working-config-otel

Signed-off-by: Davanum Srinivas <davanum@gmail.com>

vendor/github.com/google/s2a-go/internal/v2/tlsconfigstore/testdata/client_cert.pem

@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID8TCCAtmgAwIBAgIUKXNlBRVe6UepjQUijIFPZBd/4qYwDQYJKoZIhvcNAQEL
+BQAwgYcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJU3Vubnl2
+YWxlMRAwDgYDVQQKDAdDb21wYW55MREwDwYDVQQLDAhEaXZpc2lvbjEWMBQGA1UE
+AwwNczJhX3Rlc3RfY2VydDEaMBgGCSqGSIb3DQEJARYLeHl6QHh5ei5jb20wHhcN
+MjIwNTMxMjAwMzE1WhcNNDIwNTI2MjAwMzE1WjCBhzELMAkGA1UEBhMCVVMxCzAJ
+BgNVBAgMAkNBMRIwEAYDVQQHDAlTdW5ueXZhbGUxEDAOBgNVBAoMB0NvbXBhbnkx
+ETAPBgNVBAsMCERpdmlzaW9uMRYwFAYDVQQDDA1zMmFfdGVzdF9jZXJ0MRowGAYJ
+KoZIhvcNAQkBFgt4eXpAeHl6LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAOOFuIucH7XXfohGxKd3uR/ihUA/LdduR9I8kfpUEbq5BOt8xZe5/Yn9
+a1ozEHVW6cOAbHbnwAR8tkSgZ/t42QIA2k77HWU1Jh2xiEIsJivo3imm4/kZWuR0
+OqPh7MhzxpR/hvNwpI5mJsAVBWFMa5KtecFZLnyZtwHylrRN1QXzuLrOxuKFufK3
+RKbTABScn5RbZL976H/jgfSeXrbt242NrIoBnVe6fRbekbq2DQ6zFArbQMUgHjHK
+P0UqBgdr1QmHfi9KytFyx9BTP3gXWnWIu+bY7/v7qKJMHFwGETo+dCLWYevJL316
+HnLfhApDMfP8U+Yv/y1N/YvgaSOSlEcCAwEAAaNTMFEwHQYDVR0OBBYEFKhAU4nu
+0h/lrnggbIGvx4ej0WklMB8GA1UdIwQYMBaAFKhAU4nu0h/lrnggbIGvx4ej0Wkl
+MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAE/6NghzQ5fu6yR6
+EHKbj/YMrFdT7aGn5n2sAf7wJ33LIhiFHkpWBsVlm7rDtZtwhe891ZK/P60anlg9
+/P0Ua53tSRVRmCvTnEbXWOVMN4is6MsR7BlmzUxl4AtIn7jbeifEwRL7B4xDYmdA
+QrQnsqoz45dLgS5xK4WDqXATP09Q91xQDuhud/b+A4jrvgwFASmL7rMIZbp4f1JQ
+nlnl/9VoTBQBvJiWkDUtQDMpRLtauddEkv4AGz75p5IspXWD6cOemuh2iQec11xD
+X20rs2WZbAcAiUa3nmy8OKYw435vmpj8gp39WYbX/Yx9TymrFFbVY92wYn+quTco
+pKklVz0=
+-----END CERTIFICATE-----

vendor/github.com/google/s2a-go/internal/v2/tlsconfigstore/testdata/client_key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEA44W4i5wftdd+iEbEp3e5H+KFQD8t125H0jyR+lQRurkE63zF
+l7n9if1rWjMQdVbpw4BsdufABHy2RKBn+3jZAgDaTvsdZTUmHbGIQiwmK+jeKabj
++Rla5HQ6o+HsyHPGlH+G83CkjmYmwBUFYUxrkq15wVkufJm3AfKWtE3VBfO4us7G
+4oW58rdEptMAFJyflFtkv3vof+OB9J5etu3bjY2sigGdV7p9Ft6RurYNDrMUCttA
