github.com/hxx258456/ccgo@v0.0.5-0.20230213014102-48b35f46f66f/grpc/internal/credentials/spiffe.go (about) 1 /* 2 * 3 * Copyright 2020 gRPC authors. 4 * 5 * Licensed under the Apache License, Version 2.0 (the "License"); 6 * you may not use this file except in compliance with the License. 7 * You may obtain a copy of the License at 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 * 17 */ 18 19 // Package credentials defines APIs for parsing SPIFFE ID. 20 // 21 // All APIs in this package are experimental. 22 package credentials 23 24 import ( 25 "net/url" 26 27 "github.com/hxx258456/ccgo/x509" 28 29 tls "github.com/hxx258456/ccgo/gmtls" 30 31 "github.com/hxx258456/ccgo/grpc/grpclog" 32 ) 33 34 var logger = grpclog.Component("credentials") 35 36 // SPIFFEIDFromState parses the SPIFFE ID from State. If the SPIFFE ID format 37 // is invalid, return nil with warning. 38 func SPIFFEIDFromState(state tls.ConnectionState) *url.URL { 39 if len(state.PeerCertificates) == 0 || len(state.PeerCertificates[0].URIs) == 0 { 40 return nil 41 } 42 return SPIFFEIDFromCert(state.PeerCertificates[0]) 43 } 44 45 // SPIFFEIDFromCert parses the SPIFFE ID from x509.Certificate. If the SPIFFE 46 // ID format is invalid, return nil with warning. 47 func SPIFFEIDFromCert(cert *x509.Certificate) *url.URL { 48 if cert == nil || cert.URIs == nil { 49 return nil 50 } 51 var spiffeID *url.URL 52 for _, uri := range cert.URIs { 53 if uri == nil || uri.Scheme != "spiffe" || uri.Opaque != "" || (uri.User != nil && uri.User.Username() != "") { 54 continue 55 } 56 // From this point, we assume the uri is intended for a SPIFFE ID. 57 if len(uri.String()) > 2048 { 58 logger.Warning("invalid SPIFFE ID: total ID length larger than 2048 bytes") 59 return nil 60 } 61 if len(uri.Host) == 0 || len(uri.Path) == 0 { 62 logger.Warning("invalid SPIFFE ID: domain or workload ID is empty") 63 return nil 64 } 65 if len(uri.Host) > 255 { 66 logger.Warning("invalid SPIFFE ID: domain length larger than 255 characters") 67 return nil 68 } 69 // A valid SPIFFE certificate can only have exactly one URI SAN field. 70 if len(cert.URIs) > 1 { 71 logger.Warning("invalid SPIFFE ID: multiple URI SANs") 72 return nil 73 } 74 spiffeID = uri 75 } 76 return spiffeID 77 }