func init() {
// If running the tests takes a bizarrely long amount of time,
// this code may be the problem. See
// http://code.google.com/p/go/issues/detail?id=6626 .
// As this slowness doesn't seem to affect real crypto (just key loading,
// not key use),and the tests really need this, well... I guess
// we'll just pay. In the meantime, for testing, I've cut this down
// to 1024-bit keys, to reduce the wait time. Since these are
// public anyhow, why use lots of bits?
var wg sync.WaitGroup
wg.Add(4)
go func() {
signing1, _ = tls.X509KeyPair(signing1_cert, signing1_key)
wg.Done()
}()
go func() {
node1_1, _ = tls.X509KeyPair(node1_1_cert, node1_1_key)
wg.Done()
}()
go func() {
node2_1, _ = tls.X509KeyPair(node2_1_cert, node2_1_key)
wg.Done()
}()
go func() {
node3_1, _ = tls.X509KeyPair(node3_1_cert, node3_1_key)
wg.Done()
}()
wg.Wait()
}
// Read will read a TLS cert and key from the given paths
func (k *KeyReadWriter) Read() ([]byte, []byte, error) {
k.mu.Lock()
defer k.mu.Unlock()
keyBlock, err := k.readKey()
if err != nil {
return nil, nil, err
}
if version, ok := keyBlock.Headers[versionHeader]; ok {
if versionInt, err := strconv.ParseUint(version, 10, 64); err == nil {
k.kekData.Version = versionInt
}
}
delete(keyBlock.Headers, versionHeader)
if k.headersObj != nil {
newHeaders, err := k.headersObj.UnmarshalHeaders(keyBlock.Headers, k.kekData)
if err != nil {
return nil, nil, errors.Wrap(err, "unable to read TLS key headers")
}
k.headersObj = newHeaders
}
keyBytes := pem.EncodeToMemory(keyBlock)
cert, err := ioutil.ReadFile(k.paths.Cert)
// The cert is written to a temporary file first, then the key, and then
// the cert gets renamed - so, if interrupted, it's possible to end up with
// a cert that only exists in the temporary location.
switch {
case err == nil:
_, err = tls.X509KeyPair(cert, keyBytes)
case os.IsNotExist(err): //continue to try temp location
break
default:
return nil, nil, err
}
// either the cert doesn't exist, or it doesn't match the key - try the temp file, if it exists
if err != nil {
var tempErr error
tmpPaths := k.genTempPaths()
cert, tempErr = ioutil.ReadFile(tmpPaths.Cert)
if tempErr != nil {
return nil, nil, err // return the original error
}
if _, tempErr := tls.X509KeyPair(cert, keyBytes); tempErr != nil {
os.RemoveAll(tmpPaths.Cert) // nope, it doesn't match either - remove and return the original error
return nil, nil, err
}
os.Rename(tmpPaths.Cert, k.paths.Cert) // try to move the temp cert back to the regular location
}
return cert, keyBytes, nil
}
func verifyCertificates() error {
_, err := tls.X509KeyPair([]byte(CACert), []byte(CAKey))
if err != nil {
return fmt.Errorf("bad CA cert key pair: %v", err)
}
_, err = tls.X509KeyPair([]byte(ServerCert), []byte(ServerKey))
if err != nil {
return fmt.Errorf("bad server cert key pair: %v", err)
}
return cert.Verify([]byte(ServerCert), []byte(CACert), time.Now())
}
func serverMethodSelected(method uint8, conn net.Conn) (net.Conn, error) {
switch method {
case MethodTLS:
var cert tls.Certificate
var err error
if len(CertFile) == 0 || len(KeyFile) == 0 {
cert, err = tls.X509KeyPair([]byte(rawCert), []byte(rawKey))