+xSAeMco/RSoGB2vVCYd+L0rK0XLH0FM/eBdadYi75tjv+/uookwcXAYROj50ItZh
+68kvfXoect+ECkMx8/xT5i//LU39i+BpI5KURwIDAQABAoIBABgyjo/6iLzUMFbZ
+/+w3pW6orrdIgN2akvTfED9pVYFgUA+jc3hRhY95bkNnjuaL2cy7Cc4Tk65mfRQL
+Y0OxdJLr+EvSFSxAXM9npDA1ddHRsF8JqtFBSxNk8R+g1Yf0GDiO35Fgd3/ViWWA
+VtQkRoSRApP3oiQKTRZd8H04keFR+PvmDk/Lq11l3Kc24A1PevKIPX1oI990ggw9
+9i4uSV+cnuMxmcI9xxJtgwdDFdjr39l2arLOHr4s6LGoV2IOdXHNlv5xRqWUZ0FH
+MDHowkLgwDrdSTnNeaVNkce14Gqx+bd4hNaLCdKXMpedBTEmrut3f3hdV1kKjaKt
+aqRYr8ECgYEA/YDGZY2jvFoHHBywlqmEMFrrCvQGH51m5R1Ntpkzr+Rh3YCmrpvq
+xgwJXING0PUw3dz+xrH5lJICrfNE5Kt3fPu1rAEy+13mYsNowghtUq2Rtu0Hsjjx
+2E3Bf8vEB6RNBMmGkUpTTIAroGF5tpJoRvfnWax+k4pFdrKYFtyZdNcCgYEA5cNv
+EPltvOobjTXlUmtVP3n27KZN2aXexTcagLzRxE9CV4cYySENl3KuOMmccaZpIl6z
+aHk6BT4X+M0LqElNUczrInfVqI+SGAFLGy7W6CJaqSr6cpyFUP/fosKpm6wKGgLq
+udHfpvz5rckhKd8kJxFLvhGOK9yN5qpzih0gfhECgYAJfwRvk3G5wYmYpP58dlcs
+VIuPenqsPoI3PPTHTU/hW+XKnWIhElgmGRdUrto9Q6IT/Y5RtSMLTLjq+Tzwb/fm
+56rziYv2XJsfwgAvnI8z1Kqrto9ePsHYf3krJ1/thVsZPc9bq/QY3ohD1sLvcuaT
+GgBBnLOVJU3a12/ZE2RwOwKBgF0csWMAoj8/5IB6if+3ral2xOGsl7oPZVMo/J2V
+Z7EVqb4M6rd/pKFugTpUQgkwtkSOekhpcGD1hAN5HTNK2YG/+L5UMAsKe9sskwJm
+HgOfAHy0BSDzW3ey6i9skg2bT9Cww+0gJ3Hl7U1HSCBO5LjMYpSZSrNtwzfqdb5Q
+BX3xAoGARZdR28Ej3+/+0+fz47Yu2h4z0EI/EbrudLOWY936jIeAVwHckI3+BuqH
+qR4poj1gfbnMxNuI9UzIXzjEmGewx9kDZ7IYnvloZKqoVQODO5GlKF2ja6IcMNlh
+GCNdD6PSAS6HcmalmWo9sj+1YMkrl+GJikKZqVBHrHNwMGAG67w=
+-----END RSA PRIVATE KEY-----

vendor/github.com/google/s2a-go/internal/v2/tlsconfigstore/testdata/server_cert.pem

@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID8TCCAtmgAwIBAgIUKCoDuLtiZXvhsBY2RoDm0ugizJ8wDQYJKoZIhvcNAQEL
+BQAwgYcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJU3Vubnl2
+YWxlMRAwDgYDVQQKDAdDb21wYW55MREwDwYDVQQLDAhEaXZpc2lvbjEWMBQGA1UE
+AwwNczJhX3Rlc3RfY2VydDEaMBgGCSqGSIb3DQEJARYLeHl6QHh5ei5jb20wHhcN
+MjIwNTMxMjAwODI1WhcNNDIwNTI2MjAwODI1WjCBhzELMAkGA1UEBhMCVVMxCzAJ
+BgNVBAgMAkNBMRIwEAYDVQQHDAlTdW5ueXZhbGUxEDAOBgNVBAoMB0NvbXBhbnkx
+ETAPBgNVBAsMCERpdmlzaW9uMRYwFAYDVQQDDA1zMmFfdGVzdF9jZXJ0MRowGAYJ
+KoZIhvcNAQkBFgt4eXpAeHl6LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAKK1++PXQ+M3hjYH/v0K4UEYl5ljzpNM1i52eQM+gFooojT87PDSaphT
