package main

import (
	"crypto/x509"
	"errors"
	"time"

	v2 "mosn.io/mosn/pkg/config/v2"
	"mosn.io/mosn/pkg/log"
	mosntls "mosn.io/mosn/pkg/mtls"
	"mosn.io/mosn/pkg/mtls/certtool"
	"mosn.io/mosn/pkg/mtls/crypto/tls"
	"mosn.io/mosn/pkg/types"
)

// tlsConfigHooks is the test-only ConfigHooks extension registered by init
// under the name "mosn-integrate-test-tls". It serves a single certificate
// produced by certtool (see createCert) and verifies peers against the
// certtool root CA only: the chain is checked with x509.Certificate.Verify
// without a DNSName, so SAN (dns/ip) and hostname verification is deliberately
// skipped. That is acceptable for an integration test and for nothing else —
// any certificate issued by the test CA is accepted for any host.
type tlsConfigHooks struct {
	root        *x509.CertPool      // CA pool returned by GetX509Pool and used as the verification root
	cert        tls.Certificate     // leaf certificate returned by GetCertificate
	defaultHook mosntls.ConfigHooks // library defaults; GetClientAuth and GenerateHashValue delegate to it
}

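// verifyPeerCertificate checks that certs forms a valid chain from certs[0]
// (the leaf) through certs[1:] (used as intermediates) to one of roots, as of
// time t. No DNSName is set, so only the CA signature, validity period and
// basic constraints are checked; SAN/hostname matching is skipped on purpose.
//
// An empty certs slice yields an error instead of a panic on certs[0]. A nil
// roots pool makes x509 fall back to the system roots, so callers must pass
// the test CA pool explicitly.
func (hook *tlsConfigHooks) verifyPeerCertificate(roots *x509.CertPool, certs []*x509.Certificate, t time.Time) error {
	if len(certs) == 0 {
		return errors.New("tls: no peer certificate presented")
	}
	leaf, rest := certs[0], certs[1:]
	intermediates := x509.NewCertPool()
	for _, c := range rest {
		intermediates.AddCert(c)
	}
	opts := x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		CurrentTime:   t,
		// KeyUsages is left empty, which x509 treats as ExtKeyUsageServerAuth
		// on both the client and the server side; a client certificate
		// without that EKU would be rejected here — confirm the certtool
		// certificates carry it.
	}
	_, err := leaf.Verify(opts)
	return err
}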

// GetClientAuth has no extension-specific behavior: the client-auth mode is
// whatever the default hooks derive from cfg.
func (hook *tlsConfigHooks) GetClientAuth(cfg *v2.TLSConfig) tls.ClientAuthType {
	delegate := hook.defaultHook
	return delegate.GetClientAuth(cfg)
}

// GenerateHashValue is delegated unchanged to the default hooks; this
// extension adds nothing to how a tls.Config is hashed.
func (hook *tlsConfigHooks) GenerateHashValue(cfg *tls.Config) *types.HashValue {
	delegate := hook.defaultHook
	return delegate.GenerateHashValue(cfg)
}

// GetCertificate always returns the single test certificate prepared in init.
// certIndex and keyIndex exist only to satisfy the ConfigHooks interface and
// are not consulted.
func (hook *tlsConfigHooks) GetCertificate(certIndex, keyIndex string) (cert tls.Certificate, err error) {
	_, _ = certIndex, keyIndex // there is exactly one certificate to hand out
	cert = hook.cert
	return cert, nil
}

// GetX509Pool always returns the test root CA pool prepared in init; caIndex
// exists only to satisfy the ConfigHooks interface and is not consulted.
func (hook *tlsConfigHooks) GetX509Pool(caIndex string) (pool *x509.CertPool, err error) {
	_ = caIndex // there is exactly one CA pool to hand out
	pool = hook.root
	return pool, nil
}

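// ServerHandshakeVerify returns the VerifyPeerCertificate callback used on the
// server side. rawCerts is the DER chain the client presented (leaf first);
// verifiedChains is ignored because this extension verifies the chain itself,
// against cfg.ClientCAs as of cfg.Time (time.Now if unset).
//
// Behaviour by cfg.ClientAuth:
//   - below VerifyClientCertIfGiven: the chain is only parsed, never verified;
//   - VerifyClientCertIfGiven: a presented chain must verify, none is accepted;
//   - RequireAndVerifyClientCert: a missing chain is rejected here as well, so
//     the hook does not rely on the surrounding TLS stack enforcing the
//     requirement before it is called.
//
// SAN/hostname checks are skipped (see verifyPeerCertificate).
func (hook *tlsConfigHooks) ServerHandshakeVerify(cfg *tls.Config) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
		// Parse unconditionally: a malformed certificate is an error in every
		// client-auth mode, as before.
		certs := make([]*x509.Certificate, 0, len(rawCerts))
		for _, der := range rawCerts {
			c, err := x509.ParseCertificate(der)
			if err != nil {
				return err
			}
			certs = append(certs, c)
		}
		if cfg.ClientAuth < tls.VerifyClientCertIfGiven {
			return nil
		}
		if len(certs) == 0 {
			if cfg.ClientAuth >= tls.RequireAndVerifyClientCert {
				return errors.New("tls: client did not present a certificate")
			}
			return nil // VerifyClientCertIfGiven: absence is allowed
		}
		now := time.Now()
		if cfg.Time != nil {
			now = cfg.Time()
		}
		return hook.verifyPeerCertificate(cfg.ClientCAs, certs, now)
	}
}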

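// ClientHandshakeVerify returns the VerifyPeerCertificate callback used on the
// client side. rawCerts is the DER chain the server presented (leaf first);
// verifiedChains is ignored because this extension verifies the chain itself,
// against cfg.RootCAs as of cfg.Time (time.Now if unset).
//
// A server that presents no certificate is rejected explicitly rather than
// handed to verifyPeerCertificate, which indexes certs[0]. SAN/hostname checks
// are skipped, so a successful return only proves that the server holds a
// certificate issued by the test CA — enough for the integration test, not
// for a real deployment.
func (hook *tlsConfigHooks) ClientHandshakeVerify(cfg *tls.Config) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
		certs := make([]*x509.Certificate, 0, len(rawCerts))
		for _, der := range rawCerts {
			c, err := x509.ParseCertificate(der)
			if err != nil {
				return err
			}
			certs = append(certs, c)
		}
		if len(certs) == 0 {
			return errors.New("tls: server did not present a certificate")
		}
		now := time.Now()
		if cfg.Time != nil {
			now = cfg.Time()
		}
		return hook.verifyPeerCertificate(cfg.RootCAs, certs, now)
	}
}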

// tlsConfigHooksFactory produces tlsConfigHooks instances that all share one
// root CA pool and one leaf certificate, both prepared in init.
type tlsConfigHooksFactory struct {
	root *x509.CertPool  // CA pool every produced hook returns from GetX509Pool
	cert tls.Certificate // leaf every produced hook returns from GetCertificate
}

// CreateConfigHooks returns a hooks instance bound to the factory's root pool
// and certificate, with the library defaults filling in the delegated methods.
// The config map is accepted for the factory interface and never consulted:
// every instance uses the same fixed material.
func (f *tlsConfigHooksFactory) CreateConfigHooks(config map[string]interface{}) mosntls.ConfigHooks {
	_ = config
	hooks := &tlsConfigHooks{
		root:        f.root,
		cert:        f.cert,
		defaultHook: mosntls.DefaultConfigHooks(),
	}
	return hooks
}

// createCert builds the leaf certificate this extension serves: a fresh P-256
// key, a certtool template for the name "test", with IPAddresses cleared so the
// certificate carries no IP SAN, signed via certtool and returned as a
// tls.Certificate. Whether any DNS SAN remains depends on what
// certtool.CreateTemplate populates, which is not visible here; the verifier
// ignores SANs either way. On any failure the zero Certificate is returned
// together with the error.
func createCert() (tls.Certificate, error) {
	key, err := certtool.GeneratePrivateKey("P256")
	if err != nil {
		return tls.Certificate{}, err
	}
	template, err := certtool.CreateTemplate("test", false, nil)
	if err != nil {
		return tls.Certificate{}, err
	}
	template.IPAddresses = nil // no IP SAN
	signed, err := certtool.SignCertificate(template, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.X509KeyPair([]byte(signed.CertPem), []byte(signed.KeyPem))
}

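// init registers the "mosn-integrate-test-tls" ConfigHooks factory. It loads
// the certtool root CA into a fresh pool and generates the test leaf
// certificate; every failure is fatal because a test binary with a
// half-initialised TLS extension is useless.
//
// The result of AppendCertsFromPEM is checked: a root PEM that parses to no
// certificate would otherwise leave an empty (non-nil) pool, and every peer
// verification would then fail with an unknown-authority error far from the
// actual cause.
func init() {
	root := certtool.GetRootCA()
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM([]byte(root.CertPem)) {
		log.DefaultLogger.Fatalf("init tls extension failed: no certificate parsed from root CA PEM")
	}
	cert, err := createCert()
	if err != nil {
		log.DefaultLogger.Fatalf("init tls extension failed: %v", err)
	}
	factory := &tlsConfigHooksFactory{root: pool, cert: cert}
	if err := mosntls.Register("mosn-integrate-test-tls", factory); err != nil {
		log.DefaultLogger.Fatalf("register tls extension failed: %v", err)
	}
}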
