forked from hyperledger/fabric
-
Notifications
You must be signed in to change notification settings - Fork 0
/
creds.go
80 lines (68 loc) · 2.46 KB
/
creds.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
/*
Copyright IBM Corp. All Rights Reserved.
SPDX-License-Identifier: Apache-2.0
*/
package comm
import (
"crypto/tls"
"errors"
"net"
"golang.org/x/net/context"
"google.golang.org/grpc/credentials"
)
var (
ClientHandshakeNotImplError = errors.New("core/comm: Client handshakes" +
"are not implemented with serverCreds")
OverrrideHostnameNotSupportedError = errors.New(
"core/comm: OverrideServerName is " +
"not supported")
MissingServerConfigError = errors.New(
"core/comm: `serverConfig` cannot be nil")
// alpnProtoStr are the specified application level protocols for gRPC.
alpnProtoStr = []string{"h2"}
)
// NewServerTransportCredentials returns a new initialized
// grpc/credentials.TransportCredentials
func NewServerTransportCredentials(serverConfig *tls.Config) credentials.TransportCredentials {
// NOTE: unlike the default grpc/credentials implementation, we do not
// clone the tls.Config which allows us to update it dynamically
serverConfig.NextProtos = alpnProtoStr
// override TLS version and ensure it is 1.2
serverConfig.MinVersion = tls.VersionTLS12
serverConfig.MaxVersion = tls.VersionTLS12
return &serverCreds{serverConfig}
}
// serverCreds is an implementation of grpc/credentials.TransportCredentials.
type serverCreds struct {
serverConfig *tls.Config
}
// ClientHandShake is not implemented for `serverCreds`.
func (sc *serverCreds) ClientHandshake(context.Context,
string, net.Conn) (net.Conn, credentials.AuthInfo, error) {
return nil, nil, ClientHandshakeNotImplError
}
// ServerHandshake does the authentication handshake for servers.
func (sc *serverCreds) ServerHandshake(rawConn net.Conn) (net.Conn, credentials.AuthInfo, error) {
conn := tls.Server(rawConn, sc.serverConfig)
if err := conn.Handshake(); err != nil {
return nil, nil, err
}
return conn, credentials.TLSInfo{conn.ConnectionState()}, nil
}
// Info provides the ProtocolInfo of this TransportCredentials.
func (sc *serverCreds) Info() credentials.ProtocolInfo {
return credentials.ProtocolInfo{
SecurityProtocol: "tls",
SecurityVersion: "1.2",
}
}
// Clone makes a copy of this TransportCredentials.
func (sc *serverCreds) Clone() credentials.TransportCredentials {
creds := NewServerTransportCredentials(sc.serverConfig)
return creds
}
// OverrideServerName overrides the server name used to verify the hostname
// on the returned certificates from the server.
func (sc *serverCreds) OverrideServerName(string) error {
return OverrrideHostnameNotSupportedError
}