+fs0PXy/PTAjHBEvPhWpOpmQXfJNYzjwcCvg66hbqkv++/VTZiFLAsHagzkEz+FRJ
+qT5Eq7G5FLyw1izX1uxyPN7tAEWEEg7eqsiaXD3Cq8+TYN9cjirPeF7RZF8yFCYE
+xqvbo+Yc6RL6xw19iXVTfctRgQe581KQuIY5/LXo3dWDEilFdsADAe8XAEcO64es
+Ow0g1UvXLnpXSE151kXBFb3sKH/ZjCecDYMCIMEb4sWLSblkSxJ5sNSmXIG4wtr2
+Qnii7CXZgnVYraQE/Jyh+NMQANuoSdMCAwEAAaNTMFEwHQYDVR0OBBYEFAyQQQuM
+ab+YUQqjK8dVVOoHVFmXMB8GA1UdIwQYMBaAFAyQQQuMab+YUQqjK8dVVOoHVFmX
+MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBADj0vQ6ykWhicoqR
+e6VZMwlEJV7/DSvWWKBd9MUjfKye0A4565ya5lmnzP3DiD3nqGe3miqmLsXKDs+X
+POqlPXTWIamP7D4MJ32XtSLwZB4ru+I+Ao/P/VngPepoRPQoBnzHe7jww0rokqxl
+AZERjlbTUwUAy/BPWPSzSJZ2j0tcs6ZLDNyYzpK4ao8R9/1VmQ92Tcp3feJs1QTg
+odRQc3om/AkWOwsll+oyX0UbJeHkFHiLanUPXbdh+/BkSvZJ8ynL+feSDdaurPe+
+PSfnqLtQft9/neecGRdEaQzzzSFVQUVQzTdK1Q7hA7b55b2HvIa3ktDiks+sJsYN
+Dhm6uZM=
+-----END CERTIFICATE-----

vendor/github.com/google/s2a-go/internal/v2/tlsconfigstore/testdata/server_key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAorX749dD4zeGNgf+/QrhQRiXmWPOk0zWLnZ5Az6AWiiiNPzs
+8NJqmFN+zQ9fL89MCMcES8+Fak6mZBd8k1jOPBwK+DrqFuqS/779VNmIUsCwdqDO
+QTP4VEmpPkSrsbkUvLDWLNfW7HI83u0ARYQSDt6qyJpcPcKrz5Ng31yOKs94XtFk
+XzIUJgTGq9uj5hzpEvrHDX2JdVN9y1GBB7nzUpC4hjn8tejd1YMSKUV2wAMB7xcA
+Rw7rh6w7DSDVS9cueldITXnWRcEVvewof9mMJ5wNgwIgwRvixYtJuWRLEnmw1KZc
+gbjC2vZCeKLsJdmCdVitpAT8nKH40xAA26hJ0wIDAQABAoIBACaNR+lsD8G+XiZf
+LqN1+HkcAo9tfnyYMAdCOtnx7SdviT9Uzi8hK/B7mAeuJLeHPlS2EuaDfPD7QaFl
+jza6S+MiIdc+3kgfvESsVAnOoOY6kZUJ9NSuI6CU82y1iJjLaYZrv9NQMLRFPPb0
+4KOX709mosB1EnXvshW0rbc+jtDFhrm1SxMt+k9TuzmMxjbOeW4LOLXPgU8X1T3Q
+Xy0hMZZtcgBs9wFIo8yCtmOixax9pnFE8rRltgDxTodn9LLdz1FieyntNgDksZ0P
+nt4kV7Mqly7ELaea+Foaj244mKsesic2e3GhAlMRLun/VSunSf7mOCxfpITB8dp1
+drDhOYECgYEA19151dVxRcviuovN6Dar+QszMTnU8pDJ8BjLFjXjP/hNBBwMTHDE
+duMuWk2qnwZqMooI/shxrF/ufmTgS0CFrh2+ANBZu27vWConJNXcyNtdigI4wt50
+L0Y2qcZn2mg67qFXHwoR3QNwrwnPwEjRXA09at9CSRZzcwDQ0ETXhYsCgYEAwPaG
+06QdK8Zyly7TTzZJwxzv9uGiqzodmGtX6NEKjgij2JaCxHpukqZBJoqa0jKeK1cm
+eNVkOvT5ff9TMzarSHQLr3pZen2/oVLb5gaFkbcJt/klv9Fd+ZRilHY3i6QwS6pD
