github.com/grpc/grpc-go

Function GetRootsFromSPIFFEBundleMap

internal/credentials/spiffe/spiffe.go:68–90

GetRootsFromSPIFFEBundleMap returns the root trust certificates from the SPIFFE bundle map for the trust domain of the leaf certificate's SPIFFE ID. If the leaf has no well-formed SPIFFE ID, or the bundle map has no entry for its trust domain, it returns an error so that the peer is rejected.

func GetRootsFromSPIFFEBundleMap(bundleMap map[string]*spiffebundle.Bundle, leafCert *x509.Certificate) (*x509.CertPool, error)


package spiffe

// Imports used by this excerpt (the file's full import block is not shown on this page).
import (
	"crypto/x509"
	"fmt"

	"github.com/spiffe/go-spiffe/v2/bundle/spiffebundle"
)

// GetRootsFromSPIFFEBundleMap returns the root trust certificates from the
// SPIFFE bundle map for the given trust domain from the leaf certificate.
func GetRootsFromSPIFFEBundleMap(bundleMap map[string]*spiffebundle.Bundle, leafCert *x509.Certificate) (*x509.CertPool, error) {
	// 1. Upon receiving a peer certificate, verify that it is a well-formed SPIFFE
	// leaf certificate. In particular, it must have a single URI SAN containing
	// a well-formed SPIFFE ID ([SPIFFE ID format]).
	spiffeID, err := idFromCert(leafCert)
	if err != nil {
		return nil, fmt.Errorf("spiffe: could not get spiffe ID from peer leaf cert but verification with spiffe trust map was configured: %v", err)
	}

	// 2. Use the trust domain in the peer certificate's SPIFFE ID to lookup
	// the SPIFFE trust bundle. If the trust domain is not contained in the
	// configured trust map, reject the certificate.
	spiffeBundle, ok := bundleMap[spiffeID.TrustDomain().Name()]
	if !ok {
		return nil, fmt.Errorf("spiffe: no bundle found for peer certificates trust domain %q but verification with a SPIFFE trust map was configured", spiffeID.TrustDomain().Name())
	}
	roots := spiffeBundle.X509Authorities()
	rootPool := x509.NewCertPool()
	for _, root := range roots {
		rootPool.AddCert(root)
	}
	return rootPool, nil
}

// idFromCert parses the SPIFFE ID from the x509.Certificate. If the certificate
// does not have a valid SPIFFE ID, returns an error.
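The two steps the function above performs, as an added example that is not grpc-go's code and does not use go-spiffe: the standard library alone stands in for the SPIFFE types, with a map of *x509.CertPool keyed by trust domain in place of map[string]*spiffebundle.Bundle, and a simplified SPIFFE ID check (assumption: only the rules named in the function's comment are enforced; the real idFromCert and the SPIFFE specification check more). The certificates are constructed in memory on each run. It also shows the caller's side, which the page's function leaves to its caller: the selected roots are only useful once the leaf is actually chained to them, so a valid SPIFFE ID in a known trust domain is not sufficient by itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// trustDomainFromCert is a simplified stand-in for idFromCert (assumption: only
// the checks named in the function's comment are enforced). The leaf must carry
// exactly one URI SAN, with scheme "spiffe", a non-empty host and no port,
// userinfo, query or fragment; the host is the trust domain.
func trustDomainFromCert(leaf *x509.Certificate) (string, error) {
	if n := len(leaf.URIs); n != 1 {
		return "", fmt.Errorf("expected exactly one URI SAN, got %d", n)
	}
	u := leaf.URIs[0]
	if u.Scheme != "spiffe" || u.Hostname() == "" || u.Port() != "" ||
		u.User != nil || u.RawQuery != "" || u.Fragment != "" {
		return "", fmt.Errorf("URI SAN %q is not a well-formed SPIFFE ID", u.String())
	}
	return u.Hostname(), nil
}

// rootsForTrustDomain mirrors GetRootsFromSPIFFEBundleMap with *x509.CertPool in
// place of *spiffebundle.Bundle: the peer's trust domain selects the bundle, and
// a trust domain absent from the map is rejected rather than falling back.
func rootsForTrustDomain(bundles map[string]*x509.CertPool, leaf *x509.Certificate) (*x509.CertPool, error) {
	td, err := trustDomainFromCert(leaf)
	if err != nil {
		return nil, fmt.Errorf("spiffe: could not get SPIFFE ID from peer leaf cert: %w", err)
	}
	pool, ok := bundles[td]
	if !ok {
		return nil, fmt.Errorf("spiffe: no bundle found for peer trust domain %q", td)
	}
	return pool, nil
}

// verifyPeer is the caller's side: the leaf must still chain to one of the
// roots selected for its trust domain.
func verifyPeer(bundles map[string]*x509.CertPool, leaf *x509.Certificate) error {
	roots, err := rootsForTrustDomain(bundles, leaf)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA builds a constructed, in-memory self-signed CA for a trust domain.
func newCA(td string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test CA for " + td},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// newLeaf builds a constructed leaf signed by ca with the given URI SANs.
func newLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, uris ...string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
	}
	for _, s := range uris {
		u, err := url.Parse(s)
		check(err)
		tmpl.URIs = append(tmpl.URIs, u)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

func main() {
	ca, caKey := newCA("example.org")
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	bundles := map[string]*x509.CertPool{"example.org": pool} // constructed trust map
	for _, uri := range []string{"spiffe://example.org/workload/a", "spiffe://other.org/workload/b"} {
		fmt.Printf("%s: %v\n", uri, verifyPeer(bundles, newLeaf(ca, caKey, uri)))
	}
}
```

Running it accepts the example.org leaf and rejects the other.org one, because other.org has no entry in the map; a leaf that carries two URI SANs, a non-spiffe URI, or an example.org SPIFFE ID but a signature from a different CA is rejected as well, the last of these by the chain check rather than the lookup.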

Calls (3)

idFromCert (function)
Errorf (method)
Name (method)