mirror of
https://github.com/optim-enterprises-bv/kubernetes.git
synced 2025-12-07 16:45:35 +00:00
working-config-otel
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
This commit is contained in:
Davanum Srinivas
1
vendor/github.com/google/s2a-go/internal/v2/README.md
generated
vendored
Normal file
1
vendor/github.com/google/s2a-go/internal/v2/README.md
generated
vendored
Normal file
@@ -0,0 +1 @@
|
||||
**This directory has the implementation of the S2Av2's gRPC-Go client libraries**
|
||||
122
vendor/github.com/google/s2a-go/internal/v2/certverifier/certverifier.go
generated
vendored
Normal file
122
vendor/github.com/google/s2a-go/internal/v2/certverifier/certverifier.go
generated
vendored
Normal file
@@ -0,0 +1,122 @@
|
||||
/*
|
||||
*
|
||||
* Copyright 2022 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
*/
|
||||
|
||||
// Package certverifier offloads verifications to S2Av2.
|
||||
package certverifier
|
||||
|
||||
import (
|
||||
"crypto/x509"
|
||||
"fmt"
|
||||
|
||||
"github.com/google/s2a-go/stream"
|
||||
"google.golang.org/grpc/codes"
|
||||
"google.golang.org/grpc/grpclog"
|
||||
|
||||
s2av2pb "github.com/google/s2a-go/internal/proto/v2/s2a_go_proto"
|
||||
)
|
||||
|
||||
// VerifyClientCertificateChain builds a SessionReq, sends it to S2Av2 and
|
||||
// receives a SessionResp.
|
||||
func VerifyClientCertificateChain(verificationMode s2av2pb.ValidatePeerCertificateChainReq_VerificationMode, s2AStream stream.S2AStream) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
|
||||
return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
|
||||
// Offload verification to S2Av2.
|
||||
if grpclog.V(1) {
|
||||
grpclog.Infof("Sending request to S2Av2 for client peer cert chain validation.")
|
||||
}
|
||||
if err := s2AStream.Send(&s2av2pb.SessionReq{
|
||||
ReqOneof: &s2av2pb.SessionReq_ValidatePeerCertificateChainReq{
|
||||
ValidatePeerCertificateChainReq: &s2av2pb.ValidatePeerCertificateChainReq{
|
||||
Mode: verificationMode,
|
||||
PeerOneof: &s2av2pb.ValidatePeerCertificateChainReq_ClientPeer_{
|
||||
ClientPeer: &s2av2pb.ValidatePeerCertificateChainReq_ClientPeer{
|
||||
CertificateChain: rawCerts,
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}); err != nil {
|
||||
grpclog.Infof("Failed to send request to S2Av2 for client peer cert chain validation.")
|
||||
return err
|
||||
}
|
||||
|
||||
// Get the response from S2Av2.
|
||||
resp, err := s2AStream.Recv()
|
||||
if err != nil {
|
||||
grpclog.Infof("Failed to receive client peer cert chain validation response from S2Av2.")
|
||||
return err
|
||||
}
|
||||
|
||||
// Parse the response.
|
||||
if (resp.GetStatus() != nil) && (resp.GetStatus().Code != uint32(codes.OK)) {
|
||||
return fmt.Errorf("failed to offload client cert verification to S2A: %d, %v", resp.GetStatus().Code, resp.GetStatus().Details)
|
||||
|
||||
}
|
||||
|
||||
if resp.GetValidatePeerCertificateChainResp().ValidationResult != s2av2pb.ValidatePeerCertificateChainResp_SUCCESS {
|
||||
return fmt.Errorf("client cert verification failed: %v", resp.GetValidatePeerCertificateChainResp().ValidationDetails)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
// VerifyServerCertificateChain builds a SessionReq, sends it to S2Av2 and
|
||||
// receives a SessionResp.
|
||||
func VerifyServerCertificateChain(hostname string, verificationMode s2av2pb.ValidatePeerCertificateChainReq_VerificationMode, s2AStream stream.S2AStream, serverAuthorizationPolicy []byte) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
|
||||
return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
|
||||
// Offload verification to S2Av2.
|
||||
if grpclog.V(1) {
|
||||
grpclog.Infof("Sending request to S2Av2 for server peer cert chain validation.")
|
||||
}
|
||||
if err := s2AStream.Send(&s2av2pb.SessionReq{
|
||||
ReqOneof: &s2av2pb.SessionReq_ValidatePeerCertificateChainReq{
|
||||
ValidatePeerCertificateChainReq: &s2av2pb.ValidatePeerCertificateChainReq{
|
||||
Mode: verificationMode,
|
||||
PeerOneof: &s2av2pb.ValidatePeerCertificateChainReq_ServerPeer_{
|
||||
ServerPeer: &s2av2pb.ValidatePeerCertificateChainReq_ServerPeer{
|
||||
CertificateChain: rawCerts,
|
||||
ServerHostname: hostname,
|
||||
SerializedUnrestrictedClientPolicy: serverAuthorizationPolicy,
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}); err != nil {
|
||||
grpclog.Infof("Failed to send request to S2Av2 for server peer cert chain validation.")
|
||||
return err
|
||||
}
|
||||
|
||||
// Get the response from S2Av2.
|
||||
resp, err := s2AStream.Recv()
|
||||
if err != nil {
|
||||
grpclog.Infof("Failed to receive server peer cert chain validation response from S2Av2.")
|
||||
return err
|
||||
}
|
||||
|
||||
// Parse the response.
|
||||
if (resp.GetStatus() != nil) && (resp.GetStatus().Code != uint32(codes.OK)) {
|
||||
return fmt.Errorf("failed to offload server cert verification to S2A: %d, %v", resp.GetStatus().Code, resp.GetStatus().Details)
|
||||
}
|
||||
|
||||
if resp.GetValidatePeerCertificateChainResp().ValidationResult != s2av2pb.ValidatePeerCertificateChainResp_SUCCESS {
|
||||
return fmt.Errorf("server cert verification failed: %v", resp.GetValidatePeerCertificateChainResp().ValidationDetails)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
}
|
||||
BIN
vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/client_intermediate_cert.der
generated
vendored
Normal file
BIN
vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/client_intermediate_cert.der
generated
vendored
Normal file
Binary file not shown.
BIN
vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/client_leaf_cert.der
generated
vendored
Normal file
BIN
vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/client_leaf_cert.der
generated
vendored
Normal file
Binary file not shown.
BIN
vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/client_root_cert.der
generated
vendored
Normal file
BIN
vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/client_root_cert.der
generated
vendored
Normal file
Binary file not shown.
BIN
vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/server_intermediate_cert.der
generated
vendored
Normal file
BIN
vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/server_intermediate_cert.der
generated
vendored
Normal file
Binary file not shown.
BIN
vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/server_leaf_cert.der
generated
vendored
Normal file
BIN
vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/server_leaf_cert.der
generated
vendored
Normal file
Binary file not shown.
BIN
vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/server_root_cert.der
generated
vendored
Normal file
BIN
vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/server_root_cert.der
generated
vendored
Normal file
Binary file not shown.
186
vendor/github.com/google/s2a-go/internal/v2/remotesigner/remotesigner.go
generated
vendored
Normal file
186
vendor/github.com/google/s2a-go/internal/v2/remotesigner/remotesigner.go
generated
vendored
Normal file
@@ -0,0 +1,186 @@
|
||||
/*
|
||||
*
|
||||
* Copyright 2022 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
*/
|
||||
|
||||
// Package remotesigner offloads private key operations to S2Av2.
|
||||
package remotesigner
|
||||
|
||||
import (
|
||||
"crypto"
|
||||
"crypto/rsa"
|
||||
"crypto/x509"
|
||||
"fmt"
|
||||
"io"
|
||||
|
||||
"github.com/google/s2a-go/stream"
|
||||
"google.golang.org/grpc/codes"
|
||||
"google.golang.org/grpc/grpclog"
|
||||
|
||||
s2av2pb "github.com/google/s2a-go/internal/proto/v2/s2a_go_proto"
|
||||
)
|
||||
|
||||
// remoteSigner implementes the crypto.Signer interface.
|
||||
type remoteSigner struct {
|
||||
leafCert *x509.Certificate
|
||||
s2AStream stream.S2AStream
|
||||
}
|
||||
|
||||
// New returns an instance of RemoteSigner, an implementation of the
|
||||
// crypto.Signer interface.
|
||||
func New(leafCert *x509.Certificate, s2AStream stream.S2AStream) crypto.Signer {
|
||||
return &remoteSigner{leafCert, s2AStream}
|
||||
}
|
||||
|
||||
func (s *remoteSigner) Public() crypto.PublicKey {
|
||||
return s.leafCert.PublicKey
|
||||
}
|
||||
|
||||
func (s *remoteSigner) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error) {
|
||||
signatureAlgorithm, err := getSignatureAlgorithm(opts, s.leafCert)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
req, err := getSignReq(signatureAlgorithm, digest)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if grpclog.V(1) {
|
||||
grpclog.Infof("Sending request to S2Av2 for signing operation.")
|
||||
}
|
||||
if err := s.s2AStream.Send(&s2av2pb.SessionReq{
|
||||
ReqOneof: &s2av2pb.SessionReq_OffloadPrivateKeyOperationReq{
|
||||
OffloadPrivateKeyOperationReq: req,
|
||||
},
|
||||
}); err != nil {
|
||||
grpclog.Infof("Failed to send request to S2Av2 for signing operation.")
|
||||
return nil, err
|
||||
}
|
||||
|
||||
resp, err := s.s2AStream.Recv()
|
||||
if err != nil {
|
||||
grpclog.Infof("Failed to receive signing operation response from S2Av2.")
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if (resp.GetStatus() != nil) && (resp.GetStatus().Code != uint32(codes.OK)) {
|
||||
return nil, fmt.Errorf("failed to offload signing with private key to S2A: %d, %v", resp.GetStatus().Code, resp.GetStatus().Details)
|
||||
}
|
||||
|
||||
return resp.GetOffloadPrivateKeyOperationResp().GetOutBytes(), nil
|
||||
}
|
||||
|
||||
// getCert returns the leafCert field in s.
|
||||
func (s *remoteSigner) getCert() *x509.Certificate {
|
||||
return s.leafCert
|
||||
}
|
||||
|
||||
// getStream returns the s2AStream field in s.
|
||||
func (s *remoteSigner) getStream() stream.S2AStream {
|
||||
return s.s2AStream
|
||||
}
|
||||
|
||||
func getSignReq(signatureAlgorithm s2av2pb.SignatureAlgorithm, digest []byte) (*s2av2pb.OffloadPrivateKeyOperationReq, error) {
|
||||
if (signatureAlgorithm == s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_RSA_PKCS1_SHA256) || (signatureAlgorithm == s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_ECDSA_SECP256R1_SHA256) || (signatureAlgorithm == s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_RSA_PSS_RSAE_SHA256) {
|
||||
return &s2av2pb.OffloadPrivateKeyOperationReq{
|
||||
Operation: s2av2pb.OffloadPrivateKeyOperationReq_SIGN,
|
||||
SignatureAlgorithm: signatureAlgorithm,
|
||||
InBytes: &s2av2pb.OffloadPrivateKeyOperationReq_Sha256Digest{
|
||||
Sha256Digest: digest,
|
||||
},
|
||||
}, nil
|
||||
} else if (signatureAlgorithm == s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_RSA_PKCS1_SHA384) || (signatureAlgorithm == s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_ECDSA_SECP384R1_SHA384) || (signatureAlgorithm == s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_RSA_PSS_RSAE_SHA384) {
|
||||
return &s2av2pb.OffloadPrivateKeyOperationReq{
|
||||
Operation: s2av2pb.OffloadPrivateKeyOperationReq_SIGN,
|
||||
SignatureAlgorithm: signatureAlgorithm,
|
||||
InBytes: &s2av2pb.OffloadPrivateKeyOperationReq_Sha384Digest{
|
||||
Sha384Digest: digest,
|
||||
},
|
||||
}, nil
|
||||
} else if (signatureAlgorithm == s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_RSA_PKCS1_SHA512) || (signatureAlgorithm == s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_ECDSA_SECP521R1_SHA512) || (signatureAlgorithm == s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_RSA_PSS_RSAE_SHA512) || (signatureAlgorithm == s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_ED25519) {
|
||||
return &s2av2pb.OffloadPrivateKeyOperationReq{
|
||||
Operation: s2av2pb.OffloadPrivateKeyOperationReq_SIGN,
|
||||
SignatureAlgorithm: signatureAlgorithm,
|
||||
InBytes: &s2av2pb.OffloadPrivateKeyOperationReq_Sha512Digest{
|
||||
Sha512Digest: digest,
|
||||
},
|
||||
}, nil
|
||||
} else {
|
||||
return nil, fmt.Errorf("unknown signature algorithm: %v", signatureAlgorithm)
|
||||
}
|
||||
}
|
||||
|
||||
// getSignatureAlgorithm returns the signature algorithm that S2A must use when
|
||||
// performing a signing operation that has been offloaded by an application
|
||||
// using the crypto/tls libraries.
