cocos/pkg/atls/tls_helpers.go
Danko Miladinovic 80bf813c48
NOISSUE - Post-handshake aTLS (#582)
* initial post-handshake aTLS implementation

* add header

* rebased

* remove grpc.go and http.go

* fix authenticator issues

* add freshness nonce

---------

Co-authored-by: ultraviolet <cocosai@worker-52.local.pragmatic-it.com>
Co-authored-by: ultraviolet <cocosai@k8s-master.local.pragmatic-it.com>
2026-03-26 16:57:09 +01:00


// Copyright (c) Ultraviolet
// SPDX-License-Identifier: Apache-2.0
package atls
import (
"crypto/tls"
"crypto/x509"
"fmt"
"os"
"strings"
)
// tlsSetupResult bundles the TLS configuration assembled by setupRegularTLS
// with whether that configuration requires client certificates.
type tlsSetupResult struct {
	config *tls.Config // configuration handed to the transport (TLS 1.3 minimum)
	mtls   bool        // true when a client CA was installed and ClientAuth is RequireAndVerifyClientCert
}
// readFileOrData returns the bytes behind input, which may be either a
// filesystem path or the inline contents themselves.
//
// The heuristic: a value shorter than 1000 bytes with no newline is treated
// as a path and read from disk; anything else (a long value, or one that
// contains a newline, as PEM text does) is returned verbatim. A short,
// newline-free value that does not exist on disk is reported as a read
// error and never silently reused as inline data, so a mistyped path cannot
// turn into an empty or bogus certificate.
func readFileOrData(input string) ([]byte, error) {
	looksLikePath := len(input) < 1000 && !strings.Contains(input, "\n")
	if !looksLikePath {
		return []byte(input), nil
	}
	contents, err := os.ReadFile(input)
	if err != nil {
		return nil, err
	}
	return contents, nil
}
// loadX509KeyPair builds a tls.Certificate from certFile and keyFile, each
// of which is either a path or inline PEM (see readFileOrData). Read
// failures are wrapped with which input failed; PEM/key parse failures are
// returned unchanged from tls.X509KeyPair.
func loadX509KeyPair(certFile, keyFile string) (tls.Certificate, error) {
	var (
		certPEM, keyPEM []byte
		err             error
	)
	if certPEM, err = readFileOrData(certFile); err != nil {
		return tls.Certificate{}, fmt.Errorf("failed to read cert: %w", err)
	}
	if keyPEM, err = readFileOrData(keyFile); err != nil {
		return tls.Certificate{}, fmt.Errorf("failed to read key: %w", err)
	}
	return tls.X509KeyPair(certPEM, keyPEM)
}
// loadCertFile reads an optional CA bundle. An empty certFile yields an
// empty, non-nil slice and no error, so callers can distinguish "not
// configured" from "configured" by length alone. A non-empty certFile is
// resolved via readFileOrData (path or inline PEM).
func loadCertFile(certFile string) ([]byte, error) {
	switch certFile {
	case "":
		return []byte{}, nil
	default:
		return readFileOrData(certFile)
	}
}
// configureCertificateAuthorities installs the optional server and client
// CA bundles into tlsConfig. The server CA (serverCAFile) is appended to
// RootCAs, which verifies peers this side dials; the client CA
// (clientCAFile) is appended to ClientCAs, which verifies certificates
// presented by connecting clients. It returns true only when a client CA
// was installed, i.e. when the caller should require client certificates.
//
// Existing pools on tlsConfig are extended rather than replaced. A bundle
// from which no certificate can be parsed is an error, not a silent no-op,
// so an unusable trust store never passes as configured.
func configureCertificateAuthorities(tlsConfig *tls.Config, serverCAFile, clientCAFile string) (bool, error) {
	// appendPEM adds pemBytes to pool (allocating it when nil) and reports
	// whether at least one certificate was parsed.
	appendPEM := func(pool *x509.CertPool, pemBytes []byte) (*x509.CertPool, bool) {
		if pool == nil {
			pool = x509.NewCertPool()
		}
		return pool, pool.AppendCertsFromPEM(pemBytes)
	}

	serverCA, err := loadCertFile(serverCAFile)
	if err != nil {
		return false, fmt.Errorf("failed to load server ca file: %w", err)
	}
	if len(serverCA) > 0 {
		pool, ok := appendPEM(tlsConfig.RootCAs, serverCA)
		tlsConfig.RootCAs = pool
		if !ok {
			return false, fmt.Errorf("failed to append server ca to tls.Config")
		}
	}

	clientCA, err := loadCertFile(clientCAFile)
	if err != nil {
		return false, fmt.Errorf("failed to load client ca file: %w", err)
	}
	if len(clientCA) == 0 {
		// No client CA: nothing to verify client certificates against,
		// so the caller must not require them.
		return false, nil
	}
	pool, ok := appendPEM(tlsConfig.ClientCAs, clientCA)
	tlsConfig.ClientCAs = pool
	if !ok {
		return false, fmt.Errorf("failed to append client ca to tls.Config")
	}
	return true, nil
}
// setupRegularTLS builds the regular TLS configuration: TLS 1.3 minimum,
// the given leaf certificate and key, and optional server and client CA
// bundles. Client authentication starts at NoClientCert and is raised to
// RequireAndVerifyClientCert exactly when a client CA bundle was installed,
// so the returned mtls flag and the config's ClientAuth always agree.
//
// certFile and keyFile are required; the CA inputs may be empty. Each may be
// a path or inline PEM (see readFileOrData).
func setupRegularTLS(certFile, keyFile, serverCAFile, clientCAFile string) (*tlsSetupResult, error) {
	leaf, err := loadX509KeyPair(certFile, keyFile)
	if err != nil {
		return nil, fmt.Errorf("failed to load auth certificates: %w", err)
	}

	cfg := &tls.Config{
		MinVersion:   tls.VersionTLS13,
		ClientAuth:   tls.NoClientCert,
		Certificates: []tls.Certificate{leaf},
	}

	requireClientCert, err := configureCertificateAuthorities(cfg, serverCAFile, clientCAFile)
	switch {
	case err != nil:
		return nil, err
	case requireClientCert:
		// A client CA is present: verify every connecting client against it.
		cfg.ClientAuth = tls.RequireAndVerifyClientCert
	}

	return &tlsSetupResult{config: cfg, mtls: requireClientCert}, nil
}