mirror of
https://github.com/status-im/consul.git
synced 2025-01-12 23:05:28 +00:00
6681be918a
This PR adds the option to set in-memory certificates to the API client instead of requiring the certificate to be stored on disk in a file. This allows us to define API client TLS options per Consul secret backend in Vault. Related issue hashicorp/vault#4800
124 lines
2.8 KiB
Go
124 lines
2.8 KiB
Go
package rootcerts
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"errors"
|
|
"fmt"
|
|
"io/ioutil"
|
|
"os"
|
|
"path/filepath"
|
|
)
|
|
|
|
// Config determines where LoadCACerts will load certificates from. When CAFile,
|
|
// CACertificate and CAPath are blank, this library's functions will either load
|
|
// system roots explicitly and return them, or set the CertPool to nil to allow
|
|
// Go's standard library to load system certs.
|
|
type Config struct {
|
|
// CAFile is a path to a PEM-encoded certificate file or bundle. Takes
|
|
// precedence over CACertificate and CAPath.
|
|
CAFile string
|
|
|
|
// CACertificate is a PEM-encoded certificate or bundle. Takes precedence
|
|
// over CAPath.
|
|
CACertificate []byte
|
|
|
|
// CAPath is a path to a directory populated with PEM-encoded certificates.
|
|
CAPath string
|
|
}
|
|
|
|
// ConfigureTLS sets up the RootCAs on the provided tls.Config based on the
|
|
// Config specified.
|
|
func ConfigureTLS(t *tls.Config, c *Config) error {
|
|
if t == nil {
|
|
return nil
|
|
}
|
|
pool, err := LoadCACerts(c)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
t.RootCAs = pool
|
|
return nil
|
|
}
|
|
|
|
// LoadCACerts loads a CertPool based on the Config specified.
|
|
func LoadCACerts(c *Config) (*x509.CertPool, error) {
|
|
if c == nil {
|
|
c = &Config{}
|
|
}
|
|
if c.CAFile != "" {
|
|
return LoadCAFile(c.CAFile)
|
|
}
|
|
if len(c.CACertificate) != 0 {
|
|
return AppendCertificate(c.CACertificate)
|
|
}
|
|
if c.CAPath != "" {
|
|
return LoadCAPath(c.CAPath)
|
|
}
|
|
|
|
return LoadSystemCAs()
|
|
}
|
|
|
|
// LoadCAFile loads a single PEM-encoded file from the path specified.
|
|
func LoadCAFile(caFile string) (*x509.CertPool, error) {
|
|
pool := x509.NewCertPool()
|
|
|
|
pem, err := ioutil.ReadFile(caFile)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("Error loading CA File: %s", err)
|
|
}
|
|
|
|
ok := pool.AppendCertsFromPEM(pem)
|
|
if !ok {
|
|
return nil, fmt.Errorf("Error loading CA File: Couldn't parse PEM in: %s", caFile)
|
|
}
|
|
|
|
return pool, nil
|
|
}
|
|
|
|
// AppendCertificate appends an in-memory PEM-encoded certificate or bundle and returns a pool.
|
|
func AppendCertificate(ca []byte) (*x509.CertPool, error) {
|
|
pool := x509.NewCertPool()
|
|
|
|
ok := pool.AppendCertsFromPEM(ca)
|
|
if !ok {
|
|
return nil, errors.New("Error appending CA: Couldn't parse PEM")
|
|
}
|
|
|
|
return pool, nil
|
|
}
|
|
|
|
// LoadCAPath walks the provided path and loads all certificates encounted into
|
|
// a pool.
|
|
func LoadCAPath(caPath string) (*x509.CertPool, error) {
|
|
pool := x509.NewCertPool()
|
|
walkFn := func(path string, info os.FileInfo, err error) error {
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if info.IsDir() {
|
|
return nil
|
|
}
|
|
|
|
pem, err := ioutil.ReadFile(path)
|
|
if err != nil {
|
|
return fmt.Errorf("Error loading file from CAPath: %s", err)
|
|
}
|
|
|
|
ok := pool.AppendCertsFromPEM(pem)
|
|
if !ok {
|
|
return fmt.Errorf("Error loading CA Path: Couldn't parse PEM in: %s", path)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
err := filepath.Walk(caPath, walkFn)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return pool, nil
|
|
}
|