} else {
cert, err = tls.LoadX509KeyPair(CertFile, KeyFile)
}
if err != nil {
return nil, err
}
conn = tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{cert}})
if err := svrTLSAuth(conn); err != nil {
return nil, err
}
case MethodAES128, MethodAES192, MethodAES256,
MethodDES, MethodBF, MethodCAST5, MethodRC4MD5, MethodRC4, MethodTable:
cipher, err := shadowsocks.NewCipher(Methods[method], Password)
if err != nil {
return nil, err
}
conn = shadowsocks.NewConn(conn, cipher)
case gosocks5.MethodNoAcceptable:
return nil, gosocks5.ErrBadMethod
}
return conn, nil
}
func startHttpsServer(t *testing.T) {
if httpsAddr != "" {
return
}
var err error
pk, err = keyman.GeneratePK(2048)
if err != nil {
t.Fatalf("Unable to generate key: %s", err)
}
// Generate self-signed certificate
cert, err = pk.TLSCertificateFor("tlsdialer", "localhost", time.Now().Add(1*time.Hour), true, nil)
if err != nil {
t.Fatalf("Unable to generate cert: %s", err)
}
keypair, err := tls.X509KeyPair(cert.PEMEncoded(), pk.PEMEncoded())
if err != nil {
t.Fatalf("Unable to generate x509 key pair: %s", err)
}
l, err := tls.Listen("tcp", "localhost:0", &tls.Config{
Certificates: []tls.Certificate{keypair},
})
if err != nil {
t.Fatalf("HTTP unable to listen: %v", err)
}
httpsAddr = l.Addr().String()
doStartServer(t, l)
}
func newServer(s *state.State, lis *net.TCPListener, cfg ServerConfig) (_ *Server, err error) {
tlsCert, err := tls.X509KeyPair(cfg.Cert, cfg.Key)
if err != nil {
return nil, err
}
// TODO(rog) check that *srvRoot is a valid type for using
// as an RPC server.
tlsConfig := &tls.Config{
Certificates: []tls.Certificate{tlsCert},
MinVersion: tls.VersionTLS10,
}
srv := &Server{
state: s,
statePool: state.NewStatePool(s),
lis: newChangeCertListener(lis, cfg.CertChanged, tlsConfig),
tag: cfg.Tag,
dataDir: cfg.DataDir,
logDir: cfg.LogDir,
limiter: utils.NewLimiter(loginRateLimit),
validator: cfg.Validator,
adminApiFactories: map[int]adminApiFactory{
3: newAdminApiV3,
},
}
srv.authCtxt, err = newAuthContext(s)
if err != nil {
return nil, errors.Trace(err)
}
go srv.run()
return srv, nil
}
func newServer(s *state.State, lis *net.TCPListener, cfg ServerConfig) (_ *Server, err error) {
tlsCert, err := tls.X509KeyPair(cfg.Cert, cfg.Key)
if err != nil {
return nil, err
}
stPool := cfg.StatePool
if stPool == nil {
stPool = state.NewStatePool(s)
}
srv := &Server{
clock: cfg.Clock,
newObserver: cfg.NewObserver,
state: s,
statePool: stPool,
lis: newChangeCertListener(lis, cfg.CertChanged, tlsCert),
tag: cfg.Tag,
dataDir: cfg.DataDir,
logDir: cfg.LogDir,
limiter: utils.NewLimiter(loginRateLimit),
validator: cfg.Validator,
adminAPIFactories: map[int]adminAPIFactory{
3: newAdminAPIV3,
},
}
srv.authCtxt, err = newAuthContext(s)
if err != nil {
return nil, errors.Trace(err)
}
go srv.run()
return srv, nil
}
func checkRouteCertificate(r diagnosticReporter, route routes.Route) {
r.Debug("AGL0330", fmt.Sprintf("Checking certificate for route '%s'...", route.ObjectMeta.Name))
block, _ := pem.Decode([]byte(route.Spec.TLS.Certificate))
//verify hostname
if block != nil {
cert, err := x509.ParseCertificate(block.Bytes)
if err != nil {
