diff options
Diffstat (limited to 'vendor/google.golang.org/grpc/credentials')
3 files changed, 0 insertions, 687 deletions
diff --git a/vendor/google.golang.org/grpc/credentials/credentials.go b/vendor/google.golang.org/grpc/credentials/credentials.go deleted file mode 100644 index 665e790bb..000000000 --- a/vendor/google.golang.org/grpc/credentials/credentials.go +++ /dev/null @@ -1,291 +0,0 @@ -/* - * - * Copyright 2014 gRPC authors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ - -// Package credentials implements various credentials supported by gRPC library, -// which encapsulate all the state needed by a client to authenticate with a -// server and make various assertions, e.g., about the client's identity, role, -// or whether it is authorized to make a particular call. -package credentials // import "google.golang.org/grpc/credentials" - -import ( - "context" - "errors" - "fmt" - "net" - - "google.golang.org/grpc/attributes" - icredentials "google.golang.org/grpc/internal/credentials" - "google.golang.org/protobuf/proto" -) - -// PerRPCCredentials defines the common interface for the credentials which need to -// attach security information to every RPC (e.g., oauth2). -type PerRPCCredentials interface { - // GetRequestMetadata gets the current request metadata, refreshing tokens - // if required. This should be called by the transport layer on each - // request, and the data should be populated in headers or other - // context. If a status code is returned, it will be used as the status for - // the RPC (restricted to an allowable set of codes as defined by gRFC - // A54). uri is the URI of the entry point for the request. When supported - // by the underlying implementation, ctx can be used for timeout and - // cancellation. Additionally, RequestInfo data will be available via ctx - // to this call. TODO(zhaoq): Define the set of the qualified keys instead - // of leaving it as an arbitrary string. - GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error) - // RequireTransportSecurity indicates whether the credentials requires - // transport security. - RequireTransportSecurity() bool -} - -// SecurityLevel defines the protection level on an established connection. -// -// This API is experimental. -type SecurityLevel int - -const ( - // InvalidSecurityLevel indicates an invalid security level. - // The zero SecurityLevel value is invalid for backward compatibility. - InvalidSecurityLevel SecurityLevel = iota - // NoSecurity indicates a connection is insecure. - NoSecurity - // IntegrityOnly indicates a connection only provides integrity protection. - IntegrityOnly - // PrivacyAndIntegrity indicates a connection provides both privacy and integrity protection. - PrivacyAndIntegrity -) - -// String returns SecurityLevel in a string format. -func (s SecurityLevel) String() string { - switch s { - case NoSecurity: - return "NoSecurity" - case IntegrityOnly: - return "IntegrityOnly" - case PrivacyAndIntegrity: - return "PrivacyAndIntegrity" - } - return fmt.Sprintf("invalid SecurityLevel: %v", int(s)) -} - -// CommonAuthInfo contains authenticated information common to AuthInfo implementations. -// It should be embedded in a struct implementing AuthInfo to provide additional information -// about the credentials. -// -// This API is experimental. -type CommonAuthInfo struct { - SecurityLevel SecurityLevel -} - -// GetCommonAuthInfo returns the pointer to CommonAuthInfo struct. -func (c CommonAuthInfo) GetCommonAuthInfo() CommonAuthInfo { - return c -} - -// ProtocolInfo provides information regarding the gRPC wire protocol version, -// security protocol, security protocol version in use, server name, etc. -type ProtocolInfo struct { - // ProtocolVersion is the gRPC wire protocol version. - ProtocolVersion string - // SecurityProtocol is the security protocol in use. - SecurityProtocol string - // SecurityVersion is the security protocol version. It is a static version string from the - // credentials, not a value that reflects per-connection protocol negotiation. To retrieve - // details about the credentials used for a connection, use the Peer's AuthInfo field instead. - // - // Deprecated: please use