132 lines
3.4 KiB
Go
132 lines
3.4 KiB
Go
/*
|
|
Copyright NetFoundry Inc.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
https://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package rest_util
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"encoding/base64"
|
|
"fmt"
|
|
"github.com/fullsailor/pkcs7"
|
|
"io"
|
|
)
|
|
|
|
// VerifyController will attempt to use the provided x509.CertPool to connect to the provided controller.
|
|
// If successful true an no error will be returned.
|
|
func VerifyController(controllerAddr string, caPool *x509.CertPool) (bool, error) {
|
|
tlsConfig, err := NewTlsConfig()
|
|
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
|
|
tlsConfig.RootCAs = caPool
|
|
|
|
httpClient, err := NewHttpClientWithTlsConfig(tlsConfig)
|
|
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
|
|
_, err = httpClient.Get(controllerAddr + "/edge/client/v1/versions")
|
|
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
|
|
return true, nil
|
|
}
|
|
|
|
// GetControllerWellKnownCasWithTlsConfig will attempt to connect to a controller and retrieve its PKCS11 well-known CA
|
|
// bundle with a specific TLS config.
|
|
func GetControllerWellKnownCasWithTlsConfig(controllerAddr string, tlsConfig *tls.Config) ([]*x509.Certificate, error) {
|
|
httpClient, err := NewHttpClientWithTlsConfig(tlsConfig)
|
|
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
resp, err := httpClient.Get(fmt.Sprintf("%v/.well-known/est/cacerts", controllerAddr))
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
defer func() { _ = resp.Body.Close() }()
|
|
encoded, err := io.ReadAll(resp.Body)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
certData, err := base64.StdEncoding.DecodeString(string(encoded))
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
certs, err := pkcs7.Parse(certData)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return certs.Certificates, nil
|
|
}
|
|
|
|
// GetControllerWellKnownCas will attempt to connect to a controller and retrieve its PKCS11 well-known CA bundle.
|
|
func GetControllerWellKnownCas(controllerAddr string) ([]*x509.Certificate, error) {
|
|
tlsConfig, err := NewTlsConfig()
|
|
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
tlsConfig.InsecureSkipVerify = true
|
|
|
|
return GetControllerWellKnownCasWithTlsConfig(controllerAddr, tlsConfig)
|
|
}
|
|
|
|
// GetControllerWellKnownCaPoolWithTlsConfig will attempt to connect to a controller and retrieve its PKCS11 well-known
|
|
// CA bundle as an x509.CertPool using a pre-configured TLS config.
|
|
func GetControllerWellKnownCaPoolWithTlsConfig(controllerAddr string, tlsConfig *tls.Config) (*x509.CertPool, error) {
|
|
certs, err := GetControllerWellKnownCasWithTlsConfig(controllerAddr, tlsConfig)
|
|
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
pool := x509.NewCertPool()
|
|
|
|
for _, cert := range certs {
|
|
pool.AddCert(cert)
|
|
}
|
|
|
|
return pool, nil
|
|
}
|
|
|
|
// GetControllerWellKnownCaPool will attempt to connect to a controller and retrieve its PKCS11 well-known CA bundle as
|
|
// an x509.CertPool.
|
|
func GetControllerWellKnownCaPool(controllerAddr string) (*x509.CertPool, error) {
|
|
certs, err := GetControllerWellKnownCas(controllerAddr)
|
|
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
pool := x509.NewCertPool()
|
|
|
|
for _, cert := range certs {
|
|
pool.AddCert(cert)
|
|
}
|
|
|
|
return pool, nil
|
|
}
|