func getInfoFromRemote(c cli.Config) (resp *info.Resp, err error) {
req := new(info.Req)
req.Label = c.Label
req.Profile = c.Profile
cert, err := helpers.LoadClientCertificate(c.MutualTLSCertFile, c.MutualTLSKeyFile)
if err != nil {
return
}
remoteCAs, err := helpers.LoadPEMCertPool(c.TLSRemoteCAs)
if err != nil {
return
}
serv := client.NewServerTLS(c.Remote, helpers.CreateTLSConfig(remoteCAs, cert))
reqJSON, _ := json.Marshal(req)
resp, err = serv.Info(reqJSON)
if err != nil {
return
}
_, err = helpers.ParseCertificatePEM([]byte(resp.Certificate))
if err != nil {
return
}
return
}
// NewCFSSL produces a new CFSSL root.
func NewCFSSL(metadata map[string]string) ([]*x509.Certificate, error) {
host, ok := metadata["host"]
if !ok {
return nil, errors.New("transport: CFSSL root provider requires a host")
}
label := metadata["label"]
profile := metadata["profile"]
cert, err := helpers.LoadClientCertificate(metadata["mutual-tls-cert"], metadata["mutual-tls-key"])
if err != nil {
return nil, err
}
remoteCAs, err := helpers.LoadPEMCertPool(metadata["tls-remote-ca"])
if err != nil {
return nil, err
}
srv := client.NewServerTLS(host, helpers.CreateTLSConfig(remoteCAs, cert))
data, err := json.Marshal(info.Req{Label: label, Profile: profile})
if err != nil {
return nil, err
}
resp, err := srv.Info(data)
if err != nil {
return nil, err
}
return helpers.ParseCertificatesPEM([]byte(resp.Certificate))
}
// SetClientCertKeyPairFromFile updates the properties to set client certificates for mutual
// authenticated TLS remote requests
func (p *Signing) SetClientCertKeyPairFromFile(certFile string, keyFile string) error {
if certFile != "" && keyFile != "" {
cert, err := helpers.LoadClientCertificate(certFile, keyFile)
if err != nil {
return err
}
for _, profile := range p.Profiles {
profile.ClientCert = cert
}
p.Default.ClientCert = cert
}
return nil
}
func TestNewMutualTLSServer(t *testing.T) {
cert, _ := helpers.LoadClientCertificate("../../helpers/testdata/ca.pem", "../../helpers/testdata/ca_key.pem")
s := NewServerTLS("https://nohost:8888", helpers.CreateTLSConfig(nil, cert))
if s == nil {
t.Fatalf("fatal error, empty server")
}
_, err := s.Sign([]byte{5, 5, 5, 5})
if err == nil {
t.Fatalf("expected error with sign function")
}
if !strings.Contains(err.Error(), "Post https://nohost:8888/api/v1/cfssl/sign: dial tcp: lookup nohost") {
t.Fatalf("no error message %v", err)
}
}
// NewCFSSLProvider takes the configuration information from an
// Identity (and an optional default remote), returning a CFSSL
// instance. There should be a profile in id called "cfssl", which
// should contain label and profile fields as needed.
func NewCFSSLProvider(id *core.Identity, defaultRemote client.Remote) (*CFSSL, error) {
if id == nil {
return nil, errors.New("transport: the identity hasn't been initialised. Has it been loaded from disk?")
}
cap := &CFSSL{
DefaultRemote: defaultRemote,
}
cfssl := id.Profiles["cfssl"]
if cfssl != nil {
cap.Label = cfssl["label"]
cap.Profile = cfssl["profile"]
if cap.DefaultRemote == nil {
cert, err := helpers.LoadClientCertificate(cfssl["mutual-tls-cert"], cfssl["mutual-tls-key"])
if err != nil {
return nil, err
}
remoteCAs, err := helpers.LoadPEMCertPool(cfssl["tls-remote-ca"])
if err != nil {
return nil, err
}
cap.DefaultRemote = client.NewServerTLS(cfssl["remote"], helpers.CreateTLSConfig(remoteCAs, cert))
}
cap.DefaultAuth.Type = cfssl["auth-type"]
cap.DefaultAuth.Key = cfssl["auth-key"]
}
err := cap.setRemoteAndAuth()
if err != nil {
return nil, err
}
return cap, nil
}
func TestNewMutualTLSServerGroup(t *testing.T) {
cert, _ := helpers.LoadClientCertificate("../../helpers/testdata/ca.pem", "../../helpers/testdata/ca_key.pem")
NewTLSServerGroup(t, cert)
}