package
0.0.0-20240917120716-8843776e9f3a
Repository: https://github.com/cossacklabs/acra.git
Documentation: pkg.go.dev

# Functions

BuildConnectionString builds a connection string of the form <protocol>://<host>:<port>/<path>.
CastListenerToDeadline casts any net.Listener to DeadlineListener or returns an ErrUnsupportedListener error.
ClientNameConstructorFunc returns a CLIParamNameConstructorFunc that places "_client_" in front of the parameter name.
DatabaseNameConstructorFunc returns a CLIParamNameConstructorFunc that places "_database_" in front of the parameter name.
Dial dials connectionString of the form protocol://path, where protocol is any protocol supported by net.Dial (tcp|unix).
GetClientIDFromAuthInfo extracts the clientID from credentials.AuthInfo if it was saved there by the SecureSession or TLS wrappers. In the TLS case, tlsExtractor is used to extract the clientID from the TLS metadata.
GetClientIDFromConnection extracts the clientID from conn if it is a safeCloseConnection; otherwise it returns nil, false.
GetClientIDFromHTTPContext returns clientID if it was set into the context.
GetClientIDFromTLSConn extracts clientID from tls.Conn metadata using extractor.
GetConnectionFromHTTPContext returns the net.Conn stored in the context, or nil if not found.
GetDriverConnectionStringHost parses a MySQL/PostgreSQL driver-specific connection string and returns the host to use as SNI. PostgreSQL: postgresql://{user}:{password}@{host}:{port}/{dbname}; MySQL: {user}:{password}@tcp({host}:{port})/{dbname}.
IsClientBadRecordMacError returns true if the error is a bad record MAC error on the client side.
IsClientUnknownCAError returns true if the client's certificate is signed by an unknown CA.
IsDatabaseUnknownCAError returns true if the error is caused by the database's certificate being signed by an unknown CA.
IsMissingClientCertificate returns true if the error is caused by a missing client certificate.
IsSNIError returns true if the error is an x509 SAN/SNI mismatch.
Listen returns listener for connection string.
ListenerFileDescriptor returns the file descriptor if the listener is backed by a file.
NewCertVerifier creates a CertVerifier based on passed OCSP and CRL command line flags.
NewCertVerifierAll creates new CertVerifierAll, verifier that tries all internally contained verifiers.
NewCertVerifierFromConfigs creates a CertVerifier based on passed OCSP and CRL configs.
NewConnectionManager returns new ConnectionManager.
NewConnectionMetadataBuilder returns a ConnectionMetadataBuilder that builds a ConnectionMetadata implementation.
NewCRLConfig creates a new CRLConfig.
NewCRLConfigByName returns an initialized CRLConfig using the flags registered with RegisterCertVerifierArgsForService.
NewDefaultCRLClient creates a new DefaultCRLClient.
NewDefaultHexIdentifierConverter returns a new HexIdentifierConverter that uses sha512 as the hash function to fit the output into an acceptable size.
NewDefaultOCSPClient creates a new DefaultOCSPClient.
NewDefaultTLSClientIDExtractor creates a new TLSClientIDExtractor implementation that uses idExtractor and idConvertor to extract the clientID.
NewHTTPServerConnectionWrapper returns new wrapped Listener.
NewIdentifierExtractorByType returns a new CertificateIdentifierExtractor for the given type.
NewLRUCRLCache creates a new LRUCRLCache able to store at most maxEntries values.
NewMetricConnectionCallback returns an initialized MetricConnectionCallback with the proper connectionType.
NewOCSPConfig creates a new OCSPConfig.
NewOCSPConfigByName returns an initialized OCSPConfig using the flags registered with RegisterCertVerifierArgsForService.
NewTLSAuthenticationConnectionWrapper returns a new TLSConnectionWrapper that uses separate TLS configs for each side.
NewTLSAuthenticationHTTP2ConnectionWrapper returns a new TLSConnectionWrapper that uses separate TLS configs for each side.
NewTLSClientIDExtractor creates a new TLSClientIDExtractor implementation that uses idExtractor and idConvertor to extract the clientID.
NewTLSConfig creates an x509 TLS clientConfig from the provided params and tries to load the system CA certificates.
NewTLSConfigByName returns the config related to the flags registered via RegisterTLSArgsForService.
NewTLSConfigFromBaseArgs returns a new TLS clientConfig with the params passed via CLI flags.
NewTLSConnectionWrapper returns a new TLSConnectionWrapper.
ProxyWithTracing reads data from connFrom, writes it to connTo and traces with OpenCensus.
RegisterCertVerifierArgs registers the CLI args that allow obtaining a CertVerifier via NewCertVerifier().
RegisterCertVerifierArgsForService registers the CLI args that allow obtaining a CertVerifier via NewCertVerifier() for the specified service.
RegisterTLSArgsForService registers the CLI args tls_ca|tls_key|tls_cert|tls_auth, plus the certificate verifier flags, that allow obtaining a tls.Config via the NewTLSConfigByName function.
RegisterTLSBaseArgs registers the CLI args tls_ca|tls_key|tls_cert|tls_auth that allow obtaining a tls.Config via the NewTLSConfigFromBaseArgs function.
SetClientIDToHTTPContext returns a new context with the clientID.
SetConnectionToHTTPContext stores the connection in the context and may be used as the ConnContext callback of http.Server.
SetTLSBaseArgs sets the global TLS flags from args.ServiceExtractor.
SNIOrHostname returns sni if it is non-empty, otherwise the hostname.
SplitConnectionString splits a connection string into host and port.
UnwrapSafeCloseConnection returns the wrapped Conn implementation, or the conn passed as the parameter as is.
UnwrapSafeCloseListener returns the wrapped listener, or the listener passed as the parameter as is.
ValidateClientsAuthenticationCertificate checks that the peer's certificate is acceptable for authentication: KeyUsage must include the DigitalSignature bit or ExtKeyUsage must list ClientAuth, and CA certificates are denied for peer authentication.
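The connection-string helpers above (BuildConnectionString, SplitConnectionString, GetDriverConnectionStringHost, SNIOrHostname) are easy to get subtly wrong for IPv6 hosts and for the two driver DSN shapes. The following is an added, stand-alone Go example written for this page; it is not code from the acra repository and does not call its API. Every function name in it (buildConnectionString, splitConnectionString, driverConnectionStringHost, sniOrHostname) is this example's own, and the sample connection strings are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strconv"
	"strings"
)

var (
	errNoHost         = errors.New("connection string has no host")
	errUnsupportedDSN = errors.New("unsupported driver connection string")
)

// buildConnectionString assembles <protocol>://<host>:<port>/<path>; IPv6 hosts are bracketed.
func buildConnectionString(protocol, host string, port int, path string) string {
	hostPort := net.JoinHostPort(host, strconv.Itoa(port))
	return fmt.Sprintf("%s://%s/%s", protocol, hostPort, strings.TrimPrefix(path, "/"))
}

// splitConnectionString returns host and port from <protocol>://<host>:<port>[/<path>].
// A unix:// path has no host:port and is reported as an error here.
func splitConnectionString(connStr string) (host, port string, err error) {
	u, err := url.Parse(connStr)
	if err != nil {
		return "", "", err
	}
	if u.Host == "" {
		return "", "", errNoHost
	}
	return net.SplitHostPort(u.Host)
}

// mysqlTCPAddress matches the tcp(host:port) segment of a go-sql-driver/mysql style DSN.
var mysqlTCPAddress = regexp.MustCompile(`@tcp\(([^)]+)\)/`)

// driverConnectionStringHost returns the host to use as TLS SNI from a PostgreSQL URL
// (postgresql://user:pass@host:port/db) or a MySQL DSN (user:pass@tcp(host:port)/db).
func driverConnectionStringHost(dsn string) (string, error) {
	if strings.HasPrefix(dsn, "postgresql://") || strings.HasPrefix(dsn, "postgres://") {
		u, err := url.Parse(dsn)
		if err != nil {
			return "", err
		}
		if u.Hostname() == "" {
			return "", errNoHost
		}
		return u.Hostname(), nil // Hostname() drops the port and IPv6 brackets
	}
	if m := mysqlTCPAddress.FindStringSubmatch(dsn); m != nil {
		host, _, err := net.SplitHostPort(m[1])
		if err != nil {
			// tcp(host) without an explicit port; strip IPv6 brackets if present
			return strings.Trim(m[1], "[]"), nil
		}
		return host, nil
	}
	return "", errUnsupportedDSN
}

// sniOrHostname prefers an explicitly configured SNI value and falls back to the hostname.
func sniOrHostname(sni, hostname string) string {
	if sni != "" {
		return sni
	}
	return hostname
}

func main() {
	listen := buildConnectionString("tcp", "0.0.0.0", 9393, "")
	host, port, err := splitConnectionString(listen)
	fmt.Println(listen, host, port, err)
	// constructed sample DSNs, one per supported driver format
	for _, dsn := range []string{
		"postgresql://acra:s3cret@db.internal:5432/acra?sslmode=verify-full",
		"acra:s3cret@tcp(db.internal:3306)/acra?tls=custom",
	} {
		h, err := driverConnectionStringHost(dsn)
		fmt.Println(sniOrHostname("", h), err)
	}
}
```

The value returned for SNI is the bare name or address, with the port removed and IPv6 brackets stripped, which is what tls.Config.ServerName expects and what the server certificate's SAN entries are compared against.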

# Constants

set of suggestions to TLS/x509 related errors.
CrlCacheSizeMax is max value for `--tls_crl_cache_size`.
CrlCacheTimeMax is max value for `--tls_crl_cache_time`.
CrlDefaultCacheSize is default value for `--tls_crl_cache_size`.
CrlDisableCacheSize will disable caching if set in `--tls_crl_cache_size`.
CrlDisableCacheTime will disable caching if set in `--tls_crl_cache_time`.
Ignore CRL distribution points listed in certificate.
If certificate contains CRL distribution point(s), use them, _before_ trying configured URL.
If certificate contains CRL distribution point(s), use them, and don't use configured URL in this case.
If certificate contains CRL distribution point(s), use them, _after_ trying configured URL.
CrlHTTPClientDefaultTimeout is default timeout for HTTP client used to fetch CRLs.
Set of constants with.
DefaultNetworkTimeout default timeout for network related communication.
Custom connection schemes, used in AcraTranslator.
Ignore OCSP servers listed in certificates.
Query servers listed in certificate before the one from config.
Query servers listed in certificate and don't perform further requests if one responds with "ok, valid".
Use OCSP servers listed in certificate (if any), try them after the one configured from CLI/config.
OcspHTTPClientDefaultTimeout is default timeout for HTTP client used to perform OCSP queries.
Allow certificates not known by the OCSP server(s).
Deny certificates not known by the OCSP server(s).
Effect of denyUnknown, plus all available OCSP servers (the one from config and those listed in the certificate) must respond; otherwise the certificate is denied.
SerialEncodeBase is base in which certificate serial is encoded, for being a key in map of revoked certificates.
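The `--tls_crl_from_cert` and `--tls_ocsp_required` policies described by the constants above decide which revocation sources are consulted, in what order, and how partial answers are treated. The following is an added Go example written for this page, not acra's implementation: the constant and function names (crlURLsToTry, ocspDecision and the mode values) are this example's own, the inputs are constructed, and the rule that a certificate is denied when no responder answered at all, in every mode, is this example's fail-closed assumption rather than something the package documents.

```go
package main

import (
	"errors"
	"fmt"
)

// Policies for --tls_crl_from_cert; constant names are this example's own.
type crlFromCertMode int

const (
	crlFromCertIgnore crlFromCertMode = iota // ignore distribution points in the certificate
	crlFromCertPrefer                        // distribution points first, then the configured URL
	crlFromCertUse                           // distribution points only; configured URL only when there are none
	crlFromCertAfter                         // configured URL first, then distribution points
)

// crlURLsToTry returns the ordered, de-duplicated list of CRL URLs to fetch for one certificate.
func crlURLsToTry(mode crlFromCertMode, configuredURL string, distributionPoints []string) []string {
	var ordered []string
	switch mode {
	case crlFromCertIgnore:
		ordered = []string{configuredURL}
	case crlFromCertPrefer:
		ordered = append(append(ordered, distributionPoints...), configuredURL)
	case crlFromCertUse:
		ordered = distributionPoints
		if len(ordered) == 0 {
			ordered = []string{configuredURL}
		}
	case crlFromCertAfter:
		ordered = append([]string{configuredURL}, distributionPoints...)
	}
	seen := make(map[string]bool, len(ordered))
	result := make([]string, 0, len(ordered))
	for _, u := range ordered {
		if u != "" && !seen[u] {
			seen[u] = true
			result = append(result, u)
		}
	}
	return result
}

// ocspStatus is what one OCSP responder said, or that it did not answer usably.
type ocspStatus int

const (
	ocspGood ocspStatus = iota
	ocspRevoked
	ocspUnknown    // responder does not know the certificate
	ocspNoResponse // responder unreachable, timed out or returned garbage
)

// ocspRequired mirrors the three --tls_ocsp_required policies described above.
type ocspRequired int

const (
	ocspAllowUnknown ocspRequired = iota // accept certificates unknown to the responders
	ocspDenyUnknown                      // deny certificates unknown to any responder
	ocspRequireAll                       // deny unknown, and every responder must answer
)

var (
	errCertRevoked       = errors.New("certificate is revoked")
	errCertUnknownToOCSP = errors.New("certificate is unknown to an OCSP responder")
	errOCSPIncomplete    = errors.New("not every OCSP responder answered")
	errNoOCSPAnswer      = errors.New("no OCSP responder answered")
)

// ocspDecision folds per-responder results into accept (nil) or deny (error). A revocation
// anywhere always denies. Denying when nobody answered, whatever the mode, is this example's
// assumption: an unreachable responder has validated nothing.
func ocspDecision(required ocspRequired, results []ocspStatus) error {
	answered := 0
	for _, r := range results {
		switch r {
		case ocspRevoked:
			return errCertRevoked
		case ocspGood:
			answered++
		case ocspUnknown:
			if required != ocspAllowUnknown {
				return errCertUnknownToOCSP
			}
			answered++
		case ocspNoResponse:
			if required == ocspRequireAll {
				return errOCSPIncomplete
			}
		}
	}
	if answered == 0 {
		return errNoOCSPAnswer
	}
	return nil
}

func main() {
	// constructed URLs: one configured centrally, one taken from the certificate
	fmt.Println(crlURLsToTry(crlFromCertPrefer, "http://crl.internal/acra.crl", []string{"http://crl.example/ca.crl"}))
	fmt.Println(ocspDecision(ocspRequireAll, []ocspStatus{ocspGood, ocspNoResponse}))
}
```

The two functions show why the "deny unknown" and "require all" variants matter: with "allow unknown" a responder that simply does not know the certificate cannot block it, so a CA that forgot to publish a certificate to its responder is indistinguishable from a good one, while "require all" turns any single outage into a denial of service, which is the price of never accepting a partially checked certificate.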

# Variables

CrlFromCertValuesList contains all possible values for flag `--tls_crl_from_cert`.
Set of errors related to peer certificate validation.
Errors returned by CRL verifier.
ErrCantExtractClientID is used when the ClientID cannot be extracted from the gRPC connection handshake.
Errors common for OCSP and CRL verifiers.
ErrEmptyIdentifier is used when an empty (zero-length) identifier is passed.
ErrEmptyTLSConfig is used if no TLS clientConfig is found.
ErrIncorrectGRPCConnectionAuthInfo is used if the gRPC connection AuthInfo has an unsupported type.
Errors returned by OCSP verifier.
ErrInvalidIdentifierExtractorType is returned when an invalid identifier extractor type is used.
ErrInvalidTLSConfiguration used for invalid configurations for TLS connections.
ErrListenerNotSet used if net.Listener wasn't set to HTTPServerConnectionWrapper.
ErrNilListener used if listener is nil.
ErrUnsupportedListener represents net.Listener type unknown to Acra.
IdentifierExtractorTypesList list of all acceptable types for IdentifierExtractor.
OcspFromCertValuesList contains all possible values for flag `--tls_ocsp_from_cert`.
OcspRequiredValuesList contains all possible values for flag `--tls_ocsp_required`.

# Structs

CallbackError returned from OnConnection callbacks.
CertVerifierAll is an implementation of CertVerifier that requires all verifiers to return success.
ClientIDToContextCallback is a callback that sets the ClientID into the connection context.
ConnectionManager counts connections and closes them.
ConnectionMetadataBuilder builds connection metadata.
ConnectionMetric is used to track the lifetime of a connection.
ConnectionToContextCallback implements the OnConnectionContextCallback interface and stores the connection in the context.
CRLCacheItem is combination of fetched+parsed+verified CRL with fetch time.
CRLConfig contains configuration related to certificate validation using CRL.
CRLError error wrapper to recognize CRL related errors.
DefaultCRLClient is a default implementation of CRLClient (as opposed to stub ones used in tests).
DefaultCRLVerifier is a default implementation of CRLVerifier.
DefaultOCSPClient is a default implementation of OCSPClient.
DefaultOCSPVerifier is a default OCSP verifier.
DistinguishedNameExtractor implements the CertificateIdentifierExtractor interface and returns the certificate subject's Distinguished Name (of which CommonName is one attribute) as the client's identifier.
HexIdentifierConverter converts identifiers to hex value as string in lower case.
HTTPServerConnectionChainWrapper wraps a net.Listener and allows registering callbacks that are called on every new connection after listener.Accept; it also implements the http.Server.ConnContext handler signature and allows registering callbacks that are called on every new connection inside http.Server.
LRUCRLCache is an implementation of CRLCache that uses LRU cache inside.
MetricConnectionCallback is the callback used for new incoming connections from gRPC or http.Server connection handlers; it wraps new connections with lifetime tracking that ends when Close is called.
OCSPConfig contains configuration related to certificate validation using OCSP.
RawConnectionWrapper doesn't add any encryption above connection.
SafeCloseConnectionCallback callback that wraps connections with connection that call Close only once.
SerialNumberExtractor implementation for CertificateIdentifierExtractor interface, which return SerialNumber of certificate as client's identifier.
TLSConnectionWrapper for wrapping connection into TLS encryption.
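ValidateClientsAuthenticationCertificate (in the Functions list) and the extractor and converter structs above (DistinguishedNameExtractor, SerialNumberExtractor, HexIdentifierConverter) together turn a peer certificate into a clientID. The following is an added Go example written for this page, not the project's implementation: it re-implements those documented rules under its own function names (validateClientAuthCert, distinguishedNameIdentifier, serialNumberIdentifier, hexClientID, clientIDFromCert), generates throwaway self-signed certificates in memory as constructed test input, and shows that a DN-derived clientID survives certificate re-issue while a serial-derived one does not.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var (
	errNoPeerCertificate = errors.New("no peer certificate presented")
	errCACertificate     = errors.New("CA certificate is not acceptable for peer authentication")
	errNotForClientAuth  = errors.New("certificate has neither DigitalSignature key usage nor ClientAuth extended key usage")
	errEmptyIdentifier   = errors.New("empty certificate identifier")
)

// validateClientAuthCert applies the rule documented for ValidateClientsAuthenticationCertificate: CA
// certificates are refused; otherwise KeyUsage must include DigitalSignature or ExtKeyUsage ClientAuth.
func validateClientAuthCert(cert *x509.Certificate) error {
	if cert == nil {
		return errNoPeerCertificate
	}
	if cert.IsCA {
		return errCACertificate
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature != 0 {
		return nil
	}
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageClientAuth {
			return nil
		}
	}
	return errNotForClientAuth
}

// distinguishedNameIdentifier plays the role of DistinguishedNameExtractor: the RFC 2253 subject DN.
func distinguishedNameIdentifier(cert *x509.Certificate) ([]byte, error) {
	if dn := cert.Subject.String(); dn != "" {
		return []byte(dn), nil
	}
	return nil, errEmptyIdentifier
}

// serialNumberIdentifier plays the role of SerialNumberExtractor: the big-endian serial number bytes.
func serialNumberIdentifier(cert *x509.Certificate) ([]byte, error) {
	if cert.SerialNumber == nil || cert.SerialNumber.Sign() <= 0 {
		return nil, errEmptyIdentifier
	}
	return cert.SerialNumber.Bytes(), nil
}

// hexClientID is the HexIdentifierConverter step: SHA-512, then lower-case hex, so an identifier of
// any length becomes a fixed 128-character clientID.
func hexClientID(identifier []byte) string {
	sum := sha512.Sum512(identifier)
	return hex.EncodeToString(sum[:])
}

// clientIDFromCert validates the peer certificate first, then derives the clientID from it.
func clientIDFromCert(cert *x509.Certificate, extract func(*x509.Certificate) ([]byte, error)) (string, error) {
	if err := validateClientAuthCert(cert); err != nil {
		return "", err
	}
	identifier, err := extract(cert)
	if err != nil {
		return "", err
	}
	return hexClientID(identifier), nil
}

// newSelfSignedCert builds constructed in-memory test certificates; no real CA or key store is involved.
func newSelfSignedCert(cn string, serial int64, isCA bool, ku x509.KeyUsage, eku []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn, Organization: []string{"Example Org"}},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: ku, ExtKeyUsage: eku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, _ := newSelfSignedCert("client-1", 2, false, x509.KeyUsageDigitalSignature, nil)
	fmt.Println(clientIDFromCert(cert, distinguishedNameIdentifier))
}
```

The choice of extractor is a key-management decision: a DN-derived clientID stays the same when a client's certificate is renewed with the same subject, so its keys in the keystore keep working, whereas a serial-derived clientID changes with every issuance and forces the keys to be re-registered, which is stricter but also means two renewed certificates of the same subject are treated as different clients.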

# Interfaces

CertificateIdentifierExtractor interface for implementations which should return identifier used for client's identification.
CertVerifier is a generic certificate verifier.
ConnectionCallback used to call callbacks on new accepted connections.
ConnectionContextCallback used to call callbacks for http.Server.ConnContext calls.
ConnectionMetadata connection metadata.
ConnectionTimeoutWrapper interface.
ConnectionWrapper interface.
CRLCache is used to store fetched CRLs to avoid downloading the same URL more than once, stores parsed and verified CRLs.
CRLClient is used to fetch CRL from some URL.
DeadlineListener extends the net.Listener interface with a SetDeadline method, added to abstract calling SetDeadline on the two listener types (TCPListener and UnixListener) that support it.
GRPCConnectionClientIDExtractor extracts the clientID from the connection AuthInfo encapsulated in the request context.
GRPCConnectionWrapper implements credentials.TransportCredentials and allows registering callbacks for new connections after the ServerHandshake call.
HTTPServerConnectionWrapper implements net.Listener interface and allow to.
IdentifierConverter converts identifiers from x509 certificates to clientID format acceptable by keystore, pass keystore.ValidateID check.
ListenerWithFileDescriptor listens to file.
ListenerWrapper interface allows to access wrapped listener by another listener implementation.
OCSPClient is used to perform OCSP queries to some URL.
OnServerHandshakeCallback interface used for callbacks on every ServerHandshake call in grpc connection handler.
TLSClientIDExtractor is a composite component for extracting the clientID from certificates using a certificate identifier extractor and a converter.
WrappedConnection is implemented by connection wrappers to give access to the wrapped connection.

# Type aliases

CLIParamNameConstructorFunc compiles the final parameter name for the specified service name.