Example #1
0
func getInfoFromRemote(c cli.Config) (resp *info.Resp, err error) {
	req := new(info.Req)
	req.Label = c.Label
	req.Profile = c.Profile

	cert, err := helpers.LoadClientCertificate(c.MutualTLSCertFile, c.MutualTLSKeyFile)
	if err != nil {
		return
	}
	remoteCAs, err := helpers.LoadPEMCertPool(c.TLSRemoteCAs)
	if err != nil {
		return
	}
	serv := client.NewServerTLS(c.Remote, helpers.CreateTLSConfig(remoteCAs, cert))
	reqJSON, _ := json.Marshal(req)
	resp, err = serv.Info(reqJSON)
	if err != nil {
		return
	}

	_, err = helpers.ParseCertificatePEM([]byte(resp.Certificate))
	if err != nil {
		return
	}

	return
}
Example #2
0
// NewCFSSL produces a new CFSSL root.
func NewCFSSL(metadata map[string]string) ([]*x509.Certificate, error) {
	host, ok := metadata["host"]
	if !ok {
		return nil, errors.New("transport: CFSSL root provider requires a host")
	}

	label := metadata["label"]
	profile := metadata["profile"]
	cert, err := helpers.LoadClientCertificate(metadata["mutual-tls-cert"], metadata["mutual-tls-key"])
	if err != nil {
		return nil, err
	}
	remoteCAs, err := helpers.LoadPEMCertPool(metadata["tls-remote-ca"])
	if err != nil {
		return nil, err
	}
	srv := client.NewServerTLS(host, helpers.CreateTLSConfig(remoteCAs, cert))
	data, err := json.Marshal(info.Req{Label: label, Profile: profile})
	if err != nil {
		return nil, err
	}

	resp, err := srv.Info(data)
	if err != nil {
		return nil, err
	}

	return helpers.ParseCertificatesPEM([]byte(resp.Certificate))
}
Example #3
0
// SetClientCertKeyPairFromFile updates the properties to set client certificates for mutual
// authenticated TLS remote requests
func (p *Signing) SetClientCertKeyPairFromFile(certFile string, keyFile string) error {
	if certFile != "" && keyFile != "" {
		cert, err := helpers.LoadClientCertificate(certFile, keyFile)
		if err != nil {
			return err
		}
		for _, profile := range p.Profiles {
			profile.ClientCert = cert
		}
		p.Default.ClientCert = cert
	}
	return nil
}
Example #4
0
func TestNewMutualTLSServer(t *testing.T) {
	cert, _ := helpers.LoadClientCertificate("../../helpers/testdata/ca.pem", "../../helpers/testdata/ca_key.pem")
	s := NewServerTLS("https://nohost:8888", helpers.CreateTLSConfig(nil, cert))
	if s == nil {
		t.Fatalf("fatal error, empty server")
	}
	_, err := s.Sign([]byte{5, 5, 5, 5})
	if err == nil {
		t.Fatalf("expected error with sign function")
	}
	if !strings.Contains(err.Error(), "Post https://nohost:8888/api/v1/cfssl/sign: dial tcp: lookup nohost") {
		t.Fatalf("no error message %v", err)
	}
}
Example #5
0
// NewCFSSLProvider takes the configuration information from an
// Identity (and an optional default remote), returning a CFSSL
// instance. There should be a profile in id called "cfssl", which
// should contain label and profile fields as needed.
func NewCFSSLProvider(id *core.Identity, defaultRemote client.Remote) (*CFSSL, error) {
	if id == nil {
		return nil, errors.New("transport: the identity hasn't been initialised. Has it been loaded from disk?")
	}

	cap := &CFSSL{
		DefaultRemote: defaultRemote,
	}

	cfssl := id.Profiles["cfssl"]
	if cfssl != nil {
		cap.Label = cfssl["label"]
		cap.Profile = cfssl["profile"]

		if cap.DefaultRemote == nil {
			cert, err := helpers.LoadClientCertificate(cfssl["mutual-tls-cert"], cfssl["mutual-tls-key"])
			if err != nil {
				return nil, err
			}
			remoteCAs, err := helpers.LoadPEMCertPool(cfssl["tls-remote-ca"])
			if err != nil {
				return nil, err
			}
			cap.DefaultRemote = client.NewServerTLS(cfssl["remote"], helpers.CreateTLSConfig(remoteCAs, cert))
		}

		cap.DefaultAuth.Type = cfssl["auth-type"]
		cap.DefaultAuth.Key = cfssl["auth-key"]
	}

	err := cap.setRemoteAndAuth()
	if err != nil {
		return nil, err
	}

	return cap, nil
}
Example #6
0
func TestNewMutualTLSServerGroup(t *testing.T) {
	cert, _ := helpers.LoadClientCertificate("../../helpers/testdata/ca.pem", "../../helpers/testdata/ca_key.pem")
	NewTLSServerGroup(t, cert)
}