func init() { // If running the tests takes a bizarrely long amount of time, // this code may be the problem. See // http://code.google.com/p/go/issues/detail?id=6626 . // As this slowness doesn't seem to affect real crypto (just key loading, // not key use),and the tests really need this, well... I guess // we'll just pay. In the meantime, for testing, I've cut this down // to 1024-bit keys, to reduce the wait time. Since these are // public anyhow, why use lots of bits? var wg sync.WaitGroup wg.Add(4) go func() { signing1, _ = tls.X509KeyPair(signing1_cert, signing1_key) wg.Done() }() go func() { node1_1, _ = tls.X509KeyPair(node1_1_cert, node1_1_key) wg.Done() }() go func() { node2_1, _ = tls.X509KeyPair(node2_1_cert, node2_1_key) wg.Done() }() go func() { node3_1, _ = tls.X509KeyPair(node3_1_cert, node3_1_key) wg.Done() }() wg.Wait() }
// Read will read a TLS cert and key from the given paths func (k *KeyReadWriter) Read() ([]byte, []byte, error) { k.mu.Lock() defer k.mu.Unlock() keyBlock, err := k.readKey() if err != nil { return nil, nil, err } if version, ok := keyBlock.Headers[versionHeader]; ok { if versionInt, err := strconv.ParseUint(version, 10, 64); err == nil { k.kekData.Version = versionInt } } delete(keyBlock.Headers, versionHeader) if k.headersObj != nil { newHeaders, err := k.headersObj.UnmarshalHeaders(keyBlock.Headers, k.kekData) if err != nil { return nil, nil, errors.Wrap(err, "unable to read TLS key headers") } k.headersObj = newHeaders } keyBytes := pem.EncodeToMemory(keyBlock) cert, err := ioutil.ReadFile(k.paths.Cert) // The cert is written to a temporary file first, then the key, and then // the cert gets renamed - so, if interrupted, it's possible to end up with // a cert that only exists in the temporary location. switch { case err == nil: _, err = tls.X509KeyPair(cert, keyBytes) case os.IsNotExist(err): //continue to try temp location break default: return nil, nil, err } // either the cert doesn't exist, or it doesn't match the key - try the temp file, if it exists if err != nil { var tempErr error tmpPaths := k.genTempPaths() cert, tempErr = ioutil.ReadFile(tmpPaths.Cert) if tempErr != nil { return nil, nil, err // return the original error } if _, tempErr := tls.X509KeyPair(cert, keyBytes); tempErr != nil { os.RemoveAll(tmpPaths.Cert) // nope, it doesn't match either - remove and return the original error return nil, nil, err } os.Rename(tmpPaths.Cert, k.paths.Cert) // try to move the temp cert back to the regular location } return cert, keyBytes, nil }
func verifyCertificates() error { _, err := tls.X509KeyPair([]byte(CACert), []byte(CAKey)) if err != nil { return fmt.Errorf("bad CA cert key pair: %v", err) } _, err = tls.X509KeyPair([]byte(ServerCert), []byte(ServerKey)) if err != nil { return fmt.Errorf("bad server cert key pair: %v", err) } return cert.Verify([]byte(ServerCert), []byte(CACert), time.Now()) }
func serverMethodSelected(method uint8, conn net.Conn) (net.Conn, error) { switch method { case MethodTLS: var cert tls.Certificate var err error if len(CertFile) == 0 || len(KeyFile) == 0 { cert, err = tls.X509KeyPair([]byte(rawCert), []byte(rawKey)) } else { cert, err = tls.LoadX509KeyPair(CertFile, KeyFile) } if err != nil { return nil, err } conn = tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{cert}}) if err := svrTLSAuth(conn); err != nil { return nil, err } case MethodAES128, MethodAES192, MethodAES256, MethodDES, MethodBF, MethodCAST5, MethodRC4MD5, MethodRC4, MethodTable: cipher, err := shadowsocks.NewCipher(Methods[method], Password) if err != nil { return nil, err } conn = shadowsocks.NewConn(conn, cipher) case gosocks5.MethodNoAcceptable: return nil, gosocks5.ErrBadMethod } return conn, nil }
