package main
import (
"crypto/tls"
"crypto/x509"
"errors"
"fmt"
"os"
)
// errFailedToAppendCACert is the sentinel wrapped (together with the offending
// file path) by newCACertPool when AppendCertsFromPEM parses no certificate
// from a file's contents.
var errFailedToAppendCACert = errors.New("failed to append CA cert to CA pool")
// newCACertPool builds an x509 certificate pool from the PEM files named in
// cacerts, layered on top of the system-installed certificates.
//
// When cacerts is empty it returns a nil pool and nil error so that callers
// fall back to the system CA pool. An unreadable file, or a file from which
// no certificate could be parsed, yields an error and no pool.
func newCACertPool(cacerts []string) (*x509.CertPool, error) {
	lg := logger.V(1).WithValues("cacerts", cacerts)
	if len(cacerts) == 0 {
		lg.V(0).Info("No CA certificate paths provided; returning nil for CA cert pool")
		return nil, nil //nolint:nilnil // Returning nil is the correct choice here as it will trigger use of system CA pool
	}
	lg.V(0).Info("Building certificate pool from file(s)")

	// Start from the system roots so the supplied files extend, rather than
	// replace, the trust store.
	pool, err := x509.SystemCertPool()
	if err != nil {
		return nil, fmt.Errorf("failed to build new CA cert pool from SystemCertPool: %w", err)
	}

	for _, path := range cacerts {
		pemData, readErr := os.ReadFile(path)
		if readErr != nil {
			return nil, fmt.Errorf("failed to read from certificate file %s: %w", path, readErr)
		}
		// AppendCertsFromPEM reports false only when no certificate at all was
		// parsed; a file mixing valid and malformed blocks is accepted with the
		// malformed ones silently skipped.
		if !pool.AppendCertsFromPEM(pemData) {
			return nil, fmt.Errorf("failed to process CA cert %s: %w", path, errFailedToAppendCACert)
		}
	}
	return pool, nil
}
// newTLSConfig assembles a *tls.Config that refuses anything below TLS 1.2.
//
// When both certFile and keyFile are non-empty the pair is loaded and becomes
// the certificate presented to the peer; if only one of the two is given, no
// certificate is loaded and no error is raised. clientCAs and rootCAs, when
// non-nil, are installed as the ClientCAs and RootCAs pools respectively.
//
// NOTE(review): a ClientCAs pool is only consulted once tls.Config.ClientAuth
// is set to a verifying policy (the zero value, NoClientCert, never requests a
// client certificate). This function leaves ClientAuth untouched, so the
// caller must set it for mutual TLS to be enforced — confirm at the call site.
func newTLSConfig(certFile, keyFile string, clientCAs, rootCAs *x509.CertPool) (*tls.Config, error) {
	lg := logger.V(1).WithValues(
		TLSCertFlagName, certFile,
		TLSKeyFlagName, keyFile,
		"hasClientCAs", clientCAs != nil,
		"hasRootCAs", rootCAs != nil,
	)
	lg.V(0).Info("Preparing TLS configuration")

	conf := &tls.Config{MinVersion: tls.VersionTLS12}

	// A half-specified pair is treated as "no certificate", not as an error.
	hasKeyPair := certFile != "" && keyFile != ""
	if hasKeyPair {
		lg.V(1).Info("Loading x509 certificate and key")
		pair, err := tls.LoadX509KeyPair(certFile, keyFile)
		if err != nil {
			return nil, fmt.Errorf("failed to load certificate %s and key %s: %w", certFile, keyFile, err)
		}
		conf.Certificates = []tls.Certificate{pair}
	}

	if clientCAs != nil {
		lg.V(1).Info("Add x509 certificate pool to ClientCAs")
		conf.ClientCAs = clientCAs
	}
	if rootCAs != nil {
		lg.V(1).Info("Add x509 certificate pool to RootCAs")
		conf.RootCAs = rootCAs
	}

	return conf, nil
}