r.Error("AGL0335", err, fmt.Sprintf("Unable to parse the certificate for route '%s': %s", route.ObjectMeta.Name, err))
return
}
r.Debug("AGL0340", fmt.Sprintf("Cert CommonName: '%s' Cert DNSNames: '%s'", cert.Subject.CommonName, cert.DNSNames))
if err := cert.VerifyHostname(route.Spec.Host); err != nil {
r.Error("AGL0345", err, fmt.Sprintf("Route '%[1]s' certficate does not include route host '%[2]s'"+routeCertMissingHostName, route.ObjectMeta.Name, route.Spec.Host))
}
} else {
r.Error("AGL0350", errors.New("Unable to decode the TLS Certificate"), "Unable to decode the TLS Certificate")
}
//verify key matches cert
r.Debug("AGL0355", fmt.Sprintf("Checking certificate matches key for route '%s'", route.ObjectMeta.Name))
_, err := tls.X509KeyPair([]byte(route.Spec.TLS.Certificate), []byte(route.Spec.TLS.Key))
if err != nil {
r.Error("AGL0365", err, fmt.Sprintf("Route '%s' key and certificate do not match: %s. The router will be unable to pass traffic using this route.", route.ObjectMeta.Name, err))
}
}
// TLSConfigFor returns a tls.Config that will provide the transport level security defined
// by the provided Config. Will return nil if no transport level security is requested.
func TLSConfigFor(c *Config) (*tls.Config, error) {
if !(c.HasCA() || c.HasCertAuth() || c.TLS.Insecure) {
return nil, nil
}
if c.HasCA() && c.TLS.Insecure {
return nil, fmt.Errorf("specifying a root certificates file with the insecure flag is not allowed")
}
if err := loadTLSFiles(c); err != nil {
return nil, err
}
tlsConfig := &tls.Config{
// Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability)
MinVersion: tls.VersionTLS10,
InsecureSkipVerify: c.TLS.Insecure,
}
if c.HasCA() {
tlsConfig.RootCAs = rootCertPool(c.TLS.CAData)
}
if c.HasCertAuth() {
cert, err := tls.X509KeyPair(c.TLS.CertData, c.TLS.KeyData)
if err != nil {
return nil, err
}
tlsConfig.Certificates = []tls.Certificate{cert}
}
return tlsConfig, nil
}
func GetTLSConfigMem(tlsClientCert string, tlsClientKey string, tlsRemoteCertPEM string) (*tls.Config, error) {
tlsConfig := initTLSConfig()
// Client authentication
if tlsClientCert != "" && tlsClientKey != "" {
cert, err := tls.X509KeyPair([]byte(tlsClientCert), []byte(tlsClientKey))
if err != nil {
return nil, err
}
tlsConfig.Certificates = []tls.Certificate{cert}
}
var tlsRemoteCert *x509.Certificate
if tlsRemoteCertPEM != "" {
// Ignore any content outside of the PEM bytes we care about
certBlock, _ := pem.Decode([]byte(tlsRemoteCertPEM))
var err error
tlsRemoteCert, err = x509.ParseCertificate(certBlock.Bytes)
if err != nil {
return nil, err
}
}
finalizeTLSConfig(tlsConfig, tlsRemoteCert)
return tlsConfig, nil
}
func TestTLSTimeout(t *testing.T) {
ln, err := net.Listen("tcp", "127.0.0.1:0")
if err != nil {
t.Fatalf("Listen failed: %v", err)
}
defer ln.Close()
cert, err := tls.X509KeyPair(localhostCert, localhostKey)
if err != nil {
t.Fatalf("Cert load failed: %v", err)
}
server := &smtpd.Server{
TLSConfig: &tls.Config{
Certificates: []tls.Certificate{cert},
},
ReadTimeout: time.Second * 2,
WriteTimeout: time.Second * 2,
}
go func() {
server.Serve(ln)
}()
c, err := smtp.Dial(ln.Addr().String())
