diff --git a/utils/go.mod b/utils/go.mod
index c0a7080..5359286 100644
--- a/utils/go.mod
+++ b/utils/go.mod
@@ -3,3 +3,7 @@ module github.com/tx7do/kratos-bootstrap/utils
 go 1.23
 
 toolchain go1.23.3
+
+require github.com/tx7do/kratos-bootstrap/api v0.0.8
+
+require google.golang.org/protobuf v1.35.2 // indirect
diff --git a/utils/go.sum b/utils/go.sum
index e69de29..0e27272 100644
--- a/utils/go.sum
+++ b/utils/go.sum
@@ -0,0 +1,6 @@
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/tx7do/kratos-bootstrap/api v0.0.8 h1:vANpul/s5B8qttkTUSLmNxoygotrQ6tEZoDda3wzY9g=
+github.com/tx7do/kratos-bootstrap/api v0.0.8/go.mod h1:hNGBb78xPrNSBv0E91JDlubqlHm/lc146Rk52iP308U=
+google.golang.org/protobuf v1.35.2 h1:8Ar7bF+apOIoThw1EdZl0p1oWvMqTHmpA2fRTyZO8io=
+google.golang.org/protobuf v1.35.2/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
diff --git a/utils/tls.go b/utils/tls.go
index 59c75a5..2f9b0b9 100644
--- a/utils/tls.go
+++ b/utils/tls.go
@@ -7,6 +7,8 @@ import (
 	"fmt"
 	"log"
 	"os"
+
+	conf "github.com/tx7do/kratos-bootstrap/api/gen/go/conf/v1"
 )
 
 // 双向验证:server端提供证书(cert和key),还必须配置cerfiles即CA根证书,因为需要验证client端提供的证书。另外client也端必须提供一样的内容,即client端的证书(cert/key)以供server端验证,并且提供CA根证书验证server端提供的证书。
@@ -52,7 +54,7 @@ func LoadServerTlsConfigFile(keyFile, certFile, caFile string, insecureSkipVerif
 	return &cfg, nil
 }
 
-func LoadServerTlsConfig(keyPEMBlock, certPEMBlock, caPEMBlock []byte, insecureSkipVerify bool) (*tls.Config, error) {
+func LoadServerTlsConfigString(keyPEMBlock, certPEMBlock, caPEMBlock []byte, insecureSkipVerify bool) (*tls.Config, error) {
 	if len(keyPEMBlock) == 0 || len(certPEMBlock) == 0 {
 		return nil, fmt.Errorf("KeyPEMBlock and CertPEMBlock must both be present[key: %v, cert: %v]", keyPEMBlock, certPEMBlock)
 	}
@@ -87,6 +89,33 @@ func LoadServerTlsConfig(keyPEMBlock, certPEMBlock, caPEMBlock []byte, insecureS
 	return &cfg, nil
 }
 
+func LoadServerTlsConfig(cfg *conf.TLS) (*tls.Config, error) {
+	var tlsCfg *tls.Config
+	var err error
+
+	if cfg.File != nil {
+		if tlsCfg, err = LoadServerTlsConfigFile(
+			cfg.File.GetKeyPath(),
+			cfg.File.GetCertPath(),
+			cfg.File.GetCaPath(),
+			cfg.InsecureSkipVerify,
+		); err != nil {
+			return nil, err
+		}
+	} else if cfg.Config != nil {
+		if tlsCfg, err = LoadServerTlsConfigString(
+			cfg.Config.GetKeyPem(),
+			cfg.Config.GetCertPem(),
+			cfg.Config.GetCaPem(),
+			cfg.InsecureSkipVerify,
+		); err != nil {
+			return nil, err
+		}
+	}
+
+	return tlsCfg, err
+}
+
 // LoadClientTlsConfigFile 创建客户端端TLS证书认证配置
 // keyFile 客户端私钥文件路径
 // certFile 客户端证书文件路径
@@ -122,7 +151,7 @@ func LoadClientTlsConfigFile(keyFile, certFile, caFile string) (*tls.Config, err
 	return &cfg, nil
 }
 
-func LoadClientTlsConfig(keyPEMBlock, certPEMBlock, caPEMBlock []byte) (*tls.Config, error) {
+func LoadClientTlsConfigString(keyPEMBlock, certPEMBlock, caPEMBlock []byte) (*tls.Config, error) {
 	if len(keyPEMBlock) == 0 || len(certPEMBlock) == 0 {
 		return nil, fmt.Errorf("KeyPEMBlock and CertPEMBlock must both be present[key: %v, cert: %v]", keyPEMBlock, certPEMBlock)
 	}
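Review bot: LoadServerTlsConfig dereferences cfg without a nil check, and when neither cfg.File nor cfg.Config is set it returns (nil, nil), so a caller that wires the result into a listener gets no error and either panics on the nil pointer or ends up serving without the TLS settings it expected; LoadClientTlsConfig in the next hunk has the same two gaps. Guard against a nil cfg and turn the "no section configured" case into an explicit error so a misconfigured deployment fails at startup instead of silently; `err` is necessarily nil at the final `return tlsCfg, err`, so returning `nil` there reads more honestly. The function is exported and takes over a name the previous hunk renamed away (a compile-time break for existing callers), so it also needs a doc comment that records the precedence the if/else-if order gives: `// LoadServerTlsConfig builds a server-side *tls.Config from cfg; when both File and Config are set, File takes precedence.`
```go
func LoadServerTlsConfig(cfg *conf.TLS) (*tls.Config, error) {
	if cfg == nil {
		return nil, fmt.Errorf("tls config must not be nil")
	}
	// … unchanged: File / Config branches …
	if tlsCfg == nil {
		return nil, fmt.Errorf("tls config has neither file nor config section")
	}
	return tlsCfg, nil
}
```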
@@ -153,6 +182,31 @@ func LoadClientTlsConfig(keyPEMBlock, certPEMBlock, caPEMBlock []byte) (*tls.Con
 	return &cfg, nil
 }
 
+func LoadClientTlsConfig(cfg *conf.TLS) (*tls.Config, error) {
+	var tlsCfg *tls.Config
+	var err error
+
+	if cfg.File != nil {
+		if tlsCfg, err = LoadClientTlsConfigFile(
+			cfg.File.GetKeyPath(),
+			cfg.File.GetCertPath(),
+			cfg.File.GetCaPath(),
+		); err != nil {
+			return nil, err
+		}
+	} else if cfg.Config != nil {
+		if tlsCfg, err = LoadClientTlsConfigString(
+			cfg.Config.GetKeyPem(),
+			cfg.Config.GetCertPem(),
+			cfg.Config.GetCaPem(),
+		); err != nil {
+			return nil, err
+		}
+	}
+
+	return tlsCfg, err
+}
+
 // newCertPool creates x509 certPool with provided CA file
 func newCertPoolWithCaFile(caFile string) (*x509.CertPool, error) {
 	pemByte, err := os.ReadFile(caFile)
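Review bot: The client path never consults cfg.InsecureSkipVerify — both branches call the three-argument loaders — while the server counterpart passes the same field through, so an operator who sets it on a client section gets no effect and a reader of this function cannot tell whether that is deliberate. Leaving the flag unapplied on the client side is the safer behaviour, but it should be stated rather than implied; I would add `// LoadClientTlsConfig builds a client-side *tls.Config from cfg; cfg.InsecureSkipVerify is not applied here. When both File and Config are set, File takes precedence.` If the flag is meant to be honored for clients, the change belongs in LoadClientTlsConfigFile and LoadClientTlsConfigString, whose bodies lie outside this hunk.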