240 lines
6.8 KiB
Go
240 lines
6.8 KiB
Go
package main
|
|
|
|
import "crypto/tls"
|
|
import "crypto/x509"
|
|
import "errors"
|
|
import "fmt"
|
|
import "io"
|
|
import "io/ioutil"
|
|
import "os"
|
|
|
|
import "gopkg.in/yaml.v3"
|
|
|
|
type ServerTLSConfig struct {
|
|
Enabled bool `yaml:"enabled"`
|
|
CertFile string `yaml:"cert-file"`
|
|
KeyFile string `yaml:"key-file"`
|
|
CertText string `yaml:"cert-text"`
|
|
KeyText string `yaml:"key-text"`
|
|
|
|
ClientAuthType string `yaml:"client-auth-type"`
|
|
ClientCACertFile string `yaml:"client-ca-cert-file"`
|
|
ClientCACertText string `yaml:"client-ca-cert-text"`
|
|
//CipherSuites []Cipher `yaml:"cipher_suites"`
|
|
//CurvePreferences []Curve `yaml:"curve_preferences"`
|
|
//MinVersion TLSVersion `yaml:"min-version"`
|
|
//MaxVersion TLSVersion `yaml:"max-version"`
|
|
//PreferServerCipherSuites bool `yaml:"prefer-server-cipher-suites"`
|
|
//ClientAllowedSans []string `yaml:"client-allowed-sans"`
|
|
}
|
|
|
|
type ClientTLSConfig struct {
|
|
Enabled bool `yaml:"enabled"`
|
|
CertFile string `yaml:"cert-file"`
|
|
KeyFile string `yaml:"key-file"`
|
|
CertText string `yaml:"cert-text"`
|
|
KeyText string `yaml:"key-text"`
|
|
ServerCACertFile string `yaml:"server-ca-cert-file"`
|
|
ServerCACertText string `yaml:"server-ca-cert-text"`
|
|
InsecureSkipVerify bool `yaml:"skip-verify"`
|
|
ServerName string `yaml:"server-name"`
|
|
}
|
|
|
|
type ServerConfig struct {
|
|
CTL struct {
|
|
TLS ServerTLSConfig `yaml:"tls"`
|
|
} `yaml:"ctl"`
|
|
|
|
RPC struct {
|
|
TLS ServerTLSConfig `yaml:"tls"`
|
|
} `yaml:"rpc"`
|
|
}
|
|
|
|
type ClientConfig struct {
|
|
CTL struct {
|
|
TLS ServerTLSConfig `yaml:"tls"`
|
|
} `yaml:"ctl"`
|
|
RPC struct {
|
|
TLS ClientTLSConfig `yaml:"tls"`
|
|
} `yaml:"rpc"`
|
|
}
|
|
|
|
|
|
func load_server_config(cfgfile string) (*ServerConfig, error) {
|
|
var cfg ServerConfig
|
|
var f *os.File
|
|
var yd *yaml.Decoder
|
|
var err error
|
|
|
|
f, err = os.Open(cfgfile)
|
|
if err != nil && errors.Is(err, io.EOF) {
|
|
return nil, err
|
|
}
|
|
|
|
yd = yaml.NewDecoder(f)
|
|
err = yd.Decode(&cfg)
|
|
f.Close()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return &cfg, nil
|
|
}
|
|
|
|
func load_client_config(cfgfile string) (*ClientConfig, error) {
|
|
var cfg ClientConfig
|
|
var f *os.File
|
|
var yd *yaml.Decoder
|
|
var err error
|
|
|
|
f, err = os.Open(cfgfile)
|
|
if err != nil && errors.Is(err, io.EOF) {
|
|
return nil, err
|
|
}
|
|
|
|
yd = yaml.NewDecoder(f)
|
|
err = yd.Decode(&cfg)
|
|
f.Close()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return &cfg, nil
|
|
}
|
|
|
|
|
|
func tls_string_to_client_auth_type(str string) tls.ClientAuthType {
|
|
switch str {
|
|
case tls.NoClientCert.String():
|
|
return tls.NoClientCert
|
|
case tls.RequestClientCert.String():
|
|
return tls.RequestClientCert
|
|
case tls.RequireAnyClientCert.String():
|
|
return tls.RequireAnyClientCert
|
|
case tls.VerifyClientCertIfGiven.String():
|
|
return tls.VerifyClientCertIfGiven
|
|
case tls.RequireAndVerifyClientCert.String():
|
|
return tls.RequireAndVerifyClientCert
|
|
default:
|
|
return tls.NoClientCert
|
|
}
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
func make_tls_server_config(cfg *ServerTLSConfig) (*tls.Config, error) {
|
|
var tlscfg *tls.Config
|
|
|
|
if cfg.Enabled {
|
|
var cert tls.Certificate
|
|
var cert_pool *x509.CertPool
|
|
var ok bool
|
|
var err error
|
|
|
|
if cfg.CertText != "" && cfg.KeyText != "" {
|
|
cert, err = tls.X509KeyPair([]byte(cfg.CertText), []byte(cfg.KeyText))