+uMiPOWS4DrLHDRVoVlAZTDjT1RVwwTs+P2NhJdkCgYEAsriXysbxBYyMp05gqEW7
+lHIFbFgpSrs9th+Q5U6wW6JEgYaHWDJ1NslY80MiZI93FWjbkbZ7BvBWESeL3EIL
+a+EMErht0pVCbIhZ6FF4foPAqia0wAJVx14mm+G80kNBp5jE/NnleEsE3KcO7nBb
+hg8gLn+x7bk81JZ0TDrzBYkCgYEAuQKluv47SeF3tSScTfKLPpvcKCWmxe1uutkQ
+7JShPhVioyOMNb39jnYBOWbjkm4d4QgqRuiytSR0oi3QI+Ziy5EYMyNn713qAk9j
+r2TJZDDPDKnBW+zt4YI4EohWMXk3JRUW4XDKggjjwJQA7bZ812TtHHvP/xoThfG7
+eSNb3eECgYBw6ssgCtMrdvQiEmjKVX/9yI38mvC2kSGyzbrQnGUfgqRGomRpeZuD
+B5E3kysA4td5pT5lvcLgSW0TbOz+YbiriXjwOihPIelCvc9gE2eOUI71/byUWPFz
+7u5F/xQ4NaGr5suLF+lBC6h7pSbM4El9lIHQAQadpuEdzHqrw+hs3g==
+-----END RSA PRIVATE KEY-----

vendor/github.com/google/s2a-go/internal/v2/tlsconfigstore/tlsconfigstore.go

@@ -0,0 +1,404 @@
+/*
+ *
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+// Package tlsconfigstore offloads operations to S2Av2.
+package tlsconfigstore
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
+	"fmt"
+
+	"github.com/google/s2a-go/internal/tokenmanager"
+	"github.com/google/s2a-go/internal/v2/certverifier"
+	"github.com/google/s2a-go/internal/v2/remotesigner"
+	"github.com/google/s2a-go/stream"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/grpclog"
+
+	commonpbv1 "github.com/google/s2a-go/internal/proto/common_go_proto"
+	commonpb "github.com/google/s2a-go/internal/proto/v2/common_go_proto"
+	s2av2pb "github.com/google/s2a-go/internal/proto/v2/s2a_go_proto"
+)
+
+const (
+	// HTTP/2
+	h2 = "h2"
+)
+
+// GetTLSConfigurationForClient returns a tls.Config instance for use by a client application.
+func GetTLSConfigurationForClient(serverHostname string, s2AStream stream.S2AStream, tokenManager tokenmanager.AccessTokenManager, localIdentity *commonpbv1.Identity, verificationMode s2av2pb.ValidatePeerCertificateChainReq_VerificationMode, serverAuthorizationPolicy []byte) (*tls.Config, error) {
+	authMechanisms := getAuthMechanisms(tokenManager, []*commonpbv1.Identity{localIdentity})
+
+	if grpclog.V(1) {
+		grpclog.Infof("Sending request to S2Av2 for client TLS config.")
+	}
+	// Send request to S2Av2 for config.
