2018-11-21 21:29:18 +00:00
|
|
|
package ca
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"crypto/tls"
|
|
|
|
|
"crypto/x509"
|
2019-01-23 22:33:16 +00:00
|
|
|
|
|
|
|
|
"github.com/smallstep/certificates/api"
|
2018-11-21 21:29:18 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// TLSOption defines the type of a function that modifies a tls.Config.
|
2019-01-09 21:20:28 +00:00
|
|
|
type TLSOption func(ctx *TLSOptionCtx) error
|
2018-11-21 21:29:18 +00:00
|
|
|
|
2019-01-09 21:20:28 +00:00
|
|
|
// TLSOptionCtx is the context modified on TLSOption methods.
|
|
|
|
|
type TLSOptionCtx struct {
|
2019-01-23 03:54:12 +00:00
|
|
|
Client *Client
|
|
|
|
|
Config *tls.Config
|
2019-01-23 22:33:16 +00:00
|
|
|
Sign *api.SignResponse
|
2019-01-23 03:54:12 +00:00
|
|
|
OnRenewFunc []TLSOption
|
|
|
|
|
mutableConfig *mutableTLSConfig
|
2019-01-23 22:33:16 +00:00
|
|
|
hasRootCA bool
|
|
|
|
|
hasClientCA bool
|
2019-01-09 21:20:28 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// newTLSOptionCtx creates the TLSOption context.
|
2019-01-23 22:33:16 +00:00
|
|
|
func newTLSOptionCtx(c *Client, config *tls.Config, sign *api.SignResponse) *TLSOptionCtx {
|
2019-01-09 21:20:28 +00:00
|
|
|
return &TLSOptionCtx{
|
2019-01-23 03:54:12 +00:00
|
|
|
Client: c,
|
|
|
|
|
Config: config,
|
2019-01-23 22:33:16 +00:00
|
|
|
Sign: sign,
|
2019-01-23 03:54:12 +00:00
|
|
|
mutableConfig: newMutableTLSConfig(),
|
2019-01-12 03:08:08 +00:00
|
|
|
}
|
2019-01-09 21:20:28 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (ctx *TLSOptionCtx) apply(options []TLSOption) error {
|
|
|
|
|
for _, fn := range options {
|
|
|
|
|
if err := fn(ctx); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2019-01-08 01:48:56 +00:00
|
|
|
}
|
2019-01-23 03:54:12 +00:00
|
|
|
|
|
|
|
|
// Initialize mutable config with the fully configured tls.Config
|
|
|
|
|
ctx.mutableConfig.Init(ctx.Config)
|
2019-01-23 22:33:16 +00:00
|
|
|
|
|
|
|
|
// Build RootCAs and ClientCAs with given root certificate if necessary
|
|
|
|
|
if root, err := RootCertificate(ctx.Sign); err == nil {
|
|
|
|
|
if !ctx.hasRootCA {
|
|
|
|
|
if ctx.Config.RootCAs == nil {
|
|
|
|
|
ctx.Config.RootCAs = x509.NewCertPool()
|
|
|
|
|
}
|
|
|
|
|
ctx.Config.RootCAs.AddCert(root)
|
2019-02-06 01:33:16 +00:00
|
|
|
ctx.mutableConfig.AddImmutableRootCACert(root)
|
2019-01-23 22:33:16 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if !ctx.hasClientCA && ctx.Config.ClientAuth != tls.NoClientCert {
|
|
|
|
|
if ctx.Config.ClientCAs == nil {
|
|
|
|
|
ctx.Config.ClientCAs = x509.NewCertPool()
|
|
|
|
|
}
|
|
|
|
|
ctx.Config.ClientCAs.AddCert(root)
|
2019-02-06 01:33:16 +00:00
|
|
|
ctx.mutableConfig.AddImmutableClientCACert(root)
|
2019-01-23 22:33:16 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-01-23 03:54:12 +00:00
|
|
|
// Update tls.Config with mutable data
|
|
|
|
|
if ctx.Config.RootCAs == nil && len(ctx.mutableConfig.mutRootCerts) > 0 {
|
|
|
|
|
ctx.Config.RootCAs = x509.NewCertPool()
|
|
|
|
|
}
|
|
|
|
|
if ctx.Config.ClientCAs == nil && len(ctx.mutableConfig.mutClientCerts) > 0 {
|
|
|
|
|
ctx.Config.ClientCAs = x509.NewCertPool()
|
|
|
|
|
}
|
2019-01-23 22:33:16 +00:00
|
|
|
// Add mutable certificates
|
2019-01-23 03:54:12 +00:00
|
|
|
for _, cert := range ctx.mutableConfig.mutRootCerts {
|
|
|
|
|
ctx.Config.RootCAs.AddCert(cert)