func startHttpsServer(t *testing.T) { if httpsAddr != "" { return } var err error pk, err = keyman.GeneratePK(2048) if err != nil { t.Fatalf("Unable to generate key: %s", err) } // Generate self-signed certificate cert, err = pk.TLSCertificateFor("tlsdialer", "localhost", time.Now().Add(1*time.Hour), true, nil) if err != nil { t.Fatalf("Unable to generate cert: %s", err) } keypair, err := tls.X509KeyPair(cert.PEMEncoded(), pk.PEMEncoded()) if err != nil { t.Fatalf("Unable to generate x509 key pair: %s", err) } l, err := tls.Listen("tcp", "localhost:0", &tls.Config{ Certificates: []tls.Certificate{keypair}, }) if err != nil { t.Fatalf("HTTP unable to listen: %v", err) } httpsAddr = l.Addr().String() doStartServer(t, l) }
func newServer(s *state.State, lis *net.TCPListener, cfg ServerConfig) (_ *Server, err error) { tlsCert, err := tls.X509KeyPair(cfg.Cert, cfg.Key) if err != nil { return nil, err } // TODO(rog) check that *srvRoot is a valid type for using // as an RPC server. tlsConfig := &tls.Config{ Certificates: []tls.Certificate{tlsCert}, MinVersion: tls.VersionTLS10, } srv := &Server{ state: s, statePool: state.NewStatePool(s), lis: newChangeCertListener(lis, cfg.CertChanged, tlsConfig), tag: cfg.Tag, dataDir: cfg.DataDir, logDir: cfg.LogDir, limiter: utils.NewLimiter(loginRateLimit), validator: cfg.Validator, adminApiFactories: map[int]adminApiFactory{ 3: newAdminApiV3, }, } srv.authCtxt, err = newAuthContext(s) if err != nil { return nil, errors.Trace(err) } go srv.run() return srv, nil }
func newServer(s *state.State, lis *net.TCPListener, cfg ServerConfig) (_ *Server, err error) { tlsCert, err := tls.X509KeyPair(cfg.Cert, cfg.Key) if err != nil { return nil, err } stPool := cfg.StatePool if stPool == nil { stPool = state.NewStatePool(s) } srv := &Server{ clock: cfg.Clock, newObserver: cfg.NewObserver, state: s, statePool: stPool, lis: newChangeCertListener(lis, cfg.CertChanged, tlsCert), tag: cfg.Tag, dataDir: cfg.DataDir, logDir: cfg.LogDir, limiter: utils.NewLimiter(loginRateLimit), validator: cfg.Validator, adminAPIFactories: map[int]adminAPIFactory{ 3: newAdminAPIV3, }, } srv.authCtxt, err = newAuthContext(s) if err != nil { return nil, errors.Trace(err) } go srv.run() return srv, nil }
func checkRouteCertificate(r diagnosticReporter, route routes.Route) { r.Debug("AGL0330", fmt.Sprintf("Checking certificate for route '%s'...", route.ObjectMeta.Name)) block, _ := pem.Decode([]byte(route.Spec.TLS.Certificate)) //verify hostname if block != nil { cert, err := x509.ParseCertificate(block.Bytes) if err != nil { r.Error("AGL0335", err, fmt.Sprintf("Unable to parse the certificate for route '%s': %s", route.ObjectMeta.Name, err)) return } r.Debug("AGL0340", fmt.Sprintf("Cert CommonName: '%s' Cert DNSNames: '%s'", cert.Subject.CommonName, cert.DNSNames)) if err := cert.VerifyHostname(route.Spec.Host); err != nil { r.Error("AGL0345", err, fmt.Sprintf("Route '%[1]s' certficate does not include route host '%[2]s'"+routeCertMissingHostName, route.ObjectMeta.Name, route.Spec.Host)) } } else { r.Error("AGL0350", errors.New("Unable to decode the TLS Certificate"), "Unable to decode the TLS Certificate") } //verify key matches cert r.Debug("AGL0355", fmt.Sprintf("Checking certificate matches key for route '%s'", route.ObjectMeta.Name)) _, err := tls.X509KeyPair([]byte(route.Spec.TLS.Certificate), []byte(route.Spec.TLS.Key)) if err != nil { r.Error("AGL0365", err, fmt.Sprintf("Route '%s' key and certificate do not match: %s. The router will be unable to pass traffic using this route.", route.ObjectMeta.Name, err)) } }
