From 3b30409ceb803554d913652cf85af514ce423ca8 Mon Sep 17 00:00:00 2001 From: fayzal-g Date: Thu, 8 Jun 2023 17:23:54 +0100 Subject: [PATCH 1/5] Pass TLS certs and keys inline Signed-off-by: fayzal-g --- ...uth.requireanyclientcertkeyinline.good.yml | 56 ++++++++++++ .../web_config_noAuth_cert_empty.bad.yml | 3 + .../web_config_noAuth_key_empty.bad.yml | 3 + .../web_config_noAuth_tlsInline.good.yml | 89 +++++++++++++++++++ web/tls_config.go | 59 +++++++++--- web/tls_config_test.go | 33 +++++-- 6 files changed, 228 insertions(+), 15 deletions(-) create mode 100644 web/testdata/tls_config_noAuth.requireanyclientcertkeyinline.good.yml create mode 100644 web/testdata/web_config_noAuth_cert_empty.bad.yml create mode 100644 web/testdata/web_config_noAuth_key_empty.bad.yml create mode 100644 web/testdata/web_config_noAuth_tlsInline.good.yml diff --git a/web/testdata/tls_config_noAuth.requireanyclientcertkeyinline.good.yml b/web/testdata/tls_config_noAuth.requireanyclientcertkeyinline.good.yml new file mode 100644 index 00000000..5c56e85d --- /dev/null +++ b/web/testdata/tls_config_noAuth.requireanyclientcertkeyinline.good.yml @@ -0,0 +1,56 @@ +tls_server_config: + cert_file: "server.crt" + key: | + -----BEGIN PRIVATE KEY----- + MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDT5dSL/8/jPIxx + 1EoIDobwkv9CHzYvNvjqa8GpZoUi9Rckaxnhw6SgKyKx4Wpe6LpIsyavesCk3XVF + boYz0e7K0mF+ydqD85429hZix5w/Mvs8TvN1zQOVggwdMgPyoVh4Q5ndqYoU02Tq + PY7xot/i8iKl1HosCKcbjZx9oIaFMvg08zQpJy5CCgFZwz6DNQCNFrtuK7NeAPGV + Vor82Pz/MRsJTJg53a6x8CczEhDHh+yCYvYceMyWpaaGE1aumdEb9Pu0qUvorMIv + 3jCCw4Zkry8NEeMd9cZM7DzrVLKHFY4AQhhhh6O9CErAMbC+hPUBXtrsGUr2wSn6 + LiWjNLcUSGWoTHh8uXoIdvidPL7mSqPTwwVsCsKkGeCm+1rYHpIsnC5hWvzmBy1F + /jsPEF7uR1Pb/V5T/RldhUA5GtiLjE7UuSQhLeXvXXUm+ClW5EQIXy9rJwPsNJ5q + 3wgZa5U4Rc+RL8uUDQKNTkcIhPvIDVHNdhALvSt0yvVklGDaywm5Dd6AS/g1afGO + qqrlKShGxJYbCfVePRK69yz2l6c+Wlu04eqBau1Dge3IaikNkjZd/4U5TVMPMBW/ + UIvAF7PuEsx6ONSBHvUGQb6XrnFZnXsGySrzUvFMbNsJrU6thtgHt6hs1pevNie2 + lMNV+mOOjmp0AzbQ1ULxjdQluZLwlwIDAQABAoICAQCxGs9jlBQ1YU4hdcXKphmy + yan/ogavv8qcZCQhakasyRzmm32ubM8T7/m3oyg821eXm+Uhlf+dzFtQBOi2NyjW + 7LAAQMYas2vxlA1x0lSNnhbOeU6Tjx8HvwJRBJS4HpLLMfVQh3uZnHYkMf9fhzqJ + fMfowoa6dyD0ro+1kI3elpNN7lgSbWUEXUhztfRxxcMIKY/OrUflsfQ5VXQlkVck + E+78/r/c3aQ9pPOeg+LyYnETKZN6iJy27Q0Z0uAIXxefvksC3N1NQ9eqGpOBN9sE + HEe/LMwfJmTvtiPUrZ3pueJN5PBr0+rO/Dc+HEoVcxs0Yguoehtl0l07dYaPumep + TmXdrKvCkwM5cwnbXSWrCpqMS8Medb3zWvNnWO/mjRwTZyhmNdscjh3Ilvo+YCus + wM8HJFD4FuMtL3GtIfoKeszppACTkOOYiViGHmKUiQaSEwF7nhuIQqgN3ULCP7Z5 + mhL2RhLWacPfATITNkm4g2o16mFohZ9HPZSkPGm8rw7yhB1s2emoocXsms2iR1oa + mggNnUS3m87Z/HmOEyObIQZtYf1ZNuVAGGP4kmhhtNfMTmq3CPYM3oMRR1nb8Ci8 + zYwjEIvLYuDVlZFff4+IA7tCBZPichieoioaxutnYtO+nvuzDRiitL4my2EcXeE7 + tcIunkP9u5BNiXsfNcy3gQKCAQEA3X9eZ/IPF9Rrsjwtqkt7Oxn/uJ8JCotVBLnq + SCd7sCSaM06jUzMjMoj4SYyjzBYLycH/q+euT4UoPdPMKCfwx2NgR87MfuehWzwG + pmPbAbLJtLmZ+M/Bz5QzGS3J3f4qYxLptLHX971JgtTdcJhOAc+p/Elt3l43d/fr + sMVrZ8hqHlXmA6WuwqHjHnGP1ML6xFfsjDZ2jQ3VEV17XKtinucgitvkVuHYmtdQ + wm/yrM8vDkyglgk47j9CyfQdL10elBxe32WY5B0g9TmhIMypmlJk7inPPnAqJ4TF + JJBMvZOB9cJAjrtsDN3tAW/1q+wPF1HLwurqTLluZEc5MVjaOQKCAQEA9OenKlxB + 5HiANjH0riaokFDtjC27iHoeBkbEt+CyegGXVHEotVcKnG+N4Tw/GXcS9m33vu/X + Lmeowp/Z2BKxB7xvw81jQh8gEoUHFlH6DgksTPjVVSEa4wnESrqlFjRquBexpU6e + X//xVD72b0txAqJvpvtbxZC41WIwUBTBkHDlj2hegEzUvgzdO92FPRUDrAgB0wSv + 05U6fh1/4c3XTHqIHK4/gxiVRmjnpEdjEbOZsfbN8LGQK2eq4FkIS870VKigUZ/U + m2YB+8PKKyqKdXpWQHMZ9QvXoU9AwMw4Q+NEk4a/ZrnnMo59voKP1Qoqhd/rEAP7 + xa1AMOAl2DhhTwKCAQBdY4Z6bSTP91AxJg5a7thWYu/e967oMzb1dy3AnmUYL1aU + q2NRgQ4mEHofCJ1HP0RZHOKfqF9mR85fwx0hETYD23KM1DSEjUULIpPrM87zOF6z + RE4XCgG9c87XnuauIqvceezvssxMOBL2hqmW/6BkQxp4tL0ONMtOWcmWDqbqayXT + BISmpQS6K2eHPnpWSp9QiYHC3HO/pUVgvPl2aQx70xd1dKEhwLeDEaWLVYgMNI6y + iLxshhbq3OFcJQDpJ2ntKMkXh86e32k1+8Zj/ebEmljT0ez/dmtPnjtA31Z71+XD + qNNvWraD9k4nfP0oL69tNZ+j30hKcSSKQz1qAPyBAoIBAGBaI3KPCX2Ryx+HV/SM + URU2Qb883uM66EUf4pVVWeKWbatTOejebdZOLUvIICsspdE+QpJkWgxvy/2GVnak + I/IfOPmX/M0u4bdnjvpBFlgfU8aUv5nWhHV+ijO8aubpiHMVH1ciLz0lvRSgEOSI + kdWvgq33houb/Jw3HTrkb6McR7S8IzHnCGwdM40yAhGeCuvL2qvi1CoyM+kaQg3c + pi/4pURjaalyKoihDUGctGVqe7WAnFVuBoKNLrVFUfZBXe9QyIJUl5jr8SvUQ93n + xsGhd/2zSysVlahpPdicgCZ1a61+/h60VTmWxfIF/ACdF03EYv7SEmQbXX3dMgZ3 + aBECggEBALXqdEIkb9pBhwCvUHFG+c/IKBhS6j7BUj9PrZ3MATPXHo6Iy09d/dlV + psFQzWVvBmf3pcI0MEi7xdUMSN0jhZ8xp1owDlOQSM8DCQPFLaC38sfhZNThIfz0 + Q+fWYPe1lkRBtMVSokN1PtE5zETHlUKkh3fdQs0wihX4Wikc64rjCgXqXc8ng8Lk + NCUNBY/7pNfrEm0Zxz+8CvmRaBbL4OT2/hFsdcMiO3P24mCdAPgJ4v97pr8KxRHe + SmOyiSdaAyXHr/6+3KgO5pX8YUn9WiTF2hxo4SG3NQuuva0SBZT9B8iFXt1uFUtP + Rri7hsjysanKPyaPM1oofbRyWApMyRo= + -----END PRIVATE KEY----- + client_auth_type: "RequireAnyClientCert" diff --git a/web/testdata/web_config_noAuth_cert_empty.bad.yml b/web/testdata/web_config_noAuth_cert_empty.bad.yml new file mode 100644 index 00000000..cb8ca1c7 --- /dev/null +++ b/web/testdata/web_config_noAuth_cert_empty.bad.yml @@ -0,0 +1,3 @@ +tls_server_config: + cert: "" + key_file: "server.key" diff --git a/web/testdata/web_config_noAuth_key_empty.bad.yml b/web/testdata/web_config_noAuth_key_empty.bad.yml new file mode 100644 index 00000000..c9f5b238 --- /dev/null +++ b/web/testdata/web_config_noAuth_key_empty.bad.yml @@ -0,0 +1,3 @@ +tls_server_config: + cert_file: "server.crt" + key: "" diff --git a/web/testdata/web_config_noAuth_tlsInline.good.yml b/web/testdata/web_config_noAuth_tlsInline.good.yml new file mode 100644 index 00000000..872da881 --- /dev/null +++ b/web/testdata/web_config_noAuth_tlsInline.good.yml @@ -0,0 +1,89 @@ +tls_server_config: + cert: | + -----BEGIN CERTIFICATE----- + MIIFsDCCA5igAwIBAgIRAMMSh5NoexSCjSvDRf1fpgMwDQYJKoZIhvcNAQELBQAw + aTELMAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxKTAnBgNVBAsTIFBy + b21ldGhldXMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRowGAYDVQQDExFQcm9tZXRo + ZXVzIFRMUyBDQTAgFw0yMjA3MDgwOTE1MDdaGA8yMDcyMDYyNTA5MTUwN1owNjEL + MAkGA1UEBhMCVVMxEzARBgNVBAoTClByb21ldGhldXMxEjAQBgNVBAMTCWxvY2Fs + aG9zdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANPl1Iv/z+M8jHHU + SggOhvCS/0IfNi82+OprwalmhSL1FyRrGeHDpKArIrHhal7oukizJq96wKTddUVu + hjPR7srSYX7J2oPznjb2FmLHnD8y+zxO83XNA5WCDB0yA/KhWHhDmd2pihTTZOo9 + jvGi3+LyIqXUeiwIpxuNnH2ghoUy+DTzNCknLkIKAVnDPoM1AI0Wu24rs14A8ZVW + ivzY/P8xGwlMmDndrrHwJzMSEMeH7IJi9hx4zJalpoYTVq6Z0Rv0+7SpS+iswi/e + MILDhmSvLw0R4x31xkzsPOtUsocVjgBCGGGHo70ISsAxsL6E9QFe2uwZSvbBKfou + JaM0txRIZahMeHy5egh2+J08vuZKo9PDBWwKwqQZ4Kb7WtgekiycLmFa/OYHLUX+ + Ow8QXu5HU9v9XlP9GV2FQDka2IuMTtS5JCEt5e9ddSb4KVbkRAhfL2snA+w0nmrf + CBlrlThFz5Evy5QNAo1ORwiE+8gNUc12EAu9K3TK9WSUYNrLCbkN3oBL+DVp8Y6q + quUpKEbElhsJ9V49Err3LPaXpz5aW7Th6oFq7UOB7chqKQ2SNl3/hTlNUw8wFb9Q + i8AXs+4SzHo41IEe9QZBvpeucVmdewbJKvNS8Uxs2wmtTq2G2Ae3qGzWl682J7aU + w1X6Y46OanQDNtDVQvGN1CW5kvCXAgMBAAGjgYMwgYAwDgYDVR0PAQH/BAQDAgUg + MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMB8G + A1UdIwQYMBaAFMaaHh5g0+YopeLd1IkizXyK9K/zMCAGA1UdEQQZMBeCCWxvY2Fs + aG9zdIcEfwAAAYcEfwAAADANBgkqhkiG9w0BAQsFAAOCAgEAUXL/lzbgbs6whVrE + 3wkp0oDGVZ0Jti1hpeQk7Slt3PHsgu9OQOSGcv9QHs0ybhkDWZQjoCH6Nurx5QaY + GnpNQjylfy3zAziO0c7C1uXf7Z9AEMQwbOHFLefnvq86MtnwJ7sadQo+ViwtMgOW + He4YhkTyu2CqK8GFXRQUNm/SunffXp5zErPCNQURh4hrDUGlXPzyxgx1DyqFvF4S + X8IpsoED3d7cbEL7E9dgXNl7wuy3qoPi9P9KydFTIELBGt1oco980S1attSM9159 + t9iUIUMT4EdzmZxpIyJMCD+Lz9Y3zWVyz7DTqFWOtAtmhM4lu44K4S4d/JfAGEal + 3h3SMCbBPKwpsloO4r9TeGi2f+T7hfiFMdCezEyG8sXrObCDyVudyUnXnxDkZ5TQ + NOzqJaUJHeKzb+Z9WSovce3Pb8ok3GoDugmwqyjuN/rz/0jsDTJm18I6HHtONbUp + AIV/H/4+Kewc+Ztv97J7MeQB/2VKcY3vpZpMSEkg2ummRhXUfi0haxfoSCKvRwiD + BElUVtwHTsn3OBnKMGcBt32iLVsvbb/0AtNpohznPdQT7dqDVguejmwHn/fc4u4Q + vfAay/ACARti9XKGplQi7xn+OoYcAVPLYitYBRNEc6t+4f3EKehrDIMRCnxOFBVX + 9Dnm1DebturSQQEOuX5rP15lG1I= + -----END CERTIFICATE----- + key: | + -----BEGIN PRIVATE KEY----- + MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDT5dSL/8/jPIxx + 1EoIDobwkv9CHzYvNvjqa8GpZoUi9Rckaxnhw6SgKyKx4Wpe6LpIsyavesCk3XVF + boYz0e7K0mF+ydqD85429hZix5w/Mvs8TvN1zQOVggwdMgPyoVh4Q5ndqYoU02Tq + PY7xot/i8iKl1HosCKcbjZx9oIaFMvg08zQpJy5CCgFZwz6DNQCNFrtuK7NeAPGV + Vor82Pz/MRsJTJg53a6x8CczEhDHh+yCYvYceMyWpaaGE1aumdEb9Pu0qUvorMIv + 3jCCw4Zkry8NEeMd9cZM7DzrVLKHFY4AQhhhh6O9CErAMbC+hPUBXtrsGUr2wSn6 + LiWjNLcUSGWoTHh8uXoIdvidPL7mSqPTwwVsCsKkGeCm+1rYHpIsnC5hWvzmBy1F + /jsPEF7uR1Pb/V5T/RldhUA5GtiLjE7UuSQhLeXvXXUm+ClW5EQIXy9rJwPsNJ5q + 3wgZa5U4Rc+RL8uUDQKNTkcIhPvIDVHNdhALvSt0yvVklGDaywm5Dd6AS/g1afGO + qqrlKShGxJYbCfVePRK69yz2l6c+Wlu04eqBau1Dge3IaikNkjZd/4U5TVMPMBW/ + UIvAF7PuEsx6ONSBHvUGQb6XrnFZnXsGySrzUvFMbNsJrU6thtgHt6hs1pevNie2 + lMNV+mOOjmp0AzbQ1ULxjdQluZLwlwIDAQABAoICAQCxGs9jlBQ1YU4hdcXKphmy + yan/ogavv8qcZCQhakasyRzmm32ubM8T7/m3oyg821eXm+Uhlf+dzFtQBOi2NyjW + 7LAAQMYas2vxlA1x0lSNnhbOeU6Tjx8HvwJRBJS4HpLLMfVQh3uZnHYkMf9fhzqJ + fMfowoa6dyD0ro+1kI3elpNN7lgSbWUEXUhztfRxxcMIKY/OrUflsfQ5VXQlkVck + E+78/r/c3aQ9pPOeg+LyYnETKZN6iJy27Q0Z0uAIXxefvksC3N1NQ9eqGpOBN9sE + HEe/LMwfJmTvtiPUrZ3pueJN5PBr0+rO/Dc+HEoVcxs0Yguoehtl0l07dYaPumep + TmXdrKvCkwM5cwnbXSWrCpqMS8Medb3zWvNnWO/mjRwTZyhmNdscjh3Ilvo+YCus + wM8HJFD4FuMtL3GtIfoKeszppACTkOOYiViGHmKUiQaSEwF7nhuIQqgN3ULCP7Z5 + mhL2RhLWacPfATITNkm4g2o16mFohZ9HPZSkPGm8rw7yhB1s2emoocXsms2iR1oa + mggNnUS3m87Z/HmOEyObIQZtYf1ZNuVAGGP4kmhhtNfMTmq3CPYM3oMRR1nb8Ci8 + zYwjEIvLYuDVlZFff4+IA7tCBZPichieoioaxutnYtO+nvuzDRiitL4my2EcXeE7 + tcIunkP9u5BNiXsfNcy3gQKCAQEA3X9eZ/IPF9Rrsjwtqkt7Oxn/uJ8JCotVBLnq + SCd7sCSaM06jUzMjMoj4SYyjzBYLycH/q+euT4UoPdPMKCfwx2NgR87MfuehWzwG + pmPbAbLJtLmZ+M/Bz5QzGS3J3f4qYxLptLHX971JgtTdcJhOAc+p/Elt3l43d/fr + sMVrZ8hqHlXmA6WuwqHjHnGP1ML6xFfsjDZ2jQ3VEV17XKtinucgitvkVuHYmtdQ + wm/yrM8vDkyglgk47j9CyfQdL10elBxe32WY5B0g9TmhIMypmlJk7inPPnAqJ4TF + JJBMvZOB9cJAjrtsDN3tAW/1q+wPF1HLwurqTLluZEc5MVjaOQKCAQEA9OenKlxB + 5HiANjH0riaokFDtjC27iHoeBkbEt+CyegGXVHEotVcKnG+N4Tw/GXcS9m33vu/X + Lmeowp/Z2BKxB7xvw81jQh8gEoUHFlH6DgksTPjVVSEa4wnESrqlFjRquBexpU6e + X//xVD72b0txAqJvpvtbxZC41WIwUBTBkHDlj2hegEzUvgzdO92FPRUDrAgB0wSv + 05U6fh1/4c3XTHqIHK4/gxiVRmjnpEdjEbOZsfbN8LGQK2eq4FkIS870VKigUZ/U + m2YB+8PKKyqKdXpWQHMZ9QvXoU9AwMw4Q+NEk4a/ZrnnMo59voKP1Qoqhd/rEAP7 + xa1AMOAl2DhhTwKCAQBdY4Z6bSTP91AxJg5a7thWYu/e967oMzb1dy3AnmUYL1aU + q2NRgQ4mEHofCJ1HP0RZHOKfqF9mR85fwx0hETYD23KM1DSEjUULIpPrM87zOF6z + RE4XCgG9c87XnuauIqvceezvssxMOBL2hqmW/6BkQxp4tL0ONMtOWcmWDqbqayXT + BISmpQS6K2eHPnpWSp9QiYHC3HO/pUVgvPl2aQx70xd1dKEhwLeDEaWLVYgMNI6y + iLxshhbq3OFcJQDpJ2ntKMkXh86e32k1+8Zj/ebEmljT0ez/dmtPnjtA31Z71+XD + qNNvWraD9k4nfP0oL69tNZ+j30hKcSSKQz1qAPyBAoIBAGBaI3KPCX2Ryx+HV/SM + URU2Qb883uM66EUf4pVVWeKWbatTOejebdZOLUvIICsspdE+QpJkWgxvy/2GVnak + I/IfOPmX/M0u4bdnjvpBFlgfU8aUv5nWhHV+ijO8aubpiHMVH1ciLz0lvRSgEOSI + kdWvgq33houb/Jw3HTrkb6McR7S8IzHnCGwdM40yAhGeCuvL2qvi1CoyM+kaQg3c + pi/4pURjaalyKoihDUGctGVqe7WAnFVuBoKNLrVFUfZBXe9QyIJUl5jr8SvUQ93n + xsGhd/2zSysVlahpPdicgCZ1a61+/h60VTmWxfIF/ACdF03EYv7SEmQbXX3dMgZ3 + aBECggEBALXqdEIkb9pBhwCvUHFG+c/IKBhS6j7BUj9PrZ3MATPXHo6Iy09d/dlV + psFQzWVvBmf3pcI0MEi7xdUMSN0jhZ8xp1owDlOQSM8DCQPFLaC38sfhZNThIfz0 + Q+fWYPe1lkRBtMVSokN1PtE5zETHlUKkh3fdQs0wihX4Wikc64rjCgXqXc8ng8Lk + NCUNBY/7pNfrEm0Zxz+8CvmRaBbL4OT2/hFsdcMiO3P24mCdAPgJ4v97pr8KxRHe + SmOyiSdaAyXHr/6+3KgO5pX8YUn9WiTF2hxo4SG3NQuuva0SBZT9B8iFXt1uFUtP + Rri7hsjysanKPyaPM1oofbRyWApMyRo= + -----END PRIVATE KEY----- + client_auth_type: "VerifyClientCertIfGiven" \ No newline at end of file diff --git a/web/tls_config.go b/web/tls_config.go index 4ef31a3f..b0624f7c 100644 --- a/web/tls_config.go +++ b/web/tls_config.go @@ -43,6 +43,9 @@ type Config struct { } type TLSConfig struct { + TLSCert string `yaml:"cert"` + TLSKey string `yaml:"key"` + ClientCAsText string `yaml:"client_ca"` TLSCertPath string `yaml:"cert_file"` TLSKeyPath string `yaml:"key_file"` ClientAuth string `yaml:"client_auth_type"` @@ -132,22 +135,54 @@ func getTLSConfig(configPath string) (*tls.Config, error) { return ConfigToTLSConfig(&c.TLSConfig) } -// ConfigToTLSConfig generates the golang tls.Config from the TLSConfig struct. -func ConfigToTLSConfig(c *TLSConfig) (*tls.Config, error) { - if c.TLSCertPath == "" && c.TLSKeyPath == "" && c.ClientAuth == "" && c.ClientCAs == "" { - return nil, errNoTLSConfig +func validateTLSPaths(c *TLSConfig) error { + if c.TLSCertPath == "" && c.TLSCert == "" && + c.TLSKeyPath == "" && c.TLSKey == "" && + c.ClientCAs == "" && c.ClientCAsText == "" && + c.ClientAuth == "" { + return errNoTLSConfig } - if c.TLSCertPath == "" { - return nil, errors.New("missing cert_file") + if c.TLSCertPath == "" && c.TLSCert == "" { + return errors.New("missing at most one of cert or cert_file") } - if c.TLSKeyPath == "" { - return nil, errors.New("missing key_file") + if c.TLSKeyPath == "" && c.TLSKey == "" { + return errors.New("missing at most one of key or key_file") + } + + return nil +} + +// ConfigToTLSConfig generates the golang tls.Config from the TLSConfig struct. +func ConfigToTLSConfig(c *TLSConfig) (*tls.Config, error) { + if err := validateTLSPaths(c); err != nil { + return nil, err } loadCert := func() (*tls.Certificate, error) { - cert, err := tls.LoadX509KeyPair(c.TLSCertPath, c.TLSKeyPath) + var certData, keyData []byte + var err error + + if c.TLSCertPath != "" { + certData, err = os.ReadFile(c.TLSCertPath) + if err != nil { + return nil, fmt.Errorf("failed to read cert_file (%s): %s", c.TLSCertPath, err) + } + } else { + certData = []byte(c.TLSCert) + } + + if c.TLSKeyPath != "" { + keyData, err = os.ReadFile(c.TLSKeyPath) + if err != nil { + return nil, fmt.Errorf("failed to read key_file (%s): %s", c.TLSKeyPath, err) + } + } else { + keyData = []byte(c.TLSKey) + } + + cert, err := tls.X509KeyPair(certData, keyData) if err != nil { return nil, fmt.Errorf("failed to load X509KeyPair: %w", err) } @@ -193,6 +228,10 @@ func ConfigToTLSConfig(c *TLSConfig) (*tls.Config, error) { } clientCAPool.AppendCertsFromPEM(clientCAFile) cfg.ClientCAs = clientCAPool + } else if c.ClientCAsText != "" { + clientCAPool := x509.NewCertPool() + clientCAPool.AppendCertsFromPEM([]byte(c.ClientCAsText)) + cfg.ClientCAs = clientCAPool } if c.ClientAllowedSans != nil { @@ -215,7 +254,7 @@ func ConfigToTLSConfig(c *TLSConfig) (*tls.Config, error) { return nil, errors.New("Invalid ClientAuth: " + c.ClientAuth) } - if c.ClientCAs != "" && cfg.ClientAuth == tls.NoClientCert { + if (c.ClientCAs != "" || c.ClientCAsText != "") && cfg.ClientAuth == tls.NoClientCert { return nil, errors.New("Client CA's have been configured without a Client Auth Policy") } diff --git a/web/tls_config_test.go b/web/tls_config_test.go index b2479338..e113c96f 100644 --- a/web/tls_config_test.go +++ b/web/tls_config_test.go @@ -51,8 +51,8 @@ var ( "Invalid ClientAuth": regexp.MustCompile(`invalid ClientAuth`), "TLS handshake": regexp.MustCompile(`tls`), "HTTP Request to HTTPS server": regexp.MustCompile(`HTTP`), - "Invalid CertPath": regexp.MustCompile(`missing cert_file`), - "Invalid KeyPath": regexp.MustCompile(`missing key_file`), + "Invalid Cert or CertPath": regexp.MustCompile(`missing at most one of cert or cert_file`), + "Invalid Key or KeyPath": regexp.MustCompile(`missing at most one of key or key_file`), "ClientCA set without policy": regexp.MustCompile(`Client CA's have been configured without a Client Auth Policy`), "Bad password": regexp.MustCompile(`hashedSecret too short to be a bcrypted password`), "Unauthorized": regexp.MustCompile(`Unauthorized`), @@ -127,17 +127,27 @@ func TestYAMLFiles(t *testing.T) { { Name: `invalid config yml (cert path empty)`, YAMLConfigPath: "testdata/web_config_noAuth_certPath_empty.bad.yml", - ExpectedError: ErrorMap["Invalid CertPath"], + ExpectedError: ErrorMap["Invalid Cert or CertPath"], + }, + { + Name: `invalid config yml (cert empty)`, + YAMLConfigPath: "testdata/web_config_noAuth_cert_empty.bad.yml", + ExpectedError: ErrorMap["Invalid Cert or CertPath"], }, { Name: `invalid config yml (key path empty)`, YAMLConfigPath: "testdata/web_config_noAuth_keyPath_empty.bad.yml", - ExpectedError: ErrorMap["Invalid KeyPath"], + ExpectedError: ErrorMap["Invalid Key or KeyPath"], + }, + { + Name: `invalid config yml (key empty)`, + YAMLConfigPath: "testdata/web_config_noAuth_key_empty.bad.yml", + ExpectedError: ErrorMap["Invalid Key or KeyPath"], }, { Name: `invalid config yml (cert path and key path empty)`, YAMLConfigPath: "testdata/web_config_noAuth_certPath_keyPath_empty.bad.yml", - ExpectedError: ErrorMap["Invalid CertPath"], + ExpectedError: ErrorMap["Invalid Cert or CertPath"], }, { Name: `invalid config yml (cert path invalid)`, @@ -215,6 +225,12 @@ func TestServerBehaviour(t *testing.T) { UseTLSClient: true, ExpectedError: nil, }, + { + Name: `valid tls config yml (cert and key inline) and tls client`, + YAMLConfigPath: "testdata/web_config_noAuth_tlsInline.good.yml", + UseTLSClient: true, + ExpectedError: nil, + }, { Name: `valid tls config yml with TLS 1.1 client`, YAMLConfigPath: "testdata/web_config_noAuth.good.yml", @@ -328,6 +344,13 @@ func TestServerBehaviour(t *testing.T) { ClientCertificate: "client_selfsigned", ExpectedError: nil, }, + { + Name: `valid tls config yml (cert from file, key inline) and tls client with RequireAnyClientCert (present certificate)`, + YAMLConfigPath: "testdata/tls_config_noAuth.requireanyclientcert.good.yml", + UseTLSClient: true, + ClientCertificate: "client_selfsigned", + ExpectedError: nil, + }, { Name: `valid tls config yml and tls client with RequireAndVerifyClientCert`, YAMLConfigPath: "testdata/tls_config_noAuth.requireandverifyclientcert.good.yml", From 2d00d7b30005130ea05e381ea61f21ec190911ba Mon Sep 17 00:00:00 2001 From: fayzal-g Date: Thu, 8 Jun 2023 17:45:55 +0100 Subject: [PATCH 2/5] Change error msg Signed-off-by: fayzal-g --- web/tls_config.go | 4 ++-- web/tls_config_test.go | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/web/tls_config.go b/web/tls_config.go index b0624f7c..11a68bd0 100644 --- a/web/tls_config.go +++ b/web/tls_config.go @@ -144,11 +144,11 @@ func validateTLSPaths(c *TLSConfig) error { } if c.TLSCertPath == "" && c.TLSCert == "" { - return errors.New("missing at most one of cert or cert_file") + return errors.New("missing one of cert or cert_file") } if c.TLSKeyPath == "" && c.TLSKey == "" { - return errors.New("missing at most one of key or key_file") + return errors.New("missing one of key or key_file") } return nil diff --git a/web/tls_config_test.go b/web/tls_config_test.go index e113c96f..6ca20673 100644 --- a/web/tls_config_test.go +++ b/web/tls_config_test.go @@ -51,8 +51,8 @@ var ( "Invalid ClientAuth": regexp.MustCompile(`invalid ClientAuth`), "TLS handshake": regexp.MustCompile(`tls`), "HTTP Request to HTTPS server": regexp.MustCompile(`HTTP`), - "Invalid Cert or CertPath": regexp.MustCompile(`missing at most one of cert or cert_file`), - "Invalid Key or KeyPath": regexp.MustCompile(`missing at most one of key or key_file`), + "Invalid Cert or CertPath": regexp.MustCompile(`missing one