|
|
} else if cfg.CertFile != "" && cfg.KeyFile != "" {
|
|
cert, err = tls.LoadX509KeyPair(cfg.CertFile, cfg.KeyFile)
|
|
} else {
|
|
// use the embedded certificate
|
|
cert, err = tls.X509KeyPair(hodu_tls_cert_text, hodul_tls_key_text)
|
|
}
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to load key pair - %s", err)
|
|
}
|
|
|
|
cert_pool = x509.NewCertPool()
|
|
if cfg.ClientCACertText != "" {
|
|
ok = cert_pool.AppendCertsFromPEM([]byte(cfg.ClientCACertText))
|
|
if !ok {
|
|
return nil, fmt.Errorf("failed to append certificate to pool")
|
|
}
|
|
} else if cfg.ClientCACertFile != "" {
|
|
var text []byte
|
|
text, err = ioutil.ReadFile(cfg.ClientCACertFile)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to load ca certficate file %s - %s", cfg.ClientCACertFile, err.Error())
|
|
}
|
|
ok = cert_pool.AppendCertsFromPEM(text)
|
|
if !ok {
|
|
return nil, fmt.Errorf("failed to append certificate to pool")
|
|
}
|
|
} else {
|
|
ok = cert_pool.AppendCertsFromPEM(hodu_tls_cert_text)
|
|
if !ok {
|
|
return nil, fmt.Errorf("failed to append certificate to pool")
|
|
}
|
|
}
|
|
|
|
tlscfg = &tls.Config{
|
|
Certificates: []tls.Certificate{cert},
|
|
// If multiple certificates are configured, we may have to implement GetCertificate
|
|
// GetCertificate: func (chi *tls.ClientHelloInfo) (*Certificate, error) { return cert, nil }
|
|
ClientAuth: tls_string_to_client_auth_type(cfg.ClientAuthType),
|
|
ClientCAs: cert_pool, // trusted CA certs for client certificate verification
|
|
}
|
|
}
|
|
|
|
return tlscfg, nil
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
func make_tls_client_config(cfg *ClientTLSConfig) (*tls.Config, error) {
|
|
var tlscfg *tls.Config
|
|
|
|
if cfg.Enabled {
|
|
var cert tls.Certificate
|
|
var cert_pool *x509.CertPool
|
|
var ok bool
|
|
var err error
|
|
|
|
if cfg.CertText != "" && cfg.KeyText != "" {
|
|
cert, err = tls.X509KeyPair([]byte(cfg.CertText), []byte(cfg.KeyText))
|
|
} else if cfg.CertFile != "" && cfg.KeyFile != "" {
|
|
cert, err = tls.LoadX509KeyPair(cfg.CertFile, cfg.KeyFile)
|
|
} else {
|
|
// use the embedded certificate
|
|
cert, err = tls.X509KeyPair(hodu_tls_cert_text, hodul_tls_key_text)
|
|
}
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to load key pair - %s", err)
|
|
}
|
|
|
|
cert_pool = x509.NewCertPool()
|
|
if cfg.ServerCACertText != "" {
|
|
ok = cert_pool.AppendCertsFromPEM([]byte(cfg.ServerCACertText))
|
|
if !ok {
|
|
return nil, fmt.Errorf("failed to append certificate to pool")
|
|
}
|
|
} else if cfg.ServerCACertFile != "" {
|
|
var text []byte
|
|
text, err = ioutil.ReadFile(cfg.ServerCACertFile)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to load ca certficate file %s - %s", cfg.ServerCACertFile, err.Error())
|
|
}
|
|
ok = cert_pool.AppendCertsFromPEM(text)
|
|
if !ok {
|
|
return nil, fmt.Errorf("failed to append certificate to pool")
|
|
}
|
|
} else {
|
|
// trust the embedded certificate if not explicitly specified
|
|
ok = cert_pool.AppendCertsFromPEM(hodu_tls_cert_text)
|
|
if !ok {
|
|
return nil, fmt.Errorf("failed to append certificate to pool")
|
|
}
|
|
}
|
|
|
|
if cfg.ServerName == "" { cfg.ServerName = HODU_NAME }
|
|
tlscfg = &tls.Config{
|
|
//Certificates: []tls.Certificate{cert},
|
|
GetClientCertificate: func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) { return &cert, nil },
|
|
RootCAs: cert_pool,
|
|
InsecureSkipVerify: cfg.InsecureSkipVerify,
|
|
ServerName: cfg.ServerName,
|
|
}
|
|
}
|
|
|
|
return tlscfg, nil
|
|
}
|