| /* |
| * Licensed to the Apache Software Foundation (ASF) under one or more |
| * contributor license agreements. See the NOTICE file distributed with |
| * this work for additional information regarding copyright ownership. |
| * The ASF licenses this file to You under the Apache License, Version 2.0 |
| * (the "License"); you may not use this file except in compliance with |
| * the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| package getty |
| |
| import ( |
| "crypto/tls" |
| "crypto/x509" |
| "fmt" |
| "os" |
| ) |
| |
| import ( |
| perrors "github.com/pkg/errors" |
| ) |
| |
| // TlsConfigBuilder tls config builder interface |
| type TlsConfigBuilder interface { |
| BuildTlsConfig() (*tls.Config, error) |
| } |
| |
| // ServerTlsConfigBuilder impl TlsConfigBuilder for server |
| type ServerTlsConfigBuilder struct { |
| ServerKeyCertChainPath string |
| ServerPrivateKeyPath string |
| ServerKeyPassword string |
| ServerTrustCertCollectionPath string |
| } |
| |
| // BuildTlsConfig impl TlsConfigBuilder method |
| func (s *ServerTlsConfigBuilder) BuildTlsConfig() (*tls.Config, error) { |
| var ( |
| err error |
| certPem []byte |
| certificate tls.Certificate |
| certPool *x509.CertPool |
| config *tls.Config |
| ) |
| if certificate, err = tls.LoadX509KeyPair(s.ServerKeyCertChainPath, s.ServerPrivateKeyPath); err != nil { |
| log.Error(fmt.Sprintf("tls.LoadX509KeyPair(certs{%s}, privateKey{%s}) = err:%+v", |
| s.ServerKeyCertChainPath, s.ServerPrivateKeyPath, perrors.WithStack(err))) |
| return nil, err |
| } |
| config = &tls.Config{ |
| InsecureSkipVerify: true, // do not verify peer certs |
| ClientAuth: tls.RequireAnyClientCert, |
| Certificates: []tls.Certificate{certificate}, |
| } |
| |
| if s.ServerTrustCertCollectionPath != "" { |
| certPem, err = os.ReadFile(s.ServerTrustCertCollectionPath) |
| if err != nil { |
| log.Error(fmt.Errorf("os.ReadFile(certFile{%s}) = err:%+v", s.ServerTrustCertCollectionPath, perrors.WithStack(err))) |
| return nil, err |
| } |
| certPool = x509.NewCertPool() |
| if ok := certPool.AppendCertsFromPEM(certPem); !ok { |
| log.Error("failed to parse root certificate file") |
| return nil, err |
| } |
| config.ClientCAs = certPool |
| config.ClientAuth = tls.RequireAnyClientCert |
| config.InsecureSkipVerify = false |
| } |
| return config, nil |
| } |
| |
| // ClientTlsConfigBuilder impl TlsConfigBuilder for client |
| type ClientTlsConfigBuilder struct { |
| ClientKeyCertChainPath string |
| ClientPrivateKeyPath string |
| ClientKeyPassword string |
| ClientTrustCertCollectionPath string |
| } |
| |
| // BuildTlsConfig impl TlsConfigBuilder method |
| func (c *ClientTlsConfigBuilder) BuildTlsConfig() (*tls.Config, error) { |
| cert, err := tls.LoadX509KeyPair(c.ClientKeyCertChainPath, c.ClientPrivateKeyPath) |
| if err != nil { |
| log.Error(fmt.Sprintf("Unable to load X509 Key Pair %v", err)) |
| return nil, err |
| } |
| certBytes, err := os.ReadFile(c.ClientTrustCertCollectionPath) |
| if err != nil { |
| log.Error(fmt.Sprintf("Unable to read pem file: %s", c.ClientTrustCertCollectionPath)) |
| return nil, err |
| } |
| clientCertPool := x509.NewCertPool() |
| ok := clientCertPool.AppendCertsFromPEM(certBytes) |
| if !ok { |
| log.Error("failed to parse root certificate") |
| return nil, err |
| } |
| return &tls.Config{ |
| RootCAs: clientCertPool, |
| Certificates: []tls.Certificate{cert}, |
| InsecureSkipVerify: true, |
| }, nil |
| } |