|
16 | 16 | * |
17 | 17 | */ |
18 | 18 |
|
19 | | -// Package advancedtls is a utility library containing functions to construct |
20 | | -// credentials.TransportCredentials that can perform credential reloading and |
21 | | -// custom verification check. |
| 19 | +// Package advancedtls provides gRPC transport credentials that allow easy |
| 20 | +// configuration of advanced TLS features. The APIs here give the user more |
| 21 | +// customizable control to fit their security landscape, thus the "advanced" |
| 22 | +// moniker. This package provides both interfaces and generally useful |
| 23 | +// implementations of those interfaces, for example periodic credential |
| 24 | +// reloading, support for certificate revocation lists, and customizable |
| 25 | +// certificate verification behaviors. If the provided implementations do not |
| 26 | +// fit a given use case, a custom implementation of the interface can be |
| 27 | +// injected. |
22 | 28 | package advancedtls |
23 | 29 |
|
24 | 30 | import ( |
@@ -119,8 +125,9 @@ type GetRootCAsResults = RootCertificates |
119 | 125 |
|
120 | 126 | // RootCertificateOptions contains options to obtain root trust certificates |
121 | 127 | // for both the client and the server. |
122 | | -// At most one option could be set. If none of them are set, we |
123 | | -// use the system default trust certificates. |
| 128 | +// At most one field should be set. If none of them are set, we use the system |
| 129 | +// default trust certificates. Setting more than one field will result in |
| 130 | +// undefined behavior. |
124 | 131 | type RootCertificateOptions struct { |
125 | 132 | // If RootCertificates is set, it will be used every time when verifying |
126 | 133 | // the peer certificates, without performing root certificate reloading. |
@@ -153,18 +160,18 @@ func (o RootCertificateOptions) nonNilFieldCount() int { |
153 | 160 |
|
154 | 161 | // IdentityCertificateOptions contains options to obtain identity certificates |
155 | 162 | // for both the client and the server. |
156 | | -// At most one option could be set. |
| 163 | +// At most one field should be set. Setting more than one field will result in undefined behavior. |
157 | 164 | type IdentityCertificateOptions struct { |
158 | 165 | // If Certificates is set, it will be used every time when needed to present |
159 | | - //identity certificates, without performing identity certificate reloading. |
| 166 | + // identity certificates, without performing identity certificate reloading. |
160 | 167 | Certificates []tls.Certificate |
161 | 168 | // If GetIdentityCertificatesForClient is set, it will be invoked to obtain |
162 | 169 | // identity certs for every new connection. |
163 | | - // This field MUST be set on client side. |
| 170 | + // This field is only relevant when set on the client side. |
164 | 171 | GetIdentityCertificatesForClient func(*tls.CertificateRequestInfo) (*tls.Certificate, error) |
165 | 172 | // If GetIdentityCertificatesForServer is set, it will be invoked to obtain |
166 | 173 | // identity certs for every new connection. |
167 | | - // This field MUST be set on server side. |
| 174 | + // This field is only relevant when set on the server side. |
168 | 175 | GetIdentityCertificatesForServer func(*tls.ClientHelloInfo) ([]*tls.Certificate, error) |
169 | 176 | // If IdentityProvider is set, we will use the identity certs from the |
170 | 177 | // Provider's KeyMaterial() call in the new connections. The Provider must |
|