-
Notifications
You must be signed in to change notification settings - Fork 0
/
cfssl.go
62 lines (52 loc) · 1.48 KB
/
cfssl.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
package roots
import (
"crypto/x509"
"encoding/json"
"errors"
"github.com/ztdbp/cfssl/api/client"
"github.com/ztdbp/cfssl/helpers"
"github.com/ztdbp/cfssl/info"
"github.com/ztdbp/cfssl/log"
)
// This package contains CFSSL integration.
// NewCFSSL produces a new CFSSL root.
func NewCFSSL(metadata map[string]string) ([]*x509.Certificate, error) {
host, ok := metadata["host"]
if !ok {
return nil, errors.New("transport: CFSSL root provider requires a host")
}
label := metadata["label"]
profile := metadata["profile"]
cert, err := helpers.LoadClientCertificate(metadata["mutual-tls-cert"], metadata["mutual-tls-key"])
if err != nil {
return nil, err
}
remoteCAs, err := helpers.LoadPEMCertPool(metadata["tls-remote-ca"])
if err != nil {
return nil, err
}
srv := client.NewServerTLS(host, helpers.CreateTLSConfig(remoteCAs, cert))
data, err := json.Marshal(info.Req{Label: label, Profile: profile})
if err != nil {
return nil, err
}
resp, err := srv.Info(data)
if err != nil {
log.Errorf("请求 CA Server 错误: %v", err)
return nil, err
}
log.Debugf("CA Server 返回数据: %v", *resp)
certs, err := helpers.ParseCertificatesPEM([]byte(resp.Certificate))
if err != nil {
return nil, err
}
for _, rootCertStr := range resp.TrustCertificates {
rootCert, err := helpers.ParseCertificatePEM([]byte(rootCertStr))
if err != nil {
log.Warningf("trust 证书解析失败: %v", err)
continue
}
certs = append(certs, rootCert)
}
return certs, nil
}