TUN-6780: Add support for certReload to also include support for client certificates

This commit is contained in:
João Oliveirinha 2022-09-19 12:47:18 +01:00
parent a0b6ba9b8d
commit b457cca1e5
2 changed files with 24 additions and 9 deletions

View File

@ -40,12 +40,21 @@ func NewCertReloader(certPath, keyPath string) (*CertReloader, error) {
}
// Cert returns the TLS certificate most recently read by the CertReloader.
// This method works as a direct utility method for tls.Config#Cert.
func (cr *CertReloader) Cert(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
cr.Lock()
defer cr.Unlock()
return cr.certificate, nil
}
// ClientCert returns the TLS certificate most recently read by the CertReloader.
// This method works as a direct utility method for tls.Config#ClientCert.
func (cr *CertReloader) ClientCert(certRequestInfo *tls.CertificateRequestInfo) (*tls.Certificate, error) {
cr.Lock()
defer cr.Unlock()
return cr.certificate, nil
}
// LoadCert loads a TLS certificate from the CertReloader's specified filepath.
// Call this after writing a new certificate to the disk (e.g. after renewing a certificate)
func (cr *CertReloader) LoadCert() error {

View File

@ -12,15 +12,16 @@ import (
// Config is the user provided parameters to create a tls.Config
type TLSParameters struct {
Cert string
Key string
GetCertificate *CertReloader
ClientCAs []string
RootCAs []string
ServerName string
CurvePreferences []tls.CurveID
MinVersion uint16 // min tls version. If zero, TLS1.0 is defined as minimum.
MaxVersion uint16 // max tls version. If zero, last TLS version is used defined as limit (currently TLS1.3)
Cert string
Key string
GetCertificate *CertReloader
GetClientCertificate *CertReloader
ClientCAs []string
RootCAs []string
ServerName string
CurvePreferences []tls.CurveID
MinVersion uint16 // min tls version. If zero, TLS1.0 is defined as minimum.
MaxVersion uint16 // max tls version. If zero, last TLS version is used defined as limit (currently TLS1.3)
}
// GetConfig returns a TLS configuration according to the Config set by the user.
@ -43,6 +44,11 @@ func GetConfig(p *TLSParameters) (*tls.Config, error) {
tlsconfig.GetCertificate = p.GetCertificate.Cert
}
if p.GetClientCertificate != nil {
// GetClientCertificate is called when using an HTTP client library and mTLS is required.
tlsconfig.GetClientCertificate = p.GetClientCertificate.ClientCert
}
if len(p.ClientCAs) > 0 {
// set of root certificate authorities that servers use if required to verify a client certificate
// by the policy in ClientAuth