vendor/github.com/docker/swarmkit/ca/transport.go - third_party/github.com/docker/docker - Git at Google

 package ca

 import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"net"
 	"strings"
 	"sync"

 	"github.com/pkg/errors"
 	"google.golang.org/grpc/credentials"
 )

 var (
 	// alpnProtoStr is the specified application level protocols for gRPC.
 	alpnProtoStr = []string{"h2"}
 )

 // MutableTLSCreds is the credentials required for authenticating a connection using TLS.
 type MutableTLSCreds struct {
 	// Mutex for the tls config
 	sync.Mutex
 	// TLS configuration
 	config *tls.Config
 	// TLS Credentials
 	tlsCreds credentials.TransportCredentials
 	// store the subject for easy access
 	subject pkix.Name
 }

 // Info implements the credentials.TransportCredentials interface
 func (c *MutableTLSCreds) Info() credentials.ProtocolInfo {
 	return credentials.ProtocolInfo{
 		SecurityProtocol: "tls",
 		SecurityVersion:  "1.2",
 	}
 }

 // Clone returns new MutableTLSCreds created from underlying *tls.Config.
 // It panics if validation of underlying config fails.
 func (c *MutableTLSCreds) Clone() credentials.TransportCredentials {
 	c.Lock()
 	newCfg, err := NewMutableTLS(c.config.Clone())
 	if err != nil {
 		panic("validation error on Clone")
 	}
 	c.Unlock()
 	return newCfg
 }

 // OverrideServerName overrides *tls.Config.ServerName.
 func (c *MutableTLSCreds) OverrideServerName(name string) error {
 	c.Lock()
 	c.config.ServerName = name
 	c.Unlock()
 	return nil
 }

 // GetRequestMetadata implements the credentials.TransportCredentials interface
 func (c *MutableTLSCreds) GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error) {
 	return nil, nil
 }

 // RequireTransportSecurity implements the credentials.TransportCredentials interface
 func (c *MutableTLSCreds) RequireTransportSecurity() bool {
 	return true
 }

 // ClientHandshake implements the credentials.TransportCredentials interface
 func (c *MutableTLSCreds) ClientHandshake(ctx context.Context, addr string, rawConn net.Conn) (net.Conn, credentials.AuthInfo, error) {
 	// borrow all the code from the original TLS credentials
 	c.Lock()
 	if c.config.ServerName == "" {
 		colonPos := strings.LastIndex(addr, ":")
 		if colonPos == -1 {
 			colonPos = len(addr)
 		}
 		c.config.ServerName = addr[:colonPos]
 	}

 	conn := tls.Client(rawConn, c.config)
 	// Need to allow conn.Handshake to have access to config,
 	// would create a deadlock otherwise
 	c.Unlock()
 	var err error
 	errChannel := make(chan error, 1)
 	go func() {
 		errChannel <- conn.Handshake()
 	}()
 	select {
 	case err = <-errChannel:
 	case <-ctx.Done():
 		err = ctx.Err()
 	}
 	if err != nil {
 		rawConn.Close()
 		return nil, nil, err
 	}
 	return conn, nil, nil
 }

 // ServerHandshake implements the credentials.TransportCredentials interface
 func (c *MutableTLSCreds) ServerHandshake(rawConn net.Conn) (net.Conn, credentials.AuthInfo, error) {
 	c.Lock()
 	conn := tls.Server(rawConn, c.config)
 	c.Unlock()
 	if err := conn.Handshake(); err != nil {
 		rawConn.Close()
 		return nil, nil, err
 	}

 	return conn, credentials.TLSInfo{State: conn.ConnectionState()}, nil
 }

 // loadNewTLSConfig replaces the currently loaded TLS config with a new one
 func (c *MutableTLSCreds) loadNewTLSConfig(newConfig *tls.Config) error {
 	newSubject, err := GetAndValidateCertificateSubject(newConfig.Certificates)
 	if err != nil {
 		return err
 	}

 	c.Lock()
 	defer c.Unlock()
 	c.subject = newSubject
 	c.config = newConfig

 	return nil
 }

 // Config returns the current underlying TLS config.
 func (c *MutableTLSCreds) Config() *tls.Config {
 	c.Lock()
 	defer c.Unlock()

