Mariano Cano
parent
bacbf85aa3
commit
25eba1a96c
4 changed files with 286 additions and 74 deletions
109
ca/mutable_tls_config.go
Normal file
109
ca/mutable_tls_config.go
Normal file
|
|
@ -0,0 +1,109 @@
|
|||
package ca
|
||||
|
||||
import (
|
||||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"sync"
|
||||
|
||||
"github.com/smallstep/certificates/api"
|
||||
)
|
||||
|
||||
// mutableTLSConfig allows to use a tls.Config with mutable cert pools.
|
||||
type mutableTLSConfig struct {
|
||||
sync.RWMutex
|
||||
config *tls.Config
|
||||
clientCerts []*x509.Certificate
|
||||
rootCerts []*x509.Certificate
|
||||
mutClientCerts []*x509.Certificate
|
||||
mutRootCerts []*x509.Certificate
|
||||
}
|
||||
|
||||
// newMutableTLSConfig creates a new mutableTLSConfig using the passed one as
|
||||
// the base one.
|
||||
func newMutableTLSConfig() *mutableTLSConfig {
|
||||
return &mutableTLSConfig{
|
||||
clientCerts: []*x509.Certificate{},
|
||||
rootCerts: []*x509.Certificate{},
|
||||
mutClientCerts: []*x509.Certificate{},
|
||||
mutRootCerts: []*x509.Certificate{},
|
||||
}
|
||||
}
|
||||
|
||||
// Init initializes the mutable tls.Config with the given tls.Config.
|
||||
func (c *mutableTLSConfig) Init(base *tls.Config) {
|
||||
c.Lock()
|
||||
c.config = base.Clone()
|
||||
c.Unlock()
|
||||
}
|
||||
|
||||
// TLSConfig returns the updated tls.Config it it has changed. It's is used in
|
||||
// the tls.Config GetConfigForClient.
|
||||
func (c *mutableTLSConfig) TLSConfig() (config *tls.Config) {
|
||||
c.RLock()
|
||||
config = c.config
|
||||
c.RUnlock()
|
||||
return
|
||||
}
|
||||
|
||||
// Reload reloads the tls.Config with the new CAs.
|
||||
func (c *mutableTLSConfig) Reload() {
|
||||
// Prepare new pools
|
||||
c.RLock()
|
||||
rootCAs := x509.NewCertPool()
|
||||
clientCAs := x509.NewCertPool()
|
||||
// Fixed certs
|
||||
for _, cert := range c.rootCerts {
|
||||
rootCAs.AddCert(cert)
|
||||
}
|
||||
for _, cert := range c.clientCerts {
|
||||
clientCAs.AddCert(cert)
|
||||
}
|
||||
// Mutable certs
|
||||
for _, cert := range c.mutRootCerts {
|
||||
rootCAs.AddCert(cert)
|
||||
}
|
||||
for _, cert := range c.mutClientCerts {
|
||||
clientCAs.AddCert(cert)
|
||||
}
|
||||
c.RUnlock()
|
||||
|
||||
// Set new pool
|
||||
c.Lock()
|
||||
c.config.RootCAs = rootCAs
|
||||
c.config.ClientCAs = clientCAs
|
||||
c.mutRootCerts = []*x509.Certificate{}
|
||||
c.mutClientCerts = []*x509.Certificate{}
|
||||
c.Unlock()
|
||||
}
|
||||
|
||||
// AddFixedClientCACert add an in-mutable cert to ClientCAs.
|
||||
func (c *mutableTLSConfig) AddInmutableClientCACert(cert *x509.Certificate) {
|
||||
c.Lock()
|
||||
c.clientCerts = append(c.clientCerts, cert)
|
||||
c.Unlock()
|
||||
}
|
||||
|
||||
// AddInmutableRootCACert add an in-mutable cert to RootCas.
|
||||
func (c *mutableTLSConfig) AddInmutableRootCACert(cert *x509.Certificate) {
|
||||
c.Lock()
|
||||
c.rootCerts = append(c.rootCerts, cert)
|
||||
c.Unlock()
|
||||
}
|
||||
|
||||
// AddClientCAs add mutable certs to ClientCAs.
|
||||
func (c *mutableTLSConfig) AddClientCAs(certs []api.Certificate) {
|
||||
c.Lock()
|
||||
for _, cert := range certs {
|
||||
c.mutClientCerts = append(c.mutClientCerts, cert.Certificate)
|
||||
}
|
||||
c.Unlock()
|
||||
}
|
||||
|
||||
// AddRootCAs add mutable certs to RootCAs.
|
||||
func (c *mutableTLSConfig) AddRootCAs(certs []api.Certificate) {
|
||||
c.Lock()
|
||||
for _, cert := range certs {
|
||||
c.mutRootCerts = append(c.mutRootCerts, cert.Certificate)
|
||||
}
|
||||
c.Unlock()
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue