smallstep-certificates/ca/tls_options.go

package ca

import (
	"crypto/tls"
	"crypto/x509"
)

// TLSOption defines the type of a function that modifies a tls.Config.
type TLSOption func(ctx *TLSOptionCtx) error

// TLSOptionCtx is the context modified on TLSOption methods.
type TLSOptionCtx struct {
	Client        *Client
	Config        *tls.Config
	OnRenewFunc   []TLSOption
	mutableConfig *mutableTLSConfig
}

// newTLSOptionCtx creates the TLSOption context.
func newTLSOptionCtx(c *Client, config *tls.Config) *TLSOptionCtx {
	return &TLSOptionCtx{
		Client:        c,
		Config:        config,
		mutableConfig: newMutableTLSConfig(),
	}
}

func (ctx *TLSOptionCtx) apply(options []TLSOption) error {
	for _, fn := range options {
		if err := fn(ctx); err != nil {
			return err
		}
	}

	// Initialize mutable config with the fully configured tls.Config
	ctx.mutableConfig.Init(ctx.Config)
	// Update tls.Config with mutable data
	if ctx.Config.RootCAs == nil && len(ctx.mutableConfig.mutRootCerts) > 0 {
		ctx.Config.RootCAs = x509.NewCertPool()
	}
	if ctx.Config.ClientCAs == nil && len(ctx.mutableConfig.mutClientCerts) > 0 {
		ctx.Config.ClientCAs = x509.NewCertPool()
	}
	for _, cert := range ctx.mutableConfig.mutRootCerts {
		ctx.Config.RootCAs.AddCert(cert)
	}
	for _, cert := range ctx.mutableConfig.mutClientCerts {
		ctx.Config.ClientCAs.AddCert(cert)
	}
	ctx.mutableConfig.Reload()
	return nil
}

func (ctx *TLSOptionCtx) applyRenew() error {
	for _, fn := range ctx.OnRenewFunc {
		if err := fn(ctx); err != nil {
			return err
		}
	}
	// Reload mutable config with the changes
	ctx.mutableConfig.Reload()
	return nil
}

// RequireAndVerifyClientCert is a tls.Config option used on servers to enforce
// a valid TLS client certificate. This is the default option for mTLS servers.
func RequireAndVerifyClientCert() TLSOption {
	return func(ctx *TLSOptionCtx) error {
		ctx.Config.ClientAuth = tls.RequireAndVerifyClientCert
		return nil
	}
}

// VerifyClientCertIfGiven is a tls.Config option used on on servers to validate
// a TLS client certificate if it is provided. It does not requires a certificate.
func VerifyClientCertIfGiven() TLSOption {
	return func(ctx *TLSOptionCtx) error {
		ctx.Config.ClientAuth = tls.VerifyClientCertIfGiven
		return nil
	}
}

// AddRootCA adds to the tls.Config RootCAs the given certificate. RootCAs
// defines the set of root certificate authorities that clients use when
// verifying server certificates.
func AddRootCA(cert *x509.Certificate) TLSOption {
	return func(ctx *TLSOptionCtx) error {
		if ctx.Config.RootCAs == nil {
			ctx.Config.RootCAs = x509.NewCertPool()
		}
		ctx.Config.RootCAs.AddCert(cert)
		ctx.mutableConfig.AddInmutableRootCACert(cert)
		return nil
	}
}

// AddClientCA adds to the tls.Config ClientCAs the given certificate. ClientCAs
// defines the set of root certificate authorities that servers use if required
// to verify a client certificate by the policy in ClientAuth.
func AddClientCA(cert *x509.Certificate) TLSOption {
	return func(ctx *TLSOptionCtx) error {
		if ctx.Config.ClientCAs == nil {
			ctx.Config.ClientCAs = x509.NewCertPool()
		}
		ctx.Config.ClientCAs.AddCert(cert)
		ctx.mutableConfig.AddInmutableClientCACert(cert)
		return nil
	}
}

