4974e062d0
Auth is not automatically enabled because this requires some bootstrapping to work. I'll leave this for some future work. In the meantime people can use the current code similar to how they used the node-cli code to inject their own auth.
84 lines
2.5 KiB
Go
84 lines
2.5 KiB
Go
package nodeutil
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"fmt"
|
|
"io/ioutil"
|
|
)
|
|
|
|
// WithTLSConfig returns a NodeOpt which creates a base TLSConfig with the default cipher suites and tls min verions.
|
|
// The tls config can be modified through functional options.
|
|
func WithTLSConfig(opts ...func(*tls.Config) error) NodeOpt {
|
|
return func(cfg *NodeConfig) error {
|
|
tlsCfg := &tls.Config{
|
|
MinVersion: tls.VersionTLS12,
|
|
PreferServerCipherSuites: true,
|
|
CipherSuites: DefaultServerCiphers(),
|
|
ClientAuth: tls.RequestClientCert,
|
|
}
|
|
for _, o := range opts {
|
|
if err := o(tlsCfg); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
cfg.TLSConfig = tlsCfg
|
|
return nil
|
|
}
|
|
}
|
|
|
|
// WithCAFromPath makes a TLS config option to set up client auth using the path to a PEM encoded CA cert.
|
|
func WithCAFromPath(p string) func(*tls.Config) error {
|
|
return func(cfg *tls.Config) error {
|
|
pem, err := ioutil.ReadFile(p)
|
|
if err != nil {
|
|
return fmt.Errorf("error reading ca cert pem: %w", err)
|
|
}
|
|
cfg.ClientAuth = tls.RequireAndVerifyClientCert
|
|
return WithCACert(pem)(cfg)
|
|
}
|
|
}
|
|
|
|
// WithKeyPairFromPath make sa TLS config option which loads the key pair paths from disk and appends them to the tls config.
|
|
func WithKeyPairFromPath(cert, key string) func(*tls.Config) error {
|
|
return func(cfg *tls.Config) error {
|
|
cert, err := tls.LoadX509KeyPair(cert, key)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
cfg.Certificates = append(cfg.Certificates, cert)
|
|
return nil
|
|
}
|
|
}
|
|
|
|
// WithCACert makes a TLS config opotion which appends the provided PEM encoded bytes the tls config's cert pool.
|
|
// If a cert pool is not defined on the tls config an empty one will be created.
|
|
func WithCACert(pem []byte) func(*tls.Config) error {
|
|
return func(cfg *tls.Config) error {
|
|
if cfg.ClientCAs == nil {
|
|
cfg.ClientCAs = x509.NewCertPool()
|
|
}
|
|
if !cfg.ClientCAs.AppendCertsFromPEM(pem) {
|
|
return fmt.Errorf("could not parse ca cert pem")
|
|
}
|
|
return nil
|
|
}
|
|
}
|
|
|
|
// DefaultServerCiphers is the list of accepted TLS ciphers, with known weak ciphers elided
|
|
// Note this list should be a moving target.
|
|
func DefaultServerCiphers() []uint16 {
|
|
return []uint16{
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
|
|
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
|
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
|
}
|
|
}
|