MCPcopy
hub / github.com/grpc/grpc-go / buildVerifyFunc

Method buildVerifyFunc

internal/credentials/xds/handshake_info.go:211–277  ·  view source on GitHub ↗
(km *certprovider.KeyMaterial, isClient bool, sni string)

Source from the content-addressed store, hash-verified

209}
210
211func (hi *HandshakeInfo) buildVerifyFunc(km *certprovider.KeyMaterial, isClient bool, sni string) func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
212 return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
213 // Parse all raw certificates presented by the peer.
214 var certs []*x509.Certificate
215 for _, rc := range rawCerts {
216 cert, err := x509.ParseCertificate(rc)
217 if err != nil {
218 return err
219 }
220 certs = append(certs, cert)
221 }
222
223 // Build the intermediates list and verify that the leaf certificate is
224 // signed by one of the root certificates. If a SPIFFE Bundle Map is
225 // configured, it is used to get the root certs. Otherwise, the
226 // configured roots in the root provider are used.
227 intermediates := x509.NewCertPool()
228 for _, cert := range certs[1:] {
229 intermediates.AddCert(cert)
230 }
231 roots := km.Roots
232 // If a SPIFFE Bundle Map is configured, find the roots for the trust
233 // domain of the leaf certificate.
234 if km.SPIFFEBundleMap != nil {
235 var err error
236 roots, err = spiffe.GetRootsFromSPIFFEBundleMap(km.SPIFFEBundleMap, certs[0])
237 if err != nil {
238 return err
239 }
240 }
241 opts := x509.VerifyOptions{
242 Roots: roots,
243 Intermediates: intermediates,
244 KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
245 }
246 if isClient {
247 opts.KeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
248 } else {
249 opts.KeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
250 }
251 if _, err := certs[0].Verify(opts); err != nil {
252 return err
253 }
254
255 // If XDSSNIEnabled and AutoSNISANValidation are both true and the SNI is
256 // non-empty, validate only DNS SANs against the SNI. Otherwise, fallback to
257 // validating all received SANs against the control plane provided SAN
258 // matchers.
259 if envconfig.XDSSNIEnabled && hi.validateSANUsingSNI && sni != "" {
260 // Verify SAN of leaf certificate with SNI using exact DNS matcher.
261 for _, san := range certs[0].DNSNames {
262 if dnsMatch(sni, san) {
263 return nil
264 }
265 }
266 return fmt.Errorf("xds: received DNS SANs: %v do not match the SNI: %s", certs[0].DNSNames, sni)
267 }
268 // The SANs sent by the xDS control plane are encoded as SPIFFE IDs. We need to

Callers 2

ClientSideTLSConfigMethod · 0.95
ServerSideTLSConfigMethod · 0.95

Calls 4

MatchingSANExistsMethod · 0.95
dnsMatchFunction · 0.85
ErrorfMethod · 0.65

Tested by

no test coverage detected