Peer.AuthInfo. - SecurityVersion string - // ServerName is the user-configured server name. - ServerName string -} - -// AuthInfo defines the common interface for the auth information the users are interested in. -// A struct that implements AuthInfo should embed CommonAuthInfo by including additional -// information about the credentials in it. -type AuthInfo interface { - AuthType() string -} - -// ErrConnDispatched indicates that rawConn has been dispatched out of gRPC -// and the caller should not close rawConn. -var ErrConnDispatched = errors.New("credentials: rawConn is dispatched out of gRPC") - -// TransportCredentials defines the common interface for all the live gRPC wire -// protocols and supported transport security protocols (e.g., TLS, SSL). -type TransportCredentials interface { - // ClientHandshake does the authentication handshake specified by the - // corresponding authentication protocol on rawConn for clients. It returns - // the authenticated connection and the corresponding auth information - // about the connection. The auth information should embed CommonAuthInfo - // to return additional information about the credentials. Implementations - // must use the provided context to implement timely cancellation. gRPC - // will try to reconnect if the error returned is a temporary error - // (io.EOF, context.DeadlineExceeded or err.Temporary() == true). If the - // returned error is a wrapper error, implementations should make sure that - // the error implements Temporary() to have the correct retry behaviors. - // Additionally, ClientHandshakeInfo data will be available via the context - // passed to this call. - // - // The second argument to this method is the `:authority` header value used - // while creating new streams on this connection after authentication - // succeeds. Implementations must use this as the server name during the - // authentication handshake. - // - // If the returned net.Conn is closed, it MUST close the net.Conn provided. - ClientHandshake(context.Context, string, net.Conn) (net.Conn, AuthInfo, error) - // ServerHandshake does the authentication handshake for servers. It returns - // the authenticated connection and the corresponding auth information about - // the connection. The auth information should embed CommonAuthInfo to return additional information - // about the credentials. - // - // If the returned net.Conn is closed, it MUST close the net.Conn provided. - ServerHandshake(net.Conn) (net.Conn, AuthInfo, error) - // Info provides the ProtocolInfo of this TransportCredentials. - Info() ProtocolInfo - // Clone makes a copy of this TransportCredentials. - Clone() TransportCredentials - // OverrideServerName specifies the value used for the following: - // - verifying the hostname on the returned certificates - // - as SNI in the client's handshake to support virtual hosting - // - as the value for `:authority` header at stream creation time - // - // Deprecated: use grpc.WithAuthority instead. Will be supported - // throughout 1.x. - OverrideServerName(string) error -} - -// Bundle is a combination of TransportCredentials and PerRPCCredentials. -// -// It also contains a mode switching method, so it can be used as a combination -// of different credential policies. -// -// Bundle cannot be used together with individual TransportCredentials. -// PerRPCCredentials from Bundle will be appended to other PerRPCCredentials. -// -// This API is experimental. -type Bundle interface { - // TransportCredentials returns the transport credentials from the Bundle. - // - // Implementations must return non-nil transport credentials. If transport - // security is not needed by the Bundle, implementations may choose to - // return insecure.NewCredentials(). - TransportCredentials() TransportCredentials - - // PerRPCCredentials returns the per-RPC credentials from the Bundle. - // - // May be nil if per-RPC credentials are not needed. - PerRPCCredentials() PerRPCCredentials - - // NewWithMode should make a copy of Bundle, and switch mode. Modifying the - // existing Bundle may cause races. - // - // NewWithMode returns nil if the requested mode is not supported. - NewWithMode(mode string) (Bundle, error) -} - -// RequestInfo