// TLSConfigFor returns a tls.Config that will provide the transport level security defined // by the provided Config. Will return nil if no transport level security is requested. func TLSConfigFor(c *Config) (*tls.Config, error) { if !(c.HasCA() || c.HasCertAuth() || c.TLS.Insecure) { return nil, nil } if c.HasCA() && c.TLS.Insecure { return nil, fmt.Errorf("specifying a root certificates file with the insecure flag is not allowed") } if err := loadTLSFiles(c); err != nil { return nil, err } tlsConfig := &tls.Config{ // Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability) MinVersion: tls.VersionTLS10, InsecureSkipVerify: c.TLS.Insecure, } if c.HasCA() { tlsConfig.RootCAs = rootCertPool(c.TLS.CAData) } if c.HasCertAuth() { cert, err := tls.X509KeyPair(c.TLS.CertData, c.TLS.KeyData) if err != nil { return nil, err } tlsConfig.Certificates = []tls.Certificate{cert} } return tlsConfig, nil }
func GetTLSConfigMem(tlsClientCert string, tlsClientKey string, tlsRemoteCertPEM string) (*tls.Config, error) { tlsConfig := initTLSConfig() // Client authentication if tlsClientCert != "" && tlsClientKey != "" { cert, err := tls.X509KeyPair([]byte(tlsClientCert), []byte(tlsClientKey)) if err != nil { return nil, err } tlsConfig.Certificates = []tls.Certificate{cert} } var tlsRemoteCert *x509.Certificate if tlsRemoteCertPEM != "" { // Ignore any content outside of the PEM bytes we care about certBlock, _ := pem.Decode([]byte(tlsRemoteCertPEM)) var err error tlsRemoteCert, err = x509.ParseCertificate(certBlock.Bytes) if err != nil { return nil, err } } finalizeTLSConfig(tlsConfig, tlsRemoteCert) return tlsConfig, nil }
func TestTLSTimeout(t *testing.T) { ln, err := net.Listen("tcp", "127.0.0.1:0") if err != nil { t.Fatalf("Listen failed: %v", err) } defer ln.Close() cert, err := tls.X509KeyPair(localhostCert, localhostKey) if err != nil { t.Fatalf("Cert load failed: %v", err) } server := &smtpd.Server{ TLSConfig: &tls.Config{ Certificates: []tls.Certificate{cert}, }, ReadTimeout: time.Second * 2, WriteTimeout: time.Second * 2, } go func() { server.Serve(ln) }() c, err := smtp.Dial(ln.Addr().String()) if err != nil { t.Fatalf("Dial failed: %v", err) } if err := c.StartTLS(&tls.Config{InsecureSkipVerify: true}); err != nil { t.Fatalf("STARTTLS failed: %v", err) } time.Sleep(time.Second) if err := c.Mail("*****@*****.**"); err != nil { t.Fatalf("MAIL failed: %v", err) } time.Sleep(time.Second) if err := c.Rcpt("*****@*****.**"); err != nil { t.Fatalf("RCPT failed: %v", err) } time.Sleep(time.Second) if err := c.Rcpt("*****@*****.**"); err != nil { t.Fatalf("RCPT failed: %v", err) } time.Sleep(time.Second) if err := c.Quit(); err != nil { t.Fatalf("Quit failed: %v", err) } }
func TestTLSDial(t *testing.T) { if testing.Short() { t.Skip("skipping syslog test during -short") } certificate, err := tls.X509KeyPair([]byte(cert), []byte(key)) caCert := x509.NewCertPool() ok := caCert.AppendCertsFromPEM([]byte(caPem)) if !ok { t.Fatalf("failed to parse root certificate") } srvCfg := &tls.Config{InsecureSkipVerify: true, Certificates: []tls.Certificate{certificate}, RootCAs: caCert} clientCfg := &tls.Config{ClientCAs: caCert, InsecureSkipVerify: true} done := make(chan string) addr, sock, srvWG := startServer("tcp", "", done, srvCfg) defer srvWG.Wait() defer sock.Close() f, err := Dial("tcp", addr, (LOG_LOCAL7|LOG_DEBUG)+1, "syslog_test", clientCfg) if f != nil { t.Fatalf("Should have trapped bad priority") } f, err = Dial("tcp", addr, -1, "syslog_test", clientCfg) if f != nil { t.Fatalf("Should have trapped bad priority") } l, err := Dial("tcp", addr, LOG_USER|LOG_ERR, "syslog_test", clientCfg) if err != nil { t.Fatalf("Dial() failed: %s", err) } l.Close() }