|
||||
func getSignatureAlgorithm(opts crypto.SignerOpts, leafCert *x509.Certificate) (s2av2pb.SignatureAlgorithm, error) {
|
||||
if opts == nil || leafCert == nil {
|
||||
return s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_UNSPECIFIED, fmt.Errorf("unknown signature algorithm")
|
||||
}
|
||||
switch leafCert.PublicKeyAlgorithm {
|
||||
case x509.RSA:
|
||||
if rsaPSSOpts, ok := opts.(*rsa.PSSOptions); ok {
|
||||
return rsaPSSAlgorithm(rsaPSSOpts)
|
||||
}
|
||||
return rsaPPKCS1Algorithm(opts)
|
||||
case x509.ECDSA:
|
||||
return ecdsaAlgorithm(opts)
|
||||
case x509.Ed25519:
|
||||
return s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_ED25519, nil
|
||||
default:
|
||||
return s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_UNSPECIFIED, fmt.Errorf("unknown signature algorithm: %q", leafCert.PublicKeyAlgorithm)
|
||||
}
|
||||
}
|
||||
|
||||
func rsaPSSAlgorithm(opts *rsa.PSSOptions) (s2av2pb.SignatureAlgorithm, error) {
|
||||
switch opts.HashFunc() {
|
||||
case crypto.SHA256:
|
||||
return s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_RSA_PSS_RSAE_SHA256, nil
|
||||
case crypto.SHA384:
|
||||
return s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_RSA_PSS_RSAE_SHA384, nil
|
||||
case crypto.SHA512:
|
||||
return s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_RSA_PSS_RSAE_SHA512, nil
|
||||
default:
|
||||
return s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_UNSPECIFIED, fmt.Errorf("unknown signature algorithm")
|
||||
}
|
||||
}
|
||||
|
||||
func rsaPPKCS1Algorithm(opts crypto.SignerOpts) (s2av2pb.SignatureAlgorithm, error) {
|
||||
switch opts.HashFunc() {
|
||||
case crypto.SHA256:
|
||||
return s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_RSA_PKCS1_SHA256, nil
|
||||
case crypto.SHA384:
|
||||
return s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_RSA_PKCS1_SHA384, nil
|
||||
case crypto.SHA512:
|
||||
return s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_RSA_PKCS1_SHA512, nil
|
||||
default:
|
||||
return s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_UNSPECIFIED, fmt.Errorf("unknown signature algorithm")
|
||||
}
|
||||
}
|
||||
|
||||
func ecdsaAlgorithm(opts crypto.SignerOpts) (s2av2pb.SignatureAlgorithm, error) {
|
||||
switch opts.HashFunc() {
|
||||
case crypto.SHA256:
|
||||
return s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_ECDSA_SECP256R1_SHA256, nil
|
||||
case crypto.SHA384:
|
||||
return s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_ECDSA_SECP384R1_SHA384, nil
|
||||
case crypto.SHA512:
|
||||
return s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_ECDSA_SECP521R1_SHA512, nil
|
||||
default:
|
||||
return s2av2pb.SignatureAlgorithm_S2A_SSL_SIGN_UNSPECIFIED, fmt.Errorf("unknown signature algorithm")
|
||||
}
|
||||
}
|
||||
BIN
vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/client_cert.der
generated
vendored
Normal file
BIN
vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/client_cert.der
generated
vendored
Normal file
Binary file not shown.
24
vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/client_cert.pem
generated
vendored
Normal file
24
vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/client_cert.pem
generated
vendored
Normal file
@@ -0,0 +1,24 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIID8TCCAtmgAwIBAgIUKXNlBRVe6UepjQUijIFPZBd/4qYwDQYJKoZIhvcNAQEL
|
||||
BQAwgYcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJU3Vubnl2
|
||||
YWxlMRAwDgYDVQQKDAdDb21wYW55MREwDwYDVQQLDAhEaXZpc2lvbjEWMBQGA1UE
|
||||
AwwNczJhX3Rlc3RfY2VydDEaMBgGCSqGSIb3DQEJARYLeHl6QHh5ei5jb20wHhcN
|
||||
MjIwNTMxMjAwMzE1WhcNNDIwNTI2MjAwMzE1WjCBhzELMAkGA1UEBhMCVVMxCzAJ
|
||||
BgNVBAgMAkNBMRIwEAYDVQQHDAlTdW5ueXZhbGUxEDAOBgNVBAoMB0NvbXBhbnkx
|
||||
ETAPBgNVBAsMCERpdmlzaW9uMRYwFAYDVQQDDA1zMmFfdGVzdF9jZXJ0MRowGAYJ
|
||||
KoZIhvcNAQkBFgt4eXpAeHl6LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
|
||||
AQoCggEBAOOFuIucH7XXfohGxKd3uR/ihUA/LdduR9I8kfpUEbq5BOt8xZe5/Yn9
|
||||
a1ozEHVW6cOAbHbnwAR8tkSgZ/t42QIA2k77HWU1Jh2xiEIsJivo3imm4/kZWuR0
|
||||
OqPh7MhzxpR/hvNwpI5mJsAVBWFMa5KtecFZLnyZtwHylrRN1QXzuLrOxuKFufK3
|
||||
RKbTABScn5RbZL976H/jgfSeXrbt242NrIoBnVe6fRbekbq2DQ6zFArbQMUgHjHK
|
||||
P0UqBgdr1QmHfi9KytFyx9BTP3gXWnWIu+bY7/v7qKJMHFwGETo+dCLWYevJL316
|
||||
HnLfhApDMfP8U+Yv/y1N/YvgaSOSlEcCAwEAAaNTMFEwHQYDVR0OBBYEFKhAU4nu
|
||||
0h/lrnggbIGvx4ej0WklMB8GA1UdIwQYMBaAFKhAU4nu0h/lrnggbIGvx4ej0Wkl
|
||||
MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAE/6NghzQ5fu6yR6
|
||||
EHKbj/YMrFdT7aGn5n2sAf7wJ33LIhiFHkpWBsVlm7rDtZtwhe891ZK/P60anlg9
|
||||
/P0Ua53tSRVRmCvTnEbXWOVMN4is6MsR7BlmzUxl4AtIn7jbeifEwRL7B4xDYmdA
|
||||
QrQnsqoz45dLgS5xK4WDqXATP09Q91xQDuhud/b+A4jrvgwFASmL7rMIZbp4f1JQ
|
||||
nlnl/9VoTBQBvJiWkDUtQDMpRLtauddEkv4AGz75p5IspXWD6cOemuh2iQec11xD
|
||||
X20rs2WZbAcAiUa3nmy8OKYw435vmpj8gp39WYbX/Yx9TymrFFbVY92wYn+quTco
|
||||
pKklVz0=
|
||||
-----END CERTIFICATE-----
|
||||
27
vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/client_key.pem
generated
vendored
Normal file
27
vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/client_key.pem
generated
vendored
Normal file
@@ -0,0 +1,27 @@
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEogIBAAKCAQEA44W4i5wftdd+iEbEp3e5H+KFQD8t125H0jyR+lQRurkE63zF
|
||||
l7n9if1rWjMQdVbpw4BsdufABHy2RKBn+3jZAgDaTvsdZTUmHbGIQiwmK+jeKabj
|
||||
+Rla5HQ6o+HsyHPGlH+G83CkjmYmwBUFYUxrkq15wVkufJm3AfKWtE3VBfO4us7G
|
||||
4oW58rdEptMAFJyflFtkv3vof+OB9J5etu3bjY2sigGdV7p9Ft6RurYNDrMUCttA
|
||||
xSAeMco/RSoGB2vVCYd+L0rK0XLH0FM/eBdadYi75tjv+/uookwcXAYROj50ItZh
|
||||
68kvfXoect+ECkMx8/xT5i//LU39i+BpI5KURwIDAQABAoIBABgyjo/6iLzUMFbZ
|
||||
/+w3pW6orrdIgN2akvTfED9pVYFgUA+jc3hRhY95bkNnjuaL2cy7Cc4Tk65mfRQL
|
||||
Y0OxdJLr+EvSFSxAXM9npDA1ddHRsF8JqtFBSxNk8R+g1Yf0GDiO35Fgd3/ViWWA
|
||||
VtQkRoSRApP3oiQKTRZd8H04keFR+PvmDk/Lq11l3Kc24A1PevKIPX1oI990ggw9
|
||||
9i4uSV+cnuMxmcI9xxJtgwdDFdjr39l2arLOHr4s6LGoV2IOdXHNlv5xRqWUZ0FH
|
||||
MDHowkLgwDrdSTnNeaVNkce14Gqx+bd4hNaLCdKXMpedBTEmrut3f3hdV1kKjaKt
|
||||
aqRYr8ECgYEA/YDGZY2jvFoHHBywlqmEMFrrCvQGH51m5R1Ntpkzr+Rh3YCmrpvq
|
||||
xgwJXING0PUw3dz+xrH5lJICrfNE5Kt3fPu1rAEy+13mYsNowghtUq2Rtu0Hsjjx
|
||||
2E3Bf8vEB6RNBMmGkUpTTIAroGF5tpJoRvfnWax+k4pFdrKYFtyZdNcCgYEA5cNv
|
||||
EPltvOobjTXlUmtVP3n27KZN2aXexTcagLzRxE9CV4cYySENl3KuOMmccaZpIl6z
|
||||
aHk6BT4X+M0LqElNUczrInfVqI+SGAFLGy7W6CJaqSr6cpyFUP/fosKpm6wKGgLq
|
||||
udHfpvz5rckhKd8kJxFLvhGOK9yN5qpzih0gfhECgYAJfwRvk3G5wYmYpP58dlcs
|
||||
VIuPenqsPoI3PPTHTU/hW+XKnWIhElgmGRdUrto9Q6IT/Y5RtSMLTLjq+Tzwb/fm
|
||||
56rziYv2XJsfwgAvnI8z1Kqrto9ePsHYf3krJ1/thVsZPc9bq/QY3ohD1sLvcuaT
|
||||
GgBBnLOVJU3a12/ZE2RwOwKBgF0csWMAoj8/5IB6if+3ral2xOGsl7oPZVMo/J2V
|
||||
Z7EVqb4M6rd/pKFugTpUQgkwtkSOekhpcGD1hAN5HTNK2YG/+L5UMAsKe9sskwJm
|
||||
HgOfAHy0BSDzW3ey6i9skg2bT9Cww+0gJ3Hl7U1HSCBO5LjMYpSZSrNtwzfqdb5Q
|
||||
BX3xAoGARZdR28Ej3+/+0+fz47Yu2h4z0EI/EbrudLOWY936jIeAVwHckI3+BuqH
|
||||
qR4poj1gfbnMxNuI9UzIXzjEmGewx9kDZ7IYnvloZKqoVQODO5GlKF2ja6IcMNlh
|
||||
GCNdD6PSAS6HcmalmWo9sj+1YMkrl+GJikKZqVBHrHNwMGAG67w=
|
||||
-----END RSA PRIVATE KEY-----
|
||||
BIN
vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/server_cert.der
generated
vendored
Normal file
BIN
vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/server_cert.der
generated
vendored
Normal file
Binary file not shown.
