// LoadTLSConfig will load a certificate from config with all TLS based keys
// defined. If Certificate and CertificateKey are configured, client authentication
// will be configured. If no CAs are configured, the host CA will be used by go
// built-in TLS support.
func LoadTLSConfig(config *TLSConfig) (*transport.TLSConfig, error) {
if !config.IsEnabled() {
return nil, nil
}
fail := multierror.Errors{}
logFail := func(es ...error) {
for _, e := range es {
if e != nil {
fail = append(fail, e)
}
}
}
var cipherSuites []uint16
for _, suite := range config.CipherSuites {
cipherSuites = append(cipherSuites, uint16(suite))
}
var curves []tls.CurveID
for _, id := range config.CurveTypes {
curves = append(curves, tls.CurveID(id))
}
cert, err := loadCertificate(&config.Certificate)
logFail(err)
cas, errs := loadCertificateAuthorities(config.CAs)
logFail(errs...)
// fail, if any error occurred when loading certificate files
if err = fail.Err(); err != nil {
return nil, err
}
var certs []tls.Certificate
if cert != nil {
certs = []tls.Certificate{*cert}
}
// return config if no error occurred
return &transport.TLSConfig{
Versions: config.Versions,
Verification: config.VerificationMode,
Certificates: certs,
RootCAs: cas,
CipherSuites: cipherSuites,
CurvePreferences: curves,
}, nil
}
func (m *TLSConfig) Config(getKey func(string) (crypto.PrivateKey, error)) (cfg *tls.Config, err error) {
if m == nil {
return nil, nil
}
cfg = new(tls.Config)
for _, t := range m.Certificates {
key, err := getKey(t.KeyID)
if err != nil {
return nil, err
}
cfg.Certificates = append(cfg.Certificates, tls.Certificate{
Certificate: t.Certificate,
PrivateKey: key,
OCSPStaple: t.OCSPStaple,
})
}
cfg.RootCAs, err = certPool(m.RootCAs)
if err != nil {
return nil, err
}
cfg.NextProtos = m.NextProtos
cfg.ServerName = m.ServerName
cfg.ClientAuth = tls.ClientAuthType(m.ClientAuth)
cfg.ClientCAs, err = certPool(m.ClientCAs)
if err != nil {
return nil, err
}
for _, cs := range m.CipherSuites {
cfg.CipherSuites = append(cfg.CipherSuites, uint16(cs))
}
cfg.PreferServerCipherSuites = m.PreferServerCipherSuites
cfg.SessionTicketsDisabled = !m.SessionTicketsEnabled
if m.SessionTicketKeyID != "" {
stk, err := getKey(m.SessionTicketKeyID)
if err != nil {
return nil, err
}
stk32, ok := stk.([32]byte)
if !ok {
return nil, fmt.Errorf("SessionTicketKey must be [32]byte, got %T (%v)", stk, stk)
}
cfg.SessionTicketKey = stk32
}
cfg.MinVersion = uint16(m.MinVersion)
cfg.MaxVersion = uint16(m.MaxVersion)
for _, cid := range m.CurvePreferences {
cfg.CurvePreferences = append(cfg.CurvePreferences, tls.CurveID(cid))
}
return cfg, nil
}