2021-01-04 10:28:55 +00:00
|
|
|
package utils
|
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto/tls"
|
|
|
|
"crypto/x509"
|
|
|
|
"fmt"
|
|
|
|
"io/ioutil"
|
|
|
|
"path"
|
|
|
|
"strings"
|
|
|
|
|
|
|
|
"github.com/authelia/authelia/internal/configuration/schema"
|
2021-01-10 11:10:45 +00:00
|
|
|
"github.com/authelia/authelia/internal/logging"
|
2021-01-04 10:28:55 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
// NewTLSConfig generates a tls.Config from a schema.TLSConfig and a x509.CertPool.
|
|
|
|
func NewTLSConfig(config *schema.TLSConfig, defaultMinVersion uint16, certPool *x509.CertPool) (tlsConfig *tls.Config) {
|
|
|
|
minVersion, err := TLSStringToTLSConfigVersion(config.MinimumVersion)
|
|
|
|
if err != nil {
|
|
|
|
minVersion = defaultMinVersion
|
|
|
|
}
|
|
|
|
|
|
|
|
return &tls.Config{
|
|
|
|
ServerName: config.ServerName,
|
|
|
|
InsecureSkipVerify: config.SkipVerify, //nolint:gosec // Informed choice by user. Off by default.
|
|
|
|
MinVersion: minVersion,
|
|
|
|
RootCAs: certPool,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// NewX509CertPool generates a x509.CertPool from the system PKI and the directory specified.
|
2021-04-16 01:44:37 +00:00
|
|
|
func NewX509CertPool(directory string) (certPool *x509.CertPool, errors []error, nonFatalErrors []error) {
|
2021-01-04 10:28:55 +00:00
|
|
|
certPool, err := x509.SystemCertPool()
|
|
|
|
if err != nil {
|
2021-03-05 04:18:31 +00:00
|
|
|
nonFatalErrors = append(nonFatalErrors, fmt.Errorf("could not load system certificate pool which may result in untrusted certificate issues: %v", err))
|
2021-01-04 10:28:55 +00:00
|
|
|
certPool = x509.NewCertPool()
|
|
|
|
}
|
|
|
|
|
2021-01-10 11:10:45 +00:00
|
|
|
logger := logging.Logger()
|
|
|
|
|
|
|
|
logger.Tracef("Starting scan of directory %s for certificates", directory)
|
|
|
|
|
2021-01-04 10:28:55 +00:00
|
|
|
if directory != "" {
|
|
|
|
certsFileInfo, err := ioutil.ReadDir(directory)
|
|
|
|
if err != nil {
|
|
|
|
errors = append(errors, fmt.Errorf("could not read certificates from directory %v", err))
|
|
|
|
} else {
|
|
|
|
for _, certFileInfo := range certsFileInfo {
|
|
|
|
nameLower := strings.ToLower(certFileInfo.Name())
|
|
|
|
|
2021-01-10 11:10:45 +00:00
|
|
|
if !certFileInfo.IsDir() && (strings.HasSuffix(nameLower, ".cer") || strings.HasSuffix(nameLower, ".crt") || strings.HasSuffix(nameLower, ".pem")) {
|
|
|
|
certPath := path.Join(directory, certFileInfo.Name())
|
|
|
|
|
|
|
|
logger.Tracef("Found possible cert %s, attempting to add it to the pool", certPath)
|
|
|
|
|
|
|
|
certBytes, err := ioutil.ReadFile(certPath)
|
2021-01-04 10:28:55 +00:00
|
|
|
if err != nil {
|
|
|
|
errors = append(errors, fmt.Errorf("could not read certificate %v", err))
|
|
|
|
} else if ok := certPool.AppendCertsFromPEM(certBytes); !ok {
|
|
|
|
errors = append(errors, fmt.Errorf("could not import certificate %s", certFileInfo.Name()))
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-01-10 11:10:45 +00:00
|
|
|
logger.Tracef("Finished scan of directory %s for certificates", directory)
|
|
|
|
|
2021-01-04 10:28:55 +00:00
|
|
|
return certPool, errors, nonFatalErrors
|
|
|
|
}
|
|
|
|
|
|
|
|
// TLSStringToTLSConfigVersion returns a go crypto/tls version for a tls.Config based on string input.
|
|
|
|
func TLSStringToTLSConfigVersion(input string) (version uint16, err error) {
|
|
|
|
switch strings.ToUpper(input) {
|
|
|
|
case "TLS1.3", TLS13:
|
|
|
|
return tls.VersionTLS13, nil
|
|
|
|
case "TLS1.2", TLS12:
|
|
|
|
return tls.VersionTLS12, nil
|
|
|
|
case "TLS1.1", TLS11:
|
|
|
|
return tls.VersionTLS11, nil
|
|
|
|
case "TLS1.0", TLS10:
|
|
|
|
return tls.VersionTLS10, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0, ErrTLSVersionNotSupported
|
|
|
|
}
|