5
5
"crypto/x509"
6
6
"fmt"
7
7
"io/ioutil"
8
+
9
+ "github.com/pkg/errors"
8
10
)
9
11
10
12
type TLSConfig struct {
@@ -21,88 +23,78 @@ type TLSConfig struct {
21
23
}
22
24
23
25
func (cfg TLSConfig ) TLSConfig () (* tls.Config , error ) {
24
- var tlsconf * tls.Config
25
26
var err error
26
- if cfg .Cert != "" && cfg .Key != "" {
27
- tlsconf , err = LoadFromValues (cfg .Cert , cfg .Key , cfg .CA )
28
- } else if cfg .CertFile != "" && cfg .KeyFile != "" {
29
- tlsconf , err = LoadFromFiles (cfg .CertFile , cfg .KeyFile , cfg .CAFiles )
30
- }
31
27
32
- if err != nil {
33
- return nil , err
28
+ tlsConf := & tls.Config {
29
+ MinVersion : tls .VersionTLS12 ,
30
+ InsecureSkipVerify : cfg .Insecure ,
34
31
}
35
32
36
- if tlsconf != nil {
37
- tlsconf .InsecureSkipVerify = cfg .Insecure
33
+ // Load CA
34
+ if cfg .CA != "" {
35
+ tlsConf .RootCAs , err = LoadCAFromValue (cfg .CA )
36
+ } else if len (cfg .CAFiles ) > 0 {
37
+ tlsConf .RootCAs , err = LoadCAFromFiles (cfg .CAFiles )
38
+ } else {
39
+ tlsConf .RootCAs , err = x509 .SystemCertPool ()
38
40
}
39
41
40
- return tlsconf , nil
41
- }
42
+ if err != nil {
43
+ return nil , errors .Wrap (err , "Error setting up Root CA pool" )
44
+ }
42
45
43
- func LoadFromValues (certPEM , keyPEM , ca string ) (* tls.Config , error ) {
44
- var pool * x509.CertPool
45
- // If no CA cert if provided, use system pool
46
- if ca == "" {
47
- p , err := x509 .SystemCertPool ()
48
- if err != nil {
49
- return nil , err
50
- }
51
- pool = p
52
- } else {
53
- pool = x509 .NewCertPool ()
54
- if ! pool .AppendCertsFromPEM ([]byte (ca )) {
55
- return nil , fmt .Errorf ("Failed to add CA cert" )
56
- }
46
+ // Load Certs if any
47
+ var cert tls.Certificate
48
+ if cfg .Cert != "" && cfg .Key != "" {
49
+ cert , err = LoadCertFromValues (cfg .Cert , cfg .Key )
50
+ tlsConf .Certificates = append (tlsConf .Certificates , cert )
51
+ } else if cfg .CertFile != "" && cfg .KeyFile != "" {
52
+ cert , err = LoadCertFromFiles (cfg .CertFile , cfg .KeyFile )
53
+ tlsConf .Certificates = append (tlsConf .Certificates , cert )
57
54
}
58
55
59
- cert , err := tls .X509KeyPair ([]byte (certPEM ), []byte (keyPEM ))
60
56
if err != nil {
61
- return nil , err
57
+ return nil , errors . Wrap ( err , "Error loading certificate KeyPair" )
62
58
}
63
59
64
- tlsConfig := & tls. Config {
65
- RootCAs : pool ,
66
- Certificates : []tls. Certificate { cert },
67
- MinVersion : tls . VersionTLS12 ,
60
+ // Backwards compatibility: if TLS is not explicitly enabled, return nil if no certificate was provided
61
+ // Old code disabled TLS by not providing a certificate, which returned nil when calling TLSConfig()
62
+ if ! cfg . Enabled && len ( tlsConf . Certificates ) == 0 {
63
+ return nil , nil
68
64
}
69
65
70
- return tlsConfig , nil
66
+ return tlsConf , nil
67
+ }
68
+
69
+ func LoadCertFromValues (certPEM , keyPEM string ) (tls.Certificate , error ) {
70
+ return tls .X509KeyPair ([]byte (certPEM ), []byte (keyPEM ))
71
71
}
72
72
73
- func LoadFromFiles (certFile , keyFile string , cafiles []string ) (* tls.Config , error ) {
74
- var pool * x509.CertPool
75
- if len (cafiles ) == 0 {
76
- p , err := x509 .SystemCertPool ()
73
+ func LoadCertFromFiles (certFile , keyFile string ) (tls.Certificate , error ) {
74
+ return tls .LoadX509KeyPair (certFile , keyFile )
75
+ }
76
+
77
+ func LoadCAFromFiles (cafiles []string ) (* x509.CertPool , error ) {
78
+ pool := x509 .NewCertPool ()
79
+
80
+ for _ , caFile := range cafiles {
81
+ caData , err := ioutil .ReadFile (caFile )
77
82
if err != nil {
78
83
return nil , err
79
84
}
80
- pool = p
81
- } else {
82
- pool = x509 .NewCertPool ()
83
-
84
- for _ , caFile := range cafiles {
85
- caData , err := ioutil .ReadFile (caFile )
86
- if err != nil {
87
- return nil , err
88
- }
89
85
90
- if ! pool .AppendCertsFromPEM (caData ) {
91
- return nil , fmt .Errorf ("Failed to add CA cert at %s" , caFile )
92
- }
86
+ if ! pool .AppendCertsFromPEM (caData ) {
87
+ return nil , fmt .Errorf ("Failed to add CA cert at %s" , caFile )
93
88
}
94
89
}
95
90
96
- cert , err := tls .LoadX509KeyPair (certFile , keyFile )
97
- if err != nil {
98
- return nil , err
99
- }
91
+ return pool , nil
92
+ }
100
93
101
- tlsConfig := & tls. Config {
102
- RootCAs : pool ,
103
- Certificates : []tls. Certificate { cert },
104
- MinVersion : tls . VersionTLS12 ,
94
+ func LoadCAFromValue ( ca string ) ( * x509. CertPool , error ) {
95
+ pool := x509 . NewCertPool ()
96
+ if ! pool . AppendCertsFromPEM ([] byte ( ca )) {
97
+ return nil , fmt . Errorf ( "Failed to add CA cert" )
105
98
}
106
-
107
- return tlsConfig , nil
99
+ return pool , nil
108
100
}
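Review bot: In the certificate-loading block of TLSConfig(), `tlsConf.Certificates = append(tlsConf.Certificates, cert)` runs in both branches before `err` is checked, so a failed LoadCertFromValues/LoadCertFromFiles call appends a zero-value tls.Certificate; the `if err != nil` return immediately after makes this harmless today, but it relies on that ordering staying intact. Appending only after the error check keeps the config from ever carrying an empty certificate, and a flag preserves the `len(tlsConf.Certificates) == 0` backwards-compatibility test that follows. The same block would also benefit from a comment on the `InsecureSkipVerify: cfg.Insecure` field, e.g. `// Insecure disables both chain and hostname verification of the peer; RootCAs is still loaded but not consulted`, since the config is now built unconditionally rather than only when a certificate was supplied. The RootCAs selection silently prefers cfg.CA over cfg.CAFiles when both are set; a one-line comment stating that precedence would help callers.
```go
	// Load Certs if any
	var cert tls.Certificate
	haveCert := false
	if cfg.Cert != "" && cfg.Key != "" {
		cert, err = LoadCertFromValues(cfg.Cert, cfg.Key)
		haveCert = true
	} else if cfg.CertFile != "" && cfg.KeyFile != "" {
		cert, err = LoadCertFromFiles(cfg.CertFile, cfg.KeyFile)
		haveCert = true
	}
	if err != nil {
		return nil, errors.Wrap(err, "Error loading certificate KeyPair")
	}
	if haveCert {
		tlsConf.Certificates = append(tlsConf.Certificates, cert)
	}
	// … unchanged: backwards-compatibility nil return and final return …
```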