+	if err := s2AStream.Send(&s2av2pb.SessionReq{
+		LocalIdentity:            localIdentity,
+		AuthenticationMechanisms: authMechanisms,
+		ReqOneof: &s2av2pb.SessionReq_GetTlsConfigurationReq{
+			GetTlsConfigurationReq: &s2av2pb.GetTlsConfigurationReq{
+				ConnectionSide: commonpb.ConnectionSide_CONNECTION_SIDE_CLIENT,
+			},
+		},
+	}); err != nil {
+		grpclog.Infof("Failed to send request to S2Av2 for client TLS config")
+		return nil, err
+	}
+
+	// Get the response containing config from S2Av2.
+	resp, err := s2AStream.Recv()
+	if err != nil {
+		grpclog.Infof("Failed to receive client TLS config response from S2Av2.")
+		return nil, err
+	}
+
+	// TODO(rmehta19): Add unit test for this if statement.
+	if (resp.GetStatus() != nil) && (resp.GetStatus().Code != uint32(codes.OK)) {
+		return nil, fmt.Errorf("failed to get TLS configuration from S2A: %d, %v", resp.GetStatus().Code, resp.GetStatus().Details)
+	}
+
+	// Extract TLS configiguration from SessionResp.
+	tlsConfig := resp.GetGetTlsConfigurationResp().GetClientTlsConfiguration()
+
+	var cert tls.Certificate
+	for i, v := range tlsConfig.CertificateChain {
+		// Populate Certificates field.
+		block, _ := pem.Decode([]byte(v))
+		if block == nil {
+			return nil, errors.New("certificate in CertificateChain obtained from S2Av2 is empty")
+		}
+		x509Cert, err := x509.ParseCertificate(block.Bytes)
+		if err != nil {
+			return nil, err
+		}
+		cert.Certificate = append(cert.Certificate, x509Cert.Raw)
+		if i == 0 {
+			cert.Leaf = x509Cert
+		}
+	}
+
+	if len(tlsConfig.CertificateChain) > 0 {
+		cert.PrivateKey = remotesigner.New(cert.Leaf, s2AStream)
+		if cert.PrivateKey == nil {
+			return nil, errors.New("failed to retrieve Private Key from Remote Signer Library")
+		}
+	}
+
+	minVersion, maxVersion, err := getTLSMinMaxVersionsClient(tlsConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	// Create mTLS credentials for client.
+	config := &tls.Config{
+		VerifyPeerCertificate:  certverifier.VerifyServerCertificateChain(serverHostname, verificationMode, s2AStream, serverAuthorizationPolicy),
+		ServerName:             serverHostname,
+		InsecureSkipVerify:     true, // NOLINT
+		ClientSessionCache:     nil,
+		SessionTicketsDisabled: true,
+		MinVersion:             minVersion,
+		MaxVersion:             maxVersion,
+		NextProtos:             []string{h2},
+	}
+	if len(tlsConfig.CertificateChain) > 0 {
+		config.Certificates = []tls.Certificate{cert}
+	}
+	return config, nil
+}
+
+// GetTLSConfigurationForServer returns a tls.Config instance for use by a server application.
+func GetTLSConfigurationForServer(s2AStream stream.S2AStream, tokenManager tokenmanager.AccessTokenManager, localIdentities []*commonpbv1.Identity, verificationMode s2av2pb.ValidatePeerCertificateChainReq_VerificationMode) (*tls.Config, error) {
+	return &tls.Config{
+		GetConfigForClient: ClientConfig(tokenManager, localIdentities, verificationMode, s2AStream),
+	}, nil
+}
+
+// ClientConfig builds a TLS config for a server to establish a secure
+// connection with a client, based on SNI communicated during ClientHello.
+// Ensures that server presents the correct certificate to establish a TLS
+// connection.
+func ClientConfig(tokenManager tokenmanager.AccessTokenManager, localIdentities []*commonpbv1.Identity, verificationMode s2av2pb.ValidatePeerCertificateChainReq_VerificationMode, s2AStream stream.S2AStream) func(chi *tls.ClientHelloInfo) (*tls.Config, error) {
+	return func(chi *tls.ClientHelloInfo) (*tls.Config, error) {
+		tlsConfig, err := getServerConfigFromS2Av2(tokenManager, localIdentities, chi.ServerName, s2AStream)
+		if err != nil {
+			return nil, err
+		}
+
+		var cert tls.Certificate
+		for i, v := range tlsConfig.CertificateChain {
+			// Populate Certificates field.
