package swish
import (
"crypto/tls"
"crypto/x509"
"encoding/base64"
"encoding/pem"
"fmt"
"golang.org/x/crypto/pkcs12"
)
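// newTLSClientConfig builds the mutual-TLS client configuration: the
// relying-party certificate taken from the PKCS#12 bundle is presented as the
// client certificate, and the environment CA certificate is the only trust
// anchor used to verify the peer.
//
// It returns an error when configuration is nil or when either certificate
// cannot be loaded.
func newTLSClientConfig(configuration *Configuration) (*tls.Config, error) {
	if configuration == nil {
		return nil, fmt.Errorf("configuration must not be nil")
	}
	caPool, err := createCertPool(configuration.Environment.Certificate)
	if err != nil {
		return nil, err
	}
	rpCert, err := createCertLeaf(configuration)
	if err != nil {
		return nil, err
	}
	clientCfg := &tls.Config{
		Certificates: []tls.Certificate{*rpCert},
		// RootCAs pins server verification to the environment CA instead of
		// the system trust store.
		RootCAs: caPool,
		// ClientCAs is only consulted when a config is used on the server
		// side; it is kept so a caller that reuses this config there sees the
		// same behaviour as before.
		ClientCAs: caPool,
		// Refuse TLS 1.0/1.1 explicitly rather than relying on the toolchain
		// default, which is what the G402 lint was warning about.
		MinVersion: tls.VersionTLS12,
	}
	return clientCfg, nil
}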
// createCertPool decodes a base64-encoded, PEM-formatted CA certificate and
// returns a pool that contains only what was decoded from it.
//
// An error is returned when the base64 decoding fails or when the decoded
// bytes hold no PEM certificate the pool is able to load (an empty string
// falls into the second case).
func createCertPool(base64EncodedCertificate string) (*x509.CertPool, error) {
	pemBytes, decodeErr := base64.StdEncoding.DecodeString(base64EncodedCertificate)
	if decodeErr != nil {
		return nil, fmt.Errorf("could not decode the certificate. %w", decodeErr)
	}
	pool := x509.NewCertPool()
	// AppendCertsFromPEM reports true only if at least one certificate was added.
	if pool.AppendCertsFromPEM(pemBytes) {
		return pool, nil
	}
	return nil, fmt.Errorf("could not append CA Certificate to pool. Invalid base64EncodedCertificate")
}
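// createCertLeaf extracts the relying-party certificate and private key from
// the PKCS#12 bundle in configuration and returns them as a tls.Certificate.
//
// pkcs12.ToPEM yields the bundle's contents as PEM blocks; those are
// concatenated and the same bytes are handed to tls.X509KeyPair as both the
// certificate and the key input, which locates the matching pair itself.
//
// It returns an error when configuration is nil, when the bundle cannot be
// opened with the given password, or when no usable key pair is found.
func createCertLeaf(configuration *Configuration) (*tls.Certificate, error) {
	if configuration == nil {
		return nil, fmt.Errorf("configuration must not be nil")
	}
	blocks, err := pkcs12.ToPEM(configuration.Pkcs12.Content, configuration.Pkcs12.Password)
	if err != nil {
		return nil, fmt.Errorf("unable to load pkcs12 %w", err)
	}
	var pemData []byte
	for _, b := range blocks {
		// EncodeToMemory returns nil for a block it cannot encode; appending
		// nil is a no-op, so such a block is skipped rather than corrupting
		// the buffer.
		pemData = append(pemData, pem.EncodeToMemory(b)...)
	}
	cert, err := tls.X509KeyPair(pemData, pemData)
	if err != nil {
		// Distinct message so a bundle that opened fine but holds no matching
		// certificate/key pair is distinguishable from a bad bundle above.
		return nil, fmt.Errorf("unable to build key pair from pkcs12 %w", err)
	}
	return &cert, nil
}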