Load identity certificate from disk in each connection.
This commit is contained in:
parent
a26d489abd
commit
f5d2f92099
3 changed files with 28 additions and 11 deletions
|
@ -60,7 +60,9 @@ func LoadClient() (*Client, error) {
|
|||
|
||||
// Prepare transport with information in defaults.json and identity.json
|
||||
tr := http.DefaultTransport.(*http.Transport).Clone()
|
||||
tr.TLSClientConfig = &tls.Config{}
|
||||
tr.TLSClientConfig = &tls.Config{
|
||||
GetClientCertificate: identity.GetClientCertificateFunc(),
|
||||
}
|
||||
|
||||
// RootCAs
|
||||
b, err = ioutil.ReadFile(defaults.Root)
|
||||
|
@ -72,13 +74,6 @@ func LoadClient() (*Client, error) {
|
|||
tr.TLSClientConfig.RootCAs = pool
|
||||
}
|
||||
|
||||
// Certificate
|
||||
crt, err := tls.LoadX509KeyPair(identity.Certificate, identity.Key)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error loading certificate: %v", err)
|
||||
}
|
||||
tr.TLSClientConfig.Certificates = []tls.Certificate{crt}
|
||||
|
||||
return &Client{
|
||||
CaURL: caURL,
|
||||
Client: &http.Client{
|
||||
|
|
|
@ -185,11 +185,21 @@ func TestLoadClient(t *testing.T) {
|
|||
t.Errorf("LoadClient() = %#v, want %#v", got, tt.want)
|
||||
}
|
||||
} else {
|
||||
if !reflect.DeepEqual(got.CaURL, tt.want.CaURL) ||
|
||||
!reflect.DeepEqual(got.Client.Transport.(*http.Transport).TLSClientConfig.RootCAs, tt.want.Client.Transport.(*http.Transport).TLSClientConfig.RootCAs) ||
|
||||
!reflect.DeepEqual(got.Client.Transport.(*http.Transport).TLSClientConfig.Certificates, tt.want.Client.Transport.(*http.Transport).TLSClientConfig.Certificates) {
|
||||
gotTransport := got.Client.Transport.(*http.Transport)
|
||||
wantTransport := tt.want.Client.Transport.(*http.Transport)
|
||||
if gotTransport.TLSClientConfig.GetClientCertificate == nil {
|
||||
t.Error("LoadClient() transport does not define GetClientCertificate")
|
||||
} else if !reflect.DeepEqual(got.CaURL, tt.want.CaURL) || !reflect.DeepEqual(gotTransport.TLSClientConfig.RootCAs, wantTransport.TLSClientConfig.RootCAs) {
|
||||
t.Errorf("LoadClient() = %#v, want %#v", got, tt.want)
|
||||
} else {
|
||||
crt, err := gotTransport.TLSClientConfig.GetClientCertificate(nil)
|
||||
if err != nil {
|
||||
t.Errorf("LoadClient() GetClientCertificate error = %v", err)
|
||||
} else if !reflect.DeepEqual(*crt, wantTransport.TLSClientConfig.Certificates[0]) {
|
||||
t.Errorf("LoadClient() GetClientCertificate crt = %#v, want %#v", *crt, wantTransport.TLSClientConfig.Certificates[0])
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
})
|
||||
}
|
||||
|
|
|
@ -203,6 +203,18 @@ func (i *Identity) TLSCertificate() (tls.Certificate, error) {
|
|||
}
|
||||
}
|
||||
|
||||
// GetClientCertificateFunc returns a method that can be used as the
|
||||
// GetClientCertificate property in a tls.Config.
|
||||
func (i *Identity) GetClientCertificateFunc() func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
|
||||
return func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
|
||||
crt, err := tls.LoadX509KeyPair(i.Certificate, i.Key)
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, "error loading identity certificate")
|
||||
}
|
||||
return &crt, nil
|
||||
}
|
||||
}
|
||||
|
||||
// Renewer is that interface that a renew client must implement.
|
||||
type Renewer interface {
|
||||
GetRootCAs() *x509.CertPool
|
||||
|
|
Loading…
Reference in a new issue