func createTLSClient(socket net.Conn, config *APNSConfig) (net.Conn, error) { x509Cert, err := tls.X509KeyPair(config.CertificateBytes, config.KeyBytes) if err != nil { //failed to validate key pair return nil, err } tlsConf := &tls.Config{ Certificates: []tls.Certificate{x509Cert}, ServerName: config.GatewayHost, InsecureSkipVerify: config.UseInsecureSkipVerify, } tlsSocket := tls.Client(socket, tlsConf) tlsSocket.SetDeadline(time.Now().Add(time.Duration(config.TlsTimeout) * time.Second)) err = tlsSocket.Handshake() if err != nil { //failed to handshake with tls information return nil, err } //hooray! we're connected //reset the deadline so it doesn't fail subsequent writes tlsSocket.SetDeadline(time.Time{}) return tlsSocket, nil }
func (t *RawCertificate) Certificate() (*tls.Certificate, error) { if t.IsNil() { return nil, errors.New("nil certificate") } cert, err := tls.X509KeyPair(t.Cert, t.Key) return &cert, err }
// newServerTLSConfig creates a server TLSConfig from the supplied byte strings containing // - the certificate of this node (should be signed by the CA), // - the private key of this node. // - the certificate of the cluster CA, func newServerTLSConfig(certPEM, keyPEM, caPEM []byte) (*tls.Config, error) { cert, err := tls.X509KeyPair(certPEM, keyPEM) if err != nil { return nil, err } certPool := x509.NewCertPool() if ok := certPool.AppendCertsFromPEM(caPEM); !ok { err = util.Error("failed to parse PEM data to pool") return nil, err } return &tls.Config{ Certificates: []tls.Certificate{cert}, // Verify client certs if passed. ClientAuth: tls.VerifyClientCertIfGiven, RootCAs: certPool, ClientCAs: certPool, // Use the default cipher suite from golang (RC4 is going away in 1.5). // Prefer the server-specified suite. PreferServerCipherSuites: true, // TLS 1.1 and 1.2 support is crappy out there. Let's use 1.0. MinVersion: tls.VersionTLS10, // Should we disable session resumption? This may break forward secrecy. // SessionTicketsDisabled: true, }, nil }
func newServer(s *state.State, lis *net.TCPListener, cfg ServerConfig) (_ *Server, err error) { logger.Infof("listening on %q", lis.Addr()) srv := &Server{ state: s, statePool: state.NewStatePool(s), addr: lis.Addr().(*net.TCPAddr), // cannot fail tag: cfg.Tag, dataDir: cfg.DataDir, logDir: cfg.LogDir, limiter: utils.NewLimiter(loginRateLimit), validator: cfg.Validator, adminApiFactories: map[int]adminApiFactory{ 0: newAdminApiV0, 1: newAdminApiV1, 2: newAdminApiV2, }, } srv.authCtxt = newAuthContext(srv) tlsCert, err := tls.X509KeyPair(cfg.Cert, cfg.Key) if err != nil { return nil, err } // TODO(rog) check that *srvRoot is a valid type for using // as an RPC server. tlsConfig := tls.Config{ Certificates: []tls.Certificate{tlsCert}, } changeCertListener := newChangeCertListener(lis, cfg.CertChanged, tlsConfig) go srv.run(changeCertListener) return srv, nil }
