advancedtls: Rename custom verification function APIs (#7140)

* Rename custom verification function APIs
This commit is contained in:
Gregory Cooke 2024-04-23 14:20:28 -04:00 committed by GitHub
parent 34de5cf483
commit d75b5e2f5e
5 changed files with 103 additions and 60 deletions


@ -35,10 +35,10 @@ import (
credinternal "google.golang.org/grpc/internal/credentials" credinternal "google.golang.org/grpc/internal/credentials"
) )
// VerificationFuncParams contains parameters available to users when // HandshakeVerificationInfo contains information about a handshake needed for
// implementing CustomVerificationFunc. // verification for use when implementing the `PostHandshakeVerificationFunc`
// The fields in this struct are read-only. // The fields in this struct are read-only.
type VerificationFuncParams struct { type HandshakeVerificationInfo struct {
// The target server name that the client connects to when establishing the // The target server name that the client connects to when establishing the
// connection. This field is only meaningful for client side. On server side, // connection. This field is only meaningful for client side. On server side,
// this field would be an empty string. // this field would be an empty string.
@ -54,17 +54,36 @@ type VerificationFuncParams struct {
Leaf *x509.Certificate Leaf *x509.Certificate
} }
// VerificationResults contains the information about results of // VerificationFuncParams contains parameters available to users when
// CustomVerificationFunc. // implementing CustomVerificationFunc.
// VerificationResults is an empty struct for now. It may be extended in the // The fields in this struct are read-only.
//
// Deprecated: use HandshakeVerificationInfo instead.
type VerificationFuncParams = HandshakeVerificationInfo
// PostHandshakeVerificationResults contains the information about results of
// PostHandshakeVerificationFunc.
// PostHandshakeVerificationResults is an empty struct for now. It may be extended in the
// future to include more information. // future to include more information.
type VerificationResults struct{} type PostHandshakeVerificationResults struct{}
// Deprecated: use PostHandshakeVerificationResults instead.
type VerificationResults = PostHandshakeVerificationResults
// PostHandshakeVerificationFunc is the function defined by users to perform
// custom verification checks after chain building and regular handshake
// verification has been completed.
// PostHandshakeVerificationFunc should return (nil, error) if the authorization
// should fail, with the error containing information on why it failed.
type PostHandshakeVerificationFunc func(params *HandshakeVerificationInfo) (*PostHandshakeVerificationResults, error)
// CustomVerificationFunc is the function defined by users to perform custom // CustomVerificationFunc is the function defined by users to perform custom
// verification check. // verification check.
// CustomVerificationFunc returns nil if the authorization fails; otherwise // CustomVerificationFunc returns nil if the authorization fails; otherwise
// returns an empty struct. // returns an empty struct.
type CustomVerificationFunc func(params *VerificationFuncParams) (*VerificationResults, error) //
// Deprecated: use PostHandshakeVerificationFunc instead.
type CustomVerificationFunc = PostHandshakeVerificationFunc
// GetRootCAsParams contains the parameters available to users when // GetRootCAsParams contains the parameters available to users when
// implementing GetRootCAs. // implementing GetRootCAs.
@ -167,11 +186,18 @@ type ClientOptions struct {
// IdentityOptions is OPTIONAL on client side. This field only needs to be // IdentityOptions is OPTIONAL on client side. This field only needs to be
// set if mutual authentication is required on server side. // set if mutual authentication is required on server side.
IdentityOptions IdentityCertificateOptions IdentityOptions IdentityCertificateOptions
// AdditionalPeerVerification is a custom verification check after certificate signature
// check.
// If this is set, we will perform this customized check after doing the
// normal check(s) indicated by setting VerificationType.
AdditionalPeerVerification PostHandshakeVerificationFunc
// VerifyPeer is a custom verification check after certificate signature // VerifyPeer is a custom verification check after certificate signature
// check. // check.
// If this is set, we will perform this customized check after doing the // If this is set, we will perform this customized check after doing the
// normal check(s) indicated by setting VType. // normal check(s) indicated by setting VerificationType.
VerifyPeer CustomVerificationFunc //
// Deprecated: use AdditionalPeerVerification instead.
VerifyPeer PostHandshakeVerificationFunc
// RootOptions is OPTIONAL on client side. If not set, we will try to use the // RootOptions is OPTIONAL on client side. If not set, we will try to use the
// default trust certificates in users' OS system. // default trust certificates in users' OS system.
RootOptions RootCertificateOptions RootOptions RootCertificateOptions
@ -206,11 +232,18 @@ type ClientOptions struct {
type ServerOptions struct { type ServerOptions struct {
// IdentityOptions is REQUIRED on server side. // IdentityOptions is REQUIRED on server side.
IdentityOptions IdentityCertificateOptions IdentityOptions IdentityCertificateOptions
// AdditionalPeerVerification is a custom verification check after certificate signature
// check.
// If this is set, we will perform this customized check after doing the
// normal check(s) indicated by setting VerificationType.
AdditionalPeerVerification PostHandshakeVerificationFunc
// VerifyPeer is a custom verification check after certificate signature // VerifyPeer is a custom verification check after certificate signature
// check. // check.
// If this is set, we will perform this customized check after doing the // If this is set, we will perform this customized check after doing the
// normal check(s) indicated by setting VType. // normal check(s) indicated by setting VerificationType.
VerifyPeer CustomVerificationFunc //
// Deprecated: use AdditionalPeerVerification instead.
VerifyPeer PostHandshakeVerificationFunc
// RootOptions is OPTIONAL on server side. This field only needs to be set if // RootOptions is OPTIONAL on server side. This field only needs to be set if
// mutual authentication is required(RequireClientCert is true). // mutual authentication is required(RequireClientCert is true).
RootOptions RootCertificateOptions RootOptions RootCertificateOptions
@ -239,13 +272,18 @@ type ServerOptions struct {
} }
func (o *ClientOptions) config() (*tls.Config, error) { func (o *ClientOptions) config() (*tls.Config, error) {
// TODO(gtcooke94) Remove this block when o.VerifyPeer is remoed.
// VerifyPeer is deprecated, but do this to aid the transitory migration time.
if o.AdditionalPeerVerification == nil {
o.AdditionalPeerVerification = o.VerifyPeer
}
// TODO(gtcooke94). VType is deprecated, eventually remove this block. This // TODO(gtcooke94). VType is deprecated, eventually remove this block. This
// will ensure that users still explicitly setting `VType` will get the // will ensure that users still explicitly setting `VType` will get the
// setting to the right place. // setting to the right place.
if o.VType != CertAndHostVerification { if o.VType != CertAndHostVerification {
o.VerificationType = o.VType o.VerificationType = o.VType
} }
if o.VerificationType == SkipVerification && o.VerifyPeer == nil { if o.VerificationType == SkipVerification && o.AdditionalPeerVerification == nil {
return nil, fmt.Errorf("client needs to provide custom verification mechanism if choose to skip default verification") return nil, fmt.Errorf("client needs to provide custom verification mechanism if choose to skip default verification")
} }
// Make sure users didn't specify more than one fields in // Make sure users didn't specify more than one fields in
@ -321,13 +359,18 @@ func (o *ClientOptions) config() (*tls.Config, error) {
} }
func (o *ServerOptions) config() (*tls.Config, error) { func (o *ServerOptions) config() (*tls.Config, error) {
// TODO(gtcooke94) Remove this block when o.VerifyPeer is remoed.
// VerifyPeer is deprecated, but do this to aid the transitory migration time.
if o.AdditionalPeerVerification == nil {
o.AdditionalPeerVerification = o.VerifyPeer
}
// TODO(gtcooke94). VType is deprecated, eventually remove this block. This // TODO(gtcooke94). VType is deprecated, eventually remove this block. This
// will ensure that users still explicitly setting `VType` will get the // will ensure that users still explicitly setting `VType` will get the
// setting to the right place. // setting to the right place.
if o.VType != CertAndHostVerification { if o.VType != CertAndHostVerification {
o.VerificationType = o.VType o.VerificationType = o.VType
} }
if o.RequireClientCert && o.VerificationType == SkipVerification && o.VerifyPeer == nil { if o.RequireClientCert && o.VerificationType == SkipVerification && o.AdditionalPeerVerification == nil {
return nil, fmt.Errorf("server needs to provide custom verification mechanism if choose to skip default verification, but require client certificate(s)") return nil, fmt.Errorf("server needs to provide custom verification mechanism if choose to skip default verification, but require client certificate(s)")
} }
// Make sure users didn't specify more than one fields in // Make sure users didn't specify more than one fields in
@ -416,7 +459,7 @@ func (o *ServerOptions) config() (*tls.Config, error) {
// using TLS. // using TLS.
type advancedTLSCreds struct { type advancedTLSCreds struct {
config *tls.Config config *tls.Config
verifyFunc CustomVerificationFunc verifyFunc PostHandshakeVerificationFunc
getRootCAs func(params *GetRootCAsParams) (*GetRootCAsResults, error) getRootCAs func(params *GetRootCAsParams) (*GetRootCAsResults, error)
isClient bool isClient bool
verificationType VerificationType verificationType VerificationType
@ -579,7 +622,7 @@ func buildVerifyFunc(c *advancedTLSCreds,
} }
// Perform custom verification check if specified. // Perform custom verification check if specified.
if c.verifyFunc != nil { if c.verifyFunc != nil {
_, err := c.verifyFunc(&VerificationFuncParams{ _, err := c.verifyFunc(&HandshakeVerificationInfo{
ServerName: serverName, ServerName: serverName,
RawCerts: rawCerts, RawCerts: rawCerts,
VerifiedChains: chains, VerifiedChains: chains,
@ -602,7 +645,7 @@ func NewClientCreds(o *ClientOptions) (credentials.TransportCredentials, error)
config: conf, config: conf,
isClient: true, isClient: true,
getRootCAs: o.RootOptions.GetRootCertificates, getRootCAs: o.RootOptions.GetRootCertificates,
verifyFunc: o.VerifyPeer, verifyFunc: o.AdditionalPeerVerification,
verificationType: o.VerificationType, verificationType: o.VerificationType,
revocationConfig: o.RevocationConfig, revocationConfig: o.RevocationConfig,
} }
@ -621,7 +664,7 @@ func NewServerCreds(o *ServerOptions) (credentials.TransportCredentials, error)
config: conf, config: conf,
isClient: false, isClient: false,
getRootCAs: o.RootOptions.GetRootCertificates, getRootCAs: o.RootOptions.GetRootCertificates,
verifyFunc: o.VerifyPeer, verifyFunc: o.AdditionalPeerVerification,
verificationType: o.VerificationType, verificationType: o.VerificationType,
revocationConfig: o.RevocationConfig, revocationConfig: o.RevocationConfig,
} }
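Review bot: In ClientOptions.config() the new migration block copies VerifyPeer into AdditionalPeerVerification only when the latter is nil, so a caller who populates both fields has their deprecated VerifyPeer callback silently discarded, and because a dropped custom check weakens peer verification the ambiguous configuration should be rejected rather than resolved quietly, e.g. `if o.AdditionalPeerVerification != nil && o.VerifyPeer != nil { return nil, fmt.Errorf("client cannot set both VerifyPeer and AdditionalPeerVerification") }` placed before the nil-copy. The same gap exists in the ServerOptions.config() hunk that follows, with the server-side error text. The migration also writes back into the caller's options struct through the pointer receiver, and NewClientCreds/NewServerCreds read o.AdditionalPeerVerification afterwards, so the copy appears to depend on config() having run first; a short comment on the `verifyFunc:` lines stating that reliance would help the next maintainer. The comment typo `remoed` in both blocks should read `removed`. Both config() bodies continue past their hunks.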


@ -143,13 +143,13 @@ func (s) TestEnd2End(t *testing.T) {
clientGetCert func(*tls.CertificateRequestInfo) (*tls.Certificate, error) clientGetCert func(*tls.CertificateRequestInfo) (*tls.Certificate, error)
clientRoot *x509.CertPool clientRoot *x509.CertPool
clientGetRoot func(params *GetRootCAsParams) (*GetRootCAsResults, error) clientGetRoot func(params *GetRootCAsParams) (*GetRootCAsResults, error)
clientVerifyFunc CustomVerificationFunc clientVerifyFunc PostHandshakeVerificationFunc
clientVerificationType VerificationType clientVerificationType VerificationType
serverCert []tls.Certificate serverCert []tls.Certificate
serverGetCert func(*tls.ClientHelloInfo) ([]*tls.Certificate, error) serverGetCert func(*tls.ClientHelloInfo) ([]*tls.Certificate, error)
serverRoot *x509.CertPool serverRoot *x509.CertPool
serverGetRoot func(params *GetRootCAsParams) (*GetRootCAsResults, error) serverGetRoot func(params *GetRootCAsParams) (*GetRootCAsResults, error)
serverVerifyFunc CustomVerificationFunc serverVerifyFunc PostHandshakeVerificationFunc
serverVerificationType VerificationType serverVerificationType VerificationType
}{ }{
// Test Scenarios: // Test Scenarios:
@ -175,8 +175,8 @@ func (s) TestEnd2End(t *testing.T) {
} }
}, },
clientRoot: cs.ClientTrust1, clientRoot: cs.ClientTrust1,
clientVerifyFunc: func(params *VerificationFuncParams) (*VerificationResults, error) { clientVerifyFunc: func(params *HandshakeVerificationInfo) (*PostHandshakeVerificationResults, error) {
return &VerificationResults{}, nil return &PostHandshakeVerificationResults{}, nil
}, },
clientVerificationType: CertVerification, clientVerificationType: CertVerification,
serverCert: []tls.Certificate{cs.ServerCert1}, serverCert: []tls.Certificate{cs.ServerCert1},
@ -188,8 +188,8 @@ func (s) TestEnd2End(t *testing.T) {
return &GetRootCAsResults{TrustCerts: cs.ServerTrust2}, nil return &GetRootCAsResults{TrustCerts: cs.ServerTrust2}, nil
} }
}, },
serverVerifyFunc: func(params *VerificationFuncParams) (*VerificationResults, error) { serverVerifyFunc: func(params *HandshakeVerificationInfo) (*PostHandshakeVerificationResults, error) {
return &VerificationResults{}, nil return &PostHandshakeVerificationResults{}, nil
}, },
serverVerificationType: CertVerification, serverVerificationType: CertVerification,
}, },
@ -216,8 +216,8 @@ func (s) TestEnd2End(t *testing.T) {
return &GetRootCAsResults{TrustCerts: cs.ClientTrust2}, nil return &GetRootCAsResults{TrustCerts: cs.ClientTrust2}, nil
} }
}, },
clientVerifyFunc: func(params *VerificationFuncParams) (*VerificationResults, error) { clientVerifyFunc: func(params *HandshakeVerificationInfo) (*PostHandshakeVerificationResults, error) {
return &VerificationResults{}, nil return &PostHandshakeVerificationResults{}, nil
}, },
clientVerificationType: CertVerification, clientVerificationType: CertVerification,
serverGetCert: func(*tls.ClientHelloInfo) ([]*tls.Certificate, error) { serverGetCert: func(*tls.ClientHelloInfo) ([]*tls.Certificate, error) {
@ -229,8 +229,8 @@ func (s) TestEnd2End(t *testing.T) {
} }
}, },
serverRoot: cs.ServerTrust1, serverRoot: cs.ServerTrust1,
serverVerifyFunc: func(params *VerificationFuncParams) (*VerificationResults, error) { serverVerifyFunc: func(params *HandshakeVerificationInfo) (*PostHandshakeVerificationResults, error) {
return &VerificationResults{}, nil return &PostHandshakeVerificationResults{}, nil
}, },
serverVerificationType: CertVerification, serverVerificationType: CertVerification,
}, },
@ -258,7 +258,7 @@ func (s) TestEnd2End(t *testing.T) {
return &GetRootCAsResults{TrustCerts: cs.ClientTrust2}, nil return &GetRootCAsResults{TrustCerts: cs.ClientTrust2}, nil
} }
}, },
clientVerifyFunc: func(params *VerificationFuncParams) (*VerificationResults, error) { clientVerifyFunc: func(params *HandshakeVerificationInfo) (*PostHandshakeVerificationResults, error) {
if len(params.RawCerts) == 0 { if len(params.RawCerts) == 0 {
return nil, fmt.Errorf("no peer certs") return nil, fmt.Errorf("no peer certs")
} }
@ -280,7 +280,7 @@ func (s) TestEnd2End(t *testing.T) {
} }
} }
if authzCheck { if authzCheck {
return &VerificationResults{}, nil return &PostHandshakeVerificationResults{}, nil
} }
return nil, fmt.Errorf("custom authz check fails") return nil, fmt.Errorf("custom authz check fails")
}, },
@ -294,8 +294,8 @@ func (s) TestEnd2End(t *testing.T) {
} }
}, },
serverRoot: cs.ServerTrust1, serverRoot: cs.ServerTrust1,
serverVerifyFunc: func(params *VerificationFuncParams) (*VerificationResults, error) { serverVerifyFunc: func(params *HandshakeVerificationInfo) (*PostHandshakeVerificationResults, error) {
return &VerificationResults{}, nil return &PostHandshakeVerificationResults{}, nil
}, },
serverVerificationType: CertVerification, serverVerificationType: CertVerification,
}, },
@ -314,16 +314,16 @@ func (s) TestEnd2End(t *testing.T) {
desc: "TestServerCustomVerification", desc: "TestServerCustomVerification",
clientCert: []tls.Certificate{cs.ClientCert1}, clientCert: []tls.Certificate{cs.ClientCert1},
clientRoot: cs.ClientTrust1, clientRoot: cs.ClientTrust1,
clientVerifyFunc: func(params *VerificationFuncParams) (*VerificationResults, error) { clientVerifyFunc: func(params *HandshakeVerificationInfo) (*PostHandshakeVerificationResults, error) {
return &VerificationResults{}, nil return &PostHandshakeVerificationResults{}, nil
}, },
clientVerificationType: CertVerification, clientVerificationType: CertVerification,
serverCert: []tls.Certificate{cs.ServerCert1}, serverCert: []tls.Certificate{cs.ServerCert1},
serverRoot: cs.ServerTrust1, serverRoot: cs.ServerTrust1,
serverVerifyFunc: func(params *VerificationFuncParams) (*VerificationResults, error) { serverVerifyFunc: func(params *HandshakeVerificationInfo) (*PostHandshakeVerificationResults, error) {
switch stage.read() { switch stage.read() {
case 0, 2: case 0, 2:
return &VerificationResults{}, nil return &PostHandshakeVerificationResults{}, nil
case 1: case 1:
return nil, fmt.Errorf("custom authz check fails") return nil, fmt.Errorf("custom authz check fails")
default: default:
@ -345,9 +345,9 @@ func (s) TestEnd2End(t *testing.T) {
RootCACerts: test.serverRoot, RootCACerts: test.serverRoot,
GetRootCertificates: test.serverGetRoot, GetRootCertificates: test.serverGetRoot,
}, },
RequireClientCert: true, RequireClientCert: true,
VerifyPeer: test.serverVerifyFunc, AdditionalPeerVerification: test.serverVerifyFunc,
VerificationType: test.serverVerificationType, VerificationType: test.serverVerificationType,
} }
serverTLSCreds, err := NewServerCreds(serverOptions) serverTLSCreds, err := NewServerCreds(serverOptions)
if err != nil { if err != nil {
@ -368,7 +368,7 @@ func (s) TestEnd2End(t *testing.T) {
Certificates: test.clientCert, Certificates: test.clientCert,
GetIdentityCertificatesForClient: test.clientGetCert, GetIdentityCertificatesForClient: test.clientGetCert,
}, },
VerifyPeer: test.clientVerifyFunc, AdditionalPeerVerification: test.clientVerifyFunc,
RootOptions: RootCertificateOptions{ RootOptions: RootCertificateOptions{
RootCACerts: test.clientRoot, RootCACerts: test.clientRoot,
GetRootCertificates: test.clientGetRoot, GetRootCertificates: test.clientGetRoot,
@ -635,8 +635,8 @@ func (s) TestPEMFileProviderEnd2End(t *testing.T) {
RootProvider: serverRootProvider, RootProvider: serverRootProvider,
}, },
RequireClientCert: true, RequireClientCert: true,
VerifyPeer: func(params *VerificationFuncParams) (*VerificationResults, error) { AdditionalPeerVerification: func(params *HandshakeVerificationInfo) (*PostHandshakeVerificationResults, error) {
return &VerificationResults{}, nil return &PostHandshakeVerificationResults{}, nil
}, },
VerificationType: CertVerification, VerificationType: CertVerification,
} }
@ -658,8 +658,8 @@ func (s) TestPEMFileProviderEnd2End(t *testing.T) {
IdentityOptions: IdentityCertificateOptions{ IdentityOptions: IdentityCertificateOptions{
IdentityProvider: clientIdentityProvider, IdentityProvider: clientIdentityProvider,
}, },
VerifyPeer: func(params *VerificationFuncParams) (*VerificationResults, error) { AdditionalPeerVerification: func(params *HandshakeVerificationInfo) (*PostHandshakeVerificationResults, error) {
return &VerificationResults{}, nil return &PostHandshakeVerificationResults{}, nil
}, },
RootOptions: RootCertificateOptions{ RootOptions: RootCertificateOptions{
RootProvider: clientRootProvider, RootProvider: clientRootProvider,


@ -369,7 +369,7 @@ func (s) TestClientServerHandshake(t *testing.T) {
getRootCAsForClient := func(params *GetRootCAsParams) (*GetRootCAsResults, error) { getRootCAsForClient := func(params *GetRootCAsParams) (*GetRootCAsResults, error) {
return &GetRootCAsResults{TrustCerts: cs.ClientTrust1}, nil return &GetRootCAsResults{TrustCerts: cs.ClientTrust1}, nil
} }
clientVerifyFuncGood := func(params *VerificationFuncParams) (*VerificationResults, error) { clientVerifyFuncGood := func(params *HandshakeVerificationInfo) (*PostHandshakeVerificationResults, error) {
if params.ServerName == "" { if params.ServerName == "" {
return nil, errors.New("client side server name should have a value") return nil, errors.New("client side server name should have a value")
} }
@ -378,15 +378,15 @@ func (s) TestClientServerHandshake(t *testing.T) {
return nil, errors.New("client side params parsing error") return nil, errors.New("client side params parsing error")
} }
return &VerificationResults{}, nil return &PostHandshakeVerificationResults{}, nil
} }
verifyFuncBad := func(params *VerificationFuncParams) (*VerificationResults, error) { verifyFuncBad := func(params *HandshakeVerificationInfo) (*PostHandshakeVerificationResults, error) {
return nil, fmt.Errorf("custom verification function failed") return nil, fmt.Errorf("custom verification function failed")
} }
getRootCAsForServer := func(params *GetRootCAsParams) (*GetRootCAsResults, error) { getRootCAsForServer := func(params *GetRootCAsParams) (*GetRootCAsResults, error) {
return &GetRootCAsResults{TrustCerts: cs.ServerTrust1}, nil return &GetRootCAsResults{TrustCerts: cs.ServerTrust1}, nil
} }
serverVerifyFunc := func(params *VerificationFuncParams) (*VerificationResults, error) { serverVerifyFunc := func(params *HandshakeVerificationInfo) (*PostHandshakeVerificationResults, error) {
if params.ServerName != "" { if params.ServerName != "" {
return nil, errors.New("server side server name should not have a value") return nil, errors.New("server side server name should not have a value")
} }
@ -395,7 +395,7 @@ func (s) TestClientServerHandshake(t *testing.T) {
return nil, errors.New("server side params parsing error") return nil, errors.New("server side params parsing error")
} }
return &VerificationResults{}, nil return &PostHandshakeVerificationResults{}, nil
} }
getRootCAsForServerBad := func(params *GetRootCAsParams) (*GetRootCAsResults, error) { getRootCAsForServerBad := func(params *GetRootCAsParams) (*GetRootCAsResults, error) {
return nil, fmt.Errorf("bad root certificate reloading") return nil, fmt.Errorf("bad root certificate reloading")
@ -431,7 +431,7 @@ func (s) TestClientServerHandshake(t *testing.T) {
clientGetCert func(*tls.CertificateRequestInfo) (*tls.Certificate, error) clientGetCert func(*tls.CertificateRequestInfo) (*tls.Certificate, error)
clientRoot *x509.CertPool clientRoot *x509.CertPool
clientGetRoot func(params *GetRootCAsParams) (*GetRootCAsResults, error) clientGetRoot func(params *GetRootCAsParams) (*GetRootCAsResults, error)
clientVerifyFunc CustomVerificationFunc clientVerifyFunc PostHandshakeVerificationFunc
clientVerificationType VerificationType clientVerificationType VerificationType
clientRootProvider certprovider.Provider clientRootProvider certprovider.Provider
clientIdentityProvider certprovider.Provider clientIdentityProvider certprovider.Provider
@ -442,7 +442,7 @@ func (s) TestClientServerHandshake(t *testing.T) {
serverGetCert func(*tls.ClientHelloInfo) ([]*tls.Certificate, error) serverGetCert func(*tls.ClientHelloInfo) ([]*tls.Certificate, error)
serverRoot *x509.CertPool serverRoot *x509.CertPool
serverGetRoot func(params *GetRootCAsParams) (*GetRootCAsResults, error) serverGetRoot func(params *GetRootCAsParams) (*GetRootCAsResults, error)
serverVerifyFunc CustomVerificationFunc serverVerifyFunc PostHandshakeVerificationFunc
serverVerificationType VerificationType serverVerificationType VerificationType
serverRootProvider certprovider.Provider serverRootProvider certprovider.Provider
serverIdentityProvider certprovider.Provider serverIdentityProvider certprovider.Provider
@ -822,10 +822,10 @@ func (s) TestClientServerHandshake(t *testing.T) {
GetRootCertificates: test.serverGetRoot, GetRootCertificates: test.serverGetRoot,
RootProvider: test.serverRootProvider, RootProvider: test.serverRootProvider,
}, },
RequireClientCert: test.serverMutualTLS, RequireClientCert: test.serverMutualTLS,
VerifyPeer: test.serverVerifyFunc, AdditionalPeerVerification: test.serverVerifyFunc,
VerificationType: test.serverVerificationType, VerificationType: test.serverVerificationType,
RevocationConfig: test.serverRevocationConfig, RevocationConfig: test.serverRevocationConfig,
} }
go func(done chan credentials.AuthInfo, lis net.Listener, serverOptions *ServerOptions) { go func(done chan credentials.AuthInfo, lis net.Listener, serverOptions *ServerOptions) {
serverRawConn, err := lis.Accept() serverRawConn, err := lis.Accept()
@ -861,7 +861,7 @@ func (s) TestClientServerHandshake(t *testing.T) {
GetIdentityCertificatesForClient: test.clientGetCert, GetIdentityCertificatesForClient: test.clientGetCert,
IdentityProvider: test.clientIdentityProvider, IdentityProvider: test.clientIdentityProvider,
}, },
VerifyPeer: test.clientVerifyFunc, AdditionalPeerVerification: test.clientVerifyFunc,
RootOptions: RootCertificateOptions{ RootOptions: RootCertificateOptions{
RootCACerts: test.clientRoot, RootCACerts: test.clientRoot,
GetRootCertificates: test.clientGetRoot, GetRootCertificates: test.clientGetRoot,


@ -76,8 +76,8 @@ func main() {
IdentityOptions: advancedtls.IdentityCertificateOptions{ IdentityOptions: advancedtls.IdentityCertificateOptions{
IdentityProvider: identityProvider, IdentityProvider: identityProvider,
}, },
VerifyPeer: func(params *advancedtls.VerificationFuncParams) (*advancedtls.VerificationResults, error) { AdditionalPeerVerification: func(params *advancedtls.HandshakeVerificationInfo) (*advancedtls.PostHandshakeVerificationResults, error) {
return &advancedtls.VerificationResults{}, nil return &advancedtls.PostHandshakeVerificationResults{}, nil
}, },
RootOptions: advancedtls.RootCertificateOptions{ RootOptions: advancedtls.RootCertificateOptions{
RootProvider: rootProvider, RootProvider: rootProvider,


@ -84,10 +84,10 @@ func main() {
RootProvider: rootProvider, RootProvider: rootProvider,
}, },
RequireClientCert: true, RequireClientCert: true,
VerifyPeer: func(params *advancedtls.VerificationFuncParams) (*advancedtls.VerificationResults, error) { AdditionalPeerVerification: func(params *advancedtls.HandshakeVerificationInfo) (*advancedtls.PostHandshakeVerificationResults, error) {
// This message is to show the certificate under the hood is actually reloaded. // This message is to show the certificate under the hood is actually reloaded.
fmt.Printf("Client common name: %s.\n", params.Leaf.Subject.CommonName) fmt.Printf("Client common name: %s.\n", params.Leaf.Subject.CommonName)
return &advancedtls.VerificationResults{}, nil return &advancedtls.PostHandshakeVerificationResults{}, nil
}, },
VerificationType: advancedtls.CertVerification, VerificationType: advancedtls.CertVerification,
} }