+			block, _ := pem.Decode([]byte(v))
+			if block == nil {
+				return nil, errors.New("certificate in CertificateChain obtained from S2Av2 is empty")
+			}
+			x509Cert, err := x509.ParseCertificate(block.Bytes)
+			if err != nil {
+				return nil, err
+			}
+			cert.Certificate = append(cert.Certificate, x509Cert.Raw)
+			if i == 0 {
+				cert.Leaf = x509Cert
+			}
+		}
+
+		cert.PrivateKey = remotesigner.New(cert.Leaf, s2AStream)
+		if cert.PrivateKey == nil {
+			return nil, errors.New("failed to retrieve Private Key from Remote Signer Library")
+		}
+
+		minVersion, maxVersion, err := getTLSMinMaxVersionsServer(tlsConfig)
+		if err != nil {
+			return nil, err
+		}
+
+		clientAuth := getTLSClientAuthType(tlsConfig)
+
+		var cipherSuites []uint16
+		cipherSuites = getCipherSuites(tlsConfig.Ciphersuites)
+
+		// Create mTLS credentials for server.
+		return &tls.Config{
+			Certificates:           []tls.Certificate{cert},
+			VerifyPeerCertificate:  certverifier.VerifyClientCertificateChain(verificationMode, s2AStream),
+			ClientAuth:             clientAuth,
+			CipherSuites:           cipherSuites,
+			SessionTicketsDisabled: true,
+			MinVersion:             minVersion,
+			MaxVersion:             maxVersion,
+			NextProtos:             []string{h2},
+		}, nil
+	}
+}
+
+func getCipherSuites(tlsConfigCipherSuites []commonpb.Ciphersuite) []uint16 {
+	var tlsGoCipherSuites []uint16
+	for _, v := range tlsConfigCipherSuites {
+		s := getTLSCipherSuite(v)
+		if s != 0xffff {
+			tlsGoCipherSuites = append(tlsGoCipherSuites, s)
+		}
+	}
+	return tlsGoCipherSuites
+}
+
+func getTLSCipherSuite(tlsCipherSuite commonpb.Ciphersuite) uint16 {
+	switch tlsCipherSuite {
+	case commonpb.Ciphersuite_CIPHERSUITE_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
+		return tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+	case commonpb.Ciphersuite_CIPHERSUITE_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
+		return tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+	case commonpb.Ciphersuite_CIPHERSUITE_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:
+		return tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+	case commonpb.Ciphersuite_CIPHERSUITE_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
+		return tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+	case commonpb.Ciphersuite_CIPHERSUITE_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
+		return tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+	case commonpb.Ciphersuite_CIPHERSUITE_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:
+		return tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+	default:
+		return 0xffff
+	}
+}
+
+func getServerConfigFromS2Av2(tokenManager tokenmanager.AccessTokenManager, localIdentities []*commonpbv1.Identity, sni string, s2AStream stream.S2AStream) (*s2av2pb.GetTlsConfigurationResp_ServerTlsConfiguration, error) {
+	authMechanisms := getAuthMechanisms(tokenManager, localIdentities)
+	var locID *commonpbv1.Identity
+	if localIdentities != nil {
+		locID = localIdentities[0]
+	}
+
+	if err := s2AStream.Send(&s2av2pb.SessionReq{
+		LocalIdentity:            locID,
+		AuthenticationMechanisms: authMechanisms,
+		ReqOneof: &s2av2pb.SessionReq_GetTlsConfigurationReq{
+			GetTlsConfigurationReq: &s2av2pb.GetTlsConfigurationReq{
+				ConnectionSide: commonpb.ConnectionSide_CONNECTION_SIDE_SERVER,
+				Sni:            sni,
+			},
+		},
+	}); err != nil {
+		return nil, err
+	}
+
+	resp, err := s2AStream.Recv()
+	if err != nil {
+		return nil, err
+	}
+
+	// TODO(rmehta19): Add unit test for this if statement.