if err != nil {
t.Fatalf("Dial failed: %v", err)
}
if err := c.StartTLS(&tls.Config{InsecureSkipVerify: true}); err != nil {
t.Fatalf("STARTTLS failed: %v", err)
}
time.Sleep(time.Second)
if err := c.Mail("*****@*****.**"); err != nil {
t.Fatalf("MAIL failed: %v", err)
}
time.Sleep(time.Second)
if err := c.Rcpt("*****@*****.**"); err != nil {
t.Fatalf("RCPT failed: %v", err)
}
time.Sleep(time.Second)
if err := c.Rcpt("*****@*****.**"); err != nil {
t.Fatalf("RCPT failed: %v", err)
}
time.Sleep(time.Second)
if err := c.Quit(); err != nil {
t.Fatalf("Quit failed: %v", err)
}
}
func TestTLSDial(t *testing.T) {
if testing.Short() {
t.Skip("skipping syslog test during -short")
}
certificate, err := tls.X509KeyPair([]byte(cert), []byte(key))
caCert := x509.NewCertPool()
ok := caCert.AppendCertsFromPEM([]byte(caPem))
if !ok {
t.Fatalf("failed to parse root certificate")
}
srvCfg := &tls.Config{InsecureSkipVerify: true, Certificates: []tls.Certificate{certificate}, RootCAs: caCert}
clientCfg := &tls.Config{ClientCAs: caCert, InsecureSkipVerify: true}
done := make(chan string)
addr, sock, srvWG := startServer("tcp", "", done, srvCfg)
defer srvWG.Wait()
defer sock.Close()
f, err := Dial("tcp", addr, (LOG_LOCAL7|LOG_DEBUG)+1, "syslog_test", clientCfg)
if f != nil {
t.Fatalf("Should have trapped bad priority")
}
f, err = Dial("tcp", addr, -1, "syslog_test", clientCfg)
if f != nil {
t.Fatalf("Should have trapped bad priority")
}
l, err := Dial("tcp", addr, LOG_USER|LOG_ERR, "syslog_test", clientCfg)
if err != nil {
t.Fatalf("Dial() failed: %s", err)
}
l.Close()
}
func createTLSClient(socket net.Conn, config *APNSConfig) (net.Conn, error) {
x509Cert, err := tls.X509KeyPair(config.CertificateBytes, config.KeyBytes)
if err != nil {
//failed to validate key pair
return nil, err
}
tlsConf := &tls.Config{
Certificates: []tls.Certificate{x509Cert},
ServerName: config.GatewayHost,
InsecureSkipVerify: config.UseInsecureSkipVerify,
}
tlsSocket := tls.Client(socket, tlsConf)
tlsSocket.SetDeadline(time.Now().Add(time.Duration(config.TlsTimeout) * time.Second))
err = tlsSocket.Handshake()
if err != nil {
//failed to handshake with tls information
return nil, err
}
//hooray! we're connected
//reset the deadline so it doesn't fail subsequent writes
tlsSocket.SetDeadline(time.Time{})
return tlsSocket, nil
}
func (t *RawCertificate) Certificate() (*tls.Certificate, error) {
if t.IsNil() {
return nil, errors.New("nil certificate")
}
cert, err := tls.X509KeyPair(t.Cert, t.Key)
return &cert, err
}
// newServerTLSConfig creates a server TLSConfig from the supplied byte strings containing
// - the certificate of this node (should be signed by the CA),
// - the private key of this node.
// - the certificate of the cluster CA,
func newServerTLSConfig(certPEM, keyPEM, caPEM []byte) (*tls.Config, error) {
cert, err := tls.X509KeyPair(certPEM, keyPEM)
if err != nil {
return nil, err
}
certPool := x509.NewCertPool()
if ok := certPool.AppendCertsFromPEM(caPEM); !ok {
err = util.Error("failed to parse PEM data to pool")
return nil, err
}
return &tls.Config{
Certificates: []tls.Certificate{cert},
// Verify client certs if passed.
