I think the built-in NewServerTLSFromCert should do what you want. See the example here: https://grpc.io/docs/guides/auth.html#with-server-authentication-ssltls

Or the raw API docs: https://godoc.org/google.golang.org/grpc/credentials#NewServerTLSFromCert

The gRPC documentation isn't super clear about how you should use these, but if the default configuration doesn't do what you want, you can call NewTLS with your own tls.Config that contains the options you want (e.g. the root certificate that you want to trust, etc.).

Hope that helps,

Evan Jones

On Friday, October 19, 2018 at 4:50:19 PM UTC-4, Ismael Farfan wrote:
> I gave up and just call something like the verify example in the x509 package from the secure functions.
> https://golang.org/pkg/crypto/x509/#Certificate.Verify
>
> It's not the optimum or what I wanted, but it's better than calling exec.Command("openssl...")
>
> Regards
> -Ismael
>
> On Fri, Oct 19, 2018 at 08:10, Ismael Farfan wrote:
> >
> > Hello everyone
> >
> > I'm a little bit at a loss on how to do this, I want to do what this guy does in this post using RequireAndVerifyClientCert, but with gRPC:
> >
> > "Getting the Server to Trust the Client"
> > https://ericchiang.github.io/post/go-tls/
> >
> > I already have CA root and key (pem) files in the server.
> > Potential users can create Certificate Sign Requests with "openssl req -new...."
> > I can sign / approve / provide temporary CSR with "openssl x509 -req...."
> > I can check that certs are valid and haven't _expired_ with "openssl verify...."
> >
> > So the question is:
> > How can I make it so that only clients connecting with a certificate signed with the root CA can call [some] functions?
> >
> > If it's too much of a pain to restrict only some functions, restricting the whole gRPC server also works for me.
> >
> > The authentication overview guide says it's possible to extend or customize authentication methods, but it seems like such means (MetadataCredentialsPlugin) aren't available in golang yet.
> > https://grpc.io/docs/guides/auth.html
> >
> > Any ideas?
> > -Ismael
>
> --
> Do not let me induce you to satisfy my curiosity, from an expectation, that I shall gratify yours. What I may judge proper to conceal, does not concern myself alone.
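The NewTLS route suggested in the reply above, combined with the RequireAndVerifyClientCert setting from the original question, as an added example that is not part of the thread. It uses only the Go standard library; the helper names (issue, serverConfig, handshake) and every certificate are constructed for the demonstration, and the certificates carry no key-usage extensions.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue makes a constructed in-memory test certificate; a nil parent yields a self-signed CA.
func issue(cn string, parent *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), DNSNames: []string{cn},
		Subject: pkix.Name{CommonName: cn}, IsCA: parent == nil, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent = &tls.Certificate{Leaf: tpl, PrivateKey: key} // sign with its own key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, parent.Leaf, pub, parent.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// serverConfig is the tls.Config a gRPC server would hand to credentials.NewTLS.
func serverConfig(server tls.Certificate, ca *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &tls.Config{Certificates: []tls.Certificate{server}, MinVersion: tls.VersionTLS12,
		ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert}
}

// handshake returns the server's verdict; the client trusts the same constructed CA.
func handshake(srv *tls.Config, client tls.Certificate) error {
	c, s := net.Pipe()
	defer func() { c.Close(); s.Close() }()
	go tls.Client(c, &tls.Config{Certificates: []tls.Certificate{client}, RootCAs: srv.ClientCAs,
		ServerName: "localhost"}).Read(make([]byte, 1))
	return tls.Server(s, srv).Handshake()
}

func main() {
	ca, other := issue("test-ca", nil), issue("test-ca", nil) // same name, different keys
	srv := serverConfig(issue("localhost", &ca), ca.Leaf)
	fmt.Println("signed by the CA:", handshake(srv, issue("client", &ca)))
	fmt.Println("signed elsewhere:", handshake(srv, issue("client", &other)))
}
```

On a gRPC server the config would be installed with grpc.Creds(credentials.NewTLS(cfg)), which applies the check to the whole server rather than to individual functions.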