func listenForCoordinator() { tlsCert, tlsKey := metadataValue("tls-cert"), metadataValue("tls-key") if (tlsCert == "") != (tlsKey == "") { log.Fatalf("tls-cert and tls-key must both be supplied, or neither.") } log.Printf("Listening on %s ...", *listenAddr) ln, err := net.Listen("tcp", *listenAddr) if err != nil { log.Fatalf("Failed to listen on %s: %v", *listenAddr, err) } ln = tcpKeepAliveListener{ln.(*net.TCPListener)} var srv http.Server if tlsCert != "" { cert, err := tls.X509KeyPair([]byte(tlsCert), []byte(tlsKey)) if err != nil { log.Fatalf("TLS cert error: %v", err) } tlsConf := &tls.Config{ Certificates: []tls.Certificate{cert}, } ln = tls.NewListener(ln, tlsConf) } log.Fatalf("Serve: %v", srv.Serve(ln)) }
func Init(listenAddr string, supervisorPort uint16, cpuIncr, memIncr uint, resDuration time.Duration) error { var err error err = LoadEnvs() if err != nil { return err } CPUSharesIncrement = cpuIncr MemoryLimitIncrement = memIncr atlantis.Tracker.ResultDuration = resDuration // init rpc stuff here lAddr = listenAddr lPort = strings.Split(lAddr, ":")[1] supervisor.Init(fmt.Sprintf("%d", supervisorPort)) manager.Init(lPort) manager := new(ManagerRPC) server = rpc.NewServer() server.Register(manager) config := &tls.Config{} config.InsecureSkipVerify = true config.Certificates = make([]tls.Certificate, 1) config.Certificates[0], err = tls.X509KeyPair(crypto.SERVER_CERT, crypto.SERVER_KEY) l, err = tls.Listen("tcp", lAddr, config) return err }
func getTLSConfig(clientCertPEMData, clientKeyPEMData []byte) (*tls.Config, error) { certPool := x509.NewCertPool() certChainPath := os.Getenv("ORCHARD_HOST_CA") if certChainPath != "" { certChainData, err := ioutil.ReadFile(certChainPath) if err != nil { return nil, err } certPool.AppendCertsFromPEM(certChainData) } else { certPool.AppendCertsFromPEM([]byte(orchardCerts)) } clientCert, err := tls.X509KeyPair(clientCertPEMData, clientKeyPEMData) if err != nil { return nil, err } config := new(tls.Config) config.RootCAs = certPool config.Certificates = []tls.Certificate{clientCert} config.BuildNameToCertificate() return config, nil }
// If http.ListenandServe return an error, // it will throws a panic. func wsListener() { if err := func() error { httpServeMux := http.NewServeMux() httpServeMux.Handle("/pub", websocket.Handler(WsHandle)) var ( l net.Listener err error ) if Conf.Tls { tlsConf := new(tls.Config) tlsConf.Certificates = make([]tls.Certificate, 1) tlsConf.Certificates[0], err = tls.X509KeyPair(Conf.Cert, Conf.Key) if err != nil { return err } l, err = tls.Listen("tcp", Conf.WebSocket_addr, tlsConf) if err != nil { return err } return http.Serve(l, httpServeMux) } else { return http.ListenAndServe(Conf.WebSocket_addr, httpServeMux) } }(); err != nil { panic(err) } }
// startServingTLS creates and registers a secure listener and begins serving traffic. func (s *TestHttpService) startServingTLS(addr string, cert []byte, key []byte, caCert []byte, handler http.Handler) error { tlsCert, err := tls.X509KeyPair(append(cert, caCert...), key) if err != nil { return err } cfg := &tls.Config{ Certificates: []tls.Certificate{tlsCert}, } listener, err := tls.Listen("tcp", addr, cfg) if err != nil { return err } s.listeners = append(s.listeners, listener) glog.Infof("Started, serving TLS at %s\n", listener.Addr().String()) go func() { if err := http.Serve(listener, handler); err != nil { glog.Errorf("HTTPS server failed: %v", err) } }() return nil }