// AddRootsToRootCAs does a roots request and adds to the tls.Config RootCAs all
// the certificates in the response. RootCAs defines the set of root certificate
// authorities that clients use when verifying server certificates.
//
// BootstrapServer and BootstrapClient methods include this option by default.
func AddRootsToRootCAs() TLSOption {
	// var once sync.Once
	fn := func(ctx *TLSOptionCtx) error {
		certs, err := ctx.Client.Roots()
		if err != nil {
			return err
		}
		if ctx.mutableConfig == nil {
			if ctx.Config.RootCAs == nil {
				ctx.Config.RootCAs = x509.NewCertPool()
			}
			for _, cert := range certs.Certificates {
				ctx.Config.RootCAs.AddCert(cert.Certificate)
			}
		} else {
			ctx.mutableConfig.AddRootCAs(certs.Certificates)
		}
		return nil
	}
	return func(ctx *TLSOptionCtx) error {
		ctx.OnRenewFunc = append(ctx.OnRenewFunc, fn)
		return fn(ctx)
	}
}

// AddRootsToClientCAs does a roots request and adds to the tls.Config ClientCAs
// all the certificates in the response. ClientCAs defines the set of root
// certificate authorities that servers use if required to verify a client
// certificate by the policy in ClientAuth.
//
// BootstrapServer method includes this option by default.
func AddRootsToClientCAs() TLSOption {
	// var once sync.Once
	fn := func(ctx *TLSOptionCtx) error {
		certs, err := ctx.Client.Roots()
		if err != nil {
			return err
		}
		if ctx.mutableConfig == nil {
			if ctx.Config.ClientCAs == nil {
				ctx.Config.ClientCAs = x509.NewCertPool()
			}
			for _, cert := range certs.Certificates {
				ctx.Config.ClientCAs.AddCert(cert.Certificate)
			}
		} else {
			ctx.mutableConfig.AddClientCAs(certs.Certificates)
		}
		return nil
	}
	return func(ctx *TLSOptionCtx) error {
		ctx.OnRenewFunc = append(ctx.OnRenewFunc, fn)
		return fn(ctx)
	}
}

// AddFederationToRootCAs does a federation request and adds to the tls.Config
// RootCAs all the certificates in the response. RootCAs defines the set of root
// certificate authorities that clients use when verifying server certificates.
func AddFederationToRootCAs() TLSOption {
	fn := func(ctx *TLSOptionCtx) error {
		certs, err := ctx.Client.Federation()
		if err != nil {
			return err
		}
		if ctx.mutableConfig == nil {
			if ctx.Config.RootCAs == nil {
				ctx.Config.RootCAs = x509.NewCertPool()
			}
			for _, cert := range certs.Certificates {
				ctx.Config.RootCAs.AddCert(cert.Certificate)
			}
		} else {
			ctx.mutableConfig.AddRootCAs(certs.Certificates)
		}
		return nil
	}
	return func(ctx *TLSOptionCtx) error {
		ctx.OnRenewFunc = append(ctx.OnRenewFunc, fn)
		return fn(ctx)
	}
}

// AddFederationToClientCAs does a federation request and adds to the tls.Config
// ClientCAs all the certificates in the response. ClientCAs defines the set of
// root certificate authorities that servers use if required to verify a client
// certificate by the policy in ClientAuth.
func AddFederationToClientCAs() TLSOption {
	fn := func(ctx *TLSOptionCtx) error {
		certs, err := ctx.Client.Federation()
		if err != nil {
			return err
		}
		if ctx.mutableConfig == nil {
			if ctx.Config.ClientCAs == nil {
				ctx.Config.ClientCAs = x509.NewCertPool()
			}
			for _, cert := range certs.Certificates {
				ctx.Config.ClientCAs.AddCert(cert.Certificate)
			}
		} else {
			ctx.mutableConfig.AddClientCAs(certs.Certificates)
		}
		return nil
	}
	return func(ctx *TLSOptionCtx) error {
		ctx.OnRenewFunc = append(ctx.OnRenewFunc, fn)
		return fn(ctx)
	}
}

