github.com/cloud-foundations/dominator@v0.0.0-20221004181915-6e4fee580046/lib/srpc/setupserver/impl.go (about)

     1  package setupserver
     2  
     3  import (
     4  	"crypto/tls"
     5  	"crypto/x509"
     6  	"flag"
     7  	"fmt"
     8  	"io/ioutil"
     9  	"os"
    10  	"path"
    11  
    12  	"github.com/Cloud-Foundations/Dominator/lib/srpc"
    13  )
    14  
// Command-line flags naming the TLS material used by setupTls. The defaults
// for certFile and keyFile are computed at package init from the name the
// program was invoked as (see getDirname), so a binary started as "foo"
// looks for its certificate and key under /etc/ssl/foo/.
var (
	// caFile is the root of trust the server uses to verify client
	// certificates; per its help text it covers both identity and methods.
	caFile = flag.String("CAfile", "/etc/ssl/CA.pem",
		"Name of file containing the root of trust for identity and methods")
	// certFile is this process's own certificate, presented by both the
	// server and client TLS configurations.
	certFile = flag.String("certFile",
		path.Join("/etc/ssl", getDirname(), "cert.pem"),
		"Name of file containing the SSL certificate")
	// identityCaFile is an optional second root of trust for identity only.
	// The default is non-empty, so setupTls only skips it when the flag is
	// explicitly set to "" or the file does not exist.
	identityCaFile = flag.String("identityCAfile", "/etc/ssl/IdentityCA.pem",
		"Name of file containing the root of trust for identity only")
	// keyFile is the private key matching certFile.
	keyFile = flag.String("keyFile",
		path.Join("/etc/ssl", getDirname(), "key.pem"),
		"Name of file containing the SSL key")
)
    27  
// getDirname returns the last element of argv[0], i.e. the name this program
// was invoked as. It is used to derive the default certificate and key file
// locations. Note that argv[0] is chosen by whoever exec'ed the process, and
// path.Base maps an empty string to ".".
func getDirname() string {
	invokedAs := os.Args[0]
	return path.Base(invokedAs)
}
    31  
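// appendCAsFromPEM adds the certificates found in pemData to pool. label
// names the source file in the error ("CA", "identity CA") so the messages
// stay identical to those this package has always produced.
//
// x509.CertPool.AppendCertsFromPEM reports true when at least one
// certificate parsed; malformed entries mixed with valid ones are skipped
// silently, so an error here means nothing usable was found at all.
func appendCAsFromPEM(pool *x509.CertPool, pemData []byte, label string) error {
	if !pool.AppendCertsFromPEM(pemData) {
		return fmt.Errorf("unable to parse %s file", label)
	}
	return nil
}

// setupTls loads the certificate/key pair named by the -certFile and
// -keyFile flags and registers TLS configurations with the srpc package.
//
// When setupServer is true a server configuration is registered that
// requires and verifies client certificates (tls.RequireAndVerifyClientCert)
// against the roots in -CAfile, with TLS 1.2 as the minimum version. If
// -identityCAfile is non-empty and the file exists, the -CAfile pool is
// handed to srpc.RegisterFullAuthCA (presumably marking those roots as
// granting full authorisation — verify against the srpc package) and the
// pool used for the handshake is widened to also accept certificates
// chaining to the identity roots. A missing identity CA file is tolerated;
// any other read failure is an error.
//
// A client configuration presenting the same certificate is always
// registered. It sets InsecureSkipVerify, so this config by itself does not
// authenticate the remote server; NOTE(review): confirm that srpc performs
// its own peer verification on the client side.
//
// Returns an error if the key pair, the CA file or a present identity CA
// file cannot be read or parsed.
func setupTls(setupServer bool) error {
	// Load certificates and key.
	cert, err := tls.LoadX509KeyPair(*certFile, *keyFile)
	if err != nil {
		return fmt.Errorf("unable to load keypair: %w", err)
	}
	if setupServer {
		caData, err := ioutil.ReadFile(*caFile)
		if err != nil {
			return fmt.Errorf("unable to load CA file: \"%s\": %w",
				*caFile, err)
		}
		caCertPool := x509.NewCertPool()
		if err := appendCAsFromPEM(caCertPool, caData, "CA"); err != nil {
			return err
		}
		serverConfig := &tls.Config{
			Certificates: []tls.Certificate{cert},
			ClientAuth:   tls.RequireAndVerifyClientCert,
			ClientCAs:    caCertPool,
			MinVersion:   tls.VersionTLS12,
		}
		if *identityCaFile != "" {
			identityCaData, err := ioutil.ReadFile(*identityCaFile)
			switch {
			case err == nil:
				// The -CAfile roots alone are registered as the full-auth CA;
				// the handshake pool is rebuilt from both PEM bundles because
				// the original pool must stay CA-only.
				srpc.RegisterFullAuthCA(caCertPool)
				clientCAs := x509.NewCertPool()
				if err := appendCAsFromPEM(clientCAs, caData, "CA"); err != nil {
					return err
				}
				if err := appendCAsFromPEM(clientCAs, identityCaData,
					"identity CA"); err != nil {
					return err
				}
				serverConfig.ClientCAs = clientCAs
			case os.IsNotExist(err):
				// The identity CA is optional: keep the -CAfile-only pool.
			default:
				// The message names the identity CA file; the previous code
				// reported *caFile here, which hid the real failing path.
				return fmt.Errorf("unable to load identity CA file: \"%s\": %w",
					*identityCaFile, err)
			}
		}
		srpc.RegisterServerTlsConfig(serverConfig, true)
	}
	// Setup client.
	// NOTE(review): InsecureSkipVerify disables verification of the server's
	// certificate chain and host name in this config. Left unchanged because
	// callers may depend on it; the srpc package is where any peer check
	// would have to live.
	clientConfig := &tls.Config{
		Certificates:       []tls.Certificate{cert},
		InsecureSkipVerify: true,
		MinVersion:         tls.VersionTLS12,
	}
	srpc.RegisterClientTlsConfig(clientConfig)
	return nil
}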