func handleHandshake(w http.ResponseWriter, r *http.Request, callback func(rootCertPEM, serverCertPEM, serverKeyPEM []byte)) { if r.Method != "POST" { http.Error(w, "I only respond to POSTs", http.StatusNotImplemented) return } rootCertPEM := []byte(r.FormValue(RootCert)) serverCertPEM := []byte(r.FormValue(ServerCert)) serverKeyPEM := []byte(r.FormValue(ServerKey)) // verify that these values are valid for _, v := range [][]byte{rootCertPEM, serverCertPEM, serverKeyPEM} { if len(v) == 0 { http.Error(w, "Post requires root cert, server cert and server key", http.StatusInternalServerError) return } } if _, err := tls.X509KeyPair(serverCertPEM, serverKeyPEM); err != nil { http.Error(w, "Invalid server key pair: "+err.Error(), http.StatusBadRequest) return } if _, err := parseCert(rootCertPEM); err != nil { http.Error(w, "Invalid root cert: "+err.Error(), http.StatusBadRequest) return } w.WriteHeader(http.StatusOK) callback(rootCertPEM, serverCertPEM, serverKeyPEM) }
func serveHTTP() { parsedAddr := fmt.Sprintf("%s:%d", host, port) if development { log.Println("Listening for WebSocket connections without TLS on " + parsedAddr) log.Fatal(http.ListenAndServe(parsedAddr, nil)) return } // Requires cert.pem and cert.key to be present. See cert_setup.sh log.Println("Listening for WebSocket connections with TLS on " + parsedAddr) certificate, err := tls.X509KeyPair( []byte(os.Getenv("WS_CERT")), []byte(os.Getenv("WS_KEY")), ) if err != nil { log.Fatal(err) } listener, err := tls.Listen( "tcp", parsedAddr, &tls.Config{Certificates: []tls.Certificate{certificate}}, ) if err != nil { log.Fatal(err) } log.Fatal(http.Serve(listener, nil)) }
// IssueAndSaveNewCertificates generates a new key-pair, signs it with the local root-ca, and returns a // tls certificate func (rca *RootCA) IssueAndSaveNewCertificates(kw KeyWriter, cn, ou, org string) (*tls.Certificate, error) { csr, key, err := GenerateNewCSR() if err != nil { return nil, errors.Wrap(err, "error when generating new node certs") } if !rca.CanSign() { return nil, ErrNoValidSigner } // Obtain a signed Certificate certChain, err := rca.ParseValidateAndSignCSR(csr, cn, ou, org) if err != nil { return nil, errors.Wrap(err, "failed to sign node certificate") } // Create a valid TLSKeyPair out of the PEM encoded private key and certificate tlsKeyPair, err := tls.X509KeyPair(certChain, key) if err != nil { return nil, err } if err := kw.Write(certChain, key, nil); err != nil { return nil, err } return &tlsKeyPair, nil }
// TLSConfigFor returns a tls.Config that will provide the transport level security defined // by the provided Config. Will return nil if no transport level security is requested. func TLSConfigFor(c *Config) (*tls.Config, error) { if !(c.HasCA() || c.HasCertAuth() || c.TLS.Insecure) { return nil, nil } if c.HasCA() && c.TLS.Insecure { return nil, fmt.Errorf("specifying a root certificates file with the insecure flag is not allowed") } if err := loadTLSFiles(c); err != nil { return nil, err } tlsConfig := &tls.Config{ // Can't use SSLv3 because of POODLE and BEAST // Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher // Can't use TLSv1.1 because of RC4 cipher usage MinVersion: tls.VersionTLS12, InsecureSkipVerify: c.TLS.Insecure, } if c.HasCA() { tlsConfig.RootCAs = rootCertPool(c.TLS.CAData) } if c.HasCertAuth() { cert, err := tls.X509KeyPair(c.TLS.CertData, c.TLS.KeyData) if err != nil { return nil, err } tlsConfig.Certificates = []tls.Certificate{cert} } return tlsConfig, nil }
func (s *ClientSuite) TestOpen(c *gc.C) { cfg := syslog.RawConfig{ Enabled: true, Host: "a.b.c:9876", CACert: coretesting.CACert, ClientCert: coretesting.ServerCert, ClientKey: coretesting.ServerKey, } senderOpener := &stubSenderOpener{ stub: s.stub, ReturnOpen: s.sender, } client, err := syslog.OpenForSender(cfg, senderOpener) c.Assert(err, jc.ErrorIsNil) s.stub.CheckCallNames(c, "DialFunc", "Open") clientCert, err := tls.X509KeyPair([]byte(coretesting.ServerCert), []byte(coretesting.ServerKey)) c.Assert(err, jc.ErrorIsNil) rootCAs := x509.NewCertPool() rootCAs.AddCert(coretesting.CACertX509) tlsConfig := &tls.Config{ Certificates: []tls.Certificate{clientCert}, RootCAs: rootCAs, } s.stub.CheckCall(c, 0, "DialFunc", tlsConfig, time.Duration(0)) c.Check(client.Sender, gc.Equals, s.sender) }
