46 lines
999 B
Go
46 lines
999 B
Go
package apitls
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
_ "embed"
|
|
"errors"
|
|
|
|
"github.com/abh/certman"
|
|
"go.ntppool.org/common/logger"
|
|
)
|
|
|
|
//go:embed ca.pem
|
|
var caBytes []byte
|
|
|
|
type CertificateProvider interface {
|
|
GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error)
|
|
GetClientCertificate(certRequestInfo *tls.CertificateRequestInfo) (*tls.Certificate, error)
|
|
}
|
|
|
|
func CAPool() (*x509.CertPool, error) {
|
|
capool := x509.NewCertPool()
|
|
if !capool.AppendCertsFromPEM(caBytes) {
|
|
return nil, errors.New("credentials: failed to append certificates")
|
|
}
|
|
|
|
return capool, nil
|
|
}
|
|
|
|
// GetCertman sets up certman for the specified cert / key pair. It is
|
|
// used in the monitor-api and (for now) in the client
|
|
func GetCertman(certFile, keyFile string) (*certman.CertMan, error) {
|
|
|
|
cm, err := certman.New(certFile, keyFile)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
log := logger.NewStdLog("cm", false, nil)
|
|
cm.Logger(log)
|
|
err = cm.Watch()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return cm, nil
|
|
}
|