|
|
|
|
|
}
|
|
|
|
|
for _, cert := range ctx.mutableConfig.mutClientCerts {
|
|
|
|
|
ctx.Config.ClientCAs.AddCert(cert)
|
|
|
|
|
}
|
|
|
|
|
ctx.mutableConfig.Reload()
|
2019-01-09 21:20:28 +00:00
|
|
|
return nil
|
|
|
|
|
}
|
2019-01-08 01:48:56 +00:00
|
|
|
|
2019-01-12 03:08:08 +00:00
|
|
|
func (ctx *TLSOptionCtx) applyRenew() error {
|
2019-01-09 21:20:28 +00:00
|
|
|
for _, fn := range ctx.OnRenewFunc {
|
|
|
|
|
if err := fn(ctx); err != nil {
|
2018-11-21 21:29:18 +00:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
}
|
2019-01-23 03:54:12 +00:00
|
|
|
// Reload mutable config with the changes
|
|
|
|
|
ctx.mutableConfig.Reload()
|
2018-11-21 21:29:18 +00:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// RequireAndVerifyClientCert is a tls.Config option used on servers to enforce
|
|
|
|
|
// a valid TLS client certificate. This is the default option for mTLS servers.
|
|
|
|
|
func RequireAndVerifyClientCert() TLSOption {
|
2019-01-09 21:20:28 +00:00
|
|
|
return func(ctx *TLSOptionCtx) error {
|
|
|
|
|
ctx.Config.ClientAuth = tls.RequireAndVerifyClientCert
|
2018-11-21 21:29:18 +00:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// VerifyClientCertIfGiven is a tls.Config option used on on servers to validate
|
|
|
|
|
// a TLS client certificate if it is provided. It does not requires a certificate.
|
|
|
|
|
func VerifyClientCertIfGiven() TLSOption {
|
2019-01-09 21:20:28 +00:00
|
|
|
return func(ctx *TLSOptionCtx) error {
|
|
|
|
|
ctx.Config.ClientAuth = tls.VerifyClientCertIfGiven
|
2018-11-21 21:29:18 +00:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// AddRootCA adds to the tls.Config RootCAs the given certificate. RootCAs
|
|
|
|
|
// defines the set of root certificate authorities that clients use when
|
|
|
|
|
// verifying server certificates.
|
|
|
|
|
func AddRootCA(cert *x509.Certificate) TLSOption {
|
2019-01-09 21:20:28 +00:00
|
|
|
return func(ctx *TLSOptionCtx) error {
|
|
|
|
|
if ctx.Config.RootCAs == nil {
|
|
|
|
|
ctx.Config.RootCAs = x509.NewCertPool()
|
2018-11-21 21:29:18 +00:00
|
|
|
}
|
2019-01-09 21:20:28 +00:00
|
|
|
ctx.Config.RootCAs.AddCert(cert)
|
2019-02-06 01:33:16 +00:00
|
|
|
ctx.mutableConfig.AddImmutableRootCACert(cert)
|
2018-11-21 21:29:18 +00:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// AddClientCA adds to the tls.Config ClientCAs the given certificate. ClientCAs
|
|
|
|
|
// defines the set of root certificate authorities that servers use if required
|
|
|
|
|
// to verify a client certificate by the policy in ClientAuth.
|
|
|
|
|
func AddClientCA(cert *x509.Certificate) TLSOption {
|
2019-01-09 21:20:28 +00:00
|
|
|
return func(ctx *TLSOptionCtx) error {
|
|
|
|
|
if ctx.Config.ClientCAs == nil {
|
|
|
|
|
ctx.Config.ClientCAs = x509.NewCertPool()
|
2019-01-05 01:51:32 +00:00
|
|
|
}
|
2019-01-09 21:20:28 +00:00
|
|
|
ctx.Config.ClientCAs.AddCert(cert)
|
2019-02-06 01:33:16 +00:00
|
|
|
ctx.mutableConfig.AddImmutableClientCACert(cert)
|
2019-01-05 01:51:32 +00:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-01-08 01:48:56 +00:00
|
|
|
// AddRootsToRootCAs does a roots request and adds to the tls.Config RootCAs all
|
|
|
|
|
// the certificates in the response. RootCAs defines the set of root certificate
|
|
|
|
|
// authorities that clients use when verifying server certificates.
