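/*
Copyright IBM Corp All Rights Reserved.

SPDX-License-Identifier: Apache-2.0
*/

package operations

import (
	"fmt"
	"io/ioutil"

	tls "gitee.com/zhaochuninhefei/gmgo/gmtls"
	"gitee.com/zhaochuninhefei/gmgo/x509"
)

var (
	// DefaultTLSCipherSuites is the list of cipher suites offered by the
	// operations server. The ECDHE_* suites provide forward secrecy; the
	// two TLS_RSA_* suites use static RSA key exchange and do not, and are
	// kept only for compatibility with older clients.
	DefaultTLSCipherSuites = []uint16{
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
	}
)

// TLS contains the TLS configuration for the operations system server.
type TLS struct {
	// Enabled turns TLS on. When false, Config returns a nil *tls.Config.
	Enabled bool
	// CertFile and KeyFile are the paths of the server's PEM-encoded
	// certificate and private key.
	CertFile string
	KeyFile  string
	// ClientCertRequired, when true, rejects clients that present no
	// certificate; when false a client certificate is verified only if
	// the client offers one.
	ClientCertRequired bool
	// ClientCACertFiles lists PEM files whose certificates form the trust
	// pool used to verify client certificates.
	ClientCACertFiles []string
}

// Config builds the *tls.Config for the operations server from t.
//
// It returns (nil, nil) when TLS is disabled. Otherwise it loads the
// server key pair, reads every client CA file into a certificate pool and
// selects the client-auth mode. An error is returned when the key pair
// cannot be loaded, a CA file cannot be read, or a CA file yields no
// parseable certificate — the last case used to be ignored silently,
// which left a configured CA out of the trust pool without any signal.
func (t *TLS) Config() (*tls.Config, error) {
	if !t.Enabled {
		return nil, nil
	}

	cert, err := tls.LoadX509KeyPair(t.CertFile, t.KeyFile)
	if err != nil {
		return nil, fmt.Errorf("loading TLS key pair from %q and %q: %w", t.CertFile, t.KeyFile, err)
	}

	// NOTE(review): with an empty ClientCACertFiles the pool is empty, so a
	// client certificate, if presented, cannot chain to any root.
	caCertPool := x509.NewCertPool()
	for _, caPath := range t.ClientCACertFiles {
		caPem, err := ioutil.ReadFile(caPath)
		if err != nil {
			return nil, fmt.Errorf("reading client CA certificate file %q: %w", caPath, err)
		}
		// AppendCertsFromPEM reports false when it parsed no certificate
		// from the data; surface that as a configuration error instead of
		// quietly dropping the CA from the pool.
		if !caCertPool.AppendCertsFromPEM(caPem) {
			return nil, fmt.Errorf("no certificates found in client CA certificate file %q", caPath)
		}
	}

	clientAuth := tls.VerifyClientCertIfGiven
	if t.ClientCertRequired {
		clientAuth = tls.RequireAndVerifyClientCert
	}

	// NOTE(review): no MinVersion is pinned here. Whether TLS 1.2 can be
	// required without breaking GM/TLCP handshakes depends on how gmtls
	// numbers those protocol versions — confirm before adding one.
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		CipherSuites: DefaultTLSCipherSuites,
		ClientCAs:    caCertPool,
		ClientAuth:   clientAuth,
	}, nil
}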