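package setupserver

import (
	"crypto/tls"
	"crypto/x509"
	"flag"
	"fmt"
	"io/ioutil"
	"os"
	"path"

	"github.com/Cloud-Foundations/Dominator/lib/srpc"
)

// Command-line flags naming the certificate material. The cert and key
// defaults live in a per-program subdirectory under /etc/ssl (see getDirname).
var (
	caFile = flag.String("CAfile", "/etc/ssl/CA.pem",
		"Name of file containing the root of trust for identity and methods")
	certFile = flag.String("certFile",
		path.Join("/etc/ssl", getDirname(), "cert.pem"),
		"Name of file containing the SSL certificate")
	identityCaFile = flag.String("identityCAfile", "/etc/ssl/IdentityCA.pem",
		"Name of file containing the root of trust for identity only")
	keyFile = flag.String("keyFile",
		path.Join("/etc/ssl", getDirname(), "key.pem"),
		"Name of file containing the SSL key")
)

// getDirname returns the base name of the running executable (os.Args[0]),
// which selects the per-program subdirectory used for the default cert/key
// paths.
func getDirname() string {
	return path.Base(os.Args[0])
}

// setupTls loads the certificate/key pair named by the -certFile and
// -keyFile flags and registers TLS configurations with the srpc package.
// When setupServer is true a server configuration (mutual TLS, client
// certificates verified against the CA files) is registered as well; the
// client configuration is always registered. Any failure to load or parse
// the files is returned as an error and nothing further is registered.
func setupTls(setupServer bool) error {
	cert, err := tls.LoadX509KeyPair(*certFile, *keyFile)
	if err != nil {
		return fmt.Errorf("unable to load keypair: %s", err)
	}
	if setupServer {
		if err := setupServerTls(cert); err != nil {
			return err
		}
	}
	// Client side: present our certificate to the peer.
	// NOTE(review): InsecureSkipVerify disables verification of the server's
	// certificate chain and hostname in crypto/tls. Whether srpc verifies the
	// server identity by some other means is not visible here — confirm
	// before relying on this client configuration for authentication of the
	// remote end.
	clientConfig := &tls.Config{
		Certificates:       []tls.Certificate{cert},
		InsecureSkipVerify: true,
		MinVersion:         tls.VersionTLS12,
	}
	srpc.RegisterClientTlsConfig(clientConfig)
	return nil
}

// setupServerTls builds the server-side TLS configuration around cert and
// registers it with srpc. Clients must present a certificate chaining to the
// -CAfile root (full authentication). If -identityCAfile is set and the file
// exists, certificates chaining to that root are additionally accepted as
// client certificates, and the -CAfile pool alone is registered as the
// full-auth CA so srpc can distinguish the two classes. A missing identity CA
// file is deliberately tolerated (best effort); any other read or parse
// failure is returned as an error.
func setupServerTls(cert tls.Certificate) error {
	caData, err := ioutil.ReadFile(*caFile)
	if err != nil {
		return fmt.Errorf("unable to load CA file: \"%s\": %s", *caFile, err)
	}
	fullAuthPool := x509.NewCertPool()
	if !fullAuthPool.AppendCertsFromPEM(caData) {
		return fmt.Errorf("unable to parse CA file")
	}
	serverConfig := &tls.Config{
		Certificates: []tls.Certificate{cert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    fullAuthPool,
		MinVersion:   tls.VersionTLS12,
	}
	if *identityCaFile != "" {
		identityCaData, err := ioutil.ReadFile(*identityCaFile)
		switch {
		case err != nil && os.IsNotExist(err):
			// Absent identity CA: keep the full-auth-only client pool.
		case err != nil:
			// Report the file actually being read (the identity CA), not
			// the main CA file.
			return fmt.Errorf("unable to load identity CA file: \"%s\": %s",
				*identityCaFile, err)
		default:
			// The combined client pool accepts either root. caData already
			// parsed successfully above, so only the identity data can fail.
			clientPool := x509.NewCertPool()
			clientPool.AppendCertsFromPEM(caData)
			if !clientPool.AppendCertsFromPEM(identityCaData) {
				return fmt.Errorf("unable to parse identity CA file")
			}
			// Register only after both pools are valid, so a parse failure
			// leaves nothing half-registered.
			srpc.RegisterFullAuthCA(fullAuthPool)
			serverConfig.ClientCAs = clientPool
		}
	}
	srpc.RegisterServerTlsConfig(serverConfig, true)
	return nil
}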