 	return c.config
 }

 // Role returns the OU for the certificate encapsulated in this TransportCredentials
 func (c *MutableTLSCreds) Role() string {
 	c.Lock()
 	defer c.Unlock()

 	return c.subject.OrganizationalUnit[0]
 }

 // Organization returns the O for the certificate encapsulated in this TransportCredentials
 func (c *MutableTLSCreds) Organization() string {
 	c.Lock()
 	defer c.Unlock()

 	return c.subject.Organization[0]
 }

 // NodeID returns the CN for the certificate encapsulated in this TransportCredentials
 func (c *MutableTLSCreds) NodeID() string {
 	c.Lock()
 	defer c.Unlock()

 	return c.subject.CommonName
 }

 // NewMutableTLS uses c to construct a mutable TransportCredentials based on TLS.
 func NewMutableTLS(c *tls.Config) (*MutableTLSCreds, error) {
 	originalTC := credentials.NewTLS(c)

 	if len(c.Certificates) < 1 {
 		return nil, errors.New("invalid configuration: needs at least one certificate")
 	}

 	subject, err := GetAndValidateCertificateSubject(c.Certificates)
 	if err != nil {
 		return nil, err
 	}

 	tc := &MutableTLSCreds{config: c, tlsCreds: originalTC, subject: subject}
 	tc.config.NextProtos = alpnProtoStr

 	return tc, nil
 }

 // GetAndValidateCertificateSubject is a helper method to retrieve and validate the subject
 // from the x509 certificate underlying a tls.Certificate
 func GetAndValidateCertificateSubject(certs []tls.Certificate) (pkix.Name, error) {
 	for i := range certs {
 		cert := &certs[i]
 		x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
 		if err != nil {
 			continue
 		}
 		if len(x509Cert.Subject.OrganizationalUnit) < 1 {
 			return pkix.Name{}, errors.New("no OU found in certificate subject")
 		}

 		if len(x509Cert.Subject.Organization) < 1 {
 			return pkix.Name{}, errors.New("no organization found in certificate subject")
 		}
 		if x509Cert.Subject.CommonName == "" {
 			return pkix.Name{}, errors.New("no valid subject names found for TLS configuration")
 		}

 		return x509Cert.Subject, nil
 	}

 	return pkix.Name{}, errors.New("no valid certificates found for TLS configuration")
 }
	package ca

	import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"net"
	"strings"
	"sync"

	"github.com/pkg/errors"
	"google.golang.org/grpc/credentials"
	)

	var (
	// alpnProtoStr is the specified application level protocols for gRPC.
	alpnProtoStr = []string{"h2"}
	)

	// MutableTLSCreds is the credentials required for authenticating a connection using TLS.
	type MutableTLSCreds struct {
	// Mutex for the tls config
	sync.Mutex
	// TLS configuration
	config *tls.Config
	// TLS Credentials
	tlsCreds credentials.TransportCredentials
	// store the subject for easy access
	subject pkix.Name
	}

	// Info implements the credentials.TransportCredentials interface
	func (c *MutableTLSCreds) Info() credentials.ProtocolInfo {
	return credentials.ProtocolInfo{
	SecurityProtocol: "tls",
	SecurityVersion: "1.2",
	}
	}

	// Clone returns new MutableTLSCreds created from underlying *tls.Config.
	// It panics if validation of underlying config fails.
	func (c *MutableTLSCreds) Clone() credentials.TransportCredentials {
	c.Lock()
	newCfg, err := NewMutableTLS(c.config.Clone())
	if err != nil {
	panic("validation error on Clone")
	}
	c.Unlock()
	return newCfg
	}

	// OverrideServerName overrides *tls.Config.ServerName.
	func (c *MutableTLSCreds) OverrideServerName(name string) error {
	c.Lock()
	c.config.ServerName = name
	c.Unlock()
	return nil
	}

	// GetRequestMetadata implements the credentials.TransportCredentials interface
	func (c *MutableTLSCreds) GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error) {
	return nil, nil
	}

	// RequireTransportSecurity implements the credentials.TransportCredentials interface
	func (c *MutableTLSCreds) RequireTransportSecurity() bool {
	return true
	}

