tls.go 3.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110
  1. /*
  2. Copyright © The ESO Authors
  3. Licensed under the Apache License, Version 2.0 (the "License");
  4. you may not use this file except in compliance with the License.
  5. You may obtain a copy of the License at
  6. https://www.apache.org/licenses/LICENSE-2.0
  7. Unless required by applicable law or agreed to in writing, software
  8. distributed under the License is distributed on an "AS IS" BASIS,
  9. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  10. See the License for the specific language governing permissions and
  11. limitations under the License.
  12. */
  13. package server
  14. import (
  15. "crypto/tls"
  16. "crypto/x509"
  17. "fmt"
  18. "os"
  19. )
  20. const (
  21. // DefaultCertDir is the default directory for provider TLS assets.
  22. DefaultCertDir = "/etc/provider/certs"
  23. // DefaultCACertFile is the default CA certificate filename.
  24. DefaultCACertFile = "ca.crt"
  25. // DefaultCertFile is the default server certificate filename.
  26. DefaultCertFile = "tls.crt"
  27. // DefaultKeyFile is the default server key filename.
  28. DefaultKeyFile = "tls.key"
  29. )
  30. // TLSConfig holds configuration for provider server TLS.
  31. type TLSConfig struct {
  32. CertDir string
  33. CACertFile string
  34. CertFile string
  35. KeyFile string
  36. }
  37. // DefaultTLSConfig returns a TLSConfig with default values.
  38. // Values can be overridden via TLS_CERT_DIR, TLS_CA_CERT_FILE, TLS_CERT_FILE, and TLS_KEY_FILE.
  39. func DefaultTLSConfig() *TLSConfig {
  40. return &TLSConfig{
  41. CertDir: getEnvOrDefault("TLS_CERT_DIR", DefaultCertDir),
  42. CACertFile: getEnvOrDefault("TLS_CA_CERT_FILE", DefaultCACertFile),
  43. CertFile: getEnvOrDefault("TLS_CERT_FILE", DefaultCertFile),
  44. KeyFile: getEnvOrDefault("TLS_KEY_FILE", DefaultKeyFile),
  45. }
  46. }
  47. // LoadTLSConfig loads TLS configuration for a provider server.
  48. // This enables mTLS, requiring and verifying client certificates.
  49. func LoadTLSConfig(config *TLSConfig) (*tls.Config, error) {
  50. // Load server certificate and key
  51. certPath := fmt.Sprintf("%s/%s", config.CertDir, config.CertFile)
  52. keyPath := fmt.Sprintf("%s/%s", config.CertDir, config.KeyFile)
  53. cert, err := tls.LoadX509KeyPair(certPath, keyPath)
  54. if err != nil {
  55. return nil, fmt.Errorf("failed to load server certificate: %w", err)
  56. }
  57. // Load CA certificate for client verification
  58. caPath := fmt.Sprintf("%s/%s", config.CertDir, config.CACertFile)
  59. // #nosec G304 -- TLSConfig paths are explicit operator-provided mount points.
  60. caCert, err := os.ReadFile(caPath)
  61. if err != nil {
  62. return nil, fmt.Errorf("failed to load CA certificate: %w", err)
  63. }
  64. caCertPool := x509.NewCertPool()
  65. if !caCertPool.AppendCertsFromPEM(caCert) {
  66. return nil, fmt.Errorf("failed to parse CA certificate")
  67. }
  68. return &tls.Config{
  69. Certificates: []tls.Certificate{cert},
  70. ClientCAs: caCertPool,
  71. ClientAuth: tls.RequireAndVerifyClientCert,
  72. MinVersion: tls.VersionTLS12, // TLS 1.2 minimum for compatibility
  73. }, nil
  74. }
  75. // TLSVersionName returns a human-readable name for a TLS version.
  76. func TLSVersionName(version uint16) string {
  77. switch version {
  78. case tls.VersionTLS10:
  79. return "TLS 1.0"
  80. case tls.VersionTLS11:
  81. return "TLS 1.1"
  82. case tls.VersionTLS12:
  83. return "TLS 1.2"
  84. case tls.VersionTLS13:
  85. return "TLS 1.3"
  86. default:
  87. return "Unknown"
  88. }
  89. }
  90. func getEnvOrDefault(key, defaultValue string) string {
  91. if value := os.Getenv(key); value != "" {
  92. return value
  93. }
  94. return defaultValue
  95. }