24
vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/server_cert.pem
generated
vendored
Normal file
24
vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/server_cert.pem
generated
vendored
Normal file
@@ -0,0 +1,24 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIID8TCCAtmgAwIBAgIUKCoDuLtiZXvhsBY2RoDm0ugizJ8wDQYJKoZIhvcNAQEL
|
||||
BQAwgYcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJU3Vubnl2
|
||||
YWxlMRAwDgYDVQQKDAdDb21wYW55MREwDwYDVQQLDAhEaXZpc2lvbjEWMBQGA1UE
|
||||
AwwNczJhX3Rlc3RfY2VydDEaMBgGCSqGSIb3DQEJARYLeHl6QHh5ei5jb20wHhcN
|
||||
MjIwNTMxMjAwODI1WhcNNDIwNTI2MjAwODI1WjCBhzELMAkGA1UEBhMCVVMxCzAJ
|
||||
BgNVBAgMAkNBMRIwEAYDVQQHDAlTdW5ueXZhbGUxEDAOBgNVBAoMB0NvbXBhbnkx
|
||||
ETAPBgNVBAsMCERpdmlzaW9uMRYwFAYDVQQDDA1zMmFfdGVzdF9jZXJ0MRowGAYJ
|
||||
KoZIhvcNAQkBFgt4eXpAeHl6LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
|
||||
AQoCggEBAKK1++PXQ+M3hjYH/v0K4UEYl5ljzpNM1i52eQM+gFooojT87PDSaphT
|
||||
fs0PXy/PTAjHBEvPhWpOpmQXfJNYzjwcCvg66hbqkv++/VTZiFLAsHagzkEz+FRJ
|
||||
qT5Eq7G5FLyw1izX1uxyPN7tAEWEEg7eqsiaXD3Cq8+TYN9cjirPeF7RZF8yFCYE
|
||||
xqvbo+Yc6RL6xw19iXVTfctRgQe581KQuIY5/LXo3dWDEilFdsADAe8XAEcO64es
|
||||
Ow0g1UvXLnpXSE151kXBFb3sKH/ZjCecDYMCIMEb4sWLSblkSxJ5sNSmXIG4wtr2
|
||||
Qnii7CXZgnVYraQE/Jyh+NMQANuoSdMCAwEAAaNTMFEwHQYDVR0OBBYEFAyQQQuM
|
||||
ab+YUQqjK8dVVOoHVFmXMB8GA1UdIwQYMBaAFAyQQQuMab+YUQqjK8dVVOoHVFmX
|
||||
MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBADj0vQ6ykWhicoqR
|
||||
e6VZMwlEJV7/DSvWWKBd9MUjfKye0A4565ya5lmnzP3DiD3nqGe3miqmLsXKDs+X
|
||||
POqlPXTWIamP7D4MJ32XtSLwZB4ru+I+Ao/P/VngPepoRPQoBnzHe7jww0rokqxl
|
||||
AZERjlbTUwUAy/BPWPSzSJZ2j0tcs6ZLDNyYzpK4ao8R9/1VmQ92Tcp3feJs1QTg
|
||||
odRQc3om/AkWOwsll+oyX0UbJeHkFHiLanUPXbdh+/BkSvZJ8ynL+feSDdaurPe+
|
||||
PSfnqLtQft9/neecGRdEaQzzzSFVQUVQzTdK1Q7hA7b55b2HvIa3ktDiks+sJsYN
|
||||
Dhm6uZM=
|
||||
-----END CERTIFICATE-----
|
||||
27
vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/server_key.pem
generated
vendored
Normal file
27
vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/server_key.pem
generated
vendored
Normal file
@@ -0,0 +1,27 @@
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEpAIBAAKCAQEAorX749dD4zeGNgf+/QrhQRiXmWPOk0zWLnZ5Az6AWiiiNPzs
|
||||
8NJqmFN+zQ9fL89MCMcES8+Fak6mZBd8k1jOPBwK+DrqFuqS/779VNmIUsCwdqDO
|
||||
QTP4VEmpPkSrsbkUvLDWLNfW7HI83u0ARYQSDt6qyJpcPcKrz5Ng31yOKs94XtFk
|
||||
XzIUJgTGq9uj5hzpEvrHDX2JdVN9y1GBB7nzUpC4hjn8tejd1YMSKUV2wAMB7xcA
|
||||
Rw7rh6w7DSDVS9cueldITXnWRcEVvewof9mMJ5wNgwIgwRvixYtJuWRLEnmw1KZc
|
||||
gbjC2vZCeKLsJdmCdVitpAT8nKH40xAA26hJ0wIDAQABAoIBACaNR+lsD8G+XiZf
|
||||
LqN1+HkcAo9tfnyYMAdCOtnx7SdviT9Uzi8hK/B7mAeuJLeHPlS2EuaDfPD7QaFl
|
||||
jza6S+MiIdc+3kgfvESsVAnOoOY6kZUJ9NSuI6CU82y1iJjLaYZrv9NQMLRFPPb0
|
||||
4KOX709mosB1EnXvshW0rbc+jtDFhrm1SxMt+k9TuzmMxjbOeW4LOLXPgU8X1T3Q
|
||||
Xy0hMZZtcgBs9wFIo8yCtmOixax9pnFE8rRltgDxTodn9LLdz1FieyntNgDksZ0P
|
||||
nt4kV7Mqly7ELaea+Foaj244mKsesic2e3GhAlMRLun/VSunSf7mOCxfpITB8dp1
|
||||
drDhOYECgYEA19151dVxRcviuovN6Dar+QszMTnU8pDJ8BjLFjXjP/hNBBwMTHDE
|
||||
duMuWk2qnwZqMooI/shxrF/ufmTgS0CFrh2+ANBZu27vWConJNXcyNtdigI4wt50
|
||||
L0Y2qcZn2mg67qFXHwoR3QNwrwnPwEjRXA09at9CSRZzcwDQ0ETXhYsCgYEAwPaG
|
||||
06QdK8Zyly7TTzZJwxzv9uGiqzodmGtX6NEKjgij2JaCxHpukqZBJoqa0jKeK1cm
|
||||
eNVkOvT5ff9TMzarSHQLr3pZen2/oVLb5gaFkbcJt/klv9Fd+ZRilHY3i6QwS6pD
|
||||
uMiPOWS4DrLHDRVoVlAZTDjT1RVwwTs+P2NhJdkCgYEAsriXysbxBYyMp05gqEW7
|
||||
lHIFbFgpSrs9th+Q5U6wW6JEgYaHWDJ1NslY80MiZI93FWjbkbZ7BvBWESeL3EIL
|
||||
a+EMErht0pVCbIhZ6FF4foPAqia0wAJVx14mm+G80kNBp5jE/NnleEsE3KcO7nBb
|
||||
hg8gLn+x7bk81JZ0TDrzBYkCgYEAuQKluv47SeF3tSScTfKLPpvcKCWmxe1uutkQ
|
||||
7JShPhVioyOMNb39jnYBOWbjkm4d4QgqRuiytSR0oi3QI+Ziy5EYMyNn713qAk9j
|
||||
r2TJZDDPDKnBW+zt4YI4EohWMXk3JRUW4XDKggjjwJQA7bZ812TtHHvP/xoThfG7
|
||||
eSNb3eECgYBw6ssgCtMrdvQiEmjKVX/9yI38mvC2kSGyzbrQnGUfgqRGomRpeZuD
|
||||
B5E3kysA4td5pT5lvcLgSW0TbOz+YbiriXjwOihPIelCvc9gE2eOUI71/byUWPFz
|
||||
7u5F/xQ4NaGr5suLF+lBC6h7pSbM4El9lIHQAQadpuEdzHqrw+hs3g==
|
||||
-----END RSA PRIVATE KEY-----
|
||||
391
vendor/github.com/google/s2a-go/internal/v2/s2av2.go
generated
vendored
Normal file
391
vendor/github.com/google/s2a-go/internal/v2/s2av2.go
generated
vendored
Normal file
@@ -0,0 +1,391 @@
|
||||
/*
|
||||
*
|
||||
* Copyright 2022 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
*/
|
||||
|
||||
// Package v2 provides the S2Av2 transport credentials used by a gRPC
|
||||
// application.
|
||||
package v2
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/tls"
|
||||
"errors"
|
||||
"net"
|
||||
"os"
|
||||
"time"
|
||||
|
||||
"github.com/golang/protobuf/proto"
|
||||
"github.com/google/s2a-go/fallback"
|
||||
"github.com/google/s2a-go/internal/handshaker/service"
|
||||
"github.com/google/s2a-go/internal/tokenmanager"
|
||||
"github.com/google/s2a-go/internal/v2/tlsconfigstore"
|
||||
"github.com/google/s2a-go/retry"
|
||||
"github.com/google/s2a-go/stream"
|
||||
"google.golang.org/grpc"
|
||||
"google.golang.org/grpc/credentials"
|
||||
"google.golang.org/grpc/grpclog"
|
||||
|
||||
commonpbv1 "github.com/google/s2a-go/internal/proto/common_go_proto"
|
||||
s2av2pb "github.com/google/s2a-go/internal/proto/v2/s2a_go_proto"
|
||||
)
|
||||
|
||||
const (
|
||||
s2aSecurityProtocol = "tls"
|
||||
defaultS2ATimeout = 6 * time.Second
|
||||
)
|
||||
|
||||
// An environment variable, which sets the timeout enforced on the connection to the S2A service for handshake.
|
||||
const s2aTimeoutEnv = "S2A_TIMEOUT"
|
||||
|
||||
type s2av2TransportCreds struct {
|
||||
info *credentials.ProtocolInfo
|
||||
isClient bool
|
||||
serverName string
|
||||
s2av2Address string
|
||||
transportCreds credentials.TransportCredentials
|
||||
tokenManager *tokenmanager.AccessTokenManager
|
||||
// localIdentity should only be used by the client.
|
||||
localIdentity *commonpbv1.Identity
|
||||
// localIdentities should only be used by the server.
|
||||
localIdentities []*commonpbv1.Identity
|
||||
verificationMode s2av2pb.ValidatePeerCertificateChainReq_VerificationMode
|
||||
fallbackClientHandshake fallback.ClientHandshake
|
||||
getS2AStream func(ctx context.Context, s2av2Address string) (stream.S2AStream, error)
|
||||
serverAuthorizationPolicy []byte
|
||||
}
|
||||
|
||||
// NewClientCreds returns a client-side transport credentials object that uses
|
||||
// the S2Av2 to establish a secure connection with a server.
|
||||
func NewClientCreds(s2av2Address string, transportCreds credentials.TransportCredentials, localIdentity *commonpbv1.Identity, verificationMode s2av2pb.ValidatePeerCertificateChainReq_VerificationMode, fallbackClientHandshakeFunc fallback.ClientHandshake, getS2AStream func(ctx context.Context, s2av2Address string) (stream.S2AStream, error), serverAuthorizationPolicy []byte) (credentials.TransportCredentials, error) {
|
||||
// Create an AccessTokenManager instance to use to authenticate to S2Av2.
|
||||
accessTokenManager, err := tokenmanager.NewSingleTokenAccessTokenManager()
|
||||
|
||||
creds := &s2av2TransportCreds{
|
||||
info: &credentials.ProtocolInfo{
|
||||
SecurityProtocol: s2aSecurityProtocol,
|
||||
},
|
||||
isClient: true,
|
||||
serverName: "",
|
||||
s2av2Address: s2av2Address,
|
||||
transportCreds: transportCreds,
|
||||
localIdentity: localIdentity,
|
||||
verificationMode: verificationMode,
|
||||
fallbackClientHandshake: fallbackClientHandshakeFunc,
|
||||
getS2AStream: getS2AStream,
|
||||
serverAuthorizationPolicy: serverAuthorizationPolicy,
|
||||
}
|
||||
if err != nil {
|
||||
creds.tokenManager = nil
|
||||
} else {
|
||||
creds.tokenManager = &accessTokenManager
|
||||
}
|
||||
if grpclog.V(1) {
|
||||
grpclog.Info("Created client S2Av2 transport credentials.")
|
||||
}
|
||||
return creds, nil
|
||||
}
|
||||
|
||||
// NewServerCreds returns a server-side transport credentials object that uses
|
||||
// the S2Av2 to establish a secure connection with a client.
|
||||
func NewServerCreds(s2av2Address string, transportCreds credentials.TransportCredentials, localIdentities []*commonpbv1.Identity, verificationMode s2av2pb.ValidatePeerCertificateChainReq_VerificationMode, getS2AStream func(ctx context.Context, s2av2Address string) (stream.S2AStream, error)) (credentials.TransportCredentials, error) {
|
||||
// Create an AccessTokenManager instance to use to authenticate to S2Av2.
|
||||
accessTokenManager, err := tokenmanager.NewSingleTokenAccessTokenManager()
|
||||
creds := &s2av2TransportCreds{
|
||||
info: &credentials.ProtocolInfo{
|
||||
SecurityProtocol: s2aSecurityProtocol,
|
||||
},
|
||||
isClient: false,
|
||||
s2av2Address: s2av2Address,
|
||||
transportCreds: transportCreds,
|
||||
localIdentities: localIdentities,
|
||||
verificationMode: verificationMode,
|
||||
getS2AStream: getS2AStream,
|
||||
}
|
||||
if err != nil {
|
||||
creds.tokenManager = nil
|
||||
} else {
|
||||
creds.tokenManager = &accessTokenManager
|
||||
}
|
||||
if grpclog.V(1) {
|
||||
grpclog.Info("Created server S2Av2 transport credentials.")
|
||||
}
|
||||
return creds, nil
|
||||
}
|
||||
|
||||
// ClientHandshake performs a client-side mTLS handshake using the S2Av2.