|
2019-01-08 02:55:40 +00:00
|
|
|
//
|
|
|
|
|
// BootstrapServer and BootstrapClient methods include this option by default.
|
2019-01-08 01:48:56 +00:00
|
|
|
func AddRootsToRootCAs() TLSOption {
|
2019-01-23 03:54:12 +00:00
|
|
|
// var once sync.Once
|
2019-01-09 21:20:28 +00:00
|
|
|
fn := func(ctx *TLSOptionCtx) error {
|
2019-01-12 03:08:08 +00:00
|
|
|
certs, err := ctx.Client.Roots()
|
2019-01-08 01:48:56 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2019-01-23 22:33:16 +00:00
|
|
|
ctx.hasRootCA = true
|
|
|
|
|
ctx.mutableConfig.AddRootCAs(certs.Certificates)
|
2019-01-08 01:48:56 +00:00
|
|
|
return nil
|
|
|
|
|
}
|
2019-01-09 21:20:28 +00:00
|
|
|
return func(ctx *TLSOptionCtx) error {
|
|
|
|
|
ctx.OnRenewFunc = append(ctx.OnRenewFunc, fn)
|
|
|
|
|
return fn(ctx)
|
|
|
|
|
}
|
2019-01-08 01:48:56 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// AddRootsToClientCAs does a roots request and adds to the tls.Config ClientCAs
|
|
|
|
|
// all the certificates in the response. ClientCAs defines the set of root
|
|
|
|
|
// certificate authorities that servers use if required to verify a client
|
|
|
|
|
// certificate by the policy in ClientAuth.
|
2019-01-08 02:55:40 +00:00
|
|
|
//
|
|
|
|
|
// BootstrapServer method includes this option by default.
|
2019-01-08 01:48:56 +00:00
|
|
|
func AddRootsToClientCAs() TLSOption {
|
2019-01-23 03:54:12 +00:00
|
|
|
// var once sync.Once
|
2019-01-09 21:20:28 +00:00
|
|
|
fn := func(ctx *TLSOptionCtx) error {
|
2019-01-12 03:08:08 +00:00
|
|
|
certs, err := ctx.Client.Roots()
|
2019-01-08 01:48:56 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2019-01-23 22:33:16 +00:00
|
|
|
ctx.hasClientCA = true
|
|
|
|
|
ctx.mutableConfig.AddClientCAs(certs.Certificates)
|
2019-01-08 01:48:56 +00:00
|
|
|
return nil
|
|
|
|
|
}
|
2019-01-09 21:20:28 +00:00
|
|
|
return func(ctx *TLSOptionCtx) error {
|
|
|
|
|
ctx.OnRenewFunc = append(ctx.OnRenewFunc, fn)
|
|
|
|
|
return fn(ctx)
|
|
|
|
|
}
|
2019-01-08 01:48:56 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// AddFederationToRootCAs does a federation request and adds to the tls.Config
|
|
|
|
|
// RootCAs all the certificates in the response. RootCAs defines the set of root
|
|
|
|
|
// certificate authorities that clients use when verifying server certificates.
|
|
|
|
|
func AddFederationToRootCAs() TLSOption {
|
2019-01-09 21:20:28 +00:00
|
|
|
fn := func(ctx *TLSOptionCtx) error {
|
2019-01-12 03:08:08 +00:00
|
|
|
certs, err := ctx.Client.Federation()
|
2019-01-05 01:51:32 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2019-01-23 22:33:16 +00:00
|
|
|
ctx.mutableConfig.AddRootCAs(certs.Certificates)
|
2019-01-05 01:51:32 +00:00
|
|
|
return nil
|
|
|
|
|
}
|
2019-01-09 21:20:28 +00:00
|
|
|
return func(ctx *TLSOptionCtx) error {
|
|
|
|
|
ctx.OnRenewFunc = append(ctx.OnRenewFunc, fn)
|
|
|
|
|
return fn(ctx)
|
|
|
|
|
}
|
2019-01-05 01:51:32 +00:00
|
|
|
}
|
|
|
|
|
|
2019-01-08 01:48:56 +00:00
|
|
|
// AddFederationToClientCAs does a federation request and adds to the tls.Config
|
2019-01-05 01:51:32 +00:00
|
|
|
// ClientCAs all the certificates in the response. ClientCAs defines the set of
|
|
|
|
|
// root certificate authorities that servers use if required to verify a client
|
|
|
|
|
// certificate by the policy in ClientAuth.