+	if (resp.GetStatus() != nil) && (resp.GetStatus().Code != uint32(codes.OK)) {
+		return nil, fmt.Errorf("failed to get TLS configuration from S2A: %d, %v", resp.GetStatus().Code, resp.GetStatus().Details)
+	}
+
+	return resp.GetGetTlsConfigurationResp().GetServerTlsConfiguration(), nil
+}
+
+func getTLSClientAuthType(tlsConfig *s2av2pb.GetTlsConfigurationResp_ServerTlsConfiguration) tls.ClientAuthType {
+	var clientAuth tls.ClientAuthType
+	switch x := tlsConfig.RequestClientCertificate; x {
+	case s2av2pb.GetTlsConfigurationResp_ServerTlsConfiguration_DONT_REQUEST_CLIENT_CERTIFICATE:
+		clientAuth = tls.NoClientCert
+	case s2av2pb.GetTlsConfigurationResp_ServerTlsConfiguration_REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY:
+		clientAuth = tls.RequestClientCert
+	case s2av2pb.GetTlsConfigurationResp_ServerTlsConfiguration_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY:
+		// This case actually maps to tls.VerifyClientCertIfGiven. However this
+		// mapping triggers normal verification, followed by custom verification,
+		// specified in VerifyPeerCertificate. To bypass normal verification, and
+		// only do custom verification we set clientAuth to RequireAnyClientCert or
+		// RequestClientCert. See https://github.com/google/s2a-go/pull/43 for full
+		// discussion.
+		clientAuth = tls.RequireAnyClientCert
+	case s2av2pb.GetTlsConfigurationResp_ServerTlsConfiguration_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DONT_VERIFY:
+		clientAuth = tls.RequireAnyClientCert
+	case s2av2pb.GetTlsConfigurationResp_ServerTlsConfiguration_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY:
+		// This case actually maps to tls.RequireAndVerifyClientCert. However this
+		// mapping triggers normal verification, followed by custom verification,
+		// specified in VerifyPeerCertificate. To bypass normal verification, and
+		// only do custom verification we set clientAuth to RequireAnyClientCert or
+		// RequestClientCert. See https://github.com/google/s2a-go/pull/43 for full
+		// discussion.
+		clientAuth = tls.RequireAnyClientCert
+	default:
+		clientAuth = tls.RequireAnyClientCert
+	}
+	return clientAuth
+}
+
+func getAuthMechanisms(tokenManager tokenmanager.AccessTokenManager, localIdentities []*commonpbv1.Identity) []*s2av2pb.AuthenticationMechanism {
+	if tokenManager == nil {
+		return nil
+	}
+	if len(localIdentities) == 0 {
+		token, err := tokenManager.DefaultToken()
+		if err != nil {
+			grpclog.Infof("Unable to get token for empty local identity: %v", err)
+			return nil
+		}
+		return []*s2av2pb.AuthenticationMechanism{
+			{
+				MechanismOneof: &s2av2pb.AuthenticationMechanism_Token{
+					Token: token,
+				},
+			},
+		}
+	}
+	var authMechanisms []*s2av2pb.AuthenticationMechanism
+	for _, localIdentity := range localIdentities {
+		if localIdentity == nil {
+			token, err := tokenManager.DefaultToken()
+			if err != nil {
+				grpclog.Infof("Unable to get default token for local identity %v: %v", localIdentity, err)
+				continue
+			}
+			authMechanisms = append(authMechanisms, &s2av2pb.AuthenticationMechanism{
+				Identity: localIdentity,
+				MechanismOneof: &s2av2pb.AuthenticationMechanism_Token{
+					Token: token,
+				},
+			})
+		} else {
+			token, err := tokenManager.Token(localIdentity)
+			if err != nil {
+				grpclog.Infof("Unable to get token for local identity %v: %v", localIdentity, err)
+				continue
+			}
+			authMechanisms = append(authMechanisms, &s2av2pb.AuthenticationMechanism{
+				Identity: localIdentity,
+				MechanismOneof: &s2av2pb.AuthenticationMechanism_Token{
+					Token: token,
+				},
+			})
+		}
+	}
+	return authMechanisms
+}
+
+// TODO(rmehta19): refactor switch statements into a helper function.