ClientAuth: tls.VerifyClientCertIfGiven,
RootCAs: certPool,
ClientCAs: certPool,
// Use the default cipher suite from golang (RC4 is going away in 1.5).
// Prefer the server-specified suite.
PreferServerCipherSuites: true,
// TLS 1.1 and 1.2 support is crappy out there. Let's use 1.0.
MinVersion: tls.VersionTLS10,
// Should we disable session resumption? This may break forward secrecy.
// SessionTicketsDisabled: true,
}, nil
}
func newServer(s *state.State, lis *net.TCPListener, cfg ServerConfig) (_ *Server, err error) {
logger.Infof("listening on %q", lis.Addr())
srv := &Server{
state: s,
statePool: state.NewStatePool(s),
addr: lis.Addr().(*net.TCPAddr), // cannot fail
tag: cfg.Tag,
dataDir: cfg.DataDir,
logDir: cfg.LogDir,
limiter: utils.NewLimiter(loginRateLimit),
validator: cfg.Validator,
adminApiFactories: map[int]adminApiFactory{
0: newAdminApiV0,
1: newAdminApiV1,
2: newAdminApiV2,
},
}
srv.authCtxt = newAuthContext(srv)
tlsCert, err := tls.X509KeyPair(cfg.Cert, cfg.Key)
if err != nil {
return nil, err
}
// TODO(rog) check that *srvRoot is a valid type for using
// as an RPC server.
tlsConfig := tls.Config{
Certificates: []tls.Certificate{tlsCert},
}
changeCertListener := newChangeCertListener(lis, cfg.CertChanged, tlsConfig)
go srv.run(changeCertListener)
return srv, nil
}
func listenForCoordinator() {
tlsCert, tlsKey := metadataValue("tls-cert"), metadataValue("tls-key")
if (tlsCert == "") != (tlsKey == "") {
log.Fatalf("tls-cert and tls-key must both be supplied, or neither.")
}
log.Printf("Listening on %s ...", *listenAddr)
ln, err := net.Listen("tcp", *listenAddr)
if err != nil {
log.Fatalf("Failed to listen on %s: %v", *listenAddr, err)
}
ln = tcpKeepAliveListener{ln.(*net.TCPListener)}
var srv http.Server
if tlsCert != "" {
cert, err := tls.X509KeyPair([]byte(tlsCert), []byte(tlsKey))
if err != nil {
log.Fatalf("TLS cert error: %v", err)
}
tlsConf := &tls.Config{
Certificates: []tls.Certificate{cert},
}
ln = tls.NewListener(ln, tlsConf)
}
log.Fatalf("Serve: %v", srv.Serve(ln))
}
func Init(listenAddr string, supervisorPort uint16, cpuIncr, memIncr uint, resDuration time.Duration) error {
var err error
err = LoadEnvs()
if err != nil {
return err
}
CPUSharesIncrement = cpuIncr
MemoryLimitIncrement = memIncr
atlantis.Tracker.ResultDuration = resDuration
// init rpc stuff here
lAddr = listenAddr
lPort = strings.Split(lAddr, ":")[1]
supervisor.Init(fmt.Sprintf("%d", supervisorPort))
manager.Init(lPort)
manager := new(ManagerRPC)
server = rpc.NewServer()
server.Register(manager)
config := &tls.Config{}
config.InsecureSkipVerify = true
config.Certificates = make([]tls.Certificate, 1)
config.Certificates[0], err = tls.X509KeyPair(crypto.SERVER_CERT, crypto.SERVER_KEY)
l, err = tls.Listen("tcp", lAddr, config)
return err
}
func getTLSConfig(clientCertPEMData, clientKeyPEMData []byte) (*tls.Config, error) {
certPool := x509.NewCertPool()
certChainPath := os.Getenv("ORCHARD_HOST_CA")
if certChainPath != "" {
certChainData, err := ioutil.ReadFile(certChainPath)
if err != nil {
return nil, err
}
certPool.AppendCertsFromPEM(certChainData)
} else {
certPool.AppendCertsFromPEM([]byte(orchardCerts))
}
clientCert, err := tls.X509KeyPair(clientCertPEMData, clientKeyPEMData)
if err != nil {
return nil, err
}
config := new(tls.Config)
config.RootCAs = certPool
config.Certificates = []tls.Certificate{clientCert}
config.BuildNameToCertificate()
return config, nil
}
// If http.ListenandServe return an error,
// it will throws a panic.
