apitls helper

apitls/apitls.go

@@ -0,0 +1,45 @@
+package apitls
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	_ "embed"
+	"errors"
+
+	"github.com/abh/certman"
+	"go.ntppool.org/common/logger"
+)
+
+//go:embed ca.pem
+var caBytes []byte
+
+type CertificateProvider interface {
+	GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error)
+	GetClientCertificate(certRequestInfo *tls.CertificateRequestInfo) (*tls.Certificate, error)
+}
+
+func CAPool() (*x509.CertPool, error) {
+	capool := x509.NewCertPool()
+	if !capool.AppendCertsFromPEM(caBytes) {
+		return nil, errors.New("credentials: failed to append certificates")
+	}
+
+	return capool, nil
+}
+
+// GetCertman sets up certman for the specified cert / key pair. It is
+// used in the monitor-api and (for now) in the client
+func GetCertman(certFile, keyFile string) (*certman.CertMan, error) {
+
+	cm, err := certman.New(certFile, keyFile)
+	if err != nil {
+		return nil, err
+	}
+	log := logger.NewStdLog("cm", false, nil)
+	cm.Logger(log)
+	err = cm.Watch()
+	if err != nil {
+		return nil, err
+	}
+	return cm, nil
+}

apitls/ca.pem

@@ -0,0 +1,45 @@
+# ca.ntppool.org root
+-----BEGIN CERTIFICATE-----
+MIIDPjCCAiagAwIBAgIUQVMc/U43K+90+J9fuNzHKWaxdM8wDQYJKoZIhvcNAQEL
+BQAwGTEXMBUGA1UEAxMOY2EubnRwcG9vbC5vcmcwHhcNMjEwODE5MDA1MzU2WhcN
+MzEwODE3MDA1NDI1WjAZMRcwFQYDVQQDEw5jYS5udHBwb29sLm9yZzCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAM2PR1iFODcYVZ6oepByjI6FZ8epM8r1
+0xaUgZn83O1tOjxqST3R5UYYajVorOVsHfFwCPNlR3idBi6GEPPXq6KIWbwoRCfZ
+bi7W2DvJG96RHXU1QlEZRp8KLsq8v3VGEeQl8J2N5BZVHcJVahvWR+hANMlvbKGk
+XqYClImPO7sCxppHIadVQsWimfxkiqAPzXnH4sUZsWOz0Z0mxJzgM/lbzfxKc/wI
+nE4OA2dY+SYjvwtnqoQk+GATp/SW9fi0naogXpAZQ66A3JHCojgc8UyuRZuritLT
+VFV1gXtJjT4e9PGlYOF0pAAQfZtToN5h35O9d8KQ3ANy0fi/PoRhiP8CAwEAAaN+
+MHwwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFO4g
+l4s+T/kutNRupAFOML56QNpyMB8GA1UdIwQYMBaAFO4gl4s+T/kutNRupAFOML56
+QNpyMBkGA1UdEQQSMBCCDmNhLm50cHBvb2wub3JnMA0GCSqGSIb3DQEBCwUAA4IB
+AQACZfcpV6SMyItG4h71x58sCvuLWGd35Q0EKh4jWqq+5VKjHJkxAer+Q9D4VU5Q
+ZoFIBRwDEXMd1O9wik8byc9DAYAIP96/iolPesCKygHBD5ijP7PPpZrT1bkYxa2M
+K07cBgMWiSJ7uIK4ts49/MOwwbvk3SSGcx+OgghNzlNRgt2l/kEU1BkMplkQO4m5
+EpgbpNPkonaOwA9MUvF4oWYzy7zICcUR9d1omCsy/9eA3pLNNoUIzkYp2NnWHooS
+sbGknkQhe7ONqV2bIIVkANdDVkzRfRfWCmZdbr0s1rbmJOHRbINW9oY7uB6oPp5g
+MQBzqrVek5I75ZU3lMajUICZ
+-----END CERTIFICATE-----
+
+# ca.ntppool.org -- servers sub CA
+-----BEGIN CERTIFICATE-----
+MIIDnjCCAoagAwIBAgIUW4mGdSTZaOd89zLzGzH2TMnYFxgwDQYJKoZIhvcNAQEL
+BQAwGTEXMBUGA1UEAxMOY2EubnRwcG9vbC5vcmcwHhcNMjEwODE5MDMwOTIyWhcN
+MjYwODE4MDMwOTUyWjAuMSwwKgYDVQQDEyNjYS5udHBwb29sLm9yZyBzdWItc3lz
+dGVtIGF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKfA
+y/z6C0L9T9i6kif9LPkjwOpAz69a+kDIVuuAC84NJgqLvEDEwRl4l/bpJR1MC509
+x4WUxIrAKinT2y1Olj+oEjTR+asvgXcxhjX5fup9ywDQW75om0ARDCUWg6gN5SX7
+NksZEMcHr7N48GyA76EpmRFU+yGt4rIpCo6EAG+lzhRdB6YS71zSHl1TQ6sZ4oIl
+JYPediXmG+TDvxJWlVOr/eKwgFruL6T/vQ/HTBpo04KTOEt2imnNYZPF2FjHMXP3
+3ql90VcqzYJI2/DhAa38bkB40Z3Jz8Zp0mvXMMfF0cEYqmnSXPYaiBFpRJjk742s
+zaya2+meE1P8+zQHiQcCAwEAAaOByDCBxTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0T
+AQH/BAUwAwEB/zAdBgNVHQ4EFgQUilIROXDi5YJ2vdp6JaFbT+1P7GEwHwYDVR0j
+BBgwFoAU7iCXiz5P+S601G6kAU4wvnpA2nIwNQYIKwYBBQUHAQEEKTAnMCUGCCsG
+AQUFBzAChhlodHRwczovL2NhLm50cHBvb2wub3JnL2NhMCsGA1UdHwQkMCIwIKAe
+oByGGmh0dHBzOi8vY2EubnRwcG9vbC5vcmcvY3JsMA0GCSqGSIb3DQEBCwUAA4IB
+AQC+XthXZr1kGgfRxlP6sumbzeIFBcZgMoKlMUImjZjMdmov0ZwDAmdqO27GuhwU
+T5gVcp6D1EmgzYKTb2QgLr4pnfy28St8oF3UFD9GMZjJH4xrnE4emQqZhQBYrfSg
+KRbwZl5x9ZnYju433/6rBBfHnpoc9FyqtYF8V8OXprtiYBn/mT3gnM2otd3WJW+B
+ar9V59Au0kHSkJJR/y59TPOiXAHih2wHXTKSZgKtSI9Lgqb81TDtobY5Xf+xuMlb
+UxrW/IuQWHEC1p1hXHWYs1amxLCGFpH934uM3NladEaQaAvGOE6zYCbL54+xUvU4
+jcwQMhg44B7rPwJ5OS0d4x+G
+-----END CERTIFICATE-----