
Method serverConfig

security/advancedtls/advancedtls.go:316–409  ·  view source on GitHub ↗
314}
315
316func (o *Options) serverConfig() (*tls.Config, error) {
317 if o.RequireClientCert && o.VerificationType == SkipVerification && o.AdditionalPeerVerification == nil {
318 return nil, fmt.Errorf("server needs to provide custom verification mechanism if choose to skip default verification, but require client certificate(s)")
319 }
320 // If the MinTLSVersion isn't set, default to 1.2
321 if o.MinTLSVersion == 0 {
322 o.MinTLSVersion = tls.VersionTLS12
323 }
324 // If the MaxTLSVersion isn't set, default to 1.3
325 if o.MaxTLSVersion == 0 {
326 o.MaxTLSVersion = tls.VersionTLS13
327 }
328 // Make sure users didn't specify more than one fields in
329 // RootCertificateOptions and IdentityCertificateOptions.
330 if num := o.RootOptions.nonNilFieldCount(); num > 1 {
331 return nil, fmt.Errorf("at most one field in RootCertificateOptions could be specified")
332 }
333 if num := o.IdentityOptions.nonNilFieldCount(); num > 1 {
334 return nil, fmt.Errorf("at most one field in IdentityCertificateOptions could be specified")
335 }
336 if o.IdentityOptions.GetIdentityCertificatesForClient != nil {
337 return nil, fmt.Errorf("GetIdentityCertificatesForClient cannot be specified on the server side")
338 }
339 if o.MinTLSVersion > o.MaxTLSVersion {
340 return nil, fmt.Errorf("the minimum TLS version is larger than the maximum TLS version")
341 }
342 clientAuth := tls.NoClientCert
343 if o.RequireClientCert {
344 // We have to set clientAuth to RequireAnyClientCert to force underlying
345 // TLS package to use the verification function we built from
346 // buildVerifyFunc.
347 clientAuth = tls.RequireAnyClientCert
348 }
349 config := &tls.Config{
350 ClientAuth: clientAuth,
351 MinVersion: o.MinTLSVersion,
352 MaxVersion: o.MaxTLSVersion,
353 CipherSuites: o.CipherSuites,
354 }
355 // Propagate root-certificate-related fields in tls.Config.
356 switch {
357 case o.RootOptions.RootCertificates != nil:
358 config.ClientCAs = o.RootOptions.RootCertificates
359 case o.RootOptions.GetRootCertificates != nil:
360 // In cases when users provide GetRootCertificates callback, since this
361 // callback is not contained in tls.Config, we have nothing to set here.
362 // We will invoke the callback in ServerHandshake.
363 case o.RootOptions.RootProvider != nil:
364 o.RootOptions.GetRootCertificates = func(*ConnectionInfo) (*RootCertificates, error) {
365 km, err := o.RootOptions.RootProvider.KeyMaterial(context.Background())
366 if err != nil {
367 return nil, err
368 }
369 return &RootCertificates{TrustCerts: km.Roots}, nil
370 }
371 default:
372 // No root certificate options specified by user. Use the certificates
373 // stored in system default path as the last resort.
