Make public the necessary functions and types to allow other packages to register identity and roots providers.
- Types `CertificatePrimitive` and `RootsPrimitive`
- Driver registration functions: `RegisterIdentityDriver`, `RegisterRootDriver`
- `newDialContextFunc` -> `MakeDialContextFunc`
- `newTlsCertificate` -> `MakeTlsCertificate`
var identityDrivers []*identityDriver
-func registerIdentityDriver(name string, load identityLoaderFunc) {
+func RegisterIdentityDriver(name string, load identityLoaderFunc) {
driver := &identityDriver{
name: name,
load: load,
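Review bot: RegisterIdentityDriver is now callable from any importing package, yet the visible part of its body builds the driver record without checking whether `name` is already registered, so a second registration under an existing name (including the names this package itself registers in its init, such as `"file_service_global"`) would coexist with the first and which one wins would depend on lookup code outside this hunk. Since registration happens at init time, the conventional fix is to fail loudly on a collision, e.g. `for _, d := range identityDrivers { if d.name == name { panic("mtls: identity driver already registered: " + name) } }`, and the same check belongs in RegisterRootDriver, whose body runs past the end of this page. As an exported function it also needs a doc comment starting with its name, e.g. `// RegisterIdentityDriver makes load available under name for selecting an identity provider; it is intended to be called from an init function.` The function body continues outside the hunk.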
return identityIsValid(id.CertificateProvider)
}
-func identityIsValid(id certificatePrimitive) bool {
+func identityIsValid(id CertificatePrimitive) bool {
cert, err := id.LeafCertificate()
if err != nil {
return false
}
func (a *anonymousIdentity) NewDialContextFunc() DialContextFunc {
- return newDialContextFunc(a)
+ return MakeDialContextFunc(a)
}
-func (a *anonymousIdentity) newTlsCertificate() (*tls.Certificate, error) {
+func (a *anonymousIdentity) NewTlsCertificate() (*tls.Certificate, error) {
return nil, nil
}
}
func (c *FileBackedCertificate) GetCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
- return c.newTlsCertificate()
+ return c.NewTlsCertificate()
}
func (c *FileBackedCertificate) GetClientCertificate(reqInfo *tls.CertificateRequestInfo) (*tls.Certificate, error) {
- return c.newTlsCertificate()
+ return c.NewTlsCertificate()
}
-func (c *FileBackedCertificate) newTlsCertificate() (*tls.Certificate, error) {
- return newTlsCertificate(c)
+func (c *FileBackedCertificate) NewTlsCertificate() (*tls.Certificate, error) {
+ return MakeTlsCertificate(c)
}
func (c *FileBackedCertificate) NewDialContextFunc() DialContextFunc {
- return newDialContextFunc(c)
+ return MakeDialContextFunc(c)
}
func (c *FileBackedCertificate) notifyEvent(filePath string, op fsnotify.Op) {
flag.StringVar(&sslCertsBaseDir, "tls.certs-dir", sslCertsBaseDir, "directory to look under for public-site SSL certificates (NOT mTLS certs)")
flag.Func("mtls.certs-dir", "additional directory to search for mTLS certificates", appendMtlsCertificateDir)
- registerIdentityDriver("file_service_global", func(serviceName string) (CertificateProvider, error) {
+ RegisterIdentityDriver("file_service_global", func(serviceName string) (CertificateProvider, error) {
return LoadServiceIdentityFromFilesystem(serviceName)
})
- registerIdentityDriver("file_service_csi_spiffe", func(serviceName string) (CertificateProvider, error) {
+ RegisterIdentityDriver("file_service_csi_spiffe", func(serviceName string) (CertificateProvider, error) {
return LoadServiceIdentityFromKubernetesCSIDriverSPIFFE(serviceName)
})
- registerIdentityDriver("file_user_home", func(_ string) (CertificateProvider, error) {
+ RegisterIdentityDriver("file_user_home", func(_ string) (CertificateProvider, error) {
return LoadUserIdentityFromFilesystem()
})
- registerRootDriver("file_etc_mtls", func() (rootsPrimitive, error) {
+ RegisterRootDriver("file_etc_mtls", func() (RootsPrimitive, error) {
return defaultFileBackedRoots, nil
})
- registerRootDriver("file_csi_spiffe", func() (rootsPrimitive, error) {
+ RegisterRootDriver("file_csi_spiffe", func() (RootsPrimitive, error) {
return csiSpiffeRoots, nil
})
- registerRootDriver("file_csi_spiffe_altname", func() (rootsPrimitive, error) {
+ RegisterRootDriver("file_csi_spiffe_altname", func() (RootsPrimitive, error) {
return csiSpiffeRootsAltName, nil
})
}
type DialContextFunc func(context.Context, string, string) (net.Conn, error)
type CertificateProvider interface {
- certificatePrimitive
+ CertificatePrimitive
TlsConfig(context.Context) (*tls.Config, error)
NewDialContextFunc() DialContextFunc
}
-type rootsPrimitive interface {
+type RootsPrimitive interface {
RootCertificates() ([]*x509.Certificate, error)
IntermediateCertificates() ([]*x509.Certificate, error)
}
-type certificatePrimitive interface {
+type CertificatePrimitive interface {
RootCertificate() (*x509.Certificate, error)
IntermediateCertificates() ([]*x509.Certificate, error)
LeafCertificate() (*x509.Certificate, error)
PrivateKey() (crypto.PrivateKey, error)
- newTlsCertificate() (*tls.Certificate, error)
+ NewTlsCertificate() (*tls.Certificate, error)
}
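Review bot: CertificatePrimitive and RootsPrimitive become exported here without doc comments, and because NewTlsCertificate is now part of an exported interface, external implementers and callers need its contract spelled out: in this same change `anonymousIdentity.NewTlsCertificate` returns `nil, nil` while `inaccessibleCertificate.NewTlsCertificate` returns `ErrCertificateInaccessible`, so a nil certificate with a nil error is evidently a valid "no certificate" result that callers must handle rather than dereference. A comment on the method such as `// NewTlsCertificate builds the tls.Certificate for this identity; it may return (nil, nil) when the identity carries no certificate.` would capture that, with `// CertificatePrimitive is the minimal identity an external package must implement to register an identity driver.` and `// RootsPrimitive is the set of trust anchors an external package must supply to register a roots driver.` on the types. The newly exported MakeTlsCertificate and MakeDialContextFunc in the later hunks need the same treatment; their bodies continue outside their hunks.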
type inaccessibleCertificate struct{}
return nil, ErrCertificateInaccessible
}
-func (c *inaccessibleCertificate) newTlsCertificate() (*tls.Certificate, error) {
+func (c *inaccessibleCertificate) NewTlsCertificate() (*tls.Certificate, error) {
return nil, ErrCertificateInaccessible
}
}
func (c *inaccessibleCertificate) NewDialContextFunc() DialContextFunc {
- return newDialContextFunc(c)
+ return MakeDialContextFunc(c)
}
)
type macosKeychainCertificate struct {
- certificatePrimitive
+ CertificatePrimitive
ints []*x509.Certificate
root *x509.Certificate
return c.pkey, nil
}
-func (c *macosKeychainCertificate) newTlsCertificate() (*tls.Certificate, error) {
- return newTlsCertificate(c)
+func (c *macosKeychainCertificate) NewTlsCertificate() (*tls.Certificate, error) {
+ return MakeTlsCertificate(c)
}
func (c *macosKeychainCertificate) NewDialContextFunc() DialContextFunc {
- return newDialContextFunc(c)
+ return MakeDialContextFunc(c)
}
func (c *macosKeychainCertificate) TlsConfig(ctx context.Context) (*tls.Config, error) {
}
func (c *macosKeychainCertificate) GetCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
- return c.newTlsCertificate()
+ return c.NewTlsCertificate()
}
func (c *macosKeychainCertificate) GetClientCertificate(reqInfo *tls.CertificateRequestInfo) (*tls.Certificate, error) {
- return c.newTlsCertificate()
+ return c.NewTlsCertificate()
}
func getMtlsIntermediatesFromMacKeychain() ([]*x509.Certificate, error) {
func init() {
kcLogger = log.WithPrefix("mtls.macOSKeychain")
- registerIdentityDriver("macos_keychain", NewCertificateFromMacKeychain)
+ RegisterIdentityDriver("macos_keychain", NewCertificateFromMacKeychain)
- registerRootDriver("macos_keychain", func() (rootsPrimitive, error) {
+ RegisterRootDriver("macos_keychain", func() (RootsPrimitive, error) {
return &macosKeychainRoots{}, nil
})
}
"net"
)
-func newTlsCertificate(id certificatePrimitive) (*tls.Certificate, error) {
+func MakeTlsCertificate(id CertificatePrimitive) (*tls.Certificate, error) {
leafCertificate, err := id.LeafCertificate()
if err != nil {
return nil, err
}, nil
}
-func newDialContextFunc(id CertificateProvider) DialContextFunc {
+func MakeDialContextFunc(id CertificateProvider) DialContextFunc {
dcf := func(ctx context.Context, network, addr string) (net.Conn, error) {
c, err := id.TlsConfig(ctx)
if err != nil {
var tpmLogger = log.WithPrefix("mtls.provider_tpm2_pkcs11")
type TPMBackedCertificate struct {
- certificatePrimitive
+ CertificatePrimitive
p11 *p11
}
}
func (c *TPMBackedCertificate) getCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
- return newTlsCertificate(c)
+ return MakeTlsCertificate(c)
}
func (c *TPMBackedCertificate) getClientCertificate(reqInfo *tls.CertificateRequestInfo) (*tls.Certificate, error) {
- return newTlsCertificate(c)
+ return MakeTlsCertificate(c)
}
func (c *TPMBackedCertificate) TlsConfig(ctx context.Context) (*tls.Config, error) {
}
func (c *TPMBackedCertificate) NewDialContextFunc() DialContextFunc {
- return newDialContextFunc(c)
+ return MakeDialContextFunc(c)
}
func init() {
- registerIdentityDriver("tpm2-pkcs11", func(_ string) (CertificateProvider, error) {
+ RegisterIdentityDriver("tpm2-pkcs11", func(_ string) (CertificateProvider, error) {
return NewTPMBackedCertificate()
})
}
type rootDriver struct {
name string
- load func() (rootsPrimitive, error)
+ load func() (RootsPrimitive, error)
}
-func registerRootDriver(name string, load func() (rootsPrimitive, error)) {
+func RegisterRootDriver(name string, load func() (RootsPrimitive, error)) {
if rootsDrivers == nil {
rootsDrivers = make([]*rootDriver, 0)
}