of cert or cert_file`), + "Invalid Key or KeyPath": regexp.MustCompile(`missing one of key or key_file`), "ClientCA set without policy": regexp.MustCompile(`Client CA's have been configured without a Client Auth Policy`), "Bad password": regexp.MustCompile(`hashedSecret too short to be a bcrypted password`), "Unauthorized": regexp.MustCompile(`Unauthorized`), From 953f8e3dd6c8726ff1c662a56e4e3fea3801db6e Mon Sep 17 00:00:00 2001 From: fayzal-g Date: Wed, 14 Jun 2023 10:18:09 +0100 Subject: [PATCH 3/5] Use Secret type for key Signed-off-by: fayzal-g --- web/tls_config.go | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/web/tls_config.go b/web/tls_config.go index 11a68bd0..61383bce 100644 --- a/web/tls_config.go +++ b/web/tls_config.go @@ -43,19 +43,19 @@ type Config struct { } type TLSConfig struct { - TLSCert string `yaml:"cert"` - TLSKey string `yaml:"key"` - ClientCAsText string `yaml:"client_ca"` - TLSCertPath string `yaml:"cert_file"` - TLSKeyPath string `yaml:"key_file"` - ClientAuth string `yaml:"client_auth_type"` - ClientCAs string `yaml:"client_ca_file"` - CipherSuites []Cipher `yaml:"cipher_suites"` - CurvePreferences []Curve `yaml:"curve_preferences"` - MinVersion TLSVersion `yaml:"min_version"` - MaxVersion TLSVersion `yaml:"max_version"` - PreferServerCipherSuites bool `yaml:"prefer_server_cipher_suites"` - ClientAllowedSans []string `yaml:"client_allowed_sans"` + TLSCert string `yaml:"cert"` + TLSKey config_util.Secret `yaml:"key"` + ClientCAsText string `yaml:"client_ca"` + TLSCertPath string `yaml:"cert_file"` + TLSKeyPath string `yaml:"key_file"` + ClientAuth string `yaml:"client_auth_type"` + ClientCAs string `yaml:"client_ca_file"` + CipherSuites []Cipher `yaml:"cipher_suites"` + CurvePreferences []Curve `yaml:"curve_preferences"` + MinVersion TLSVersion `yaml:"min_version"` + MaxVersion TLSVersion `yaml:"max_version"` + PreferServerCipherSuites bool `yaml:"prefer_server_cipher_suites"` + ClientAllowedSans []string `yaml:"client_allowed_sans"` } type FlagConfig struct { From 448bd14770a78a2ae06238cded543a285dd18ec5 Mon Sep 17 00:00:00 2001 From: fayzal-g Date: Wed, 14 Jun 2023 13:17:33 +0100 Subject: [PATCH 4/5] Update web-configuration docs Signed-off-by: fayzal-g --- docs/web-configuration.md | 28 +++++++++++++++---- .../web_config_noAuth_tlsInline.good.yml | 2 +- 2 files changed, 24 insertions(+), 6 deletions(-) diff --git a/docs/web-configuration.md b/docs/web-configuration.md index 4042fd0a..ee03d64f 100644 --- a/docs/web-configuration.md +++ b/docs/web-configuration.md @@ -23,6 +23,24 @@ Generic placeholders are defined as follows: ``` tls_server_config: + # Certificate for server to use to authenticate to client. + # Expected to be passed as a PEM encoded sequence of bytes as a string. + # + # NOTE: When passing the cert inline, cert_file should not be specified below. + cert: + + # Key for server to use to authenticate to client. + # Expected to be passed as a PEM encoded sequence of bytes as a string. + # + # NOTE: When passing the key inline, key_file should not be specified below. + key: + + # CA certificate for