MCPcopy
hub / github.com/grpc/grpc-go / SPIFFEIDFromCert

Function SPIFFEIDFromCert

internal/credentials/spiffe.go:45–75  ·  view source on GitHub ↗

SPIFFEIDFromCert parses the SPIFFE ID from x509.Certificate. If the SPIFFE ID format is invalid, return nil with warning.

(cert *x509.Certificate)

Source from the content-addressed store, hash-verified

43// SPIFFEIDFromCert parses the SPIFFE ID from x509.Certificate. If the SPIFFE
44// ID format is invalid, return nil with warning.
45func SPIFFEIDFromCert(cert *x509.Certificate) *url.URL {
46 if cert == nil || cert.URIs == nil {
47 return nil
48 }
49 var spiffeID *url.URL
50 for _, uri := range cert.URIs {
51 if uri == nil || uri.Scheme != "spiffe" || uri.Opaque != "" || (uri.User != nil && uri.User.Username() != "") {
52 continue
53 }
54 // From this point, we assume the uri is intended for a SPIFFE ID.
55 if len(uri.String()) > 2048 {
56 logger.Warning("invalid SPIFFE ID: total ID length larger than 2048 bytes")
57 return nil
58 }
59 if len(uri.Host) == 0 || len(uri.Path) == 0 {
60 logger.Warning("invalid SPIFFE ID: domain or workload ID is empty")
61 return nil
62 }
63 if len(uri.Host) > 255 {
64 logger.Warning("invalid SPIFFE ID: domain length larger than 255 characters")
65 return nil
66 }
67 // A valid SPIFFE certificate can only have exactly one URI SAN field.
68 if len(cert.URIs) > 1 {
69 logger.Warning("invalid SPIFFE ID: multiple URI SANs")
70 return nil
71 }
72 spiffeID = uri
73 }
74 return spiffeID
75}

Callers 2

SPIFFEIDFromStateFunction · 0.70
TestSPIFFEIDFromCertMethod · 0.70

Calls 2

StringMethod · 0.65
WarningMethod · 0.65

Tested by 1

TestSPIFFEIDFromCertMethod · 0.56