|
||||
func (c *s2av2TransportCreds) ClientHandshake(ctx context.Context, serverAuthority string, rawConn net.Conn) (net.Conn, credentials.AuthInfo, error) {
|
||||
if !c.isClient {
|
||||
return nil, nil, errors.New("client handshake called using server transport credentials")
|
||||
}
|
||||
// Remove the port from serverAuthority.
|
||||
serverName := removeServerNamePort(serverAuthority)
|
||||
timeoutCtx, cancel := context.WithTimeout(ctx, GetS2ATimeout())
|
||||
defer cancel()
|
||||
var s2AStream stream.S2AStream
|
||||
var err error
|
||||
retry.Run(timeoutCtx,
|
||||
func() error {
|
||||
s2AStream, err = createStream(timeoutCtx, c.s2av2Address, c.transportCreds, c.getS2AStream)
|
||||
return err
|
||||
})
|
||||
if err != nil {
|
||||
grpclog.Infof("Failed to connect to S2Av2: %v", err)
|
||||
if c.fallbackClientHandshake != nil {
|
||||
return c.fallbackClientHandshake(ctx, serverAuthority, rawConn, err)
|
||||
}
|
||||
return nil, nil, err
|
||||
}
|
||||
defer s2AStream.CloseSend()
|
||||
if grpclog.V(1) {
|
||||
grpclog.Infof("Connected to S2Av2.")
|
||||
}
|
||||
var config *tls.Config
|
||||
|
||||
var tokenManager tokenmanager.AccessTokenManager
|
||||
if c.tokenManager == nil {
|
||||
tokenManager = nil
|
||||
} else {
|
||||
tokenManager = *c.tokenManager
|
||||
}
|
||||
|
||||
sn := serverName
|
||||
if c.serverName != "" {
|
||||
sn = c.serverName
|
||||
}
|
||||
retry.Run(timeoutCtx,
|
||||
func() error {
|
||||
config, err = tlsconfigstore.GetTLSConfigurationForClient(sn, s2AStream, tokenManager, c.localIdentity, c.verificationMode, c.serverAuthorizationPolicy)
|
||||
return err
|
||||
})
|
||||
if err != nil {
|
||||
grpclog.Info("Failed to get client TLS config from S2Av2: %v", err)
|
||||
if c.fallbackClientHandshake != nil {
|
||||
return c.fallbackClientHandshake(ctx, serverAuthority, rawConn, err)
|
||||
}
|
||||
return nil, nil, err
|
||||
}
|
||||
if grpclog.V(1) {
|
||||
grpclog.Infof("Got client TLS config from S2Av2.")
|
||||
}
|
||||
|
||||
creds := credentials.NewTLS(config)
|
||||
var conn net.Conn
|
||||
var authInfo credentials.AuthInfo
|
||||
retry.Run(timeoutCtx,
|
||||
func() error {
|
||||
conn, authInfo, err = creds.ClientHandshake(timeoutCtx, serverName, rawConn)
|
||||
return err
|
||||
})
|
||||
if err != nil {
|
||||
grpclog.Infof("Failed to do client handshake using S2Av2: %v", err)
|
||||
if c.fallbackClientHandshake != nil {
|
||||
return c.fallbackClientHandshake(ctx, serverAuthority, rawConn, err)
|
||||
}
|
||||
return nil, nil, err
|
||||
}
|
||||
grpclog.Infof("Successfully done client handshake using S2Av2 to: %s", serverName)
|
||||
|
||||
return conn, authInfo, err
|
||||
}
|
||||
|
||||
// ServerHandshake performs a server-side mTLS handshake using the S2Av2.
|
||||
func (c *s2av2TransportCreds) ServerHandshake(rawConn net.Conn) (net.Conn, credentials.AuthInfo, error) {
|
||||
if c.isClient {
|
||||
return nil, nil, errors.New("server handshake called using client transport credentials")
|
||||
}
|
||||
ctx, cancel := context.WithTimeout(context.Background(), GetS2ATimeout())
|
||||
defer cancel()
|
||||
var s2AStream stream.S2AStream
|
||||
var err error
|
||||
retry.Run(ctx,
|
||||
func() error {
|
||||
s2AStream, err = createStream(ctx, c.s2av2Address, c.transportCreds, c.getS2AStream)
|
||||
return err
|
||||
})
|
||||
if err != nil {
|
||||
grpclog.Infof("Failed to connect to S2Av2: %v", err)
|
||||
return nil, nil, err
|
||||
}
|
||||
defer s2AStream.CloseSend()
|
||||
if grpclog.V(1) {
|
||||
grpclog.Infof("Connected to S2Av2.")
|
||||
}
|
||||
|
||||
var tokenManager tokenmanager.AccessTokenManager
|
||||
if c.tokenManager == nil {
|
||||
tokenManager = nil
|
||||
} else {
|
||||
tokenManager = *c.tokenManager
|
||||
}
|
||||
|
||||
var config *tls.Config
|
||||
retry.Run(ctx,
|
||||
func() error {
|
||||
config, err = tlsconfigstore.GetTLSConfigurationForServer(s2AStream, tokenManager, c.localIdentities, c.verificationMode)
|
||||
return err
|
||||
})
|
||||
if err != nil {
|
||||
grpclog.Infof("Failed to get server TLS config from S2Av2: %v", err)
|
||||
return nil, nil, err
|
||||
}
|
||||
if grpclog.V(1) {
|
||||
grpclog.Infof("Got server TLS config from S2Av2.")
|
||||
}
|
||||
|
||||
creds := credentials.NewTLS(config)
|
||||
var conn net.Conn
|
||||
var authInfo credentials.AuthInfo
|
||||
retry.Run(ctx,
|
||||
func() error {
|
||||
conn, authInfo, err = creds.ServerHandshake(rawConn)
|
||||
return err
|
||||
})
|
||||
if err != nil {
|
||||
grpclog.Infof("Failed to do server handshake using S2Av2: %v", err)
|
||||
return nil, nil, err
|
||||
}
|
||||
return conn, authInfo, err
|
||||
}
|
||||
|
||||
// Info returns protocol info of s2av2TransportCreds.
|
||||
func (c *s2av2TransportCreds) Info() credentials.ProtocolInfo {
|
||||
return *c.info
|
||||
}
|
||||
|
||||
// Clone makes a deep copy of s2av2TransportCreds.
|
||||
func (c *s2av2TransportCreds) Clone() credentials.TransportCredentials {
|
||||
info := *c.info
|
||||
serverName := c.serverName
|
||||
fallbackClientHandshake := c.fallbackClientHandshake
|
||||
|
||||
s2av2Address := c.s2av2Address
|
||||
var tokenManager tokenmanager.AccessTokenManager
|
||||
if c.tokenManager == nil {
|
||||
tokenManager = nil
|
||||
} else {
|
||||
tokenManager = *c.tokenManager
|
||||
}
|
||||
verificationMode := c.verificationMode
|
||||
var localIdentity *commonpbv1.Identity
|
||||
if c.localIdentity != nil {
|
||||
localIdentity = proto.Clone(c.localIdentity).(*commonpbv1.Identity)
|
||||
}
|
||||
var localIdentities []*commonpbv1.Identity
|
||||
if c.localIdentities != nil {
|
||||
localIdentities = make([]*commonpbv1.Identity, len(c.localIdentities))
|
||||
for i, localIdentity := range c.localIdentities {
|
||||
localIdentities[i] = proto.Clone(localIdentity).(*commonpbv1.Identity)
|
||||
}
|
||||
}
|
||||
creds := &s2av2TransportCreds{
|
||||
info: &info,
|
||||
isClient: c.isClient,
|
||||
serverName: serverName,
|
||||
fallbackClientHandshake: fallbackClientHandshake,
|
||||
s2av2Address: s2av2Address,
|
||||
localIdentity: localIdentity,
|
||||
localIdentities: localIdentities,
|
||||
verificationMode: verificationMode,
|
||||
}
|
||||
if c.tokenManager == nil {
|
||||
creds.tokenManager = nil
|
||||
} else {
|
||||
creds.tokenManager = &tokenManager
|
||||
}
|
||||
return creds
|
||||
}
|
||||
|
||||
// NewClientTLSConfig returns a tls.Config instance that uses S2Av2 to establish a TLS connection as
|
||||
// a client. The tls.Config MUST only be used to establish a single TLS connection.
|
||||
func NewClientTLSConfig(
|
||||
ctx context.Context,
|
||||
s2av2Address string,
|
||||
transportCreds credentials.TransportCredentials,
|
||||
tokenManager tokenmanager.AccessTokenManager,
|
||||
verificationMode s2av2pb.ValidatePeerCertificateChainReq_VerificationMode,
|
||||
serverName string,
|
||||
serverAuthorizationPolicy []byte) (*tls.Config, error) {
|
||||
s2AStream, err := createStream(ctx, s2av2Address, transportCreds, nil)
|
||||
if err != nil {
|
||||
grpclog.Infof("Failed to connect to S2Av2: %v", err)
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return tlsconfigstore.GetTLSConfigurationForClient(removeServerNamePort(serverName), s2AStream, tokenManager, nil, verificationMode, serverAuthorizationPolicy)
|
||||
}
|
||||
|
||||
// OverrideServerName sets the ServerName in the s2av2TransportCreds protocol
|
||||
// info. The ServerName MUST be a hostname.
|
||||
func (c *s2av2TransportCreds) OverrideServerName(serverNameOverride string) error {
|
||||
serverName := removeServerNamePort(serverNameOverride)
|
||||
c.info.ServerName = serverName
|
||||
c.serverName = serverName
|
||||
return nil
|
||||
}
|
||||
|
||||
// Remove the trailing port from server name.
|
||||
func removeServerNamePort(serverName string) string {
|
||||
name, _, err := net.SplitHostPort(serverName)
|
||||
if err != nil {
|
||||
name = serverName
|
||||
}
|
||||
return name
|
||||
}
|
||||
|
||||
type s2AGrpcStream struct {
|
||||
stream s2av2pb.S2AService_SetUpSessionClient
|
||||
}
|
||||
|
||||
func (x s2AGrpcStream) Send(m *s2av2pb.SessionReq) error {
|
||||
return x.stream.Send(m)
|
||||
}
|
||||
|
||||
func (x s2AGrpcStream) Recv() (*s2av2pb.SessionResp, error) {
|
||||
return x.stream.Recv()
|
||||
}
|
||||
|
||||
func (x s2AGrpcStream) CloseSend() error {
|
||||
return x.stream.CloseSend()
|
||||
}
|
||||
|
||||
func createStream(ctx context.Context, s2av2Address string, transportCreds credentials.TransportCredentials, getS2AStream func(ctx context.Context, s2av2Address string) (stream.S2AStream, error)) (stream.S2AStream, error) {
|
||||
if getS2AStream != nil {
|
||||
return getS2AStream(ctx, s2av2Address)
|
||||
}
|
||||
// TODO(rmehta19): Consider whether to close the connection to S2Av2.
|
||||
conn, err := service.Dial(ctx, s2av2Address, transportCreds)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
client := s2av2pb.NewS2AServiceClient(conn)
|
||||
gRPCStream, err := client.SetUpSession(ctx, []grpc.CallOption{}...)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return &s2AGrpcStream{
|
||||
stream: gRPCStream,
|
||||
}, nil
|
||||
}
|
||||
|
||||
// GetS2ATimeout returns the timeout enforced on the connection to the S2A service for handshake.