	// ClientHandshake implements the credentials.TransportCredentials interface
	func (c *MutableTLSCreds) ClientHandshake(ctx context.Context, addr string, rawConn net.Conn) (net.Conn, credentials.AuthInfo, error) {
	// borrow all the code from the original TLS credentials
	c.Lock()
	if c.config.ServerName == "" {
	colonPos := strings.LastIndex(addr, ":")
	if colonPos == -1 {
	colonPos = len(addr)
	}
	c.config.ServerName = addr[:colonPos]
	}

	conn := tls.Client(rawConn, c.config)
	// Need to allow conn.Handshake to have access to config,
	// would create a deadlock otherwise
	c.Unlock()
	var err error
	errChannel := make(chan error, 1)
	go func() {
	errChannel <- conn.Handshake()
	}()
	select {
	case err = <-errChannel:
	case <-ctx.Done():
	err = ctx.Err()
	}
	if err != nil {
	rawConn.Close()
	return nil, nil, err
	}
	return conn, nil, nil
	}

	// ServerHandshake implements the credentials.TransportCredentials interface
	func (c *MutableTLSCreds) ServerHandshake(rawConn net.Conn) (net.Conn, credentials.AuthInfo, error) {
	c.Lock()
	conn := tls.Server(rawConn, c.config)
	c.Unlock()
	if err := conn.Handshake(); err != nil {
	rawConn.Close()
	return nil, nil, err
	}

	return conn, credentials.TLSInfo{State: conn.ConnectionState()}, nil
	}

	// loadNewTLSConfig replaces the currently loaded TLS config with a new one
	func (c MutableTLSCreds) loadNewTLSConfig(newConfig tls.Config) error {
	newSubject, err := GetAndValidateCertificateSubject(newConfig.Certificates)
	if err != nil {
	return err
	}

	c.Lock()
	defer c.Unlock()
	c.subject = newSubject
	c.config = newConfig

	return nil
	}

	// Config returns the current underlying TLS config.
	func (c MutableTLSCreds) Config() tls.Config {
	c.Lock()
	defer c.Unlock()

	return c.config
	}

	// Role returns the OU for the certificate encapsulated in this TransportCredentials
	func (c *MutableTLSCreds) Role() string {
	c.Lock()
	defer c.Unlock()

	return c.subject.OrganizationalUnit[0]
	}

	// Organization returns the O for the certificate encapsulated in this TransportCredentials
	func (c *MutableTLSCreds) Organization() string {
	c.Lock()
	defer c.Unlock()

	return c.subject.Organization[0]
	}

	// NodeID returns the CN for the certificate encapsulated in this TransportCredentials
	func (c *MutableTLSCreds) NodeID() string {
	c.Lock()
	defer c.Unlock()

	return c.subject.CommonName
	}

	// NewMutableTLS uses c to construct a mutable TransportCredentials based on TLS.
	func NewMutableTLS(c tls.Config) (MutableTLSCreds, error) {
	originalTC := credentials.NewTLS(c)

	if len(c.Certificates) < 1 {
	return nil, errors.New("invalid configuration: needs at least one certificate")
	}

	subject, err := GetAndValidateCertificateSubject(c.Certificates)
	if err != nil {
	return nil, err
	}

	tc := &MutableTLSCreds{config: c, tlsCreds: originalTC, subject: subject}
	tc.config.NextProtos = alpnProtoStr

	return tc, nil
	}

	// GetAndValidateCertificateSubject is a helper method to retrieve and validate the subject
	// from the x509 certificate underlying a tls.Certificate
	func GetAndValidateCertificateSubject(certs []tls.Certificate) (pkix.Name, error) {
	for i := range certs {
	cert := &certs[i]
	x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
	if err != nil {
	continue
	}
	if len(x509Cert.Subject.OrganizationalUnit) < 1 {
	return pkix.Name{}, errors.New("no OU found in certificate subject")
	}

	if len(x509Cert.Subject.Organization) < 1 {
	return pkix.Name{}, errors.New("no organization found in certificate subject")
	}
	if x509Cert.Subject.CommonName == "" {
	return pkix.Name{}, errors.New("no valid subject names found for TLS configuration")
	}

	return x509Cert.Subject, nil
	}

	return pkix.Name{}, errors.New("no valid certificates found for TLS configuration")
	}