func wsListener() {
if err := func() error {
httpServeMux := http.NewServeMux()
httpServeMux.Handle("/pub", websocket.Handler(WsHandle))
var (
l net.Listener
err error
)
if Conf.Tls {
tlsConf := new(tls.Config)
tlsConf.Certificates = make([]tls.Certificate, 1)
tlsConf.Certificates[0], err = tls.X509KeyPair(Conf.Cert, Conf.Key)
if err != nil {
return err
}
l, err = tls.Listen("tcp", Conf.WebSocket_addr, tlsConf)
if err != nil {
return err
}
return http.Serve(l, httpServeMux)
} else {
return http.ListenAndServe(Conf.WebSocket_addr, httpServeMux)
}
}(); err != nil {
panic(err)
}
}
// startServingTLS creates and registers a secure listener and begins serving traffic.
func (s *TestHttpService) startServingTLS(addr string, cert []byte, key []byte, caCert []byte, handler http.Handler) error {
tlsCert, err := tls.X509KeyPair(append(cert, caCert...), key)
if err != nil {
return err
}
cfg := &tls.Config{
Certificates: []tls.Certificate{tlsCert},
}
listener, err := tls.Listen("tcp", addr, cfg)
if err != nil {
return err
}
s.listeners = append(s.listeners, listener)
glog.Infof("Started, serving TLS at %s\n", listener.Addr().String())
go func() {
if err := http.Serve(listener, handler); err != nil {
glog.Errorf("HTTPS server failed: %v", err)
}
}()
return nil
}
func handleHandshake(w http.ResponseWriter, r *http.Request, callback func(rootCertPEM, serverCertPEM, serverKeyPEM []byte)) {
if r.Method != "POST" {
http.Error(w, "I only respond to POSTs", http.StatusNotImplemented)
return
}
rootCertPEM := []byte(r.FormValue(RootCert))
serverCertPEM := []byte(r.FormValue(ServerCert))
serverKeyPEM := []byte(r.FormValue(ServerKey))
// verify that these values are valid
for _, v := range [][]byte{rootCertPEM, serverCertPEM, serverKeyPEM} {
if len(v) == 0 {
http.Error(w, "Post requires root cert, server cert and server key", http.StatusInternalServerError)
return
}
}
if _, err := tls.X509KeyPair(serverCertPEM, serverKeyPEM); err != nil {
http.Error(w, "Invalid server key pair: "+err.Error(), http.StatusBadRequest)
return
}
if _, err := parseCert(rootCertPEM); err != nil {
http.Error(w, "Invalid root cert: "+err.Error(), http.StatusBadRequest)
return
}
w.WriteHeader(http.StatusOK)
callback(rootCertPEM, serverCertPEM, serverKeyPEM)
}
func serveHTTP() {
parsedAddr := fmt.Sprintf("%s:%d", host, port)
if development {
log.Println("Listening for WebSocket connections without TLS on " + parsedAddr)
log.Fatal(http.ListenAndServe(parsedAddr, nil))
return
}
// Requires cert.pem and cert.key to be present. See cert_setup.sh
log.Println("Listening for WebSocket connections with TLS on " + parsedAddr)
certificate, err := tls.X509KeyPair(
[]byte(os.Getenv("WS_CERT")),
[]byte(os.Getenv("WS_KEY")),
)
if err != nil {
log.Fatal(err)
}
listener, err := tls.Listen(
"tcp",
parsedAddr,
&tls.Config{Certificates: []tls.Certificate{certificate}},
)
if err != nil {
log.Fatal(err)
}
log.Fatal(http.Serve(listener, nil))
}
// IssueAndSaveNewCertificates generates a new key-pair, signs it with the local root-ca, and returns a
// tls certificate
func (rca *RootCA) IssueAndSaveNewCertificates(kw KeyWriter, cn, ou, org string) (*tls.Certificate, error) {
csr, key, err := GenerateNewCSR()
if err != nil {
