kuma

1
package http
2

3
import (
4
	"crypto/tls"
5
	"crypto/x509"
6
	"net/http"
7
	"os"
8

9
	"github.com/pkg/errors"
10
)
11

12
func ConfigureMTLS(httpClient *http.Client, caCert string, clientCert string, clientKey string) error {
13
	transport := &http.Transport{
14
		TLSClientConfig: &tls.Config{
15
			MinVersion: tls.VersionTLS12,
16
		},
17
	}
18

19
	if caCert == "" {
20
		transport.TLSClientConfig.InsecureSkipVerify = true
21
	} else {
22
		certBytes, err := os.ReadFile(caCert)
23
		if err != nil {
24
			return errors.Wrap(err, "could not read CA cert")
25
		}
26
		certPool := x509.NewCertPool()
27
		if ok := certPool.AppendCertsFromPEM(certBytes); !ok {
28
			return errors.New("could not add certificate")
29
		}
30
		transport.TLSClientConfig.RootCAs = certPool
31
	}
32

33
	if clientKey != "" && clientCert != "" {
34
		cert, err := tls.LoadX509KeyPair(clientCert, clientKey)
35
		if err != nil {
36
			return errors.Wrap(err, "could not create key pair from client cert and client key")
37
		}
38
		transport.TLSClientConfig.Certificates = []tls.Certificate{cert}
39
	}
40

41
	httpClient.Transport = transport
42
	return nil
43
}
44