tls.go

package kmstls

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"os"

	"code.fbi.h-da.de/danet/quant/goKMS/config"
	"google.golang.org/grpc/credentials"
	"google.golang.org/grpc/credentials/insecure"
)

func GenerateGRPCServerTransportCredsBasedOnTLSFlag(tlsData config.TLSConfig) (credentials.TransportCredentials, error) {
	var gRPCTransportCreds credentials.TransportCredentials
	if tlsData.Active {
		creds, err := generateGRPCServerTransportCredsWithTLS(tlsData.CAFile, tlsData.CertFile, tlsData.KeyFile)
		if err != nil {
			return nil, err
		}

		gRPCTransportCreds = creds
	} else {
		gRPCTransportCreds = insecure.NewCredentials()
	}

	return gRPCTransportCreds, nil
}

func generateGRPCServerTransportCredsWithTLS(caFile, certFile, keyFile string) (credentials.TransportCredentials, error) {
	cp := x509.NewCertPool()
	b, err := os.ReadFile(caFile)
	if err != nil {
		return nil, err
	}

	if !cp.AppendCertsFromPEM(b) {
		return nil, fmt.Errorf("credentials: failed to append certificates")
	}

	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
	if err != nil {
		return nil, err
	}

	tlsConfig := &tls.Config{
		MinVersion:   tls.VersionTLS13,
		ClientCAs:    cp,
		Certificates: []tls.Certificate{cert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
	}

	return credentials.NewTLS(tlsConfig), nil
}

func GenerateGRPCClientTransportCredsBasedOnTLSFlag(tlsConfig config.TLSConfig) (credentials.TransportCredentials, error) {
	var gRPCTransportCreds credentials.TransportCredentials
	if tlsConfig.Active {
		creds, err := generateGRPCClientTransportCredsWithTLS(tlsConfig.CAFile, tlsConfig.CertFile, tlsConfig.KeyFile)
		if err != nil {
			return nil, err
		}

		gRPCTransportCreds = creds
	} else {
		gRPCTransportCreds = insecure.NewCredentials()
	}

	return gRPCTransportCreds, nil
}

func generateGRPCClientTransportCredsWithTLS(caFile, certFile, keyFile string) (credentials.TransportCredentials, error) {
	cp := x509.NewCertPool()

	b, err := os.ReadFile(caFile)
	if err != nil {
		return nil, err
	}
	if !cp.AppendCertsFromPEM(b) {
		return nil, fmt.Errorf("credentials: failed to append certificates")
	}

	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
	if err != nil {
		return nil, err
	}

	tlsConfig := &tls.Config{
		MinVersion:   tls.VersionTLS13,
		RootCAs:      cp,
		Certificates: []tls.Certificate{cert},
	}

	return credentials.NewTLS(tlsConfig), nil
}

func GenerateTlsLibraryConfig(tlsConfig config.TLSConfig) (*tls.Config, error) {
	caCert, err := os.ReadFile(tlsConfig.CAFile)
	if err != nil {
		return nil, err
	}
	caCertPool := x509.NewCertPool()
	if !caCertPool.AppendCertsFromPEM(caCert) {
		return nil, fmt.Errorf("credentials: failed to append certificates")
	}

	cert, err := tls.LoadX509KeyPair(tlsConfig.CertFile, tlsConfig.KeyFile)
	if err != nil {
		return nil, err
	}

	return &tls.Config{
		MinVersion:   tls.VersionTLS13,
		RootCAs:      caCertPool,
		Certificates: []tls.Certificate{cert},
	}, nil
}