// AddRootsToCAs does a roots request and adds the resulting certs to the
// tls.Config RootCAs and ClientCAs. Combines the functionality of
// AddRootsToRootCAs and AddRootsToClientCAs.
func AddRootsToCAs() TLSOption {
	fn := func(ctx *TLSOptionCtx) error {
		certs, err := ctx.Client.Roots()
		if err != nil {
			return err
		}
		if ctx.mutableConfig == nil {
			if ctx.Config.RootCAs == nil {
				ctx.Config.RootCAs = x509.NewCertPool()
			}
			if ctx.Config.ClientCAs == nil {
				ctx.Config.ClientCAs = x509.NewCertPool()
			}
			for _, cert := range certs.Certificates {
				ctx.Config.RootCAs.AddCert(cert.Certificate)
				ctx.Config.ClientCAs.AddCert(cert.Certificate)
			}
		} else {
			ctx.mutableConfig.AddRootCAs(certs.Certificates)
			ctx.mutableConfig.AddClientCAs(certs.Certificates)
		}
		return nil
	}
	return func(ctx *TLSOptionCtx) error {
		ctx.OnRenewFunc = append(ctx.OnRenewFunc, fn)
		return fn(ctx)
	}
}

// AddFederationToCAs does a federation request and adds the resulting certs to the
// tls.Config RootCAs and ClientCAs. Combines the functionality of
// AddFederationToRootCAs and AddFederationToClientCAs.
func AddFederationToCAs() TLSOption {
	fn := func(ctx *TLSOptionCtx) error {
		certs, err := ctx.Client.Federation()
		if err != nil {
			return err
		}
		if ctx.mutableConfig == nil {
			if ctx.Config.RootCAs == nil {
				ctx.Config.RootCAs = x509.NewCertPool()
			}
			if ctx.Config.ClientCAs == nil {
				ctx.Config.ClientCAs = x509.NewCertPool()
			}
			for _, cert := range certs.Certificates {
				ctx.Config.RootCAs.AddCert(cert.Certificate)
				ctx.Config.ClientCAs.AddCert(cert.Certificate)
			}
		} else {
			ctx.mutableConfig.AddRootCAs(certs.Certificates)
			ctx.mutableConfig.AddClientCAs(certs.Certificates)
		}
		return nil
	}
	return func(ctx *TLSOptionCtx) error {
		ctx.OnRenewFunc = append(ctx.OnRenewFunc, fn)
		return fn(ctx)
	}
}
Use mTLS by default on SDK methods. Add options to modify the tls.Config for different configurations. Fixes #7 6 years ago			`package ca`

			`import (`
			`"crypto/tls"`
			`"crypto/x509"`
			`)`

			`// TLSOption defines the type of a function that modifies a tls.Config.`
Update root certificates on renew. 5 years ago			`type TLSOption func(ctx *TLSOptionCtx) error`
Use mTLS by default on SDK methods. Add options to modify the tls.Config for different configurations. Fixes #7 6 years ago
Update root certificates on renew. 5 years ago			`// TLSOptionCtx is the context modified on TLSOption methods.`
			`type TLSOptionCtx struct {`
WIP on the safely rotate of root and federated certificates. Fixes #23 5 years ago			`Client *Client`
			`Config *tls.Config`
			`OnRenewFunc []TLSOption`
			`mutableConfig *mutableTLSConfig`
Update root certificates on renew. 5 years ago			`}`

			`// newTLSOptionCtx creates the TLSOption context.`
Remove mTLS client requirement in /roots and /federation 5 years ago			`func newTLSOptionCtx(c Client, config tls.Config) *TLSOptionCtx {`
Update root certificates on renew. 5 years ago			`return &TLSOptionCtx{`
WIP on the safely rotate of root and federated certificates. Fixes #23 5 years ago			`Client: c,`
			`Config: config,`
			`mutableConfig: newMutableTLSConfig(),`
Remove mTLS client requirement in /roots and /federation 5 years ago			`}`
Update root certificates on renew. 5 years ago			`}`

