package kmstls

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"os"

	"code.fbi.h-da.de/danet/quant/goKMS/config"
	"google.golang.org/grpc/credentials"
	"google.golang.org/grpc/credentials/insecure"
)

// GenerateGRPCServerTransportCredsBasedOnTLSFlag returns the transport
// credentials a gRPC server should use, selected by tlsConfig.Active: when
// TLS is active the credentials wrap the *tls.Config produced by
// GenerateServerTLSLibraryConfig; otherwise the insecure (plaintext,
// unauthenticated) credentials from grpc/credentials/insecure are returned.
// The only error source is GenerateServerTLSLibraryConfig, whose error is
// passed through unchanged.
func GenerateGRPCServerTransportCredsBasedOnTLSFlag(tlsConfig config.TLSConfig) (credentials.TransportCredentials, error) {
	// Inactive TLS means the listener accepts unencrypted, unauthenticated connections.
	if !tlsConfig.Active {
		return insecure.NewCredentials(), nil
	}

	serverTLS, err := GenerateServerTLSLibraryConfig(tlsConfig)
	if err != nil {
		return nil, err
	}
	return credentials.NewTLS(serverTLS), nil
}

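// GenerateServerTLSLibraryConfig builds the *tls.Config for the gRPC server
// side from tlsConfig: the PEM bundle in tlsConfig.CAFile becomes the
// ClientCAs pool, the tlsConfig.CertFile/KeyFile pair is the server
// certificate, TLS 1.3 is the minimum protocol version and every client must
// present a certificate that verifies against the pool (mutual TLS via
// tls.RequireAndVerifyClientCert).
//
// It returns an error when the CA file cannot be read, when no certificate
// could be parsed from it, or when the key pair cannot be loaded. Errors are
// wrapped with the step and file involved so the caller can tell which of the
// three inputs is wrong; the underlying error remains reachable via errors.Is
// and errors.As.
func GenerateServerTLSLibraryConfig(tlsConfig config.TLSConfig) (*tls.Config, error) {
	caPEM, err := os.ReadFile(tlsConfig.CAFile)
	if err != nil {
		return nil, fmt.Errorf("credentials: reading CA file: %w", err)
	}

	clientCAs := x509.NewCertPool()
	// AppendCertsFromPEM reports whether at least one certificate was parsed;
	// an empty or non-PEM file therefore fails here instead of yielding an
	// empty pool that would reject every client at handshake time.
	if !clientCAs.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("credentials: failed to append certificates from %q", tlsConfig.CAFile)
	}

	cert, err := tls.LoadX509KeyPair(tlsConfig.CertFile, tlsConfig.KeyFile)
	if err != nil {
		return nil, fmt.Errorf("credentials: loading key pair %q/%q: %w", tlsConfig.CertFile, tlsConfig.KeyFile, err)
	}

	return &tls.Config{
		MinVersion:   tls.VersionTLS13,
		ClientCAs:    clientCAs,
		Certificates: []tls.Certificate{cert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
	}, nil
}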

// GenerateGRPCClientTransportCredsBasedOnTLSFlag returns the transport
// credentials a gRPC client should dial with, selected by tlsConfig.Active:
// when TLS is active the credentials wrap the *tls.Config produced by
// GenerateTLSLibraryConfig; otherwise the insecure (plaintext,
// unauthenticated) credentials from grpc/credentials/insecure are returned.
// The only error source is GenerateTLSLibraryConfig, whose error is passed
// through unchanged.
func GenerateGRPCClientTransportCredsBasedOnTLSFlag(tlsConfig config.TLSConfig) (credentials.TransportCredentials, error) {
	// Inactive TLS means the client neither encrypts nor authenticates the peer.
	if !tlsConfig.Active {
		return insecure.NewCredentials(), nil
	}

	clientTLS, err := GenerateTLSLibraryConfig(tlsConfig)
	if err != nil {
		return nil, err
	}
	return credentials.NewTLS(clientTLS), nil
}

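// GenerateTLSLibraryConfig builds the *tls.Config for the gRPC client side
// from tlsConfig: the PEM bundle in tlsConfig.CAFile becomes the RootCAs pool
// used to verify the server, the tlsConfig.CertFile/KeyFile pair is the
// client certificate offered when the server requests one, and TLS 1.3 is
// the minimum protocol version. ServerName is left unset here; the gRPC
// transport layer is expected to fill it from the dial target (not visible
// in this file).
//
// It returns an error when the CA file cannot be read, when no certificate
// could be parsed from it, or when the key pair cannot be loaded. Errors are
// wrapped with the step and file involved; the underlying error remains
// reachable via errors.Is and errors.As.
func GenerateTLSLibraryConfig(tlsConfig config.TLSConfig) (*tls.Config, error) {
	caPEM, err := os.ReadFile(tlsConfig.CAFile)
	if err != nil {
		return nil, fmt.Errorf("credentials: reading CA file: %w", err)
	}

	rootCAs := x509.NewCertPool()
	// AppendCertsFromPEM reports whether at least one certificate was parsed;
	// an empty or non-PEM file fails here rather than producing an empty pool
	// that would make every server certificate unverifiable.
	if !rootCAs.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("credentials: failed to append certificates from %q", tlsConfig.CAFile)
	}

	cert, err := tls.LoadX509KeyPair(tlsConfig.CertFile, tlsConfig.KeyFile)
	if err != nil {
		return nil, fmt.Errorf("credentials: loading key pair %q/%q: %w", tlsConfig.CertFile, tlsConfig.KeyFile, err)
	}

	return &tls.Config{
		MinVersion:   tls.VersionTLS13,
		RootCAs:      rootCAs,
		Certificates: []tls.Certificate{cert},
	}, nil
}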