contains request data attached to the context passed to GetRequestMetadata calls. -// -// This API is experimental. -type RequestInfo struct { - // The method passed to Invoke or NewStream for this RPC. (For proto methods, this has the format "/some.Service/Method") - Method string - // AuthInfo contains the information from a security handshake (TransportCredentials.ClientHandshake, TransportCredentials.ServerHandshake) - AuthInfo AuthInfo -} - -// RequestInfoFromContext extracts the RequestInfo from the context if it exists. -// -// This API is experimental. -func RequestInfoFromContext(ctx context.Context) (ri RequestInfo, ok bool) { - ri, ok = icredentials.RequestInfoFromContext(ctx).(RequestInfo) - return ri, ok -} - -// ClientHandshakeInfo holds data to be passed to ClientHandshake. This makes -// it possible to pass arbitrary data to the handshaker from gRPC, resolver, -// balancer etc. Individual credential implementations control the actual -// format of the data that they are willing to receive. -// -// This API is experimental. -type ClientHandshakeInfo struct { - // Attributes contains the attributes for the address. It could be provided - // by the gRPC, resolver, balancer etc. - Attributes *attributes.Attributes -} - -// ClientHandshakeInfoFromContext returns the ClientHandshakeInfo struct stored -// in ctx. -// -// This API is experimental. -func ClientHandshakeInfoFromContext(ctx context.Context) ClientHandshakeInfo { - chi, _ := icredentials.ClientHandshakeInfoFromContext(ctx).(ClientHandshakeInfo) - return chi -} - -// CheckSecurityLevel checks if a connection's security level is greater than or equal to the specified one. -// It returns success if 1) the condition is satisfied or 2) AuthInfo struct does not implement GetCommonAuthInfo() method -// or 3) CommonAuthInfo.SecurityLevel has an invalid zero value. For 2) and 3), it is for the purpose of backward-compatibility. -// -// This API is experimental. -func CheckSecurityLevel(ai AuthInfo, level SecurityLevel) error { - type internalInfo interface { - GetCommonAuthInfo() CommonAuthInfo - } - if ai == nil { - return errors.New("AuthInfo is nil") - } - if ci, ok := ai.(internalInfo); ok { - // CommonAuthInfo.SecurityLevel has an invalid value. - if ci.GetCommonAuthInfo().SecurityLevel == InvalidSecurityLevel { - return nil - } - if ci.GetCommonAuthInfo().SecurityLevel < level { - return fmt.Errorf("requires SecurityLevel %v; connection has %v", level, ci.GetCommonAuthInfo().SecurityLevel) - } - } - // The condition is satisfied or AuthInfo struct does not implement GetCommonAuthInfo() method. - return nil -} - -// ChannelzSecurityInfo defines the interface that security protocols should implement -// in order to provide security info to channelz. -// -// This API is experimental. -type ChannelzSecurityInfo interface { - GetSecurityValue() ChannelzSecurityValue -} - -// ChannelzSecurityValue defines the interface that GetSecurityValue() return value -// should satisfy. This interface should only be satisfied by *TLSChannelzSecurityValue -// and *OtherChannelzSecurityValue. -// -// This API is experimental. -type ChannelzSecurityValue interface { - isChannelzSecurityValue() -} - -// OtherChannelzSecurityValue defines the struct that non-TLS protocol should return -// from GetSecurityValue(), which contains protocol specific security info. Note -// the Value field will be sent to users of channelz requesting channel info, and -// thus sensitive info should better be avoided. -// -// This API is experimental. -type OtherChannelzSecurityValue struct { - ChannelzSecurityValue - Name string - Value proto.Message -} diff --git a/vendor/google.golang.org/grpc/credentials/insecure/insecure.go b/vendor/google.golang.org/grpc/credentials/insecure/insecure.go deleted file mode 100644 index 4c805c644..000000000 --- a/vendor/google.golang.org/grpc/credentials/insecure/insecure.go +++ /dev/null @@ -1,98 +0,0 @@ -/* - * - * Copyright 2020 gRPC authors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ - -// Package insecure provides an implementation of the -// credentials.TransportCredentials interface which disables transport security. -package insecure - -import ( - "context" - "net" - - "google.golang.org/grpc/credentials" -) - -// NewCredentials returns a credentials which disables transport security. -// -// Note that using this credentials with per-RPC credentials which require -// transport security is incompatible and will cause grpc.Dial() to fail. -func NewCredentials() credentials.TransportCredentials { - return insecureTC{} -} - -// insecureTC implements the insecure transport credentials. The handshake -// methods simply return the passed in net.Conn and set the security level to -// NoSecurity. -type insecureTC struct{} - -func (insecureTC) ClientHandshake(_ context.Context, _ string, conn net.Conn) (net.Conn, credentials.AuthInfo, error) { - return conn, info{credentials.CommonAuthInfo{SecurityLevel: credentials.NoSecurity}}, nil -} - -func (insecureTC) ServerHandshake(conn net.Conn) (net.Conn, credentials.AuthInfo, error) { - return conn, info{credentials.CommonAuthInfo{SecurityLevel: credentials.NoSecurity}}, nil -} - -func (insecureTC) Info() credentials.ProtocolInfo { - return credentials.ProtocolInfo{SecurityProtocol: "insecure"} -} - -func (insecureTC) Clone() credentials.TransportCredentials { - return insecureTC{} -} - -func (insecureTC) OverrideServerName(string) error { - return nil -} - -// info contains the auth information for an insecure connection. -// It implements the AuthInfo interface. -type info struct { - credentials.CommonAuthInfo -} - -// AuthType returns the type of info as a string. -func (info) AuthType() string { - return "insecure" -} - -// insecureBundle implements an insecure bundle. -// An insecure bundle provides a thin wrapper around insecureTC to support -// the credentials.Bundle interface. -type insecureBundle struct{} - -// NewBundle returns a bundle with disabled transport security and no per rpc credential. -func NewBundle() credentials.Bundle { - return insecureBundle{} -} - -// NewWithMode returns a new insecure Bundle. The mode is ignored. -func (insecureBundle) NewWithMode(string) (credentials.Bundle, error) { - return insecureBundle{}, nil -} - -// PerRPCCredentials returns an nil implementation as insecure -// bundle does not support a per rpc credential. -func (insecureBundle) PerRPCCredentials() credentials.PerRPCCredentials { - return nil -} - -// TransportCredentials returns the underlying insecure transport credential. -func (insecureBundle) TransportCredentials() credentials.TransportCredentials { - return NewCredentials() -} diff --git a/vendor/google.golang.org/grpc/credentials/tls.go b/vendor/google.golang.org/grpc/credentials/tls.go deleted file mode 100644 index e163a473d..000000000 --- a/vendor/google.golang.org/grpc/credentials/tls.go +++ /dev/null @@ -1,298 +0,0 @@ -/* - * - * Copyright 2014 gRPC authors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ - -package credentials - -import ( - "context" - "crypto/tls" - "crypto/x509" - "fmt" - "net" - "net/url" - "os" - - "google.golang.org/grpc/grpclog" - credinternal "google.golang.org/grpc/internal/credentials" - "google.golang.org/grpc/internal/envconfig" -) - -var logger = grpclog.Component("credentials") - -// TLSInfo contains the auth information for a TLS authenticated connection. -// It implements the AuthInfo interface. -type TLSInfo struct { - State tls.ConnectionState - CommonAuthInfo - // This API is experimental. - SPIFFEID *url.URL -} - -// AuthType returns the type of TLSInfo as a string. -func (t TLSInfo) AuthType() string { - return "tls" -} - -// cipherSuiteLookup returns the string version of a TLS cipher suite ID. -func cipherSuiteLookup(cipherSuiteID uint16) string { - for _, s := range tls.CipherSuites() { - if s.ID == cipherSuiteID { - return s.Name - } - } - for _, s := range tls.InsecureCipherSuites() { - if s.ID == cipherSuiteID { - return s.Name - } - } - return fmt.Sprintf("unknown ID: %v", cipherSuiteID) -} - -// GetSecurityValue returns security info requested by channelz. -func (t TLSInfo) GetSecurityValue() ChannelzSecurityValue { - v := &TLSChannelzSecurityValue{ - StandardName: cipherSuiteLookup(t.State.CipherSuite), - } - // Currently there's no way to get LocalCertificate info from tls package. - if len(t.State.PeerCertificates) > 0 { - v.RemoteCertificate = t.State.PeerCertificates[0].Raw - } - return v -} - -// tlsCreds is the credentials required for authenticating a connection using TLS. -type tlsCreds struct { - // TLS configuration - config *tls.Config -} - -func (c tlsCreds) Info() ProtocolInfo { - return ProtocolInfo{ - SecurityProtocol: "tls", - SecurityVersion: "1.2", - ServerName: c.config.ServerName, - } -} - -func (c *tlsCreds) ClientHandshake(ctx context.Context, authority string, rawConn net.Conn) (_ net.Conn, _ AuthInfo, err error) { - // use local cfg to avoid clobbering ServerName if using multiple endpoints - cfg := credinternal.CloneTLSConfig(c.config) - if cfg.ServerName == "" { - serverName, _, err := net.SplitHostPort(authority) - if err != nil { - // If the authority had no host port or if the authority cannot be parsed, use it as-is. - serverName = authority - } - cfg.ServerName = serverName - } - conn := tls.Client(rawConn, cfg) - errChannel := make(chan error, 1) - go func() { - errChannel <- conn.Handshake() - close(errChannel) - }() - select { - case err := <-errChannel: - if err != nil { - conn.Close() - return nil, nil, err - } - case <-ctx.Done(): - conn.Close() - return nil, nil, ctx.Err() - } - - // The negotiated protocol can be either of the following: - // 1. h2: When the server supports ALPN. Only HTTP/2 can be negotiated since - // it is the only protocol advertised by the client during the handshake. - // The tls library ensures that the server chooses a protocol advertised - // by the client. - // 2. "" (empty string): If the server doesn't support ALPN. ALPN is a requirement - // for using HTTP/2 over TLS. We can terminate the connection immediately. - np := conn.ConnectionState().NegotiatedProtocol - if np == "" { - if envconfig.EnforceALPNEnabled { - conn.Close() - return nil, nil, fmt.Errorf("credentials: cannot check peer: missing selected ALPN property") - } - logger.Warningf("Allowing TLS connection to server %q with ALPN disabled. TLS connections to servers with ALPN disabled will be disallowed in future grpc-go releases", cfg.ServerName) - } - tlsInfo := TLSInfo{ - State: conn.ConnectionState(), - CommonAuthInfo: CommonAuthInfo{ - SecurityLevel: PrivacyAndIntegrity, - }, - } - id := credinternal.SPIFFEIDFromState(conn.ConnectionState()) - if id != nil { - tlsInfo.SPIFFEID = id - } - return credinternal.WrapSyscallConn(rawConn, conn), tlsInfo, nil -} - -func (c *tlsCreds) ServerHandshake(rawConn net.Conn) (net.Conn, AuthInfo, error) { - conn := tls.Server(rawConn, c.config) - if err := conn.Handshake(); err != nil { - conn.Close() - return nil, nil, err - } - cs := conn.ConnectionState() - // The negotiated application protocol can be empty only if the client doesn't - // support ALPN. In such cases, we can close the connection since ALPN is required - // for using HTTP/2 over TLS. - if cs.NegotiatedProtocol == "" { - if envconfig.EnforceALPNEnabled { - conn.Close() - return nil, nil, fmt.Errorf("credentials: cannot check peer: missing selected ALPN property") - } else if logger.V(2) { - logger.Info("Allowing TLS connection from client with ALPN disabled. TLS connections with ALPN disabled will be disallowed in future grpc-go releases") - } - } - tlsInfo := TLSInfo{ - State: cs, - CommonAuthInfo: CommonAuthInfo{ - SecurityLevel: PrivacyAndIntegrity, - }, - } - id := credinternal.SPIFFEIDFromState(conn.ConnectionState()) - if id != nil { - tlsInfo.SPIFFEID = id - } - return credinternal.WrapSyscallConn(rawConn, conn), tlsInfo, nil -} - -func (c *tlsCreds) Clone() TransportCredentials { - return NewTLS(c.config) -} - -func (c *tlsCreds) OverrideServerName(serverNameOverride string) error { - c.config.ServerName = serverNameOverride - return nil -} - -// The following cipher suites are forbidden for use with HTTP/2 by -// https://datatracker.ietf.org/doc/html/rfc7540#appendix-A -var tls12ForbiddenCipherSuites = map[uint16]struct{}{ - tls.TLS_RSA_WITH_AES_128_CBC_SHA: {}, - tls.TLS_RSA_WITH_AES_256_CBC_SHA: {}, - tls.TLS_RSA_WITH_AES_128_GCM_SHA256: {}, - tls.TLS_RSA_WITH_AES_256_GCM_SHA384: {}, - tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: {}, - tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: {}, - tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: {}, - tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: {}, -} - -// NewTLS uses c to construct a TransportCredentials based on TLS. -func NewTLS(c *tls.Config) TransportCredentials { - config := applyDefaults(c) - if config.GetConfigForClient != nil { - oldFn := config.GetConfigForClient - config.GetConfigForClient = func(hello *tls.ClientHelloInfo) (*tls.Config, error) { - cfgForClient, err := oldFn(hello) - if err != nil || cfgForClient == nil { - return cfgForClient, err - } - return applyDefaults(cfgForClient), nil - } - } - return &tlsCreds{config: config} -} - -func applyDefaults(c *tls.Config) *tls.Config { - config := credinternal.CloneTLSConfig(c) - config.NextProtos = credinternal.AppendH2ToNextProtos(config.NextProtos) - // If the user did not configure a MinVersion and did not configure a - // MaxVersion < 1.2, use MinVersion=1.2, which is required by - // https://datatracker.ietf.org/doc/html/rfc7540#section-9.2 - if config.MinVersion == 0 && (config.MaxVersion == 0 || config.MaxVersion >= tls.VersionTLS12) { - config.MinVersion = tls.VersionTLS12 - } - // If the user did not configure CipherSuites, use all "secure" cipher - // suites reported by the TLS package, but remove some explicitly forbidden - // by https://datatracker.ietf.org/doc/html/rfc7540#appendix-A - if config.CipherSuites == nil { - for _, cs := range tls.CipherSuites() { - if _, ok := tls12ForbiddenCipherSuites[cs.ID]; !ok { - config.CipherSuites = append(config.CipherSuites, cs.ID) - } - } - } - return config -} - -// NewClientTLSFromCert constructs TLS credentials from the provided root -// certificate authority certificate(s) to validate server connections. If -// certificates to establish the identity of the client need to be included in -// the credentials (eg: for mTLS), use NewTLS instead, where a complete -// tls.Config can be specified. -// serverNameOverride is for testing only. If set to a non empty string, -// it will override the virtual host name of authority (e.g. :authority header -// field) in requests. -func NewClientTLSFromCert(cp *x509.CertPool, serverNameOverride string) TransportCredentials { - return NewTLS(&tls.Config{ServerName: serverNameOverride, RootCAs: cp}) -} - -// NewClientTLSFromFile constructs TLS credentials from the provided root -// certificate authority certificate file(s) to validate server connections. If -// certificates to establish the identity of the client need to be included in -// the credentials (eg: for mTLS), use NewTLS instead, where a complete -// tls.Config can be specified. -// serverNameOverride is for testing only. If set to a non empty string, -// it will override the virtual host name of authority (e.g. :authority header -// field) in requests. -func NewClientTLSFromFile(certFile, serverNameOverride string) (TransportCredentials, error) { - b, err := os.ReadFile(certFile) - if err != nil { - return nil, err - } - cp := x509.NewCertPool() - if !cp.AppendCertsFromPEM(b) { - return nil, fmt.Errorf("credentials: failed to append certificates") - } - return NewTLS(&tls.Config{ServerName: serverNameOverride, RootCAs: cp}), nil -} - -// NewServerTLSFromCert constructs TLS credentials from the input certificate for server. -func NewServerTLSFromCert(cert *tls.Certificate) TransportCredentials { - return NewTLS(&tls.Config{Certificates: []tls.Certificate{*cert}}) -} - -// NewServerTLSFromFile constructs TLS credentials from the input certificate file and key -// file for server. -func NewServerTLSFromFile(certFile, keyFile string) (TransportCredentials, error) { - cert, err := tls.LoadX509KeyPair(certFile, keyFile) - if err != nil { - return nil, err - } - return NewTLS(&tls.Config{Certificates: []tls.Certificate{cert}}), nil -} - -// TLSChannelzSecurityValue defines the struct that TLS protocol should return -// from GetSecurityValue(), containing security info like cipher and certificate used. -// -// # Experimental -// -// Notice: This type is EXPERIMENTAL and may be changed or removed in a -// later release. -type TLSChannelzSecurityValue struct { - ChannelzSecurityValue - StandardName string - LocalCertificate []byte - RemoteCertificate []byte -} |