			`func (ctx *TLSOptionCtx) apply(options []TLSOption) error {`
			`for _, fn := range options {`
			`if err := fn(ctx); err != nil {`
			`return err`
			`}`
Add mTLS request to get all the root CAs, not the federated ones. 6 years ago			`}`
WIP on the safely rotate of root and federated certificates. Fixes #23 5 years ago
			`// Initialize mutable config with the fully configured tls.Config`
			`ctx.mutableConfig.Init(ctx.Config)`
			`// Update tls.Config with mutable data`
			`if ctx.Config.RootCAs == nil && len(ctx.mutableConfig.mutRootCerts) > 0 {`
			`ctx.Config.RootCAs = x509.NewCertPool()`
			`}`
			`if ctx.Config.ClientCAs == nil && len(ctx.mutableConfig.mutClientCerts) > 0 {`
			`ctx.Config.ClientCAs = x509.NewCertPool()`
			`}`
			`for _, cert := range ctx.mutableConfig.mutRootCerts {`
			`ctx.Config.RootCAs.AddCert(cert)`
			`}`
			`for _, cert := range ctx.mutableConfig.mutClientCerts {`
			`ctx.Config.ClientCAs.AddCert(cert)`
			`}`
			`ctx.mutableConfig.Reload()`
Update root certificates on renew. 5 years ago			`return nil`
			`}`
Add mTLS request to get all the root CAs, not the federated ones. 6 years ago
Remove mTLS client requirement in /roots and /federation 5 years ago			`func (ctx *TLSOptionCtx) applyRenew() error {`
Update root certificates on renew. 5 years ago			`for _, fn := range ctx.OnRenewFunc {`
			`if err := fn(ctx); err != nil {`
Use mTLS by default on SDK methods. Add options to modify the tls.Config for different configurations. Fixes #7 6 years ago			`return err`
			`}`
			`}`
WIP on the safely rotate of root and federated certificates. Fixes #23 5 years ago			`// Reload mutable config with the changes`
			`ctx.mutableConfig.Reload()`
Use mTLS by default on SDK methods. Add options to modify the tls.Config for different configurations. Fixes #7 6 years ago			`return nil`
			`}`

			`// RequireAndVerifyClientCert is a tls.Config option used on servers to enforce`
			`// a valid TLS client certificate. This is the default option for mTLS servers.`
			`func RequireAndVerifyClientCert() TLSOption {`
Update root certificates on renew. 5 years ago			`return func(ctx *TLSOptionCtx) error {`
			`ctx.Config.ClientAuth = tls.RequireAndVerifyClientCert`
Use mTLS by default on SDK methods. Add options to modify the tls.Config for different configurations. Fixes #7 6 years ago			`return nil`
			`}`
			`}`

			`// VerifyClientCertIfGiven is a tls.Config option used on on servers to validate`
			`// a TLS client certificate if it is provided. It does not requires a certificate.`
			`func VerifyClientCertIfGiven() TLSOption {`
Update root certificates on renew. 5 years ago			`return func(ctx *TLSOptionCtx) error {`
			`ctx.Config.ClientAuth = tls.VerifyClientCertIfGiven`
Use mTLS by default on SDK methods. Add options to modify the tls.Config for different configurations. Fixes #7 6 years ago			`return nil`
			`}`
			`}`