return nil, errors.Wrap(err, "error when generating new node certs")
}
if !rca.CanSign() {
return nil, ErrNoValidSigner
}
// Obtain a signed Certificate
certChain, err := rca.ParseValidateAndSignCSR(csr, cn, ou, org)
if err != nil {
return nil, errors.Wrap(err, "failed to sign node certificate")
}
// Create a valid TLSKeyPair out of the PEM encoded private key and certificate
tlsKeyPair, err := tls.X509KeyPair(certChain, key)
if err != nil {
return nil, err
}
if err := kw.Write(certChain, key, nil); err != nil {
return nil, err
}
return &tlsKeyPair, nil
}
// TLSConfigFor returns a tls.Config that will provide the transport level security defined
// by the provided Config. Will return nil if no transport level security is requested.
func TLSConfigFor(c *Config) (*tls.Config, error) {
if !(c.HasCA() || c.HasCertAuth() || c.TLS.Insecure) {
return nil, nil
}
if c.HasCA() && c.TLS.Insecure {
return nil, fmt.Errorf("specifying a root certificates file with the insecure flag is not allowed")
}
if err := loadTLSFiles(c); err != nil {
return nil, err
}
tlsConfig := &tls.Config{
// Can't use SSLv3 because of POODLE and BEAST
// Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher
// Can't use TLSv1.1 because of RC4 cipher usage
MinVersion: tls.VersionTLS12,
InsecureSkipVerify: c.TLS.Insecure,
}
if c.HasCA() {
tlsConfig.RootCAs = rootCertPool(c.TLS.CAData)
}
if c.HasCertAuth() {
cert, err := tls.X509KeyPair(c.TLS.CertData, c.TLS.KeyData)
if err != nil {
return nil, err
}
tlsConfig.Certificates = []tls.Certificate{cert}
}
return tlsConfig, nil
}
func (s *ClientSuite) TestOpen(c *gc.C) {
cfg := syslog.RawConfig{
Enabled: true,
Host: "a.b.c:9876",
CACert: coretesting.CACert,
ClientCert: coretesting.ServerCert,
ClientKey: coretesting.ServerKey,
}
senderOpener := &stubSenderOpener{
stub: s.stub,
ReturnOpen: s.sender,
}
client, err := syslog.OpenForSender(cfg, senderOpener)
c.Assert(err, jc.ErrorIsNil)
s.stub.CheckCallNames(c, "DialFunc", "Open")
clientCert, err := tls.X509KeyPair([]byte(coretesting.ServerCert), []byte(coretesting.ServerKey))
c.Assert(err, jc.ErrorIsNil)
rootCAs := x509.NewCertPool()
rootCAs.AddCert(coretesting.CACertX509)
tlsConfig := &tls.Config{
Certificates: []tls.Certificate{clientCert},
RootCAs: rootCAs,
}
s.stub.CheckCall(c, 0, "DialFunc", tlsConfig, time.Duration(0))
c.Check(client.Sender, gc.Equals, s.sender)
}
func GetTLSCertificateConfig(certFile, keyFile string) (*TLSCertificateConfig, error) {
if len(certFile) == 0 {
return nil, errors.New("certFile missing")
}
if len(keyFile) == 0 {
return nil, errors.New("keyFile missing")
}
certPEMBlock, err := ioutil.ReadFile(certFile)
if err != nil {
return nil, err
}
certs, err := cmdutil.CertificatesFromPEM(certPEMBlock)
if err != nil {
return nil, fmt.Errorf("Error reading %s: %s", certFile, err)
}
keyPEMBlock, err := ioutil.ReadFile(keyFile)
if err != nil {
return nil, err
}
keyPairCert, err := tls.X509KeyPair(certPEMBlock, keyPEMBlock)
if err != nil {
return nil, err
}
key := keyPairCert.PrivateKey
return &TLSCertificateConfig{certs, key}, nil
}
// NewServer serves the given state by accepting requests on the given
// listener, using the given certificate and key (in PEM format) for
// authentication.