client certificate authentication to the server. + # Expected to be passed as a PEM encoded sequence of bytes as a string. + # + # NOTE: When passing the client_ca inline, client_ca_file should not be specified below. + [ client_ca: ] + # Certificate and key files for server to use to authenticate to client. cert_file: key_file: @@ -37,14 +55,14 @@ tls_server_config: # CA certificate for client certificate authentication to the server. [ client_ca_file: ] - - # Verify that the client certificate has a Subject Alternate Name (SAN) - # which is an exact match to an entry in this list, else terminate the - # connection. SAN match can be one or multiple of the following: DNS, + + # Verify that the client certificate has a Subject Alternate Name (SAN) + # which is an exact match to an entry in this list, else terminate the + # connection. SAN match can be one or multiple of the following: DNS, # IP, e-mail, or URI address from https://pkg.go.dev/crypto/x509#Certificate. [ client_allowed_sans: [ - ] ] - + # Minimum TLS version that is acceptable. [ min_version: | default = "TLS12" ] diff --git a/web/testdata/web_config_noAuth_tlsInline.good.yml b/web/testdata/web_config_noAuth_tlsInline.good.yml index 872da881..fe6ac95f 100644 --- a/web/testdata/web_config_noAuth_tlsInline.good.yml +++ b/web/testdata/web_config_noAuth_tlsInline.good.yml @@ -86,4 +86,4 @@ tls_server_config: SmOyiSdaAyXHr/6+3KgO5pX8YUn9WiTF2hxo4SG3NQuuva0SBZT9B8iFXt1uFUtP Rri7hsjysanKPyaPM1oofbRyWApMyRo= -----END PRIVATE KEY----- - client_auth_type: "VerifyClientCertIfGiven" \ No newline at end of file + client_auth_type: "VerifyClientCertIfGiven" From 6192b917cbe09abce256834e43e2e541af845927 Mon Sep 17 00:00:00 2001 From: fayzal-g Date: Wed, 14 Jun 2023 13:27:41 +0100 Subject: [PATCH 5/5] Make docs clearer Signed-off-by: fayzal-g --- docs/web-configuration.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/web-configuration.md b/docs/web-configuration.md index ee03d64f..a7823349 100644 --- a/docs/web-configuration.md +++ b/docs/web-configuration.md @@ -26,19 +26,19 @@ tls_server_config: # Certificate for server to use to authenticate to client. # Expected to be passed as a PEM encoded sequence of bytes as a string. # - # NOTE: When passing the cert inline, cert_file should not be specified below. - cert: + # NOTE: If passing the cert inline, cert_file should not be specified below. + [ cert: ] # Key for server to use to authenticate to client. # Expected to be passed as a PEM encoded sequence of bytes as a string. # - # NOTE: When passing the key inline, key_file should not be specified below. - key: + # NOTE: If passing the key inline, key_file should not be specified below. + [ key: ] # CA certificate for client certificate authentication to the server. # Expected to be passed as a PEM encoded sequence of bytes as a string. # - # NOTE: When passing the client_ca inline, client_ca_file should not be specified below. + # NOTE: If passing the client_ca inline, client_ca_file should not be specified below. [ client_ca: ] # Certificate and key files for server to use to authenticate to client.