Example #1
0
File: tls.go Project: ruflin/beats
// LoadTLSConfig will load a certificate from config with all TLS based keys
// defined. If Certificate and CertificateKey are configured, client authentication
// will be configured. If no CAs are configured, the host CA will be used by go
// built-in TLS support.
func LoadTLSConfig(config *TLSConfig) (*transport.TLSConfig, error) {
	if !config.IsEnabled() {
		return nil, nil
	}

	fail := multierror.Errors{}
	logFail := func(es ...error) {
		for _, e := range es {
			if e != nil {
				fail = append(fail, e)
			}
		}
	}

	var cipherSuites []uint16
	for _, suite := range config.CipherSuites {
		cipherSuites = append(cipherSuites, uint16(suite))
	}

	var curves []tls.CurveID
	for _, id := range config.CurveTypes {
		curves = append(curves, tls.CurveID(id))
	}

	cert, err := loadCertificate(&config.Certificate)
	logFail(err)

	cas, errs := loadCertificateAuthorities(config.CAs)
	logFail(errs...)

	// fail, if any error occurred when loading certificate files
	if err = fail.Err(); err != nil {
		return nil, err
	}

	var certs []tls.Certificate
	if cert != nil {
		certs = []tls.Certificate{*cert}
	}

	// return config if no error occurred
	return &transport.TLSConfig{
		Versions:         config.Versions,
		Verification:     config.VerificationMode,
		Certificates:     certs,
		RootCAs:          cas,
		CipherSuites:     cipherSuites,
		CurvePreferences: curves,
	}, nil
}
Example #2
0
func (m *TLSConfig) Config(getKey func(string) (crypto.PrivateKey, error)) (cfg *tls.Config, err error) {
	if m == nil {
		return nil, nil
	}
	cfg = new(tls.Config)
	for _, t := range m.Certificates {
		key, err := getKey(t.KeyID)
		if err != nil {
			return nil, err
		}
		cfg.Certificates = append(cfg.Certificates, tls.Certificate{
			Certificate: t.Certificate,
			PrivateKey:  key,
			OCSPStaple:  t.OCSPStaple,
		})
	}
	cfg.RootCAs, err = certPool(m.RootCAs)
	if err != nil {
		return nil, err
	}
	cfg.NextProtos = m.NextProtos
	cfg.ServerName = m.ServerName
	cfg.ClientAuth = tls.ClientAuthType(m.ClientAuth)
	cfg.ClientCAs, err = certPool(m.ClientCAs)
	if err != nil {
		return nil, err
	}
	for _, cs := range m.CipherSuites {
		cfg.CipherSuites = append(cfg.CipherSuites, uint16(cs))
	}
	cfg.PreferServerCipherSuites = m.PreferServerCipherSuites
	cfg.SessionTicketsDisabled = !m.SessionTicketsEnabled
	if m.SessionTicketKeyID != "" {
		stk, err := getKey(m.SessionTicketKeyID)
		if err != nil {
			return nil, err
		}
		stk32, ok := stk.([32]byte)
		if !ok {
			return nil, fmt.Errorf("SessionTicketKey must be [32]byte, got %T (%v)", stk, stk)
		}
		cfg.SessionTicketKey = stk32
	}
	cfg.MinVersion = uint16(m.MinVersion)
	cfg.MaxVersion = uint16(m.MaxVersion)
	for _, cid := range m.CurvePreferences {
		cfg.CurvePreferences = append(cfg.CurvePreferences, tls.CurveID(cid))
	}
	return cfg, nil
}