traefik/pkg/types/tls.go

108 lines
2.9 KiB
Go
Raw Normal View History

package types
import (
"context"
"crypto/tls"
"crypto/x509"
"errors"
"fmt"
"os"
"github.com/traefik/traefik/v2/pkg/log"
)
// +k8s:deepcopy-gen=true
// ClientTLS holds TLS specific configurations as client
2020-05-11 12:06:07 +02:00
// CA, Cert and Key can be either path or file contents.
type ClientTLS struct {
CA string `description:"TLS CA" json:"ca,omitempty" toml:"ca,omitempty" yaml:"ca,omitempty"`
// Deprecated: TLS client authentication is a server side option (see https://github.com/golang/go/blob/740a490f71d026bb7d2d13cb8fa2d6d6e0572b70/src/crypto/tls/common.go#L634).
2020-10-30 12:44:05 +01:00
CAOptional bool `description:"TLS CA.Optional" json:"caOptional,omitempty" toml:"caOptional,omitempty" yaml:"caOptional,omitempty" export:"true"`
2019-07-01 11:30:05 +02:00
Cert string `description:"TLS cert" json:"cert,omitempty" toml:"cert,omitempty" yaml:"cert,omitempty"`
Key string `description:"TLS key" json:"key,omitempty" toml:"key,omitempty" yaml:"key,omitempty" loggable:"false"`
2020-10-30 12:44:05 +01:00
InsecureSkipVerify bool `description:"TLS insecure skip verify" json:"insecureSkipVerify,omitempty" toml:"insecureSkipVerify,omitempty" yaml:"insecureSkipVerify,omitempty" export:"true"`
}
2020-05-11 12:06:07 +02:00
// CreateTLSConfig creates a TLS config from ClientTLS structures.
2022-09-12 17:40:09 +02:00
func (c *ClientTLS) CreateTLSConfig(ctx context.Context) (*tls.Config, error) {
if c == nil {
log.FromContext(ctx).Warnf("clientTLS is nil")
return nil, nil
}
2022-09-12 17:40:09 +02:00
if c.CAOptional {
log.FromContext(ctx).Warn("CAOptional is deprecated, TLS client authentication is a server side option.")
}
// Not initialized, to rely on system bundle.
var caPool *x509.CertPool
2022-09-12 17:40:09 +02:00
if c.CA != "" {
var ca []byte
2022-09-12 17:40:09 +02:00
if _, errCA := os.Stat(c.CA); errCA == nil {
var err error
2022-09-12 17:40:09 +02:00
ca, err = os.ReadFile(c.CA)
if err != nil {
2020-05-11 12:06:07 +02:00
return nil, fmt.Errorf("failed to read CA. %w", err)
}
} else {
2022-09-12 17:40:09 +02:00
ca = []byte(c.CA)
}
caPool = x509.NewCertPool()
if !caPool.AppendCertsFromPEM(ca) {
return nil, errors.New("failed to parse CA")
}
}
2022-09-12 17:40:09 +02:00
hasCert := len(c.Cert) > 0
hasKey := len(c.Key) > 0
if hasCert != hasKey {
return nil, errors.New("both TLS cert and key must be defined")
}
if !hasCert || !hasKey {
return &tls.Config{
RootCAs: caPool,
2022-09-12 17:40:09 +02:00
InsecureSkipVerify: c.InsecureSkipVerify,
}, nil
}
2022-09-12 17:40:09 +02:00
cert, err := loadKeyPair(c.Cert, c.Key)
if err != nil {
return nil, err
}
return &tls.Config{
Certificates: []tls.Certificate{cert},
RootCAs: caPool,
2022-09-12 17:40:09 +02:00
InsecureSkipVerify: c.InsecureSkipVerify,
}, nil
}
func loadKeyPair(cert, key string) (tls.Certificate, error) {
keyPair, err := tls.X509KeyPair([]byte(cert), []byte(key))
if err == nil {
return keyPair, nil
}
_, err = os.Stat(cert)
if err != nil {
return tls.Certificate{}, errors.New("cert file does not exist")
}
_, err = os.Stat(key)
if err != nil {
return tls.Certificate{}, errors.New("key file does not exist")
}
keyPair, err = tls.LoadX509KeyPair(cert, key)
if err != nil {
return tls.Certificate{}, err
}
return keyPair, nil
}