package pubsub
import (
"crypto/tls"
"crypto/x509"
"encoding/pem"
"errors"
"fmt"
)
// TLSProperties is a struct that contains the TLS properties.
//
// Every field holds PEM-encoded text rather than a file path: TLS checks each
// value decodes as a PEM block, and ConvertTLSPropertiesToTLSConfig passes the
// client pair to tls.X509KeyPair and the CA to x509.CertPool.AppendCertsFromPEM.
// An empty string means the property was not configured.
type TLSProperties struct {
	// CACert is the PEM CA certificate used to verify the peer certificate.
	CACert string
	// ClientCert is the PEM client certificate; only used together with ClientKey.
	ClientCert string
	// ClientKey is the PEM private key matching ClientCert.
	ClientKey string
}
// Metadata key names read by TLS from the component's metadata map. The
// values stored under these keys are expected to be PEM text, not paths.
const (
	// CACert is the metadata key name for the CA certificate.
	CACert = "caCert"
	// ClientCert is the metadata key name for the client certificate.
	ClientCert = "clientCert"
	// ClientKey is the metadata key name for the client key.
	ClientKey = "clientKey"
)
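// TLS takes a metadata object and returns the TLSProperties configured.
//
// The CACert, ClientCert and ClientKey keys are each optional: an absent or
// empty value leaves the corresponding field blank. A non-empty value must
// decode as a PEM block, otherwise an error naming the key is returned.
// ClientCert and ClientKey must be supplied together, because
// ConvertTLSPropertiesToTLSConfig only loads a client certificate when both
// are present; a lone half of the pair is rejected here instead of being
// dropped silently later.
func TLS(metadata map[string]string) (TLSProperties, error) {
	var (
		cfg TLSProperties
		err error
	)
	if cfg.CACert, err = pemMetadataValue(metadata, CACert); err != nil {
		return TLSProperties{}, err
	}
	if cfg.ClientCert, err = pemMetadataValue(metadata, ClientCert); err != nil {
		return TLSProperties{}, err
	}
	if cfg.ClientKey, err = pemMetadataValue(metadata, ClientKey); err != nil {
		return TLSProperties{}, err
	}
	// Exactly one of cert/key set cannot form a key pair; fail fast so the
	// operator sees the misconfiguration rather than an unauthenticated client.
	if (cfg.ClientCert == "") != (cfg.ClientKey == "") {
		return TLSProperties{}, fmt.Errorf("%s and %s must be provided together", ClientCert, ClientKey)
	}
	return cfg, nil
}

// pemMetadataValue returns the value stored under key in metadata, or "" when
// the key is absent or empty. A non-empty value that does not contain a PEM
// block yields an error naming the key (e.g. "invalid caCert").
func pemMetadataValue(metadata map[string]string, key string) (string, error) {
	val, ok := metadata[key]
	if !ok || val == "" {
		return "", nil
	}
	if !isValidPEM(val) {
		return "", fmt.Errorf("invalid %s", key)
	}
	return val, nil
}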
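// ConvertTLSPropertiesToTLSConfig converts the TLSProperties to a tls.Config.
//
// When both ClientCert and ClientKey are set they are loaded as the client
// certificate presented during the handshake; supplying only one of them is
// an error. When CACert is set it becomes the RootCAs pool used to verify the
// peer (otherwise the host's root set is used). On error the returned config
// is nil and must not be used.
func ConvertTLSPropertiesToTLSConfig(properties TLSProperties) (*tls.Config, error) {
	tlsConfig := &tls.Config{
		// Explicit floor: matches the stdlib's current client default, but
		// keeps the version policy visible in the config rather than implied.
		MinVersion: tls.VersionTLS12,
	}

	hasCert, hasKey := properties.ClientCert != "", properties.ClientKey != ""
	if hasCert != hasKey {
		// Half a key pair is unusable; failing is safer than silently
		// continuing without a client certificate.
		return nil, errors.New("client certificate and key must be provided together")
	}
	if hasCert {
		cert, err := tls.X509KeyPair([]byte(properties.ClientCert), []byte(properties.ClientKey))
		if err != nil {
			return nil, fmt.Errorf("unable to load client certificate and key pair: %w", err)
		}
		tlsConfig.Certificates = []tls.Certificate{cert}
	}

	if properties.CACert != "" {
		pool := x509.NewCertPool()
		// AppendCertsFromPEM reports false when no certificate could be parsed.
		if !pool.AppendCertsFromPEM([]byte(properties.CACert)) {
			return nil, errors.New("unable to load CA certificate")
		}
		tlsConfig.RootCAs = pool
	}
	return tlsConfig, nil
}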
// isValidPEM validates the provided input has PEM formatted block.
// Only the first block is inspected; any trailing data after it is ignored.
func isValidPEM(val string) bool {
	if block, _ := pem.Decode([]byte(val)); block != nil {
		return true
	}
	return false
}