hydroxide-push/config/tls.go

package config

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io/ioutil"
)

func TLS(certPath string, keyPath string, clientCAPath string) (*tls.Config, error) {
	tlsConfig := &tls.Config{}

	if certPath != "" && keyPath != "" {
		cert, err := tls.LoadX509KeyPair(certPath, keyPath)
		if err != nil {
			return nil, fmt.Errorf("error: unable load key pair: %s", err)
		}

		tlsConfig.Certificates = []tls.Certificate{cert}
	}

	if clientCAPath != "" {
		data, err := ioutil.ReadFile(clientCAPath)
		if err != nil {
			return nil, fmt.Errorf("error: unable read CA file: %s", err)
		}

		pool := x509.NewCertPool()
		pool.AppendCertsFromPEM(data)

		tlsConfig.ClientCAs = pool
		tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
	}

	return tlsConfig, nil
}
Add support for TLS listeners Support for -tls-cert and -tls-key to point to a certificate and key to encrypt communications between the user and hydroxide. Support for -tls-client-ca to ask client to present a certificate signed by the provided CA. Closes: https://github.com/emersion/hydroxide/issues/13 2021-02-24 10:48:29 +02:00			`package config`

			`import (`
			`"crypto/tls"`
			`"crypto/x509"`
			`"fmt"`
			`"io/ioutil"`
			`)`

			`func TLS(certPath string, keyPath string, clientCAPath string) (*tls.Config, error) {`
			`tlsConfig := &tls.Config{}`

			`if certPath != "" && keyPath != "" {`
			`cert, err := tls.LoadX509KeyPair(certPath, keyPath)`
			`if err != nil {`
			`return nil, fmt.Errorf("error: unable load key pair: %s", err)`
			`}`

			`tlsConfig.Certificates = []tls.Certificate{cert}`
			`}`

			`if clientCAPath != "" {`
			`data, err := ioutil.ReadFile(clientCAPath)`
			`if err != nil {`
			`return nil, fmt.Errorf("error: unable read CA file: %s", err)`
			`}`

			`pool := x509.NewCertPool()`
			`pool.AppendCertsFromPEM(data)`

			`tlsConfig.ClientCAs = pool`
			`tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert`
			`}`

			`return tlsConfig, nil`
			`}`