
Function buildSPIFFEVerifyFunc

internal/xds/bootstrap/tlscreds/bundle.go:160–194  ·  view source on GitHub ↗
(spiffeBundleMap map[string]*spiffebundle.Bundle)


158}
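// buildSPIFFEVerifyFunc returns a VerifyPeerCertificate-style callback that
// authenticates the peer's certificate chain against the given SPIFFE trust
// bundle map rather than against a process-wide root store.
//
// The returned function parses every raw DER certificate it is handed,
// treats the first one as the leaf, obtains the root pool for that leaf via
// spiffe.GetRootsFromSPIFFEBundleMap, and verifies the leaf with the
// remaining certificates offered as intermediates. The verifiedChains
// argument is ignored: only the pass/fail result of the SPIFFE-rooted
// verification matters here.
//
// Errors coming out of crypto/x509 (parse and verify failures) are wrapped
// with %w so callers can inspect them with errors.As, for example to tell
// x509.UnknownAuthorityError apart from x509.CertificateInvalidError. The
// error text is unchanged from the previous %v formatting.
func buildSPIFFEVerifyFunc(spiffeBundleMap map[string]*spiffebundle.Bundle) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		// Reject an empty presentation before doing any parsing work: with no
		// leaf there is nothing to verify and nothing to select roots from.
		if len(rawCerts) == 0 {
			return fmt.Errorf("spiffe: verify function has no valid input certificates")
		}
		certs := make([]*x509.Certificate, 0, len(rawCerts))
		for _, asn1Data := range rawCerts {
			cert, err := x509.ParseCertificate(asn1Data)
			if err != nil {
				return fmt.Errorf("spiffe: verify function could not parse input certificate: %w", err)
			}
			certs = append(certs, cert)
		}
		leafCert := certs[0]
		// The root pool is chosen per leaf; GetRootsFromSPIFFEBundleMap owns
		// the selection rule (presumably keyed by the leaf's trust domain —
		// see that helper for the exact behaviour).
		roots, err := spiffe.GetRootsFromSPIFFEBundleMap(spiffeBundleMap, leafCert)
		if err != nil {
			return err
		}

		// Everything after the leaf is offered as a candidate intermediate;
		// Verify decides whether any of them actually chains to a root.
		intermediates := x509.NewCertPool()
		for _, cert := range certs[1:] {
			intermediates.AddCert(cert)
		}
		// NOTE(review): KeyUsages is left unset, so Verify applies the
		// crypto/x509 default of ExtKeyUsageServerAuth. Confirm that is the
		// intended requirement for every peer this callback is installed for.
		opts := x509.VerifyOptions{
			Roots:         roots,
			Intermediates: intermediates,
			CurrentTime:   time.Now(),
		}
		// The chains Verify builds are not needed: the roots were already
		// narrowed to the leaf's bundle, so success alone is the answer.
		if _, err := leafCert.Verify(opts); err != nil {
			return fmt.Errorf("spiffe: x509 certificate Verify failed: %w", err)
		}
		return nil
	}
}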
