github.com/vieux/docker@v0.6.3-0.20161004191708-e097c2a938c7/pkg/tlsconfig/config.go

github.com/vieux/docker@v0.6.3-0.20161004191708-e097c2a938c7/pkg/tlsconfig/config.go (about)

     1  // Package tlsconfig provides primitives to retrieve secure-enough TLS configurations for both clients and servers.
     2  //
     3  // As a reminder from https://golang.org/pkg/crypto/tls/#Config:
     4  //	A Config structure is used to configure a TLS client or server. After one has been passed to a TLS function it must not be modified.
     5  //	A Config may be reused; the tls package will also not modify it.
     6  package tlsconfig
     7  
     8  import (
     9  	"crypto/tls"
    10  	"crypto/x509"
    11  	"fmt"
    12  	"io/ioutil"
    13  	"os"
    14  
    15  	"github.com/Sirupsen/logrus"
    16  )
    17  
    18  // Options represents the information needed to create client and server TLS configurations.
    19  type Options struct {
    20  	CAFile string
    21  
    22  	// If either CertFile or KeyFile is empty, Client() will not load them
    23  	// preventing the client from authenticating to the server.
    24  	// However, Server() requires them and will error out if they are empty.
    25  	CertFile string
    26  	KeyFile  string
    27  
    28  	// client-only option
    29  	InsecureSkipVerify bool
    30  	// server-only option
    31  	ClientAuth tls.ClientAuthType
    32  }
    33  
    34  // Extra (server-side) accepted CBC cipher suites - will phase out in the future
    35  var acceptedCBCCiphers = []uint16{
    36  	tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
    37  	tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
    38  	tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
    39  	tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
    40  	tls.TLS_RSA_WITH_AES_256_CBC_SHA,
    41  	tls.TLS_RSA_WITH_AES_128_CBC_SHA,
    42  }
    43  
    44  // Client TLS cipher suites (dropping CBC ciphers for client preferred suite set)
    45  var clientCipherSuites = []uint16{
    46  	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
    47  	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    48  }
    49  
    50  // DefaultServerAcceptedCiphers should be uses by code which already has a crypto/tls
    51  // options struct but wants to use a commonly accepted set of TLS cipher suites, with
    52  // known weak algorithms removed.
    53  var DefaultServerAcceptedCiphers = append(clientCipherSuites, acceptedCBCCiphers...)
    54  
    55  // ServerDefault returns a secure-enough TLS configuration for the server TLS configuration.
    56  func ServerDefault() *tls.Config {
    57  	return &tls.Config{
    58  		// Avoid fallback to SSL protocols < TLS1.0
    59  		MinVersion:               tls.VersionTLS10,
    60  		PreferServerCipherSuites: true,
    61  		CipherSuites:             DefaultServerAcceptedCiphers,
    62  	}
    63  }
    64  
    65  // ClientDefault returns a secure-enough TLS configuration for the client TLS configuration.
    66  func ClientDefault() *tls.Config {
    67  	return &tls.Config{
    68  		// Prefer TLS1.2 as the client minimum
    69  		MinVersion:   tls.VersionTLS12,
    70  		CipherSuites: clientCipherSuites,
    71  	}
    72  }
    73  
    74  // certPool returns an X.509 certificate pool from `caFile`, the certificate file.
    75  func certPool(caFile string) (*x509.CertPool, error) {
    76  	// If we should verify the server, we need to load a trusted ca
    77  	certPool := x509.NewCertPool()
    78  	pem, err := ioutil.ReadFile(caFile)
    79  	if err != nil {
    80  		return nil, fmt.Errorf("Could not read CA certificate %q: %v", caFile, err)
    81  	}
    82  	if !certPool.AppendCertsFromPEM(pem) {
    83  		return nil, fmt.Errorf("failed to append certificates from PEM file: %q", caFile)
    84  	}
    85  	logrus.Debugf("Trusting %d certs", len(certPool.Subjects()))
    86  	return certPool, nil
    87  }
    88  
    89  // Client returns a TLS configuration meant to be used by a client.
    90  func Client(options Options) (*tls.Config, error) {
    91  	tlsConfig := ClientDefault()
    92  	tlsConfig.InsecureSkipVerify = options.InsecureSkipVerify
    93  	if !options.InsecureSkipVerify && options.CAFile != "" {
    94  		CAs, err := certPool(options.CAFile)
    95  		if err != nil {
    96  			return nil, err
    97  		}
    98  		tlsConfig.RootCAs = CAs
    99  	}
   100  
   101  	if options.CertFile != "" || options.KeyFile != "" {
   102  		tlsCert, err := tls.LoadX509KeyPair(options.CertFile, options.KeyFile)
   103  		if err != nil {
   104  			return nil, fmt.Errorf("Could not load X509 key pair: %v. Make sure the key is not encrypted", err)
   105  		}
   106  		tlsConfig.Certificates = []tls.Certificate{tlsCert}
   107  	}
   108  
   109  	return tlsConfig, nil
   110  }
   111  
   112  // Server returns a TLS configuration meant to be used by a server.
   113  func Server(options Options) (*tls.Config, error) {
   114  	tlsConfig := ServerDefault()
   115  	tlsConfig.ClientAuth = options.ClientAuth
   116  	tlsCert, err := tls.LoadX509KeyPair(options.CertFile, options.KeyFile)
   117  	if err != nil {
   118  		if os.IsNotExist(err) {
   119  			return nil, fmt.Errorf("Could not load X509 key pair (cert: %q, key: %q): %v", options.CertFile, options.KeyFile, err)
   120  		}
   121  		return nil, fmt.Errorf("Error reading X509 key pair (cert: %q, key: %q): %v. Make sure the key is not encrypted.", options.CertFile, options.KeyFile, err)
   122  	}
   123  	tlsConfig.Certificates = []tls.Certificate{tlsCert}
   124  	if options.ClientAuth >= tls.VerifyClientCertIfGiven {
   125  		CAs, err := certPool(options.CAFile)
   126  		if err != nil {
   127  			return nil, err
   128  		}
   129  		tlsConfig.ClientCAs = CAs
   130  	}
   131  	return tlsConfig, nil
   132  }