TUN-6780: Add support for certReload to also include support for client certificates

This commit is contained in:
João Oliveirinha 2022-09-19 12:47:18 +01:00
parent a0b6ba9b8d
commit b457cca1e5
2 changed files with 24 additions and 9 deletions

View File

@ -40,12 +40,21 @@ func NewCertReloader(certPath, keyPath string) (*CertReloader, error) {
} }
// Cert returns the TLS certificate most recently read by the CertReloader. // Cert returns the TLS certificate most recently read by the CertReloader.
// This method works as a direct utility method for tls.Config#Cert.
func (cr *CertReloader) Cert(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) { func (cr *CertReloader) Cert(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
cr.Lock() cr.Lock()
defer cr.Unlock() defer cr.Unlock()
return cr.certificate, nil return cr.certificate, nil
} }
// ClientCert returns the TLS certificate most recently read by the CertReloader.
// This method works as a direct utility method for tls.Config#ClientCert.
func (cr *CertReloader) ClientCert(certRequestInfo *tls.CertificateRequestInfo) (*tls.Certificate, error) {
cr.Lock()
defer cr.Unlock()
return cr.certificate, nil
}
// LoadCert loads a TLS certificate from the CertReloader's specified filepath. // LoadCert loads a TLS certificate from the CertReloader's specified filepath.
// Call this after writing a new certificate to the disk (e.g. after renewing a certificate) // Call this after writing a new certificate to the disk (e.g. after renewing a certificate)
func (cr *CertReloader) LoadCert() error { func (cr *CertReloader) LoadCert() error {

View File

@ -15,6 +15,7 @@ type TLSParameters struct {
Cert string Cert string
Key string Key string
GetCertificate *CertReloader GetCertificate *CertReloader
GetClientCertificate *CertReloader
ClientCAs []string ClientCAs []string
RootCAs []string RootCAs []string
ServerName string ServerName string
@ -43,6 +44,11 @@ func GetConfig(p *TLSParameters) (*tls.Config, error) {
tlsconfig.GetCertificate = p.GetCertificate.Cert tlsconfig.GetCertificate = p.GetCertificate.Cert
} }
if p.GetClientCertificate != nil {
// GetClientCertificate is called when using an HTTP client library and mTLS is required.
tlsconfig.GetClientCertificate = p.GetClientCertificate.ClientCert
}
if len(p.ClientCAs) > 0 { if len(p.ClientCAs) > 0 {
// set of root certificate authorities that servers use if required to verify a client certificate // set of root certificate authorities that servers use if required to verify a client certificate
// by the policy in ClientAuth // by the policy in ClientAuth