func NewServer(s *state.State, lis net.Listener, cfg ServerConfig) (*Server, error) {
logger.Infof("listening on %q", lis.Addr())
tlsCert, err := tls.X509KeyPair(cfg.Cert, cfg.Key)
if err != nil {
return nil, err
}
_, listeningPort, err := net.SplitHostPort(lis.Addr().String())
if err != nil {
return nil, err
}
srv := &Server{
state: s,
addr: net.JoinHostPort("localhost", listeningPort),
dataDir: cfg.DataDir,
logDir: cfg.LogDir,
limiter: utils.NewLimiter(loginRateLimit),
validator: cfg.Validator,
}
// TODO(rog) check that *srvRoot is a valid type for using
// as an RPC server.
lis = tls.NewListener(lis, &tls.Config{
Certificates: []tls.Certificate{tlsCert},
})
go srv.run(lis)
return srv, nil
}
// StartTLS starts TLS on a server from NewUnstartedServer.
func (s *Server) StartTLS() {
if s.URL != "" {
panic("Server already started")
}
cert, err := tls.X509KeyPair(localhostCert, localhostKey)
if err != nil {
panic(fmt.Sprintf("httptest: NewTLSServer: %v", err))
}
existingConfig := s.TLS
s.TLS = new(tls.Config)
if existingConfig != nil {
*s.TLS = *existingConfig
}
if s.TLS.NextProtos == nil {
s.TLS.NextProtos = []string{"http/1.1"}
}
if len(s.TLS.Certificates) == 0 {
s.TLS.Certificates = []tls.Certificate{cert}
}
tlsListener := tls.NewListener(s.Listener, s.TLS)
s.Listener = &historyListener{Listener: tlsListener}
s.URL = "https://" + s.Listener.Addr().String()
s.wrapHandler()
go s.Config.Serve(s.Listener)
}
func (d *pgDataStore) addCertWithTx(tx *pgx.Tx, c *router.Certificate) error {
c.Cert = strings.Trim(c.Cert, " \n")
c.Key = strings.Trim(c.Key, " \n")
if _, err := tls.X509KeyPair([]byte(c.Cert), []byte(c.Key)); err != nil {
return httphelper.JSONError{
Code: httphelper.ValidationErrorCode,
Message: "Certificate invalid: " + err.Error(),
}
}
tlsCertSHA256 := sha256.Sum256([]byte(c.Cert))
if err := tx.QueryRow("select_certificate_by_sha", tlsCertSHA256[:]).Scan(&c.ID, &c.CreatedAt, &c.UpdatedAt); err != nil {
if err := tx.QueryRow("insert_certificate", c.Cert, c.Key, tlsCertSHA256[:]).Scan(&c.ID, &c.CreatedAt, &c.UpdatedAt); err != nil {
return err
}
}
for _, rid := range c.Routes {
if _, err := tx.Exec("delete_route_certificate_by_route_id", rid); err != nil {
return err
}
if _, err := tx.Exec("insert_route_certificate", rid, c.ID); err != nil {
return err
}
}
return nil
}