			`// AddRootCA adds to the tls.Config RootCAs the given certificate. RootCAs`
			`// defines the set of root certificate authorities that clients use when`
			`// verifying server certificates.`
			`func AddRootCA(cert *x509.Certificate) TLSOption {`
Update root certificates on renew. 5 years ago			`return func(ctx *TLSOptionCtx) error {`
			`if ctx.Config.RootCAs == nil {`
			`ctx.Config.RootCAs = x509.NewCertPool()`
Use mTLS by default on SDK methods. Add options to modify the tls.Config for different configurations. Fixes #7 6 years ago			`}`
Update root certificates on renew. 5 years ago			`ctx.Config.RootCAs.AddCert(cert)`
WIP on the safely rotate of root and federated certificates. Fixes #23 5 years ago			`ctx.mutableConfig.AddInmutableRootCACert(cert)`
Use mTLS by default on SDK methods. Add options to modify the tls.Config for different configurations. Fixes #7 6 years ago			`return nil`
			`}`
			`}`

			`// AddClientCA adds to the tls.Config ClientCAs the given certificate. ClientCAs`
			`// defines the set of root certificate authorities that servers use if required`
			`// to verify a client certificate by the policy in ClientAuth.`
			`func AddClientCA(cert *x509.Certificate) TLSOption {`
Update root certificates on renew. 5 years ago			`return func(ctx *TLSOptionCtx) error {`
			`if ctx.Config.ClientCAs == nil {`
			`ctx.Config.ClientCAs = x509.NewCertPool()`
Add initial support for federated root certificates. 6 years ago			`}`
Update root certificates on renew. 5 years ago			`ctx.Config.ClientCAs.AddCert(cert)`
WIP on the safely rotate of root and federated certificates. Fixes #23 5 years ago			`ctx.mutableConfig.AddInmutableClientCACert(cert)`
Add initial support for federated root certificates. 6 years ago			`return nil`
			`}`
			`}`

Add mTLS request to get all the root CAs, not the federated ones. 6 years ago			`// AddRootsToRootCAs does a roots request and adds to the tls.Config RootCAs all`
			`// the certificates in the response. RootCAs defines the set of root certificate`
			`// authorities that clients use when verifying server certificates.`
Add all root certificates by default on bootstrap methods. 6 years ago			`//`
			`// BootstrapServer and BootstrapClient methods include this option by default.`
Add mTLS request to get all the root CAs, not the federated ones. 6 years ago			`func AddRootsToRootCAs() TLSOption {`
WIP on the safely rotate of root and federated certificates. Fixes #23 5 years ago			`// var once sync.Once`
Update root certificates on renew. 5 years ago			`fn := func(ctx *TLSOptionCtx) error {`
Remove mTLS client requirement in /roots and /federation 5 years ago			`certs, err := ctx.Client.Roots()`
Add mTLS request to get all the root CAs, not the federated ones. 6 years ago			`if err != nil {`
			`return err`
			`}`
WIP on the safely rotate of root and federated certificates. Fixes #23 5 years ago			`if ctx.mutableConfig == nil {`
			`if ctx.Config.RootCAs == nil {`
			`ctx.Config.RootCAs = x509.NewCertPool()`
			`}`
			`for _, cert := range certs.Certificates {`
			`ctx.Config.RootCAs.AddCert(cert.Certificate)`
			`}`
			`} else {`
			`ctx.mutableConfig.AddRootCAs(certs.Certificates)`
Add mTLS request to get all the root CAs, not the federated ones. 6 years ago			`}`
			`return nil`
			`}`
Update root certificates on renew. 5 years ago			`return func(ctx *TLSOptionCtx) error {`
			`ctx.OnRenewFunc = append(ctx.OnRenewFunc, fn)`
			`return fn(ctx)`
			`}`
Add mTLS request to get all the root CAs, not the federated ones. 6 years ago			`}`

