author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 12:08:03 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 12:08:18 +0000 |
commit | 5da14042f70711ea5cf66e034699730335462f66 (patch) | |
tree | 0f6354ccac934ed87a2d555f45be4c831cf92f4a /src/go/collectors/go.d.plugin/pkg/tlscfg/config.go | |
parent | Releasing debian version 1.44.3-2. (diff) | |
download | netdata-5da14042f70711ea5cf66e034699730335462f66.tar.xz netdata-5da14042f70711ea5cf66e034699730335462f66.zip |
Merging upstream version 1.45.3+dfsg.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r-- | src/go/collectors/go.d.plugin/pkg/tlscfg/config.go | 77 |
1 files changed, 77 insertions, 0 deletions
diff --git a/src/go/collectors/go.d.plugin/pkg/tlscfg/config.go b/src/go/collectors/go.d.plugin/pkg/tlscfg/config.go
new file mode 100644
index 000000000..60e152e0f
--- /dev/null
+++ b/src/go/collectors/go.d.plugin/pkg/tlscfg/config.go
@@ -0,0 +1,77 @@
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package tlscfg
+
+import (
+ "crypto/tls"
+ "crypto/x509"
+ "fmt"
+ "os"
+)
+
+// TLSConfig represents the standard client TLS configuration.
+type TLSConfig struct {
+ // TLSCA specifies the certificate authority to use when verifying server certificates.
+ TLSCA string `yaml:"tls_ca" json:"tls_ca"`
+
+ // TLSCert specifies tls certificate file.
+ TLSCert string `yaml:"tls_cert" json:"tls_cert"`
+
+ // TLSKey specifies tls key file.
+ TLSKey string `yaml:"tls_key" json:"tls_key"`
+
+ // InsecureSkipVerify controls whether a client verifies the server's certificate chain and host name.
+ InsecureSkipVerify bool `yaml:"tls_skip_verify" json:"tls_skip_verify"`
+}
+
+// NewTLSConfig creates a tls.Config, may be nil without an error if TLS is not configured.
+func NewTLSConfig(cfg TLSConfig) (*tls.Config, error) {
+ if cfg.TLSCA == "" && cfg.TLSKey == "" && cfg.TLSCert == "" && !cfg.InsecureSkipVerify {
+ return nil, nil
+ }
+
+ tlsConfig := &tls.Config{
+ InsecureSkipVerify: cfg.InsecureSkipVerify,
+ Renegotiation: tls.RenegotiateNever,
+ }
+
+ if cfg.TLSCA != "" {
+ pool, err := loadCertPool([]string{cfg.TLSCA})
+ if err != nil {
+ return nil, err
+ }
+ tlsConfig.RootCAs = pool
+ }
+
+ if cfg.TLSCert != "" && cfg.TLSKey != "" {
+ cert, err := loadCertificate(cfg.TLSCert, cfg.TLSKey)
+ if err != nil {
+ return nil, err
+ }
+ tlsConfig.Certificates = []tls.Certificate{cert}
+ }
+
+ return tlsConfig, nil
+}
+
+func loadCertPool(certFiles []string) (*x509.CertPool, error) {
+ pool := x509.NewCertPool()
+ for _, certFile := range certFiles {
+ pem, err := os.ReadFile(certFile)
+ if err != nil {
+ return nil, fmt.Errorf("could not read certificate %q: %v", certFile, err)
+ }
+ if !pool.AppendCertsFromPEM(pem) {
+ return nil, fmt.Errorf("could not parse any PEM certificates %q: %v", certFile, err)
+ }
+ }
+ return pool, nil
+}
+
+func loadCertificate(certFile, keyFile string) (tls.Certificate, error) {
+ cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+ if err != nil {
+ return tls.Certificate{}, fmt.Errorf("could not load keypair %s:%s: %v", certFile, keyFile, err)
+ }
+ return cert, nil
+} |
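Review bot: In loadCertPool, the error returned when AppendCertsFromPEM fails still formats `err`, but at that point `err` is the nil left behind by the successful os.ReadFile, so the message ends in `: <nil>` and carries no information; it should be `return nil, fmt.Errorf("could not parse any PEM certificates %q", certFile)`. The read-failure and keypair errors use `%v`, which flattens the underlying *os.PathError; `%w` would let callers inspect it with errors.Is/errors.As. NewTLSConfig also silently ignores a half-configured client certificate: when exactly one of TLSCert or TLSKey is set, no certificate is loaded and no error is returned, so a typo in one of the two keys quietly disables client authentication instead of failing the configuration; a guard such as `if (cfg.TLSCert == "") != (cfg.TLSKey == "") { return nil, fmt.Errorf("tls_cert and tls_key must be set together") }` placed before the certificate branch would surface that at load time.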