|
||||
func GetS2ATimeout() time.Duration {
|
||||
timeout, err := time.ParseDuration(os.Getenv(s2aTimeoutEnv))
|
||||
if err != nil {
|
||||
return defaultS2ATimeout
|
||||
}
|
||||
return timeout
|
||||
}
|
||||
24
vendor/github.com/google/s2a-go/internal/v2/testdata/client_cert.pem
generated
vendored
Normal file
24
vendor/github.com/google/s2a-go/internal/v2/testdata/client_cert.pem
generated
vendored
Normal file
@@ -0,0 +1,24 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIID8TCCAtmgAwIBAgIUKXNlBRVe6UepjQUijIFPZBd/4qYwDQYJKoZIhvcNAQEL
|
||||
BQAwgYcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJU3Vubnl2
|
||||
YWxlMRAwDgYDVQQKDAdDb21wYW55MREwDwYDVQQLDAhEaXZpc2lvbjEWMBQGA1UE
|
||||
AwwNczJhX3Rlc3RfY2VydDEaMBgGCSqGSIb3DQEJARYLeHl6QHh5ei5jb20wHhcN
|
||||
MjIwNTMxMjAwMzE1WhcNNDIwNTI2MjAwMzE1WjCBhzELMAkGA1UEBhMCVVMxCzAJ
|
||||
BgNVBAgMAkNBMRIwEAYDVQQHDAlTdW5ueXZhbGUxEDAOBgNVBAoMB0NvbXBhbnkx
|
||||
ETAPBgNVBAsMCERpdmlzaW9uMRYwFAYDVQQDDA1zMmFfdGVzdF9jZXJ0MRowGAYJ
|
||||
KoZIhvcNAQkBFgt4eXpAeHl6LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
|
||||
AQoCggEBAOOFuIucH7XXfohGxKd3uR/ihUA/LdduR9I8kfpUEbq5BOt8xZe5/Yn9
|
||||
a1ozEHVW6cOAbHbnwAR8tkSgZ/t42QIA2k77HWU1Jh2xiEIsJivo3imm4/kZWuR0
|
||||
OqPh7MhzxpR/hvNwpI5mJsAVBWFMa5KtecFZLnyZtwHylrRN1QXzuLrOxuKFufK3
|
||||
RKbTABScn5RbZL976H/jgfSeXrbt242NrIoBnVe6fRbekbq2DQ6zFArbQMUgHjHK
|
||||
P0UqBgdr1QmHfi9KytFyx9BTP3gXWnWIu+bY7/v7qKJMHFwGETo+dCLWYevJL316
|
||||
HnLfhApDMfP8U+Yv/y1N/YvgaSOSlEcCAwEAAaNTMFEwHQYDVR0OBBYEFKhAU4nu
|
||||
0h/lrnggbIGvx4ej0WklMB8GA1UdIwQYMBaAFKhAU4nu0h/lrnggbIGvx4ej0Wkl
|
||||
MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAE/6NghzQ5fu6yR6
|
||||
EHKbj/YMrFdT7aGn5n2sAf7wJ33LIhiFHkpWBsVlm7rDtZtwhe891ZK/P60anlg9
|
||||
/P0Ua53tSRVRmCvTnEbXWOVMN4is6MsR7BlmzUxl4AtIn7jbeifEwRL7B4xDYmdA
|
||||
QrQnsqoz45dLgS5xK4WDqXATP09Q91xQDuhud/b+A4jrvgwFASmL7rMIZbp4f1JQ
|
||||
nlnl/9VoTBQBvJiWkDUtQDMpRLtauddEkv4AGz75p5IspXWD6cOemuh2iQec11xD
|
||||
X20rs2WZbAcAiUa3nmy8OKYw435vmpj8gp39WYbX/Yx9TymrFFbVY92wYn+quTco
|
||||
pKklVz0=
|
||||
-----END CERTIFICATE-----
|
||||
27
vendor/github.com/google/s2a-go/internal/v2/testdata/client_key.pem
generated
vendored
Normal file
27
vendor/github.com/google/s2a-go/internal/v2/testdata/client_key.pem
generated
vendored
Normal file
@@ -0,0 +1,27 @@
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEogIBAAKCAQEA44W4i5wftdd+iEbEp3e5H+KFQD8t125H0jyR+lQRurkE63zF
|
||||
l7n9if1rWjMQdVbpw4BsdufABHy2RKBn+3jZAgDaTvsdZTUmHbGIQiwmK+jeKabj
|
||||
+Rla5HQ6o+HsyHPGlH+G83CkjmYmwBUFYUxrkq15wVkufJm3AfKWtE3VBfO4us7G
|
||||
4oW58rdEptMAFJyflFtkv3vof+OB9J5etu3bjY2sigGdV7p9Ft6RurYNDrMUCttA
|
||||
xSAeMco/RSoGB2vVCYd+L0rK0XLH0FM/eBdadYi75tjv+/uookwcXAYROj50ItZh
|
||||
68kvfXoect+ECkMx8/xT5i//LU39i+BpI5KURwIDAQABAoIBABgyjo/6iLzUMFbZ
|
||||
/+w3pW6orrdIgN2akvTfED9pVYFgUA+jc3hRhY95bkNnjuaL2cy7Cc4Tk65mfRQL
|
||||
Y0OxdJLr+EvSFSxAXM9npDA1ddHRsF8JqtFBSxNk8R+g1Yf0GDiO35Fgd3/ViWWA
|
||||
VtQkRoSRApP3oiQKTRZd8H04keFR+PvmDk/Lq11l3Kc24A1PevKIPX1oI990ggw9
|
||||
9i4uSV+cnuMxmcI9xxJtgwdDFdjr39l2arLOHr4s6LGoV2IOdXHNlv5xRqWUZ0FH
|
||||
MDHowkLgwDrdSTnNeaVNkce14Gqx+bd4hNaLCdKXMpedBTEmrut3f3hdV1kKjaKt
|
||||
aqRYr8ECgYEA/YDGZY2jvFoHHBywlqmEMFrrCvQGH51m5R1Ntpkzr+Rh3YCmrpvq
|
||||
xgwJXING0PUw3dz+xrH5lJICrfNE5Kt3fPu1rAEy+13mYsNowghtUq2Rtu0Hsjjx
|
||||
2E3Bf8vEB6RNBMmGkUpTTIAroGF5tpJoRvfnWax+k4pFdrKYFtyZdNcCgYEA5cNv
|
||||
EPltvOobjTXlUmtVP3n27KZN2aXexTcagLzRxE9CV4cYySENl3KuOMmccaZpIl6z
|
||||
aHk6BT4X+M0LqElNUczrInfVqI+SGAFLGy7W6CJaqSr6cpyFUP/fosKpm6wKGgLq
|
||||
udHfpvz5rckhKd8kJxFLvhGOK9yN5qpzih0gfhECgYAJfwRvk3G5wYmYpP58dlcs
|
||||
VIuPenqsPoI3PPTHTU/hW+XKnWIhElgmGRdUrto9Q6IT/Y5RtSMLTLjq+Tzwb/fm
|
||||
56rziYv2XJsfwgAvnI8z1Kqrto9ePsHYf3krJ1/thVsZPc9bq/QY3ohD1sLvcuaT
|
||||
GgBBnLOVJU3a12/ZE2RwOwKBgF0csWMAoj8/5IB6if+3ral2xOGsl7oPZVMo/J2V
|
||||
Z7EVqb4M6rd/pKFugTpUQgkwtkSOekhpcGD1hAN5HTNK2YG/+L5UMAsKe9sskwJm
|
||||
HgOfAHy0BSDzW3ey6i9skg2bT9Cww+0gJ3Hl7U1HSCBO5LjMYpSZSrNtwzfqdb5Q
|
||||
BX3xAoGARZdR28Ej3+/+0+fz47Yu2h4z0EI/EbrudLOWY936jIeAVwHckI3+BuqH
|
||||
qR4poj1gfbnMxNuI9UzIXzjEmGewx9kDZ7IYnvloZKqoVQODO5GlKF2ja6IcMNlh
|
||||
GCNdD6PSAS6HcmalmWo9sj+1YMkrl+GJikKZqVBHrHNwMGAG67w=
|
||||
-----END RSA PRIVATE KEY-----
|
||||
24
vendor/github.com/google/s2a-go/internal/v2/testdata/server_cert.pem
generated
vendored
Normal file
24
vendor/github.com/google/s2a-go/internal/v2/testdata/server_cert.pem
generated
vendored
Normal file
@@ -0,0 +1,24 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIID8TCCAtmgAwIBAgIUKCoDuLtiZXvhsBY2RoDm0ugizJ8wDQYJKoZIhvcNAQEL
|
||||
BQAwgYcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJU3Vubnl2
|
||||
YWxlMRAwDgYDVQQKDAdDb21wYW55MREwDwYDVQQLDAhEaXZpc2lvbjEWMBQGA1UE
|
||||
AwwNczJhX3Rlc3RfY2VydDEaMBgGCSqGSIb3DQEJARYLeHl6QHh5ei5jb20wHhcN
|
||||
MjIwNTMxMjAwODI1WhcNNDIwNTI2MjAwODI1WjCBhzELMAkGA1UEBhMCVVMxCzAJ
|
||||
BgNVBAgMAkNBMRIwEAYDVQQHDAlTdW5ueXZhbGUxEDAOBgNVBAoMB0NvbXBhbnkx
|
||||
ETAPBgNVBAsMCERpdmlzaW9uMRYwFAYDVQQDDA1zMmFfdGVzdF9jZXJ0MRowGAYJ
|
||||
KoZIhvcNAQkBFgt4eXpAeHl6LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
|
||||
AQoCggEBAKK1++PXQ+M3hjYH/v0K4UEYl5ljzpNM1i52eQM+gFooojT87PDSaphT
|
||||
fs0PXy/PTAjHBEvPhWpOpmQXfJNYzjwcCvg66hbqkv++/VTZiFLAsHagzkEz+FRJ
|
||||
qT5Eq7G5FLyw1izX1uxyPN7tAEWEEg7eqsiaXD3Cq8+TYN9cjirPeF7RZF8yFCYE
|
||||
xqvbo+Yc6RL6xw19iXVTfctRgQe581KQuIY5/LXo3dWDEilFdsADAe8XAEcO64es
|
||||
Ow0g1UvXLnpXSE151kXBFb3sKH/ZjCecDYMCIMEb4sWLSblkSxJ5sNSmXIG4wtr2
|
||||
Qnii7CXZgnVYraQE/Jyh+NMQANuoSdMCAwEAAaNTMFEwHQYDVR0OBBYEFAyQQQuM
|
||||
ab+YUQqjK8dVVOoHVFmXMB8GA1UdIwQYMBaAFAyQQQuMab+YUQqjK8dVVOoHVFmX
|
||||
MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBADj0vQ6ykWhicoqR
|
||||
e6VZMwlEJV7/DSvWWKBd9MUjfKye0A4565ya5lmnzP3DiD3nqGe3miqmLsXKDs+X
|
||||
POqlPXTWIamP7D4MJ32XtSLwZB4ru+I+Ao/P/VngPepoRPQoBnzHe7jww0rokqxl
|
||||
AZERjlbTUwUAy/BPWPSzSJZ2j0tcs6ZLDNyYzpK4ao8R9/1VmQ92Tcp3feJs1QTg
|
||||
odRQc3om/AkWOwsll+oyX0UbJeHkFHiLanUPXbdh+/BkSvZJ8ynL+feSDdaurPe+
|
||||
PSfnqLtQft9/neecGRdEaQzzzSFVQUVQzTdK1Q7hA7b55b2HvIa3ktDiks+sJsYN
|
||||
Dhm6uZM=
|
||||
-----END CERTIFICATE-----
|
||||
27
vendor/github.com/google/s2a-go/internal/v2/testdata/server_key.pem
generated
vendored
Normal file
27
vendor/github.com/google/s2a-go/internal/v2/testdata/server_key.pem
generated
vendored
Normal file
@@ -0,0 +1,27 @@
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEpAIBAAKCAQEAorX749dD4zeGNgf+/QrhQRiXmWPOk0zWLnZ5Az6AWiiiNPzs
|
||||
8NJqmFN+zQ9fL89MCMcES8+Fak6mZBd8k1jOPBwK+DrqFuqS/779VNmIUsCwdqDO
|
||||
QTP4VEmpPkSrsbkUvLDWLNfW7HI83u0ARYQSDt6qyJpcPcKrz5Ng31yOKs94XtFk
|
||||
XzIUJgTGq9uj5hzpEvrHDX2JdVN9y1GBB7nzUpC4hjn8tejd1YMSKUV2wAMB7xcA
|
||||
Rw7rh6w7DSDVS9cueldITXnWRcEVvewof9mMJ5wNgwIgwRvixYtJuWRLEnmw1KZc
|
||||
gbjC2vZCeKLsJdmCdVitpAT8nKH40xAA26hJ0wIDAQABAoIBACaNR+lsD8G+XiZf
|
||||
LqN1+HkcAo9tfnyYMAdCOtnx7SdviT9Uzi8hK/B7mAeuJLeHPlS2EuaDfPD7QaFl
|
||||
jza6S+MiIdc+3kgfvESsVAnOoOY6kZUJ9NSuI6CU82y1iJjLaYZrv9NQMLRFPPb0
|
||||
4KOX709mosB1EnXvshW0rbc+jtDFhrm1SxMt+k9TuzmMxjbOeW4LOLXPgU8X1T3Q
|
||||
Xy0hMZZtcgBs9wFIo8yCtmOixax9pnFE8rRltgDxTodn9LLdz1FieyntNgDksZ0P
|
||||
nt4kV7Mqly7ELaea+Foaj244mKsesic2e3GhAlMRLun/VSunSf7mOCxfpITB8dp1
|
||||
drDhOYECgYEA19151dVxRcviuovN6Dar+QszMTnU8pDJ8BjLFjXjP/hNBBwMTHDE
|
||||
duMuWk2qnwZqMooI/shxrF/ufmTgS0CFrh2+ANBZu27vWConJNXcyNtdigI4wt50
|
||||
L0Y2qcZn2mg67qFXHwoR3QNwrwnPwEjRXA09at9CSRZzcwDQ0ETXhYsCgYEAwPaG
|
||||
06QdK8Zyly7TTzZJwxzv9uGiqzodmGtX6NEKjgij2JaCxHpukqZBJoqa0jKeK1cm
|
