example: add mutual TLS example #5194
Conversation
this was done by copying existing certs from testdata/x509/ to
examples/data/x509 with the following shell commands:
src=testdata/x509
tgt=examples/data/x509
cp ${src}/client_ca_cert.pem ${tgt}/client_ca_cert.pem
cp ${src}/client1_cert.pem ${tgt}/client_cert.pem
cp ${src}/client1_key.pem ${tgt}/client_key.pem
sding3
force-pushed
the
add-mtls-example
branch
from
3e0608d to
b87ad15
Compare
examples/data/data.go
Outdated
| for _, p := range certPaths { | ||
| caBytes, err := ioutil.ReadFile(p) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("failed to read cert %s: %v", p, err) |
examples/data/data.go
Outdated
| } | ||
| ok := certPool.AppendCertsFromPEM(caBytes) | ||
| if !ok { | ||
| return nil, fmt.Errorf("failed to parse %s", p) |
examples/data/data.go
Outdated
| ok := certPool.AppendCertsFromPEM(caBytes) | ||
| if !ok { |
There was a problem hiding this comment.
Could you please combine these two lines.
| @@ -0,0 +1,31 @@ | |||
| # Mutual TLS | |||
|
|
|||
| In mutual TLS, the client and the server authenticates each other. gRPC allows | |||
There was a problem hiding this comment.
Nit: s/authenticates/authenticate/
| * | ||
| */ | ||
|
|
||
| // The client demonstrates how to supply an OAuth2 token for every RPC. |
There was a problem hiding this comment.
Comment needs updating.
Something like
// Binary client is an example client which connects to the server using mTLS.
|
|
||
| func main() { | ||
| flag.Parse() | ||
| fmt.Printf("server starting on port %d...\n", *port) |
There was a problem hiding this comment.
Prefer log.Infof instead of fmt.Printf.
| flag.Parse() | ||
| fmt.Printf("server starting on port %d...\n", *port) | ||
|
|
||
| serverCert, err := tls.LoadX509KeyPair(data.Path("x509/server_cert.pem"), data.Path("x509/server_key.pem")) |
| log.Fatalf("failed to load key pair: %s", err) | ||
| } | ||
|
|
||
| trustedClientCAs := x509.NewCertPool() |
| } | ||
|
|
||
| trustedClientCAs := x509.NewCertPool() | ||
| trustedClientCAs, err = data.NewCertPool(data.Path("x509/client_ca_cert.pem")) |
There was a problem hiding this comment.
s/trustedClientCAs/{ca|roots}/
| type ecServer struct { | ||
| pb.UnimplementedEchoServer | ||
| } | ||
|
|
||
| func (s *ecServer) UnaryEcho(ctx context.Context, req *pb.EchoRequest) (*pb.EchoResponse, error) { | ||
| return &pb.EchoResponse{Message: req.Message}, nil | ||
| } |
There was a problem hiding this comment.
Prefer moving this to be above main.
|
@sding3 : Thank you for the PR. Do you happen to know what signing algorithm is used in the certificates? Starting Go 1.18, support for SHA1 signatures is being dropped. We recently changed all our certificates to use SHA256 signatures. |
|
#5002 says following regarding the location of the example: And I think that sounds better than |
Yeah, I can move them to |
Sorry, I wanted to |
Yeah, they are signed with |
|
I've made updates and ready for you to take another look. |
| @@ -0,0 +1,74 @@ | |||
| /* | |||
| * | |||
| * Copyright 2018 gRPC authors. | |||
|
@menghanl : Do you mind taking a look (for the second review). |
examples/data/data.go
Outdated
| // NewCertPool returns a x509.CertPool given the absolute paths of a list of | ||
| // PEM certificates, or an error if any failure is encountered when loading | ||
| // the said certificates. | ||
| func NewCertPool(certPaths ...string) (*x509.CertPool, error) { |
There was a problem hiding this comment.
I don't think this function belongs here. The data package is only to solve problems caused by relative paths.
I think it would be OK to do this inline in both client and server.
It would be easier to read, and it isn't a long function anyway.
There was a problem hiding this comment.
Ok, inlined in d66ce1d
sding3
force-pushed
the
add-mtls-example
branch
from
c8a774b to
d66ce1d
Compare
This update adds an example for mutual TLS.
Fixes #5002.
RELEASE NOTES: none