Class: Spiffe::Workload::TLSConfig

Inherits: Object

Defined in: lib/spiffe/workload/tls_config.rb

Overview

TLS configuration helper for SPIFFE

Class Method Summary

  • .create_auto_updating_context(client, verify_mode: OpenSSL::SSL::VERIFY_PEER) ⇒ OpenSSL::SSL::SSLContext

    Create an SSL context that automatically updates with SVID rotation

  • .create_context(svid, verify_mode: OpenSSL::SSL::VERIFY_PEER) ⇒ OpenSSL::SSL::SSLContext

    Create an SSL context from an X.509 SVID

Class Method Details

.create_auto_updating_context(client, verify_mode: OpenSSL::SSL::VERIFY_PEER) ⇒ OpenSSL::SSL::SSLContext

Create an SSL context that automatically updates with SVID rotation

Parameters:

  • client (Client)

    The workload API client

  • verify_mode (Integer) (defaults to: OpenSSL::SSL::VERIFY_PEER)

    OpenSSL verify mode

Returns:

  • (OpenSSL::SSL::SSLContext)


# File 'lib/spiffe/workload/tls_config.rb', line 28

def self.create_auto_updating_context(client, verify_mode: OpenSSL::SSL::VERIFY_PEER)
  # Start from the client's current X.509 SVID
  context = create_context(client.x509_svid, verify_mode: verify_mode)

  # Register callback to update context on rotation.
  # Caveat: OpenSSL::SSL::SSLContext is frozen once an SSLSocket has run
  # #setup on it, so these assignments raise for a context that is already
  # in use; they only take effect on a context no socket has used yet.
  client.on_x509_svid_update do |new_svid|
    context.cert = new_svid.leaf_certificate
    context.key = new_svid.private_key
    # Intermediates only; the leaf is already set via cert=
    context.extra_chain_cert = new_svid.cert_chain[1..-1] if new_svid.cert_chain.length > 1
    # The trust bundle must be an OpenSSL::X509::Store for cert_store=
    context.cert_store = new_svid.trust_bundle
  end

  context
end

.create_context(svid, verify_mode: OpenSSL::SSL::VERIFY_PEER) ⇒ OpenSSL::SSL::SSLContext

Create an SSL context from an X.509 SVID

Parameters:

  • svid (X509SVID)

    The SVID to use

  • verify_mode (Integer) (defaults to: OpenSSL::SSL::VERIFY_PEER)

    OpenSSL verify mode

Returns:

  • (OpenSSL::SSL::SSLContext)


# File 'lib/spiffe/workload/tls_config.rb', line 13

def self.create_context(svid, verify_mode: OpenSSL::SSL::VERIFY_PEER)
  context = OpenSSL::SSL::SSLContext.new
  # Identity presented to the peer: the SVID leaf and its private key
  context.cert = svid.leaf_certificate
  context.key = svid.private_key
  # Intermediates only; the leaf is already set via cert=
  context.extra_chain_cert = svid.cert_chain[1..-1] if svid.cert_chain.length > 1
  # The trust bundle must be an OpenSSL::X509::Store for cert_store=;
  # it is what the peer's chain is validated against
  context.cert_store = svid.trust_bundle
  # VERIFY_PEER by default, so unauthenticated peers are rejected
  context.verify_mode = verify_mode
  # Floor the protocol version at TLS 1.2
  context.min_version = OpenSSL::SSL::TLS1_2_VERSION
  context
end
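As an added illustration (not code from the spiffe gem): `verify_mode: OpenSSL::SSL::VERIFY_PEER` with `cert_store` set to the trust bundle makes OpenSSL validate the peer's chain, but it says nothing about which SPIFFE ID the peer holds, so that check has to run separately, for example in a `verify_callback` or on `peer_cert` after the handshake. The example builds a constructed test PKI in plain OpenSSL (the `issue_cert`, `spiffe_id_of` and `authenticate_peer` helpers are hypothetical names) and runs both checks over a presented certificate.

```ruby
require "openssl"

# Constructed test PKI (example code, not from the spiffe gem). The CA stands in
# for the trust bundle; leaf certs carry the SPIFFE ID in a URI SAN like real SVIDs.
def issue_cert(subject, key, issuer: nil, issuer_key: nil, spiffe_id: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", spiffe_id ? "CA:FALSE" : "CA:TRUE", true))
  cert.add_extension(ef.create_extension("subjectAltName", "URI:#{spiffe_id}", false)) if spiffe_id
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
end

# The SPIFFE ID is the URI SAN of the leaf; nil when the cert has none.
def spiffe_id_of(cert)
  san = cert.extensions.find { |e| e.oid == "subjectAltName" }
  uri = san&.value&.split(",")&.map(&:strip)&.find { |v| v.start_with?("URI:spiffe://") }
  uri&.delete_prefix("URI:")
end

# verify_mode VERIFY_PEER with cert_store = trust bundle performs only the first
# check (chain); SPIFFE authentication also needs the identity checks below.
def authenticate_peer(peer_cert, trust_bundle, expected_trust_domain)
  return [false, "untrusted chain: #{trust_bundle.error_string}"] unless trust_bundle.verify(peer_cert)
  id = spiffe_id_of(peer_cert)
  return [false, "no SPIFFE ID in URI SAN"] unless id
  domain = id[%r{\Aspiffe://([^/]+)/}, 1]
  domain == expected_trust_domain ? [true, id] : [false, "foreign trust domain #{domain}"]
end

# Demo: one trusted CA, one SVID in the expected trust domain, one outside it.
def demo
  ca_key = OpenSSL::PKey::EC.generate("prime256v1")
  ca = issue_cert("/CN=example.org CA", ca_key)
  bundle = OpenSSL::X509::Store.new.tap { |s| s.add_cert(ca) }
  svid = lambda do |id|
    issue_cert("/CN=workload", OpenSSL::PKey::EC.generate("prime256v1"), issuer: ca, issuer_key: ca_key, spiffe_id: id)
  end
  good = authenticate_peer(svid.("spiffe://example.org/frontend"), bundle, "example.org")
  foreign = authenticate_peer(svid.("spiffe://other.org/frontend"), bundle, "example.org")
  puts "good: #{good.inspect}", "foreign: #{foreign.inspect}"
  [good, foreign]
end

demo if $PROGRAM_NAME == __FILE__
```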