			`// AddRootsToClientCAs does a roots request and adds to the tls.Config ClientCAs`
			`// all the certificates in the response. ClientCAs defines the set of root`
			`// certificate authorities that servers use if required to verify a client`
			`// certificate by the policy in ClientAuth.`
Add all root certificates by default on bootstrap methods. 6 years ago			`//`
			`// BootstrapServer method includes this option by default.`
Add mTLS request to get all the root CAs, not the federated ones. 6 years ago			`func AddRootsToClientCAs() TLSOption {`
WIP on the safely rotate of root and federated certificates. Fixes #23 5 years ago			`// var once sync.Once`
Update root certificates on renew. 5 years ago			`fn := func(ctx *TLSOptionCtx) error {`
Remove mTLS client requirement in /roots and /federation 5 years ago			`certs, err := ctx.Client.Roots()`
Add mTLS request to get all the root CAs, not the federated ones. 6 years ago			`if err != nil {`
			`return err`
			`}`
WIP on the safely rotate of root and federated certificates. Fixes #23 5 years ago			`if ctx.mutableConfig == nil {`
			`if ctx.Config.ClientCAs == nil {`
			`ctx.Config.ClientCAs = x509.NewCertPool()`
			`}`
			`for _, cert := range certs.Certificates {`
			`ctx.Config.ClientCAs.AddCert(cert.Certificate)`
			`}`
			`} else {`
			`ctx.mutableConfig.AddClientCAs(certs.Certificates)`
Add mTLS request to get all the root CAs, not the federated ones. 6 years ago			`}`
			`return nil`
			`}`
Update root certificates on renew. 5 years ago			`return func(ctx *TLSOptionCtx) error {`
			`ctx.OnRenewFunc = append(ctx.OnRenewFunc, fn)`
			`return fn(ctx)`
			`}`
Add mTLS request to get all the root CAs, not the federated ones. 6 years ago			`}`

			`// AddFederationToRootCAs does a federation request and adds to the tls.Config`
			`// RootCAs all the certificates in the response. RootCAs defines the set of root`
			`// certificate authorities that clients use when verifying server certificates.`
			`func AddFederationToRootCAs() TLSOption {`
Update root certificates on renew. 5 years ago			`fn := func(ctx *TLSOptionCtx) error {`
Remove mTLS client requirement in /roots and /federation 5 years ago			`certs, err := ctx.Client.Federation()`
Add initial support for federated root certificates. 6 years ago			`if err != nil {`
			`return err`
			`}`
WIP on the safely rotate of root and federated certificates. Fixes #23 5 years ago			`if ctx.mutableConfig == nil {`
			`if ctx.Config.RootCAs == nil {`
			`ctx.Config.RootCAs = x509.NewCertPool()`
			`}`
			`for _, cert := range certs.Certificates {`
			`ctx.Config.RootCAs.AddCert(cert.Certificate)`
			`}`
			`} else {`
			`ctx.mutableConfig.AddRootCAs(certs.Certificates)`
Add initial support for federated root certificates. 6 years ago			`}`
			`return nil`
			`}`
Update root certificates on renew. 5 years ago			`return func(ctx *TLSOptionCtx) error {`
			`ctx.OnRenewFunc = append(ctx.OnRenewFunc, fn)`
			`return fn(ctx)`
			`}`
Add initial support for federated root certificates. 6 years ago			`}`

Add mTLS request to get all the root CAs, not the federated ones. 6 years ago			`// AddFederationToClientCAs does a federation request and adds to the tls.Config`
Add initial support for federated root certificates. 6 years ago			`// ClientCAs all the certificates in the response. ClientCAs defines the set of`
			`// root certificate authorities that servers use if required to verify a client`
			`// certificate by the policy in ClientAuth.`
Add mTLS request to get all the root CAs, not the federated ones. 6 years ago			`func AddFederationToClientCAs() TLSOption {`
Update root certificates on renew. 5 years ago			`fn := func(ctx *TLSOptionCtx) error {`
Remove mTLS client requirement in /roots and /federation 5 years ago			`certs, err := ctx.Client.Federation()`
Update root certificates on renew. 5 years ago			`if err != nil {`
			`return err`
			`}`
WIP on the safely rotate of root and federated certificates. Fixes #23 5 years ago			`if ctx.mutableConfig == nil {`
			`if ctx.Config.ClientCAs == nil {`
			`ctx.Config.ClientCAs = x509.NewCertPool()`
			`}`
			`for _, cert := range certs.Certificates {`
			`ctx.Config.ClientCAs.AddCert(cert.Certificate)`
			`}`
			`} else {`
			`ctx.mutableConfig.AddClientCAs(certs.Certificates)`
Update root certificates on renew. 5 years ago			`}`
			`return nil`
			`}`
			`return func(ctx *TLSOptionCtx) error {`
			`ctx.OnRenewFunc = append(ctx.OnRenewFunc, fn)`
			`return fn(ctx)`
			`}`
			`}`