+func getTLSMinMaxVersionsClient(tlsConfig *s2av2pb.GetTlsConfigurationResp_ClientTlsConfiguration) (uint16, uint16, error) {
+	// Map S2Av2 TLSVersion to consts defined in tls package.
+	var minVersion uint16
+	var maxVersion uint16
+	switch x := tlsConfig.MinTlsVersion; x {
+	case commonpb.TLSVersion_TLS_VERSION_1_0:
+		minVersion = tls.VersionTLS10
+	case commonpb.TLSVersion_TLS_VERSION_1_1:
+		minVersion = tls.VersionTLS11
+	case commonpb.TLSVersion_TLS_VERSION_1_2:
+		minVersion = tls.VersionTLS12
+	case commonpb.TLSVersion_TLS_VERSION_1_3:
+		minVersion = tls.VersionTLS13
+	default:
+		return minVersion, maxVersion, fmt.Errorf("S2Av2 provided invalid MinTlsVersion: %v", x)
+	}
+
+	switch x := tlsConfig.MaxTlsVersion; x {
+	case commonpb.TLSVersion_TLS_VERSION_1_0:
+		maxVersion = tls.VersionTLS10
+	case commonpb.TLSVersion_TLS_VERSION_1_1:
+		maxVersion = tls.VersionTLS11
+	case commonpb.TLSVersion_TLS_VERSION_1_2:
+		maxVersion = tls.VersionTLS12
+	case commonpb.TLSVersion_TLS_VERSION_1_3:
+		maxVersion = tls.VersionTLS13
+	default:
+		return minVersion, maxVersion, fmt.Errorf("S2Av2 provided invalid MaxTlsVersion: %v", x)
+	}
+	if minVersion > maxVersion {
+		return minVersion, maxVersion, errors.New("S2Av2 provided minVersion > maxVersion")
+	}
+	return minVersion, maxVersion, nil
+}
+
+func getTLSMinMaxVersionsServer(tlsConfig *s2av2pb.GetTlsConfigurationResp_ServerTlsConfiguration) (uint16, uint16, error) {
+	// Map S2Av2 TLSVersion to consts defined in tls package.
+	var minVersion uint16
+	var maxVersion uint16
+	switch x := tlsConfig.MinTlsVersion; x {
+	case commonpb.TLSVersion_TLS_VERSION_1_0:
+		minVersion = tls.VersionTLS10
+	case commonpb.TLSVersion_TLS_VERSION_1_1:
+		minVersion = tls.VersionTLS11
+	case commonpb.TLSVersion_TLS_VERSION_1_2:
+		minVersion = tls.VersionTLS12
+	case commonpb.TLSVersion_TLS_VERSION_1_3:
+		minVersion = tls.VersionTLS13
+	default:
+		return minVersion, maxVersion, fmt.Errorf("S2Av2 provided invalid MinTlsVersion: %v", x)
+	}
+
+	switch x := tlsConfig.MaxTlsVersion; x {
+	case commonpb.TLSVersion_TLS_VERSION_1_0:
+		maxVersion = tls.VersionTLS10
+	case commonpb.TLSVersion_TLS_VERSION_1_1:
+		maxVersion = tls.VersionTLS11
+	case commonpb.TLSVersion_TLS_VERSION_1_2:
+		maxVersion = tls.VersionTLS12
+	case commonpb.TLSVersion_TLS_VERSION_1_3:
+		maxVersion = tls.VersionTLS13
+	default:
+		return minVersion, maxVersion, fmt.Errorf("S2Av2 provided invalid MaxTlsVersion: %v", x)
+	}
+	if minVersion > maxVersion {
+		return minVersion, maxVersion, errors.New("S2Av2 provided minVersion > maxVersion")
+	}
+	return minVersion, maxVersion, nil
+}