mirror of https://github.com/docker/docs.git
96 lines
2.5 KiB
Go
96 lines
2.5 KiB
Go
package utils
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"fmt"
|
|
"os"
|
|
|
|
"github.com/docker/notary/trustmanager"
|
|
)
|
|
|
|
// ConfigureServerTLS specifies a set of ciphersuites, the server cert and key,
|
|
// and optionally client authentication. Note that a tls configuration is
|
|
// constructed that either requires and verifies client authentication or
|
|
// doesn't deal with client certs at all. Nothing in the middle.
|
|
func ConfigureServerTLS(serverCert string, serverKey string, clientAuth bool, caCertDir string) (*tls.Config, error) {
|
|
keypair, err := tls.LoadX509KeyPair(serverCert, serverKey)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
tlsConfig := &tls.Config{
|
|
MinVersion: tls.VersionTLS12,
|
|
PreferServerCipherSuites: true,
|
|
CipherSuites: []uint16{
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
|
|
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
|
|
tls.TLS_RSA_WITH_AES_128_CBC_SHA,
|
|
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
|
|
},
|
|
Certificates: []tls.Certificate{keypair},
|
|
Rand: rand.Reader,
|
|
}
|
|
|
|
if clientAuth {
|
|
tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
|
|
}
|
|
|
|
if caCertDir != "" {
|
|
// Check to see if the given directory exists
|
|
fi, err := os.Stat(caCertDir)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if !fi.IsDir() {
|
|
return nil, fmt.Errorf("No such directory: %s", caCertDir)
|
|
}
|
|
|
|
certStore, err := trustmanager.NewX509FileStore(caCertDir)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if certStore.Empty() {
|
|
return nil, fmt.Errorf("No certificates in %s", caCertDir)
|
|
}
|
|
tlsConfig.ClientCAs = certStore.GetCertificatePool()
|
|
}
|
|
|
|
return tlsConfig, nil
|
|
}
|
|
|
|
// ConfigureClientTLS generates a tls configuration for clients using the
|
|
// provided.
|
|
func ConfigureClientTLS(rootCA string, skipVerify bool, clientCert string, clientKey string) (*tls.Config, error) {
|
|
tlsConfig := &tls.Config{
|
|
InsecureSkipVerify: skipVerify,
|
|
MinVersion: tls.VersionTLS12,
|
|
}
|
|
|
|
if rootCA != "" {
|
|
rootCert, err := trustmanager.LoadCertFromFile(rootCA)
|
|
if err != nil {
|
|
return nil, fmt.Errorf(
|
|
"Could not load root ca file. %s", err.Error())
|
|
}
|
|
rootPool := x509.NewCertPool()
|
|
rootPool.AddCert(rootCert)
|
|
tlsConfig.RootCAs = rootPool
|
|
}
|
|
|
|
if clientCert != "" && clientKey != "" {
|
|
keypair, err := tls.LoadX509KeyPair(clientCert, clientKey)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
tlsConfig.Certificates = []tls.Certificate{keypair}
|
|
}
|
|
|
|
return tlsConfig, nil
|
|
}
|