mirror of
https://github.com/mainflux/mainflux.git
synced 2025-04-28 13:48:49 +08:00
57 lines
1.2 KiB
Go
57 lines
1.2 KiB
Go
package tls
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"io/ioutil"
|
|
"net"
|
|
|
|
"github.com/mainflux/mainflux/pkg/errors"
|
|
)
|
|
|
|
var (
|
|
errTLSdetails = errors.New("failed to get TLS details of connection")
|
|
errParseRoot = errors.New("failed to parse root certificate")
|
|
)
|
|
|
|
// LoadTLSCfg return a TLS configuration that can be used in TLS servers
|
|
func LoadTLSCfg(ca, crt, key string) (*tls.Config, error) {
|
|
caCertPEM, err := ioutil.ReadFile(ca)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
roots := x509.NewCertPool()
|
|
if ok := roots.AppendCertsFromPEM(caCertPEM); !ok {
|
|
return nil, errParseRoot
|
|
}
|
|
|
|
cert, err := tls.LoadX509KeyPair(crt, key)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &tls.Config{
|
|
Certificates: []tls.Certificate{cert},
|
|
ClientAuth: tls.RequireAndVerifyClientCert,
|
|
ClientCAs: roots,
|
|
}, nil
|
|
}
|
|
|
|
// ClientCert returns client certificate
|
|
func ClientCert(conn net.Conn) (x509.Certificate, error) {
|
|
switch connVal := conn.(type) {
|
|
case *tls.Conn:
|
|
if err := connVal.Handshake(); err != nil {
|
|
return x509.Certificate{}, err
|
|
}
|
|
state := connVal.ConnectionState()
|
|
if state.Version == 0 {
|
|
return x509.Certificate{}, errTLSdetails
|
|
}
|
|
cert := *state.PeerCertificates[0]
|
|
return cert, nil
|
|
default:
|
|
return x509.Certificate{}, nil
|
|
}
|
|
}
|