||||
eNVkOvT5ff9TMzarSHQLr3pZen2/oVLb5gaFkbcJt/klv9Fd+ZRilHY3i6QwS6pD
|
||||
uMiPOWS4DrLHDRVoVlAZTDjT1RVwwTs+P2NhJdkCgYEAsriXysbxBYyMp05gqEW7
|
||||
lHIFbFgpSrs9th+Q5U6wW6JEgYaHWDJ1NslY80MiZI93FWjbkbZ7BvBWESeL3EIL
|
||||
a+EMErht0pVCbIhZ6FF4foPAqia0wAJVx14mm+G80kNBp5jE/NnleEsE3KcO7nBb
|
||||
hg8gLn+x7bk81JZ0TDrzBYkCgYEAuQKluv47SeF3tSScTfKLPpvcKCWmxe1uutkQ
|
||||
7JShPhVioyOMNb39jnYBOWbjkm4d4QgqRuiytSR0oi3QI+Ziy5EYMyNn713qAk9j
|
||||
r2TJZDDPDKnBW+zt4YI4EohWMXk3JRUW4XDKggjjwJQA7bZ812TtHHvP/xoThfG7
|
||||
eSNb3eECgYBw6ssgCtMrdvQiEmjKVX/9yI38mvC2kSGyzbrQnGUfgqRGomRpeZuD
|
||||
B5E3kysA4td5pT5lvcLgSW0TbOz+YbiriXjwOihPIelCvc9gE2eOUI71/byUWPFz
|
||||
7u5F/xQ4NaGr5suLF+lBC6h7pSbM4El9lIHQAQadpuEdzHqrw+hs3g==
|
||||
-----END RSA PRIVATE KEY-----
|
||||
24
vendor/github.com/google/s2a-go/internal/v2/tlsconfigstore/testdata/client_cert.pem
generated
vendored
Normal file
24
vendor/github.com/google/s2a-go/internal/v2/tlsconfigstore/testdata/client_cert.pem
generated
vendored
Normal file
@@ -0,0 +1,24 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIID8TCCAtmgAwIBAgIUKXNlBRVe6UepjQUijIFPZBd/4qYwDQYJKoZIhvcNAQEL
|
||||
BQAwgYcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJU3Vubnl2
|
||||
YWxlMRAwDgYDVQQKDAdDb21wYW55MREwDwYDVQQLDAhEaXZpc2lvbjEWMBQGA1UE
|
||||
AwwNczJhX3Rlc3RfY2VydDEaMBgGCSqGSIb3DQEJARYLeHl6QHh5ei5jb20wHhcN
|
||||
MjIwNTMxMjAwMzE1WhcNNDIwNTI2MjAwMzE1WjCBhzELMAkGA1UEBhMCVVMxCzAJ
|
||||
BgNVBAgMAkNBMRIwEAYDVQQHDAlTdW5ueXZhbGUxEDAOBgNVBAoMB0NvbXBhbnkx
|
||||
ETAPBgNVBAsMCERpdmlzaW9uMRYwFAYDVQQDDA1zMmFfdGVzdF9jZXJ0MRowGAYJ
|
||||
KoZIhvcNAQkBFgt4eXpAeHl6LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
|
||||
AQoCggEBAOOFuIucH7XXfohGxKd3uR/ihUA/LdduR9I8kfpUEbq5BOt8xZe5/Yn9
|
||||
a1ozEHVW6cOAbHbnwAR8tkSgZ/t42QIA2k77HWU1Jh2xiEIsJivo3imm4/kZWuR0
|
||||
OqPh7MhzxpR/hvNwpI5mJsAVBWFMa5KtecFZLnyZtwHylrRN1QXzuLrOxuKFufK3
|
||||
RKbTABScn5RbZL976H/jgfSeXrbt242NrIoBnVe6fRbekbq2DQ6zFArbQMUgHjHK
|
||||
P0UqBgdr1QmHfi9KytFyx9BTP3gXWnWIu+bY7/v7qKJMHFwGETo+dCLWYevJL316
|
||||
HnLfhApDMfP8U+Yv/y1N/YvgaSOSlEcCAwEAAaNTMFEwHQYDVR0OBBYEFKhAU4nu
|
||||
0h/lrnggbIGvx4ej0WklMB8GA1UdIwQYMBaAFKhAU4nu0h/lrnggbIGvx4ej0Wkl
|
||||
MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAE/6NghzQ5fu6yR6
|
||||
EHKbj/YMrFdT7aGn5n2sAf7wJ33LIhiFHkpWBsVlm7rDtZtwhe891ZK/P60anlg9
|
||||
/P0Ua53tSRVRmCvTnEbXWOVMN4is6MsR7BlmzUxl4AtIn7jbeifEwRL7B4xDYmdA
|
||||
QrQnsqoz45dLgS5xK4WDqXATP09Q91xQDuhud/b+A4jrvgwFASmL7rMIZbp4f1JQ
|
||||
nlnl/9VoTBQBvJiWkDUtQDMpRLtauddEkv4AGz75p5IspXWD6cOemuh2iQec11xD
|
||||
X20rs2WZbAcAiUa3nmy8OKYw435vmpj8gp39WYbX/Yx9TymrFFbVY92wYn+quTco
|
||||
pKklVz0=
|
||||
-----END CERTIFICATE-----
|
||||
27
vendor/github.com/google/s2a-go/internal/v2/tlsconfigstore/testdata/client_key.pem
generated
vendored
Normal file
27
vendor/github.com/google/s2a-go/internal/v2/tlsconfigstore/testdata/client_key.pem
generated
vendored
Normal file
@@ -0,0 +1,27 @@
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEogIBAAKCAQEA44W4i5wftdd+iEbEp3e5H+KFQD8t125H0jyR+lQRurkE63zF
|
||||
l7n9if1rWjMQdVbpw4BsdufABHy2RKBn+3jZAgDaTvsdZTUmHbGIQiwmK+jeKabj
|
||||
+Rla5HQ6o+HsyHPGlH+G83CkjmYmwBUFYUxrkq15wVkufJm3AfKWtE3VBfO4us7G
|
||||
4oW58rdEptMAFJyflFtkv3vof+OB9J5etu3bjY2sigGdV7p9Ft6RurYNDrMUCttA
|
||||
xSAeMco/RSoGB2vVCYd+L0rK0XLH0FM/eBdadYi75tjv+/uookwcXAYROj50ItZh
|
||||
68kvfXoect+ECkMx8/xT5i//LU39i+BpI5KURwIDAQABAoIBABgyjo/6iLzUMFbZ
|
||||
/+w3pW6orrdIgN2akvTfED9pVYFgUA+jc3hRhY95bkNnjuaL2cy7Cc4Tk65mfRQL
|
||||
Y0OxdJLr+EvSFSxAXM9npDA1ddHRsF8JqtFBSxNk8R+g1Yf0GDiO35Fgd3/ViWWA
|
||||
VtQkRoSRApP3oiQKTRZd8H04keFR+PvmDk/Lq11l3Kc24A1PevKIPX1oI990ggw9
|
||||
9i4uSV+cnuMxmcI9xxJtgwdDFdjr39l2arLOHr4s6LGoV2IOdXHNlv5xRqWUZ0FH
|
||||
MDHowkLgwDrdSTnNeaVNkce14Gqx+bd4hNaLCdKXMpedBTEmrut3f3hdV1kKjaKt
|
||||
aqRYr8ECgYEA/YDGZY2jvFoHHBywlqmEMFrrCvQGH51m5R1Ntpkzr+Rh3YCmrpvq
|
||||
xgwJXING0PUw3dz+xrH5lJICrfNE5Kt3fPu1rAEy+13mYsNowghtUq2Rtu0Hsjjx
|
||||
2E3Bf8vEB6RNBMmGkUpTTIAroGF5tpJoRvfnWax+k4pFdrKYFtyZdNcCgYEA5cNv
|
||||
EPltvOobjTXlUmtVP3n27KZN2aXexTcagLzRxE9CV4cYySENl3KuOMmccaZpIl6z
|
||||
aHk6BT4X+M0LqElNUczrInfVqI+SGAFLGy7W6CJaqSr6cpyFUP/fosKpm6wKGgLq
|
||||
udHfpvz5rckhKd8kJxFLvhGOK9yN5qpzih0gfhECgYAJfwRvk3G5wYmYpP58dlcs
|
||||
VIuPenqsPoI3PPTHTU/hW+XKnWIhElgmGRdUrto9Q6IT/Y5RtSMLTLjq+Tzwb/fm
|
||||
56rziYv2XJsfwgAvnI8z1Kqrto9ePsHYf3krJ1/thVsZPc9bq/QY3ohD1sLvcuaT
|
||||
GgBBnLOVJU3a12/ZE2RwOwKBgF0csWMAoj8/5IB6if+3ral2xOGsl7oPZVMo/J2V
|
||||
Z7EVqb4M6rd/pKFugTpUQgkwtkSOekhpcGD1hAN5HTNK2YG/+L5UMAsKe9sskwJm
|
||||
HgOfAHy0BSDzW3ey6i9skg2bT9Cww+0gJ3Hl7U1HSCBO5LjMYpSZSrNtwzfqdb5Q
|
||||
BX3xAoGARZdR28Ej3+/+0+fz47Yu2h4z0EI/EbrudLOWY936jIeAVwHckI3+BuqH
|
||||
qR4poj1gfbnMxNuI9UzIXzjEmGewx9kDZ7IYnvloZKqoVQODO5GlKF2ja6IcMNlh
|
||||
GCNdD6PSAS6HcmalmWo9sj+1YMkrl+GJikKZqVBHrHNwMGAG67w=
|
||||
-----END RSA PRIVATE KEY-----
|
||||
24
vendor/github.com/google/s2a-go/internal/v2/tlsconfigstore/testdata/server_cert.pem
generated
vendored
Normal file
24
vendor/github.com/google/s2a-go/internal/v2/tlsconfigstore/testdata/server_cert.pem
generated
vendored
Normal file
@@ -0,0 +1,24 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIID8TCCAtmgAwIBAgIUKCoDuLtiZXvhsBY2RoDm0ugizJ8wDQYJKoZIhvcNAQEL
|
||||
BQAwgYcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJU3Vubnl2
|
||||
YWxlMRAwDgYDVQQKDAdDb21wYW55MREwDwYDVQQLDAhEaXZpc2lvbjEWMBQGA1UE
|
||||
AwwNczJhX3Rlc3RfY2VydDEaMBgGCSqGSIb3DQEJARYLeHl6QHh5ei5jb20wHhcN
|
||||
MjIwNTMxMjAwODI1WhcNNDIwNTI2MjAwODI1WjCBhzELMAkGA1UEBhMCVVMxCzAJ
|
||||
BgNVBAgMAkNBMRIwEAYDVQQHDAlTdW5ueXZhbGUxEDAOBgNVBAoMB0NvbXBhbnkx
|
||||
ETAPBgNVBAsMCERpdmlzaW9uMRYwFAYDVQQDDA1zMmFfdGVzdF9jZXJ0MRowGAYJ
|
||||
KoZIhvcNAQkBFgt4eXpAeHl6LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
|
||||
AQoCggEBAKK1++PXQ+M3hjYH/v0K4UEYl5ljzpNM1i52eQM+gFooojT87PDSaphT
|
||||
fs0PXy/PTAjHBEvPhWpOpmQXfJNYzjwcCvg66hbqkv++/VTZiFLAsHagzkEz+FRJ
|
||||
qT5Eq7G5FLyw1izX1uxyPN7tAEWEEg7eqsiaXD3Cq8+TYN9cjirPeF7RZF8yFCYE
|
||||
xqvbo+Yc6RL6xw19iXVTfctRgQe581KQuIY5/LXo3dWDEilFdsADAe8XAEcO64es
|
||||
Ow0g1UvXLnpXSE151kXBFb3sKH/ZjCecDYMCIMEb4sWLSblkSxJ5sNSmXIG4wtr2
|
||||
Qnii7CXZgnVYraQE/Jyh+NMQANuoSdMCAwEAAaNTMFEwHQYDVR0OBBYEFAyQQQuM
|
||||
ab+YUQqjK8dVVOoHVFmXMB8GA1UdIwQYMBaAFAyQQQuMab+YUQqjK8dVVOoHVFmX
|
||||
MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBADj0vQ6ykWhicoqR
|
||||
e6VZMwlEJV7/DSvWWKBd9MUjfKye0A4565ya5lmnzP3DiD3nqGe3miqmLsXKDs+X
|
||||
POqlPXTWIamP7D4MJ32XtSLwZB4ru+I+Ao/P/VngPepoRPQoBnzHe7jww0rokqxl
|
||||
AZERjlbTUwUAy/BPWPSzSJZ2j0tcs6ZLDNyYzpK4ao8R9/1VmQ92Tcp3feJs1QTg
|
||||
odRQc3om/AkWOwsll+oyX0UbJeHkFHiLanUPXbdh+/BkSvZJ8ynL+feSDdaurPe+
|
||||
PSfnqLtQft9/neecGRdEaQzzzSFVQUVQzTdK1Q7hA7b55b2HvIa3ktDiks+sJsYN
|
||||
Dhm6uZM=
|
||||
-----END CERTIFICATE-----
|
||||
27
vendor/github.com/google/s2a-go/internal/v2/tlsconfigstore/testdata/server_key.pem
generated
vendored
Normal file
27
vendor/github.com/google/s2a-go/internal/v2/tlsconfigstore/testdata/server_key.pem
generated
vendored
Normal file
@@ -0,0 +1,27 @@
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEpAIBAAKCAQEAorX749dD4zeGNgf+/QrhQRiXmWPOk0zWLnZ5Az6AWiiiNPzs
|
||||
8NJqmFN+zQ9fL89MCMcES8+Fak6mZBd8k1jOPBwK+DrqFuqS/779VNmIUsCwdqDO
|
||||
QTP4VEmpPkSrsbkUvLDWLNfW7HI83u0ARYQSDt6qyJpcPcKrz5Ng31yOKs94XtFk
|
||||
XzIUJgTGq9uj5hzpEvrHDX2JdVN9y1GBB7nzUpC4hjn8tejd1YMSKUV2wAMB7xcA
|
||||
Rw7rh6w7DSDVS9cueldITXnWRcEVvewof9mMJ5wNgwIgwRvixYtJuWRLEnmw1KZc
|
||||
gbjC2vZCeKLsJdmCdVitpAT8nKH40xAA26hJ0wIDAQABAoIBACaNR+lsD8G+XiZf