|
2019-01-08 01:48:56 +00:00
|
|
|
func AddFederationToClientCAs() TLSOption {
|
2019-01-09 21:20:28 +00:00
|
|
|
fn := func(ctx *TLSOptionCtx) error {
|
2019-01-12 03:08:08 +00:00
|
|
|
certs, err := ctx.Client.Federation()
|
2019-01-09 21:20:28 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2019-01-23 22:33:16 +00:00
|
|
|
ctx.mutableConfig.AddClientCAs(certs.Certificates)
|
2019-01-09 21:20:28 +00:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
return func(ctx *TLSOptionCtx) error {
|
|
|
|
|
ctx.OnRenewFunc = append(ctx.OnRenewFunc, fn)
|
|
|
|
|
return fn(ctx)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// AddRootsToCAs does a roots request and adds the resulting certs to the
|
|
|
|
|
// tls.Config RootCAs and ClientCAs. Combines the functionality of
|
|
|
|
|
// AddRootsToRootCAs and AddRootsToClientCAs.
|
|
|
|
|
func AddRootsToCAs() TLSOption {
|
|
|
|
|
fn := func(ctx *TLSOptionCtx) error {
|
2019-01-12 03:08:08 +00:00
|
|
|
certs, err := ctx.Client.Roots()
|
2019-01-05 01:51:32 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2019-01-23 22:33:16 +00:00
|
|
|
ctx.hasRootCA = true
|
|
|
|
|
ctx.hasClientCA = true
|
|
|
|
|
ctx.mutableConfig.AddRootCAs(certs.Certificates)
|
|
|
|
|
ctx.mutableConfig.AddClientCAs(certs.Certificates)
|
2018-11-21 21:29:18 +00:00
|
|
|
return nil
|
|
|
|
|
}
|
2019-01-09 21:20:28 +00:00
|
|
|
return func(ctx *TLSOptionCtx) error {
|
|
|
|
|
ctx.OnRenewFunc = append(ctx.OnRenewFunc, fn)
|
|
|
|
|
return fn(ctx)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// AddFederationToCAs does a federation request and adds the resulting certs to the
|
|
|
|
|
// tls.Config RootCAs and ClientCAs. Combines the functionality of
|
|
|
|
|
// AddFederationToRootCAs and AddFederationToClientCAs.
|
|
|
|
|
func AddFederationToCAs() TLSOption {
|
|
|
|
|
fn := func(ctx *TLSOptionCtx) error {
|
2019-01-12 03:08:08 +00:00
|
|
|
certs, err := ctx.Client.Federation()
|
2019-01-09 21:20:28 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2019-01-23 03:54:12 +00:00
|
|
|
if ctx.mutableConfig == nil {
|
|
|
|
|
if ctx.Config.RootCAs == nil {
|
|
|
|
|
ctx.Config.RootCAs = x509.NewCertPool()
|
|
|
|
|
}
|
|
|
|
|
if ctx.Config.ClientCAs == nil {
|
|
|
|
|
ctx.Config.ClientCAs = x509.NewCertPool()
|
|
|
|
|
}
|
|
|
|
|
for _, cert := range certs.Certificates {
|
|
|
|
|
ctx.Config.RootCAs.AddCert(cert.Certificate)
|
|
|
|
|
ctx.Config.ClientCAs.AddCert(cert.Certificate)
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
ctx.mutableConfig.AddRootCAs(certs.Certificates)
|
|
|
|
|
ctx.mutableConfig.AddClientCAs(certs.Certificates)
|
2019-01-09 21:20:28 +00:00
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
return func(ctx *TLSOptionCtx) error {
|
|
|
|
|
ctx.OnRenewFunc = append(ctx.OnRenewFunc, fn)
|
|
|
|
|
return fn(ctx)
|
|
|
|
|
}
|
2018-11-21 21:29:18 +00:00
|
|
|
}
|
