package client
import (
"crypto/tls"
"crypto/x509"
"fmt"
"github.com/canonical/lxd/shared"
)
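// TLSClientConfig returns a TLS configuration suitable for establishing horizontal and vertical connections.
// clientCert contains the private key pair for the client. remoteCert is the public
// key of the server we are connecting to.
//
// The returned config trusts exactly one peer: remoteCert is installed as the
// sole root CA, so the server must present that certificate (or one it
// signed). remoteCert itself is never modified; a copy is placed in the pool,
// so the caller may keep using its certificate and later changes to it do
// not alter an already-built config.
//
// An error is returned when either certificate is nil.
func TLSClientConfig(clientCert *shared.CertInfo, remoteCert *x509.Certificate) (*tls.Config, error) {
	if clientCert == nil {
		return nil, fmt.Errorf("Invalid client certificate")
	}

	if remoteCert == nil {
		return nil, fmt.Errorf("Invalid remote public key")
	}

	config := shared.InitTLSConfig()
	config.Certificates = []tls.Certificate{clientCert.KeyPair()}

	// Work on a copy: the original code wrote IsCA/KeyUsage straight into the
	// caller's certificate and stored that same pointer in the pool, so the
	// caller's object was silently mutated and any later change to it reached
	// the pool. The copy is shallow; the shared byte slices (Raw, signature,
	// ...) are only read by the verifier, never written here.
	pinned := *remoteCert

	// Flag the copy as a CA allowed to sign certificates, presumably so that
	// chain verification accepts it as the root of the server's chain even
	// when the certificate was not issued with CA constraints.
	pinned.IsCA = true
	pinned.KeyUsage = x509.KeyUsageCertSign

	// The pool contains only this one certificate; nothing else is trusted.
	config.RootCAs = x509.NewCertPool()
	config.RootCAs.AddCert(&pinned)

	// Verify the hostname against the name embedded in the pinned certificate
	// rather than the address being dialled, so that connecting by IP or via an
	// alias still matches. When the certificate carries no DNS names, ServerName
	// is left as InitTLSConfig set it. NOTE(review): in that case hostname
	// verification depends on what InitTLSConfig and the dialled address
	// provide — confirm that is the intended behaviour.
	if len(pinned.DNSNames) > 0 {
		config.ServerName = pinned.DNSNames[0]
	}

	return config, nil
}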