|
||||
LqN1+HkcAo9tfnyYMAdCOtnx7SdviT9Uzi8hK/B7mAeuJLeHPlS2EuaDfPD7QaFl
|
||||
jza6S+MiIdc+3kgfvESsVAnOoOY6kZUJ9NSuI6CU82y1iJjLaYZrv9NQMLRFPPb0
|
||||
4KOX709mosB1EnXvshW0rbc+jtDFhrm1SxMt+k9TuzmMxjbOeW4LOLXPgU8X1T3Q
|
||||
Xy0hMZZtcgBs9wFIo8yCtmOixax9pnFE8rRltgDxTodn9LLdz1FieyntNgDksZ0P
|
||||
nt4kV7Mqly7ELaea+Foaj244mKsesic2e3GhAlMRLun/VSunSf7mOCxfpITB8dp1
|
||||
drDhOYECgYEA19151dVxRcviuovN6Dar+QszMTnU8pDJ8BjLFjXjP/hNBBwMTHDE
|
||||
duMuWk2qnwZqMooI/shxrF/ufmTgS0CFrh2+ANBZu27vWConJNXcyNtdigI4wt50
|
||||
L0Y2qcZn2mg67qFXHwoR3QNwrwnPwEjRXA09at9CSRZzcwDQ0ETXhYsCgYEAwPaG
|
||||
06QdK8Zyly7TTzZJwxzv9uGiqzodmGtX6NEKjgij2JaCxHpukqZBJoqa0jKeK1cm
|
||||
eNVkOvT5ff9TMzarSHQLr3pZen2/oVLb5gaFkbcJt/klv9Fd+ZRilHY3i6QwS6pD
|
||||
uMiPOWS4DrLHDRVoVlAZTDjT1RVwwTs+P2NhJdkCgYEAsriXysbxBYyMp05gqEW7
|
||||
lHIFbFgpSrs9th+Q5U6wW6JEgYaHWDJ1NslY80MiZI93FWjbkbZ7BvBWESeL3EIL
|
||||
a+EMErht0pVCbIhZ6FF4foPAqia0wAJVx14mm+G80kNBp5jE/NnleEsE3KcO7nBb
|
||||
hg8gLn+x7bk81JZ0TDrzBYkCgYEAuQKluv47SeF3tSScTfKLPpvcKCWmxe1uutkQ
|
||||
7JShPhVioyOMNb39jnYBOWbjkm4d4QgqRuiytSR0oi3QI+Ziy5EYMyNn713qAk9j
|
||||
r2TJZDDPDKnBW+zt4YI4EohWMXk3JRUW4XDKggjjwJQA7bZ812TtHHvP/xoThfG7
|
||||
eSNb3eECgYBw6ssgCtMrdvQiEmjKVX/9yI38mvC2kSGyzbrQnGUfgqRGomRpeZuD
|
||||
B5E3kysA4td5pT5lvcLgSW0TbOz+YbiriXjwOihPIelCvc9gE2eOUI71/byUWPFz
|
||||
7u5F/xQ4NaGr5suLF+lBC6h7pSbM4El9lIHQAQadpuEdzHqrw+hs3g==
|
||||
-----END RSA PRIVATE KEY-----
|
||||
404
vendor/github.com/google/s2a-go/internal/v2/tlsconfigstore/tlsconfigstore.go
generated
vendored
Normal file
404
vendor/github.com/google/s2a-go/internal/v2/tlsconfigstore/tlsconfigstore.go
generated
vendored
Normal file
@@ -0,0 +1,404 @@
|
||||
/*
|
||||
*
|
||||
* Copyright 2022 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
*/
|
||||
|
||||
// Package tlsconfigstore offloads operations to S2Av2.
|
||||
package tlsconfigstore
|
||||
|
||||
import (
|
||||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"encoding/pem"
|
||||
"errors"
|
||||
"fmt"
|
||||
|
||||
"github.com/google/s2a-go/internal/tokenmanager"
|
||||
"github.com/google/s2a-go/internal/v2/certverifier"
|
||||
"github.com/google/s2a-go/internal/v2/remotesigner"
|
||||
"github.com/google/s2a-go/stream"
|
||||
"google.golang.org/grpc/codes"
|
||||
"google.golang.org/grpc/grpclog"
|
||||
|
||||
commonpbv1 "github.com/google/s2a-go/internal/proto/common_go_proto"
|
||||
commonpb "github.com/google/s2a-go/internal/proto/v2/common_go_proto"
|
||||
s2av2pb "github.com/google/s2a-go/internal/proto/v2/s2a_go_proto"
|
||||
)
|
||||
|
||||
const (
|
||||
// HTTP/2
|
||||
h2 = "h2"
|
||||
)
|
||||
|
||||
// GetTLSConfigurationForClient returns a tls.Config instance for use by a client application.
|
||||
func GetTLSConfigurationForClient(serverHostname string, s2AStream stream.S2AStream, tokenManager tokenmanager.AccessTokenManager, localIdentity *commonpbv1.Identity, verificationMode s2av2pb.ValidatePeerCertificateChainReq_VerificationMode, serverAuthorizationPolicy []byte) (*tls.Config, error) {
|
||||
authMechanisms := getAuthMechanisms(tokenManager, []*commonpbv1.Identity{localIdentity})
|
||||
|
||||
if grpclog.V(1) {
|
||||
grpclog.Infof("Sending request to S2Av2 for client TLS config.")
|
||||
}
|
||||
// Send request to S2Av2 for config.
|
||||
if err := s2AStream.Send(&s2av2pb.SessionReq{
|
||||
LocalIdentity: localIdentity,
|
||||
AuthenticationMechanisms: authMechanisms,
|
||||
ReqOneof: &s2av2pb.SessionReq_GetTlsConfigurationReq{
|
||||
GetTlsConfigurationReq: &s2av2pb.GetTlsConfigurationReq{
|
||||
ConnectionSide: commonpb.ConnectionSide_CONNECTION_SIDE_CLIENT,
|
||||
},
|
||||
},
|
||||
}); err != nil {
|
||||
grpclog.Infof("Failed to send request to S2Av2 for client TLS config")
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// Get the response containing config from S2Av2.
|
||||
resp, err := s2AStream.Recv()
|
||||
if err != nil {
|
||||
grpclog.Infof("Failed to receive client TLS config response from S2Av2.")
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// TODO(rmehta19): Add unit test for this if statement.
|
||||
if (resp.GetStatus() != nil) && (resp.GetStatus().Code != uint32(codes.OK)) {
|
||||
return nil, fmt.Errorf("failed to get TLS configuration from S2A: %d, %v", resp.GetStatus().Code, resp.GetStatus().Details)
|
||||
}
|
||||
|
||||
// Extract TLS configiguration from SessionResp.
|
||||
tlsConfig := resp.GetGetTlsConfigurationResp().GetClientTlsConfiguration()
|
||||
|
||||
var cert tls.Certificate
|
||||
for i, v := range tlsConfig.CertificateChain {
|
||||
// Populate Certificates field.
|
||||
block, _ := pem.Decode([]byte(v))
|
||||
if block == nil {
|
||||
return nil, errors.New("certificate in CertificateChain obtained from S2Av2 is empty")
|
||||
}
|
||||
x509Cert, err := x509.ParseCertificate(block.Bytes)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
cert.Certificate = append(cert.Certificate, x509Cert.Raw)
|
||||
if i == 0 {
|
||||
cert.Leaf = x509Cert
|
||||
}
|
||||
}
|
||||
|
||||
if len(tlsConfig.CertificateChain) > 0 {
|
||||
cert.PrivateKey = remotesigner.New(cert.Leaf, s2AStream)
|
||||
if cert.PrivateKey == nil {
|
||||
return nil, errors.New("failed to retrieve Private Key from Remote Signer Library")
|
||||
}
|
||||
}
|
||||
|
||||
minVersion, maxVersion, err := getTLSMinMaxVersionsClient(tlsConfig)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// Create mTLS credentials for client.
|
||||
config := &tls.Config{
|
||||
VerifyPeerCertificate: certverifier.VerifyServerCertificateChain(serverHostname, verificationMode, s2AStream, serverAuthorizationPolicy),
|
||||
ServerName: serverHostname,
|
||||
InsecureSkipVerify: true, // NOLINT
|
||||
ClientSessionCache: nil,
|
||||
SessionTicketsDisabled: true,
|
||||
MinVersion: minVersion,
|
||||
MaxVersion: maxVersion,
|
||||
NextProtos: []string{h2},
|
||||
}
|
||||
if len(tlsConfig.CertificateChain) > 0 {
|
||||
config.Certificates = []tls.Certificate{cert}
|
||||
}
|
||||
return config, nil
|
||||
}
|
||||
|
||||
// GetTLSConfigurationForServer returns a tls.Config instance for use by a server application.
|
||||
func GetTLSConfigurationForServer(s2AStream stream.S2AStream, tokenManager tokenmanager.AccessTokenManager, localIdentities []*commonpbv1.Identity, verificationMode s2av2pb.ValidatePeerCertificateChainReq_VerificationMode) (*tls.Config, error) {
|
||||
return &tls.Config{
|
||||
GetConfigForClient: ClientConfig(tokenManager, localIdentities, verificationMode, s2AStream),
|
||||
}, nil
|
||||
}
|
||||
|
||||
// ClientConfig builds a TLS config for a server to establish a secure
|
||||
// connection with a client, based on SNI communicated during ClientHello.
|
||||
// Ensures that server presents the correct certificate to establish a TLS
|
||||
// connection.
|
||||
func ClientConfig(tokenManager tokenmanager.AccessTokenManager, localIdentities []*commonpbv1.Identity, verificationMode s2av2pb.ValidatePeerCertificateChainReq_VerificationMode, s2AStream stream.S2AStream) func(chi *tls.ClientHelloInfo) (*tls.Config, error) {
|
||||
return func(chi *tls.ClientHelloInfo) (*tls.Config, error) {
|
||||
tlsConfig, err := getServerConfigFromS2Av2(tokenManager, localIdentities, chi.ServerName, s2AStream)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
var cert tls.Certificate
|
||||
for i, v := range tlsConfig.CertificateChain {
|
||||
// Populate Certificates field.
