
How gRPC's NewClientTLSFromCert generates TLS credentials from a public key?

The google.golang.org/grpc/credentials library has the following method.

// NewClientTLSFromCert constructs TLS credentials from the provided root
// certificate authority certificate(s) to validate server connections. If
// certificates to establish the identity of the client need to be included in
// the credentials (eg: for mTLS), use NewTLS instead, where a complete
// tls.Config can be specified.
// serverNameOverride is for testing only. If set to a non empty string,
// it will override the virtual host name of authority (e.g. :authority header
// field) in requests.
func NewClientTLSFromCert(cp *x509.CertPool, serverNameOverride string) TransportCredentials {
    return NewTLS(&tls.Config{ServerName: serverNameOverride, RootCAs: cp})
}

I am confused about how it can generate TLS credentials from a public key (the certificate here).

How will this work? If I generate credentials from a public cert, why would it be accepted on the server side, whose TLS cert has been signed with the private key of the TLS CA?

What exactly happens here, and how is the connection secured?

Transport "credentials" in gRPC are fully responsible for the handshake with the client/server. That means they include configuration other than just "credentials" like private keys and other secrets. For TLS here, it includes the root trust certificates to use when verifying the server's certificate. You can think of it as just "TLS configuration."
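To make the point concrete, here is an added example (not code from the question, the answer, or the gRPC project) that uses only Go's standard crypto/x509 package to build a constructed CA and a server certificate signed with the CA's private key, then runs the same root-trust check that crypto/tls performs with tls.Config.RootCAs. The host name "grpc.example.test" and the CA name are placeholders; note that the client side only ever holds the CA's public certificate, which is enough to check the signature the CA's private key placed on the server certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert signs tmpl with the issuer's private key (self-signed when tmpl == parent).
func mkCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain constructs a throwaway CA plus a server certificate signed by the CA's
// private key (constructed test data; "grpc.example.test" is a placeholder name).
// The CA private key never leaves this function: the client only ever sees caCert.
func BuildChain() (caCert, serverCert *x509.Certificate, err error) {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if caCert, err = mkCert(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{"grpc.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	serverCert, err = mkCert(srvTmpl, caCert, &srvKey.PublicKey, caKey) // CA key signs the leaf
	return caCert, serverCert, err
}

// VerifyAgainstCA is the check crypto/tls performs with tls.Config.RootCAs during the
// handshake: the pool holds public root certs only, the presented chain must end at
// one of them, and the leaf must match the host name the client dialed.
func VerifyAgainstCA(server, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool() // this pool is the cp argument to NewClientTLSFromCert
	roots.AddCert(ca)
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
```

A server certificate issued by a different CA, or presented for a host name other than the one dialed, fails this check, which is exactly what the RootCAs pool and ServerName in the tls.Config enforce.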
