-
Notifications
You must be signed in to change notification settings - Fork 0
/
execution.go
76 lines (70 loc) · 1.79 KB
/
execution.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
package server
import (
"crypto/tls"
"crypto/x509"
"os"
"strings"
)
func getClientAuthType(s string) tls.ClientAuthType {
//KIM: there are other cert types, but for the most part,
// these two are the only functional ones
switch strings.ToLower(s) {
default:
return tls.NoClientCert
case "RequireAndVerifyClientCert":
return tls.RequireAndVerifyClientCert
}
}
func getCertificates(c *Configuration) ([]tls.Certificate, error) {
var certificates []tls.Certificate
if c.CertFile != "" && c.KeyFile != "" {
bytesCert, err := os.ReadFile(c.CertFile)
if err != nil {
return nil, err
}
bytesKey, err := os.ReadFile(c.KeyFile)
if err != nil {
return nil, err
}
certificate, err := tls.X509KeyPair(bytesCert, bytesKey)
if err != nil {
return nil, err
}
certificates = append(certificates, certificate)
}
return certificates, nil
}
func getCaCert(c *Configuration, clientAuthType tls.ClientAuthType) (*x509.CertPool, error) {
caCertPool := x509.NewCertPool()
if c.CaCertificate != "" {
bytes, err := os.ReadFile(c.CaCertificate)
if err != nil {
return nil, err
}
caCertPool.AppendCertsFromPEM(bytes)
}
return caCertPool, nil
}
func getTlsConfig(c *Configuration) (*tls.Config, error) {
if !c.HttpsEnabled {
return &tls.Config{}, nil
}
clientAuthType := getClientAuthType(c.ClientAuthType)
caCertPool, err := getCaCert(c, clientAuthType)
if err != nil {
return nil, err
}
certificates, err := getCertificates(c)
if err != nil {
return nil, err
}
return &tls.Config{
// TLS versions below 1.2 are considered insecure
// see https://www.rfc-editor.org/rfc/rfc7525.txt for details
MinVersion: tls.VersionTLS12,
Certificates: certificates,
ClientCAs: caCertPool,
ServerName: c.CertificateServerName,
ClientAuth: clientAuthType,
}, nil
}