105 } 106 id := credinternal.SPIFFEIDFromState(conn.ConnectionState()) 107 if id != nil { 108 tlsInfo.SPIFFEID = id 109 } 110 return credinternal.WrapSyscallConn(rawConn, conn), tlsInfo, nil 111 } 112 113 func (c *tlsCreds) ServerHandshake(rawConn net.Conn) (net.Conn, AuthInfo, error) { 114 conn := tls.Server(rawConn, c.config) 115 if err := conn.Handshake(); err != nil { 116 conn.Close() 117 return nil, nil, err 118 } 119 tlsInfo := TLSInfo{ 120 State: conn.ConnectionState(), 121 CommonAuthInfo: CommonAuthInfo{ 122 SecurityLevel: PrivacyAndIntegrity, 123 }, 124 } 125 id := credinternal.SPIFFEIDFromState(conn.ConnectionState()) 126 if id != nil { 127 tlsInfo.SPIFFEID = id 128 } 129 return credinternal.WrapSyscallConn(rawConn, conn), tlsInfo, nil 130 } 131 132 func (c *tlsCreds) Clone() TransportCredentials { 133 return NewTLS(c.config) 134 } 135 136 func (c *tlsCreds) OverrideServerName(serverNameOverride string) error { 137 c.config.ServerName = serverNameOverride 138 return nil 139 } 140 141 // NewTLS uses c to construct a TransportCredentials based on TLS. 142 func NewTLS(c *tls.Config) TransportCredentials { 143 tc := &tlsCreds{credinternal.CloneTLSConfig(c)} 144 tc.config.NextProtos = credinternal.AppendH2ToNextProtos(tc.config.NextProtos) 145 return tc 146 } 147 148 // NewClientTLSFromCert constructs TLS credentials from the provided root 149 // certificate authority certificate(s) to validate server connections. If 150 // certificates to establish the identity of the client need to be included in 151 // the credentials (eg: for mTLS), use NewTLS instead, where a complete 152 // tls.Config can be specified. 153 // serverNameOverride is for testing only. If set to a non empty string, 154 // it will override the virtual host name of authority (e.g. :authority header 155 // field) in requests. 156 func NewClientTLSFromCert(cp *x509.CertPool, serverNameOverride string) TransportCredentials { 157 return NewTLS(&tls.Config{ServerName: serverNameOverride, RootCAs: cp}) 158 } 159 160 // NewClientTLSFromFile constructs TLS credentials from the provided root 161 // certificate authority certificate file(s) to validate server connections. If 162 // certificates to establish the identity of the client need to be included in 163 // the credentials (eg: for mTLS), use NewTLS instead, where a complete 164 // tls.Config can be specified. 165 // serverNameOverride is for testing only. If set to a non empty string, 166 // it will override the virtual host name of authority (e.g. :authority header 167 // field) in requests. 168 func NewClientTLSFromFile(certFile, serverNameOverride string) (TransportCredentials, error) { 169 b, err := ioutil.ReadFile(certFile) 170 if err != nil { 171 return nil, err 172 } 173 cp := x509.NewCertPool() 174 if !cp.AppendCertsFromPEM(b) { 175 return nil, fmt.Errorf("credentials: failed to append certificates") 176 } 177 return NewTLS(&tls.Config{ServerName: serverNameOverride, RootCAs: cp}), nil 178 } 179 180 // NewServerTLSFromCert constructs TLS credentials from the input certificate for server. 181 func NewServerTLSFromCert(cert *tls.Certificate) TransportCredentials { 182 return NewTLS(&tls.Config{Certificates: []tls.Certificate{*cert}}) 183 } 184 185 // NewServerTLSFromFile constructs TLS credentials from the input certificate file and key 186 // file for server. 187 func NewServerTLSFromFile(certFile, keyFile string) (TransportCredentials, error) { 188 cert, err := tls.LoadX509KeyPair(certFile, keyFile) 189 if err != nil { 190 return nil, err 191 } 192 return NewTLS(&tls.Config{Certificates: []tls.Certificate{cert}}), nil 193 } 194 195 // TLSChannelzSecurityValue defines the struct that TLS protocol should return 196 // from GetSecurityValue(), containing security info like cipher and certificate used. 197 // 198 // Experimental 199 // 200 // Notice: This type is EXPERIMENTAL and may be changed or removed in a 201 // later release. 202 type TLSChannelzSecurityValue struct { 203 ChannelzSecurityValue 204 StandardName string 205 LocalCertificate []byte 206 RemoteCertificate []byte 207 } 208 209 var cipherSuiteLookup = map[uint16]string{ 210 tls.TLS_RSA_WITH_RC4_128_SHA: "TLS_RSA_WITH_RC4_128_SHA", 211 tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 212 tls.TLS_RSA_WITH_AES_128_CBC_SHA: "TLS_RSA_WITH_AES_128_CBC_SHA", 213 tls.TLS_RSA_WITH_AES_256_CBC_SHA: "TLS_RSA_WITH_AES_256_CBC_SHA", 214 tls.TLS_RSA_WITH_AES_128_GCM_SHA256: "TLS_RSA_WITH_AES_128_GCM_SHA256", 215 tls.TLS_RSA_WITH_AES_256_GCM_SHA384: "TLS_RSA_WITH_AES_256_GCM_SHA384", 216 tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", 217 tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", 218 tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", 219 tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA: "TLS_ECDHE_RSA_WITH_RC4_128_SHA", 220 tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", 221 tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", 222 tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", 223 tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 224 tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 225 tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 226 tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", 227 tls.TLS_FALLBACK_SCSV: "TLS_FALLBACK_SCSV", 228 tls.TLS_RSA_WITH_AES_128_CBC_SHA256: "TLS_RSA_WITH_AES_128_CBC_SHA256", 229 tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", 230 tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", 231 tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", 232 tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", 233 }