mirror of
https://github.com/siderolabs/talos.git
synced 2025-08-25 08:31:13 +02:00
64 lines
1.7 KiB
Go
64 lines
1.7 KiB
Go
package tls
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"fmt"
|
|
|
|
"github.com/autonomy/talos/internal/pkg/userdata"
|
|
)
|
|
|
|
// Type represents the TLS authentication type.
|
|
type Type int
|
|
|
|
const (
|
|
// Mutual configures the server's policy for TLS Client Authentication to
|
|
// mutual TLS.
|
|
Mutual Type = 1 << iota
|
|
// ServerOnly configures the server's policy for TLS Client Authentication
|
|
// to server only.
|
|
ServerOnly
|
|
)
|
|
|
|
// NewConfig initializes a TLS config for the specified type.
|
|
func NewConfig(t Type, data *userdata.OSSecurity) (config *tls.Config, err error) {
|
|
certPool := x509.NewCertPool()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("could not read ca certificate: %s", err)
|
|
}
|
|
if ok := certPool.AppendCertsFromPEM(data.CA.Crt); !ok {
|
|
return nil, fmt.Errorf("failed to append client certs")
|
|
}
|
|
|
|
certificate, err := tls.X509KeyPair(data.Identity.Crt, data.Identity.Key)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("could not load server key pair: %s", err)
|
|
}
|
|
|
|
config = &tls.Config{
|
|
// Set the root certificate authorities to use the self-signed
|
|
// certificate.
|
|
RootCAs: certPool,
|
|
// Validate certificates against the provided CA.
|
|
ClientCAs: certPool,
|
|
// Present the certificate to the other side.
|
|
Certificates: []tls.Certificate{certificate},
|
|
// Perfect Forward Secrecy.
|
|
CurvePreferences: []tls.CurveID{tls.X25519},
|
|
CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
|
|
// Force the above cipher suites.
|
|
PreferServerCipherSuites: true,
|
|
// TLS 1.2
|
|
MinVersion: tls.VersionTLS12,
|
|
}
|
|
|
|
switch t {
|
|
case Mutual:
|
|
config.ClientAuth = tls.RequireAndVerifyClientCert
|
|
case ServerOnly:
|
|
config.ClientAuth = tls.NoClientCert
|
|
}
|
|
|
|
return config, nil
|
|
}
|