func GetTLSCertificateConfig(certFile, keyFile string) (*TLSCertificateConfig, error) { if len(certFile) == 0 { return nil, errors.New("certFile missing") } if len(keyFile) == 0 { return nil, errors.New("keyFile missing") } certPEMBlock, err := ioutil.ReadFile(certFile) if err != nil { return nil, err } certs, err := cmdutil.CertificatesFromPEM(certPEMBlock) if err != nil { return nil, fmt.Errorf("Error reading %s: %s", certFile, err) } keyPEMBlock, err := ioutil.ReadFile(keyFile) if err != nil { return nil, err } keyPairCert, err := tls.X509KeyPair(certPEMBlock, keyPEMBlock) if err != nil { return nil, err } key := keyPairCert.PrivateKey return &TLSCertificateConfig{certs, key}, nil }
// NewServer serves the given state by accepting requests on the given // listener, using the given certificate and key (in PEM format) for // authentication. func NewServer(s *state.State, lis net.Listener, cfg ServerConfig) (*Server, error) { logger.Infof("listening on %q", lis.Addr()) tlsCert, err := tls.X509KeyPair(cfg.Cert, cfg.Key) if err != nil { return nil, err } _, listeningPort, err := net.SplitHostPort(lis.Addr().String()) if err != nil { return nil, err } srv := &Server{ state: s, addr: net.JoinHostPort("localhost", listeningPort), dataDir: cfg.DataDir, logDir: cfg.LogDir, limiter: utils.NewLimiter(loginRateLimit), validator: cfg.Validator, } // TODO(rog) check that *srvRoot is a valid type for using // as an RPC server. lis = tls.NewListener(lis, &tls.Config{ Certificates: []tls.Certificate{tlsCert}, }) go srv.run(lis) return srv, nil }
// StartTLS starts TLS on a server from NewUnstartedServer. func (s *Server) StartTLS() { if s.URL != "" { panic("Server already started") } cert, err := tls.X509KeyPair(localhostCert, localhostKey) if err != nil { panic(fmt.Sprintf("httptest: NewTLSServer: %v", err)) } existingConfig := s.TLS s.TLS = new(tls.Config) if existingConfig != nil { *s.TLS = *existingConfig } if s.TLS.NextProtos == nil { s.TLS.NextProtos = []string{"http/1.1"} } if len(s.TLS.Certificates) == 0 { s.TLS.Certificates = []tls.Certificate{cert} } tlsListener := tls.NewListener(s.Listener, s.TLS) s.Listener = &historyListener{Listener: tlsListener} s.URL = "https://" + s.Listener.Addr().String() s.wrapHandler() go s.Config.Serve(s.Listener) }
func (d *pgDataStore) addCertWithTx(tx *pgx.Tx, c *router.Certificate) error { c.Cert = strings.Trim(c.Cert, " \n") c.Key = strings.Trim(c.Key, " \n") if _, err := tls.X509KeyPair([]byte(c.Cert), []byte(c.Key)); err != nil { return httphelper.JSONError{ Code: httphelper.ValidationErrorCode, Message: "Certificate invalid: " + err.Error(), } } tlsCertSHA256 := sha256.Sum256([]byte(c.Cert)) if err := tx.QueryRow("select_certificate_by_sha", tlsCertSHA256[:]).Scan(&c.ID, &c.CreatedAt, &c.UpdatedAt); err != nil { if err := tx.QueryRow("insert_certificate", c.Cert, c.Key, tlsCertSHA256[:]).Scan(&c.ID, &c.CreatedAt, &c.UpdatedAt); err != nil { return err } } for _, rid := range c.Routes { if _, err := tx.Exec("delete_route_certificate_by_route_id", rid); err != nil { return err } if _, err := tx.Exec("insert_route_certificate", rid, c.ID); err != nil { return err } } return nil }