From 356e7070eff0336c0ef4e0c4efdc97721af6e334 Mon Sep 17 00:00:00 2001
From: Venky Gopal
Date: Sun, 21 Jan 2024 09:26:40 -0500
Subject: [PATCH] Allow usage of externally supplied TLS config

---
 ca/ca.go | 36 +++++++++++++++++++++++++++++++-----
 1 file changed, 31 insertions(+), 5 deletions(-)

diff --git a/ca/ca.go b/ca/ca.go
index 7baf2419..cb91162b 100644
--- a/ca/ca.go
+++ b/ca/ca.go
@@ -46,6 +46,7 @@ type options struct {
 	sshHostPassword []byte
 	sshUserPassword []byte
 	database db.AuthDB
+	tlsConfig *tls.Config
 }
 
 func (o *options) apply(opts []Option) {
@@ -104,6 +105,14 @@ func WithDatabase(d db.AuthDB) Option {
 	}
 }
 
+// WithTLSConfig sets the TLS configuration to be used by the HTTP(s) server
+// spun by step-ca.
+func WithTLSConfig(t *tls.Config) Option {
+	return func(o* options) {
+		o.tlsConfig = t
+	}
+}
+
 // WithLinkedCAToken sets the token used to authenticate with the linkedca.
 func WithLinkedCAToken(token string) Option {
 	return func(o *options) {
@@ -172,9 +181,20 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
 	}
 	ca.auth = auth
 
-	tlsConfig, clientTLSConfig, err := ca.getTLSConfig(auth)
-	if err != nil {
-		return nil, err
+	var tlsConfig *tls.Config
+	var clientTLSConfig *tls.Config
+	if ca.opts.tlsConfig != nil {
+		// try using the tls Configuration supplied by the caller
+		log.Print("Using tls configuration supplied by the application")
+		tlsConfig = ca.opts.tlsConfig
+		clientTLSConfig = ca.opts.tlsConfig
+	} else {
+		// default to using the step-ca x509 Signer Interface
+		log.Print("Building new tls configuration using step-ca x509 Signer Interface")
+		tlsConfig, clientTLSConfig, err = ca.getTLSConfig(auth)
+		if err != nil {
+			return nil, err
+		}
 	}
 	webhookTransport.TLSClientConfig = clientTLSConfig
 
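Review bot: The receiver literal `func(o* options)` in WithTLSConfig is not gofmt output and differs from every sibling option in the file (WithLinkedCAToken right below uses `func(o *options)`); write it as `return func(o *options) {`. The doc comment also understates the contract: the Init change in this same patch feeds the supplied config to the webhook client transport as well as to the server, and a caller choosing RootCAs, ClientAuth or Certificates for it needs to know that. Suggest `// WithTLSConfig sets the TLS configuration used both by the HTTP(S) server spun up by step-ca and by its outbound webhook client transport; the caller is responsible for the certificates and trust settings it carries.`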
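Review bot: The same `*tls.Config` pointer is assigned to both `tlsConfig` and `clientTLSConfig`, so the HTTPS server and the webhook transport (`webhookTransport.TLSClientConfig = clientTLSConfig`) now share one mutable config, whereas the replaced `getTLSConfig` path returned separate server and client configs. A config built for a server (Certificates/GetCertificate, ClientAuth, ClientCAs) is rarely what an outbound client should use (RootCAs, optionally a client certificate), and any in-place adjustment by one side — net/http may append to NextProtos when enabling HTTP/2 — is then visible to the other. At minimum hand out independent copies, `tlsConfig = ca.opts.tlsConfig.Clone()` and `clientTLSConfig = ca.opts.tlsConfig.Clone()`, and consider a separate option for the client-side config so the trust used for webhook calls is an explicit choice rather than whatever the server config happens to hold. The else branch assigns `err` with `=`, so it depends on a declaration earlier in Init that lies outside this hunk; Init starts and ends outside the hunk.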
@@ -421,7 +441,10 @@ func (ca *CA) Run() error {
 // Stop stops the CA calling to the server Shutdown method.
 func (ca *CA) Stop() error {
 	close(ca.compactStop)
-	ca.renewer.Stop()
+	if ca.renewer != nil {
+		ca.renewer.Stop()
+	}
+
 	if err := ca.auth.Shutdown(); err != nil {
 		log.Printf("error stopping ca.Authority: %+v\n", err)
 	}
@@ -489,7 +512,10 @@ func (ca *CA) Reload() error {
 	// 2. Safely shutdown any internal resources (e.g. key manager)
 	// 3. Replace ca properties
 	// Do not replace ca.srv
-	ca.renewer.Stop()
+	if ca.renewer != nil {
+		ca.renewer.Stop()
+	}
+
 	ca.auth.CloseForReload()
 	ca.auth = newCA.auth
 	ca.config = newCA.config
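Review bot: The new nil guard on `ca.renewer` in Stop, repeated verbatim in the Reload hunk below, carries no comment saying when the renewer can be nil; reading the patch as a whole it appears to be the externally supplied TLS config case, where `getTLSConfig` is skipped in Init, but the guard itself does not say so and I cannot see where renewer is set from here. Suggest a comment at the first guard, `// renewer is nil when the TLS config was supplied via WithTLSConfig and getTLSConfig never ran` (confirm against the renewer's construction site). Since the same three lines appear twice, a small `func (ca *CA) stopRenewer()` helper would keep both call sites in step. Stop's body continues past the visible Shutdown error log; Reload starts and ends outside its hunk.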