|
||||
block, _ := pem.Decode([]byte(v))
|
||||
if block == nil {
|
||||
return nil, errors.New("certificate in CertificateChain obtained from S2Av2 is empty")
|
||||
}
|
||||
x509Cert, err := x509.ParseCertificate(block.Bytes)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
cert.Certificate = append(cert.Certificate, x509Cert.Raw)
|
||||
if i == 0 {
|
||||
cert.Leaf = x509Cert
|
||||
}
|
||||
}
|
||||
|
||||
cert.PrivateKey = remotesigner.New(cert.Leaf, s2AStream)
|
||||
if cert.PrivateKey == nil {
|
||||
return nil, errors.New("failed to retrieve Private Key from Remote Signer Library")
|
||||
}
|
||||
|
||||
minVersion, maxVersion, err := getTLSMinMaxVersionsServer(tlsConfig)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
clientAuth := getTLSClientAuthType(tlsConfig)
|
||||
|
||||
var cipherSuites []uint16
|
||||
cipherSuites = getCipherSuites(tlsConfig.Ciphersuites)
|
||||
|
||||
// Create mTLS credentials for server.
|
||||
return &tls.Config{
|
||||
Certificates: []tls.Certificate{cert},
|
||||
VerifyPeerCertificate: certverifier.VerifyClientCertificateChain(verificationMode, s2AStream),
|
||||
ClientAuth: clientAuth,
|
||||
CipherSuites: cipherSuites,
|
||||
SessionTicketsDisabled: true,
|
||||
MinVersion: minVersion,
|
||||
MaxVersion: maxVersion,
|
||||
NextProtos: []string{h2},
|
||||
}, nil
|
||||
}
|
||||
}
|
||||
|
||||
func getCipherSuites(tlsConfigCipherSuites []commonpb.Ciphersuite) []uint16 {
|
||||
var tlsGoCipherSuites []uint16
|
||||
for _, v := range tlsConfigCipherSuites {
|
||||
s := getTLSCipherSuite(v)
|
||||
if s != 0xffff {
|
||||
tlsGoCipherSuites = append(tlsGoCipherSuites, s)
|
||||
}
|
||||
}
|
||||
return tlsGoCipherSuites
|
||||
}
|
||||
|
||||
func getTLSCipherSuite(tlsCipherSuite commonpb.Ciphersuite) uint16 {
|
||||
switch tlsCipherSuite {
|
||||
case commonpb.Ciphersuite_CIPHERSUITE_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
|
||||
return tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
||||
case commonpb.Ciphersuite_CIPHERSUITE_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
|
||||
return tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
|
||||
case commonpb.Ciphersuite_CIPHERSUITE_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:
|
||||
return tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
|
||||
case commonpb.Ciphersuite_CIPHERSUITE_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
|
||||
return tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
||||
case commonpb.Ciphersuite_CIPHERSUITE_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
|
||||
return tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
||||
case commonpb.Ciphersuite_CIPHERSUITE_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:
|
||||
return tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
|
||||
default:
|
||||
return 0xffff
|
||||
}
|
||||
}
|
||||
|
||||
func getServerConfigFromS2Av2(tokenManager tokenmanager.AccessTokenManager, localIdentities []*commonpbv1.Identity, sni string, s2AStream stream.S2AStream) (*s2av2pb.GetTlsConfigurationResp_ServerTlsConfiguration, error) {
|
||||
authMechanisms := getAuthMechanisms(tokenManager, localIdentities)
|
||||
var locID *commonpbv1.Identity
|
||||
if localIdentities != nil {
|
||||
locID = localIdentities[0]
|
||||
}
|
||||
|
||||
if err := s2AStream.Send(&s2av2pb.SessionReq{
|
||||
LocalIdentity: locID,
|
||||
AuthenticationMechanisms: authMechanisms,
|
||||
ReqOneof: &s2av2pb.SessionReq_GetTlsConfigurationReq{
|
||||
GetTlsConfigurationReq: &s2av2pb.GetTlsConfigurationReq{
|
||||
ConnectionSide: commonpb.ConnectionSide_CONNECTION_SIDE_SERVER,
|
||||
Sni: sni,
|
||||
},
|
||||
},
|
||||
}); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
resp, err := s2AStream.Recv()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// TODO(rmehta19): Add unit test for this if statement.
|
||||
if (resp.GetStatus() != nil) && (resp.GetStatus().Code != uint32(codes.OK)) {
|
||||
return nil, fmt.Errorf("failed to get TLS configuration from S2A: %d, %v", resp.GetStatus().Code, resp.GetStatus().Details)
|
||||
}
|
||||
|
||||
return resp.GetGetTlsConfigurationResp().GetServerTlsConfiguration(), nil
|
||||
}
|
||||
|
||||
func getTLSClientAuthType(tlsConfig *s2av2pb.GetTlsConfigurationResp_ServerTlsConfiguration) tls.ClientAuthType {
|
||||
var clientAuth tls.ClientAuthType
|
||||
switch x := tlsConfig.RequestClientCertificate; x {
|
||||
case s2av2pb.GetTlsConfigurationResp_ServerTlsConfiguration_DONT_REQUEST_CLIENT_CERTIFICATE:
|
||||
clientAuth = tls.NoClientCert
|
||||
case s2av2pb.GetTlsConfigurationResp_ServerTlsConfiguration_REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY:
|
||||
clientAuth = tls.RequestClientCert
|
||||
case s2av2pb.GetTlsConfigurationResp_ServerTlsConfiguration_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY:
|
||||
// This case actually maps to tls.VerifyClientCertIfGiven. However this
|
||||
// mapping triggers normal verification, followed by custom verification,
|
||||
// specified in VerifyPeerCertificate. To bypass normal verification, and
|
||||
// only do custom verification we set clientAuth to RequireAnyClientCert or
|
||||
// RequestClientCert. See https://github.com/google/s2a-go/pull/43 for full
|
||||
// discussion.
|
||||
clientAuth = tls.RequireAnyClientCert
|
||||
case s2av2pb.GetTlsConfigurationResp_ServerTlsConfiguration_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DONT_VERIFY:
|
||||
clientAuth = tls.RequireAnyClientCert
|
||||
case s2av2pb.GetTlsConfigurationResp_ServerTlsConfiguration_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY:
|
||||
// This case actually maps to tls.RequireAndVerifyClientCert. However this
|
||||
// mapping triggers normal verification, followed by custom verification,
|
||||
// specified in VerifyPeerCertificate. To bypass normal verification, and
|
||||
// only do custom verification we set clientAuth to RequireAnyClientCert or
|
||||
// RequestClientCert. See https://github.com/google/s2a-go/pull/43 for full
|
||||
// discussion.
|
||||
clientAuth = tls.RequireAnyClientCert
|
||||
default:
|
||||
clientAuth = tls.RequireAnyClientCert
|
||||
}
|
||||
return clientAuth
|
||||
}
|
||||
|
||||
func getAuthMechanisms(tokenManager tokenmanager.AccessTokenManager, localIdentities []*commonpbv1.Identity) []*s2av2pb.AuthenticationMechanism {
|
||||
if tokenManager == nil {
|
||||
return nil
|
||||
}
|
||||
if len(localIdentities) == 0 {
|
||||
token, err := tokenManager.DefaultToken()
|
||||
if err != nil {
|
||||
grpclog.Infof("Unable to get token for empty local identity: %v", err)
|
||||
return nil
|
||||
}
|
||||
return []*s2av2pb.AuthenticationMechanism{
|
||||
{
|
||||
MechanismOneof: &s2av2pb.AuthenticationMechanism_Token{
|
||||
Token: token,
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
var authMechanisms []*s2av2pb.AuthenticationMechanism
|
||||
for _, localIdentity := range localIdentities {
|
||||
if localIdentity == nil {
|
||||
token, err := tokenManager.DefaultToken()
|
||||
if err != nil {
|
||||
grpclog.Infof("Unable to get default token for local identity %v: %v", localIdentity, err)
|
||||
continue
|
||||
}
|
||||
authMechanisms = append(authMechanisms, &s2av2pb.AuthenticationMechanism{
|
||||
Identity: localIdentity,
|
||||
MechanismOneof: &s2av2pb.AuthenticationMechanism_Token{
|
||||
Token: token,
|
||||
},
|
||||
})
|
||||
} else {
|
||||
token, err := tokenManager.Token(localIdentity)
|
||||
if err != nil {
|
||||
grpclog.Infof("Unable to get token for local identity %v: %v", localIdentity, err)
|
||||
continue
|
||||
}
|
||||
authMechanisms = append(authMechanisms, &s2av2pb.AuthenticationMechanism{
|
||||
Identity: localIdentity,
|
||||
MechanismOneof: &s2av2pb.AuthenticationMechanism_Token{
|
||||
Token: token,
|
||||
},
|
||||
})
|
||||
}
|
||||
}
|
||||
return authMechanisms
|
||||
}
|
||||
|
||||
// TODO(rmehta19): refactor switch statements into a helper function.
|
||||
func getTLSMinMaxVersionsClient(tlsConfig *s2av2pb.GetTlsConfigurationResp_ClientTlsConfiguration) (uint16, uint16, error) {
|
||||
// Map S2Av2 TLSVersion to consts defined in tls package.
|
||||
var minVersion uint16
|
||||
var maxVersion uint16
|
||||
switch x := tlsConfig.MinTlsVersion; x {
|
||||
case commonpb.TLSVersion_TLS_VERSION_1_0:
|
||||
minVersion = tls.VersionTLS10
|
||||
case commonpb.TLSVersion_TLS_VERSION_1_1:
|
||||
minVersion = tls.VersionTLS11
|
||||
case commonpb.TLSVersion_TLS_VERSION_1_2:
|
||||
minVersion = tls.VersionTLS12
|
||||
case commonpb.TLSVersion_TLS_VERSION_1_3:
|
||||
minVersion = tls.VersionTLS13
|
||||
default:
|
||||
return minVersion, maxVersion, fmt.Errorf("S2Av2 provided invalid MinTlsVersion: %v", x)
|
||||
}
|
||||
|
||||
switch x := tlsConfig.MaxTlsVersion; x {
|
||||
case commonpb.TLSVersion_TLS_VERSION_1_0:
|
||||
maxVersion = tls.VersionTLS10
|
||||
case commonpb.TLSVersion_TLS_VERSION_1_1:
|
||||
maxVersion = tls.VersionTLS11
|
||||
case commonpb.TLSVersion_TLS_VERSION_1_2:
|
||||
maxVersion = tls.VersionTLS12
|
||||
case commonpb.TLSVersion_TLS_VERSION_1_3:
|
||||
maxVersion = tls.VersionTLS13
|
||||
default:
|
||||
return minVersion, maxVersion, fmt.Errorf("S2Av2 provided invalid MaxTlsVersion: %v", x)
|
||||
}
|
||||
if minVersion > maxVersion {
|
||||
return minVersion, maxVersion, errors.New("S2Av2 provided minVersion > maxVersion")
|
||||
}
|
||||
return minVersion, maxVersion, nil
|
||||
}
|
||||
|
||||
func getTLSMinMaxVersionsServer(tlsConfig *s2av2pb.GetTlsConfigurationResp_ServerTlsConfiguration) (uint16, uint16, error) {
|
||||
// Map S2Av2 TLSVersion to consts defined in tls package.
|
||||
var minVersion uint16
|
||||
var maxVersion uint16
|
||||
switch x := tlsConfig.MinTlsVersion; x {
|
||||
case commonpb.TLSVersion_TLS_VERSION_1_0:
|
||||
minVersion = tls.VersionTLS10
|
||||
case commonpb.TLSVersion_TLS_VERSION_1_1:
|
||||
minVersion = tls.VersionTLS11
|
||||
case commonpb.TLSVersion_TLS_VERSION_1_2:
|
||||
minVersion = tls.VersionTLS12
|
||||
case commonpb.TLSVersion_TLS_VERSION_1_3:
|
||||
minVersion = tls.VersionTLS13
|
||||
default:
|
||||
return minVersion, maxVersion, fmt.Errorf("S2Av2 provided invalid MinTlsVersion: %v", x)
|
||||
}
|
||||
|
||||
switch x := tlsConfig.MaxTlsVersion; x {
|
||||
case commonpb.TLSVersion_TLS_VERSION_1_0:
|
||||
maxVersion = tls.VersionTLS10
|
||||
case commonpb.TLSVersion_TLS_VERSION_1_1:
|
||||
maxVersion = tls.VersionTLS11
|
||||
case commonpb.TLSVersion_TLS_VERSION_1_2:
|
||||
maxVersion = tls.VersionTLS12
|
||||
case commonpb.TLSVersion_TLS_VERSION_1_3:
|
||||
maxVersion = tls.VersionTLS13
|
||||
default:
|
||||
return minVersion, maxVersion, fmt.Errorf("S2Av2 provided invalid MaxTlsVersion: %v", x)
|
||||
}
|
||||
if minVersion > maxVersion {
|
||||
return minVersion, maxVersion, errors.New("S2Av2 provided minVersion > maxVersion")
|
||||
}
|
||||
return minVersion, maxVersion, nil
|
||||
}
|
||||
Reference in New Issue
Block a user