[英]How gRPC's NewClientTLSFromCert generates TLS credentials from public key?
The google.golang.org/grpc/credentials
library has the following method. google.golang.org/grpc/credentials
库有以下方法。
// NewClientTLSFromCert constructs TLS credentials from the provided root
// certificate authority certificate(s) to validate server connections. If
// certificates to establish the identity of the client need to be included in
// the credentials (eg: for mTLS), use NewTLS instead, where a complete
// tls.Config can be specified.
// serverNameOverride is for testing only. If set to a non empty string,
// it will override the virtual host name of authority (e.g. :authority header
// field) in requests.
func NewClientTLSFromCert(cp *x509.CertPool, serverNameOverride string) TransportCredentials {
return NewTLS(&tls.Config{ServerName: serverNameOverride, RootCAs: cp})
}
I am confused about how it can generate TLS credentials from a public key (the certificate here).我对它如何从公钥(这里的证书)生成 TLS 凭证感到困惑。
How will this work?这将如何运作? If I generate credentials from a public cert, why would it be accepted on the server side whose TLS cert has been signed with the private key of the TLS CA?
如果我从公共证书生成凭据,为什么它会在其 TLS 证书已使用 TLS CA 的私钥签名的服务器端被接受?
What exactly happens here and how is the connection secured over here?这里到底发生了什么,这里的连接是如何保护的?
Transport "credentials" in gRPC are fully responsible for the handshake with the client/server. gRPC 中的传输“凭证”完全负责与客户端/服务器的握手。 That means they include configuration other than just "credentials" like private keys and other secrets.
这意味着它们包括配置,而不仅仅是像私钥和其他秘密这样的“凭证”。 For TLS here, it includes the root trust certificates to use when verifying the server's certificate.
对于此处的 TLS,它包括在验证服务器证书时要使用的根信任证书。 You can think of it as just "TLS configuration."
您可以将其视为“TLS 配置”。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.