load default CA from ca.pem

2023-03-21 18:28:05 +08:00 · 2023-03-21 18:28:05 +08:00 · 18fa84b51f
commit 18fa84b51f
parent a39800270b
2 changed files with 31 additions and 12 deletions
--- a/config/parsing/tls.go
+++ b/config/parsing/tls.go
@ -34,7 +34,7 @@ func BuildDefaultTLSConfig(cfg *config.TLSConfig) {
 		}
 	}

-	tlsConfig, err := tls_util.LoadConfig(cfg.CertFile, cfg.KeyFile, cfg.CAFile)
+	tlsConfig, err := tls_util.LoadDefaultConfig(cfg.CertFile, cfg.KeyFile, cfg.CAFile)
 	if err != nil {
 		// generate random self-signed certificate.
 		cert, err := genCertificate(cfg.Validity, cfg.Organization, cfg.CommonName)
--- a/internal/util/tls/tls.go
+++ b/internal/util/tls/tls.go
@ -7,9 +7,37 @@ import (
 	"io/ioutil"
 	"net"
 	"time"
+
+	"github.com/go-gost/core/logger"
 )

-func LoadConfig(certFile, keyFile, caFile string) (*tls.Config, error) {
+// LoadDefaultConfig loads the certificate from cert & key files and optional CA file.
+func LoadDefaultConfig(certFile, keyFile, caFile string) (*tls.Config, error) {
+	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+	if err != nil {
+		return nil, err
+	}
+
+	cfg := &tls.Config{Certificates: []tls.Certificate{cert}}
+
+	pool, err := loadCA(caFile)
+	if err != nil {
+		logger.Default().Debugf("load default CA(%s): %v", caFile, err)
+	}
+	if pool != nil {
+		cfg.ClientCAs = pool
+		cfg.ClientAuth = tls.RequireAndVerifyClientCert
+	}
+
+	return cfg, nil
+}
+
+// LoadServerConfig loads the certificate from cert & key files and client CA file.
+func LoadServerConfig(certFile, keyFile, caFile string) (*tls.Config, error) {
+	if certFile == "" && keyFile == "" {
+		return nil, nil
+	}
+
 	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
 	if err != nil {
 		return nil, err
@ -29,16 +57,7 @@ func LoadConfig(certFile, keyFile, caFile string) (*tls.Config, error) {
 	return cfg, nil
 }

-// LoadServerConfig loads the certificate from cert & key files and optional client CA file.
-func LoadServerConfig(certFile, keyFile, caFile string) (*tls.Config, error) {
-	if certFile == "" && keyFile == "" {
-		return nil, nil
-	}
-
-	return LoadConfig(certFile, keyFile, caFile)
-}
-
-// LoadClientConfig loads the certificate from cert & key files and optional CA file.
+// LoadClientConfig loads the certificate from cert & key files and CA file.
 func LoadClientConfig(certFile, keyFile, caFile string, verify bool, serverName string) (*tls.Config, error) {
 	var cfg *tls.Config