
     1  /*
     2  Copyright IBM Corp All Rights Reserved.
     3  
     4  SPDX-License-Identifier: Apache-2.0
     5  */
     6  
     7  package operations
     8  
import (
	"fmt"
	"io/ioutil"

	tls "gitee.com/zhaochuninhefei/gmgo/gmtls"
	"gitee.com/zhaochuninhefei/gmgo/x509"
)
    15  
// DefaultTLSCipherSuites is the cipher suite allow-list that TLS.Config
// applies to the operations listener. All six entries are AES-GCM (AEAD)
// suites.
//
// NOTE(review): the two TLS_RSA_* entries use static RSA key exchange and so
// give no forward secrecy; the four ECDHE_* entries do. Whether gmtls honours
// this list for TLS 1.3 (upstream crypto/tls ignores CipherSuites for 1.3),
// and whether any GM (SM2/SM4) suites must be listed explicitly to be
// offered, is not visible from this file — confirm against the gmtls package
// before tightening or extending the list.
var DefaultTLSCipherSuites = []uint16{
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
}
    27  
// TLS contains the TLS configuration for the operations system server.
// Config turns these fields into a *tls.Config; see that method for how each
// field is used.
type TLS struct {
	// Enabled switches TLS on for the operations listener. When false, Config
	// returns a nil *tls.Config and the remaining fields are ignored.
	Enabled bool
	// CertFile is the path to the PEM-encoded server certificate.
	CertFile string
	// KeyFile is the path to the PEM-encoded private key matching CertFile.
	KeyFile string
	// ClientCertRequired selects tls.RequireAndVerifyClientCert when true;
	// otherwise Config uses tls.VerifyClientCertIfGiven, which still accepts
	// clients that present no certificate at all.
	ClientCertRequired bool
	// ClientCACertFiles lists PEM files whose certificates are added to the
	// pool used to verify client certificates (tls.Config.ClientCAs).
	ClientCACertFiles []string
}
    36  
    37  // Config returns TLS configuration
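// Config builds the server-side TLS configuration for the operations
// listener from the receiver's fields.
//
// When t.Enabled is false it returns a nil *tls.Config and a nil error; the
// caller must treat a nil config as "serve without TLS".
//
// When enabled it loads the server key pair, builds a client CA pool from
// every file in t.ClientCACertFiles and restricts the offered cipher suites
// to DefaultTLSCipherSuites. Client authentication is
// tls.RequireAndVerifyClientCert when t.ClientCertRequired is set, otherwise
// tls.VerifyClientCertIfGiven (a client that presents no certificate is still
// accepted, but a presented certificate must verify against the pool).
//
// It returns an error if the key pair cannot be loaded, a CA file cannot be
// read, or a CA file contains no parseable PEM certificate. Errors are
// wrapped with the offending path so the operator can tell which file is at
// fault; the underlying error is reachable via errors.Is/errors.As.
func (t *TLS) Config() (*tls.Config, error) {
	if !t.Enabled {
		return nil, nil
	}

	cert, err := tls.LoadX509KeyPair(t.CertFile, t.KeyFile)
	if err != nil {
		return nil, fmt.Errorf("loading operations TLS key pair %q/%q: %w", t.CertFile, t.KeyFile, err)
	}

	caCertPool := x509.NewCertPool()
	for _, caPath := range t.ClientCACertFiles {
		caPem, err := ioutil.ReadFile(caPath)
		if err != nil {
			return nil, fmt.Errorf("reading client CA cert file %q: %w", caPath, err)
		}
		// AppendCertsFromPEM reports false when nothing in the file parsed as
		// a certificate. Treating that as fatal stops an empty or mistyped CA
		// file from silently shrinking the set of trusted client issuers.
		if !caCertPool.AppendCertsFromPEM(caPem) {
			return nil, fmt.Errorf("no certificates found in client CA cert file %q", caPath)
		}
	}

	tlsConfig := &tls.Config{
		Certificates: []tls.Certificate{cert},
		CipherSuites: DefaultTLSCipherSuites,
		ClientCAs:    caCertPool,
		// NOTE(review): no MinVersion is set, so the minimum protocol version
		// is whatever gmtls defaults to — confirm that default before relying
		// on it.
	}

	// Client certificates are verified against caCertPool in both modes; the
	// modes differ only in whether a client may omit its certificate.
	if t.ClientCertRequired {
		tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
	} else {
		tlsConfig.ClientAuth = tls.VerifyClientCertIfGiven
	}

	return tlsConfig, nil
}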