			`// AddRootsToCAs does a roots request and adds the resulting certs to the`
			`// tls.Config RootCAs and ClientCAs. Combines the functionality of`
			`// AddRootsToRootCAs and AddRootsToClientCAs.`
			`func AddRootsToCAs() TLSOption {`
			`fn := func(ctx *TLSOptionCtx) error {`
Remove mTLS client requirement in /roots and /federation 5 years ago			`certs, err := ctx.Client.Roots()`
Add initial support for federated root certificates. 6 years ago			`if err != nil {`
			`return err`
			`}`
WIP on the safely rotate of root and federated certificates. Fixes #23 5 years ago			`if ctx.mutableConfig == nil {`
			`if ctx.Config.RootCAs == nil {`
			`ctx.Config.RootCAs = x509.NewCertPool()`
			`}`
			`if ctx.Config.ClientCAs == nil {`
			`ctx.Config.ClientCAs = x509.NewCertPool()`
			`}`
			`for _, cert := range certs.Certificates {`
			`ctx.Config.RootCAs.AddCert(cert.Certificate)`
			`ctx.Config.ClientCAs.AddCert(cert.Certificate)`
			`}`
			`} else {`
			`ctx.mutableConfig.AddRootCAs(certs.Certificates)`
			`ctx.mutableConfig.AddClientCAs(certs.Certificates)`
Use mTLS by default on SDK methods. Add options to modify the tls.Config for different configurations. Fixes #7 6 years ago			`}`
			`return nil`
			`}`
Update root certificates on renew. 5 years ago			`return func(ctx *TLSOptionCtx) error {`
			`ctx.OnRenewFunc = append(ctx.OnRenewFunc, fn)`
			`return fn(ctx)`
			`}`
			`}`

			`// AddFederationToCAs does a federation request and adds the resulting certs to the`
			`// tls.Config RootCAs and ClientCAs. Combines the functionality of`
			`// AddFederationToRootCAs and AddFederationToClientCAs.`
			`func AddFederationToCAs() TLSOption {`
			`fn := func(ctx *TLSOptionCtx) error {`
Remove mTLS client requirement in /roots and /federation 5 years ago			`certs, err := ctx.Client.Federation()`
Update root certificates on renew. 5 years ago			`if err != nil {`
			`return err`
			`}`
WIP on the safely rotate of root and federated certificates. Fixes #23 5 years ago			`if ctx.mutableConfig == nil {`
			`if ctx.Config.RootCAs == nil {`
			`ctx.Config.RootCAs = x509.NewCertPool()`
			`}`
			`if ctx.Config.ClientCAs == nil {`
			`ctx.Config.ClientCAs = x509.NewCertPool()`
			`}`
			`for _, cert := range certs.Certificates {`
			`ctx.Config.RootCAs.AddCert(cert.Certificate)`
			`ctx.Config.ClientCAs.AddCert(cert.Certificate)`
			`}`
			`} else {`
			`ctx.mutableConfig.AddRootCAs(certs.Certificates)`
			`ctx.mutableConfig.AddClientCAs(certs.Certificates)`
Update root certificates on renew. 5 years ago			`}`
			`return nil`
			`}`
			`return func(ctx *TLSOptionCtx) error {`
			`ctx.OnRenewFunc = append(ctx.OnRenewFunc, fn)`
			`return fn(ctx)`
			`}`
Use mTLS by default on SDK methods. Add options to modify the tls.Config for different configurations. Fixes #7 6 years ago			`}`