package config
import (
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"fmt"
|
|
"io/ioutil"
|
|
)
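// SetupTLSConfig builds a *tls.Config from cfg.
//
// When both CertFile and KeyFile are set, the PEM-encoded key pair is loaded
// and presented to the peer. When CAFile is set, the PEM certificates in it
// become the trust anchors: for a server (cfg.Server) they are installed as
// ClientCAs and client certificates are required and verified (mutual TLS);
// for a client they are installed as RootCAs. In both cases ServerName is set
// to cfg.ServerAddress. A server configured without CAFile does not
// authenticate clients, and a client without CAFile leaves RootCAs nil.
//
// MinVersion is pinned to TLS 1.2 so that a config built here never
// negotiates TLS 1.0 or 1.1.
//
// Errors from loading the key pair or reading the CA file are returned
// wrapped with the offending path (inspect them with errors.Is/errors.As);
// a CA file with no parseable certificate is reported as such.
func SetupTLSConfig(cfg TLSConfig) (*tls.Config, error) {
	tlsConfig := &tls.Config{
		MinVersion: tls.VersionTLS12,
	}

	// Load the key pair this side presents to its peer. Both paths are
	// required; a lone CertFile or KeyFile is ignored.
	if cfg.CertFile != "" && cfg.KeyFile != "" {
		cert, err := tls.LoadX509KeyPair(cfg.CertFile, cfg.KeyFile)
		if err != nil {
			return nil, fmt.Errorf("loading key pair %q/%q: %w", cfg.CertFile, cfg.KeyFile, err)
		}
		tlsConfig.Certificates = []tls.Certificate{cert}
	}

	if cfg.CAFile != "" {
		ca, err := loadCertPool(cfg.CAFile)
		if err != nil {
			return nil, err
		}
		if cfg.Server {
			// Mutual TLS: the server verifies every client certificate
			// against the CA bundle.
			tlsConfig.ClientCAs = ca
			tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
		} else {
			tlsConfig.RootCAs = ca
		}
		tlsConfig.ServerName = cfg.ServerAddress
	}

	return tlsConfig, nil
}

// loadCertPool reads the PEM bundle at path into a new x509.CertPool.
// It returns an error when the file cannot be read or contains no
// parseable certificate.
func loadCertPool(path string) (*x509.CertPool, error) {
	b, err := ioutil.ReadFile(path)
	if err != nil {
		return nil, fmt.Errorf("reading CA file %q: %w", path, err)
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(b) {
		return nil, fmt.Errorf(
			"failed to parse root certificate: %q",
			path,
		)
	}
	return pool, nil
}

// TLSConfig holds the file paths and role that SetupTLSConfig turns into a
// *tls.Config.
type TLSConfig struct {
	// CertFile and KeyFile are paths to the PEM-encoded certificate and
	// private key this side presents to its peer. Both must be set for the
	// key pair to be loaded; if either is empty no certificate is presented.
	CertFile string
	KeyFile  string
	// CAFile is the path to a PEM bundle of trusted CA certificates. For a
	// server it verifies client certificates; for a client it verifies the
	// server certificate. When empty, ClientCAs/RootCAs are left nil.
	CAFile string
	// ServerAddress is copied into tls.Config.ServerName when CAFile is set.
	ServerAddress string
	// If this is true, the server validates the authenticity of client certificates.
	// Meaning we can use mutual TLS authentication.
	Server bool
}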