frp/pkg/transport/tls.go

package transport

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"math/big"
	"os"
)

func newCustomTLSKeyPair(certfile, keyfile string) (*tls.Certificate, error) {
	tlsCert, err := tls.LoadX509KeyPair(certfile, keyfile)
	if err != nil {
		return nil, err
	}
	return &tlsCert, nil
}

func newRandomTLSKeyPair() *tls.Certificate {
	key, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil {
		panic(err)
	}
	template := x509.Certificate{SerialNumber: big.NewInt(1)}
	certDER, err := x509.CreateCertificate(
		rand.Reader,
		&template,
		&template,
		&key.PublicKey,
		key)
	if err != nil {
		panic(err)
	}
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})

	tlsCert, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		panic(err)
	}
	return &tlsCert
}

// Only support one ca file to add
func newCertPool(caPath string) (*x509.CertPool, error) {
	pool := x509.NewCertPool()

	caCrt, err := os.ReadFile(caPath)
	if err != nil {
		return nil, err
	}

	pool.AppendCertsFromPEM(caCrt)

	return pool, nil
}

func NewServerTLSConfig(certPath, keyPath, caPath string) (*tls.Config, error) {
	var base = &tls.Config{}

	if certPath == "" || keyPath == "" {
		// server will generate tls conf by itself
		cert := newRandomTLSKeyPair()
		base.Certificates = []tls.Certificate{*cert}
	} else {
		cert, err := newCustomTLSKeyPair(certPath, keyPath)
		if err != nil {
			return nil, err
		}

		base.Certificates = []tls.Certificate{*cert}
	}

	if caPath != "" {
		pool, err := newCertPool(caPath)
		if err != nil {
			return nil, err
		}

		base.ClientAuth = tls.RequireAndVerifyClientCert
		base.ClientCAs = pool
	}

	return base, nil
}

func NewClientTLSConfig(certPath, keyPath, caPath, serverName string) (*tls.Config, error) {
	var base = &tls.Config{}

	if certPath == "" || keyPath == "" {
		// client will not generate tls conf by itself
	} else {
		cert, err := newCustomTLSKeyPair(certPath, keyPath)
		if err != nil {
			return nil, err
		}

		base.Certificates = []tls.Certificate{*cert}
	}

	if caPath != "" {
		pool, err := newCertPool(caPath)
		if err != nil {
			return nil, err
		}

		base.RootCAs = pool
		base.ServerName = serverName
		base.InsecureSkipVerify = false
	} else {
		base.InsecureSkipVerify = true
	}

	return base, nil
}
Add tls configuration to both client and server (#1974) 2020-09-18 19:58:58 +08:00			`package transport`

			`import (`
			`"crypto/rand"`
			`"crypto/rsa"`
			`"crypto/tls"`
			`"crypto/x509"`
			`"encoding/pem"`
			`"math/big"`
refactor: move from io/ioutil to io and os package (#2592) 2021-09-29 10:33:57 +08:00			`"os"`
Add tls configuration to both client and server (#1974) 2020-09-18 19:58:58 +08:00			`)`

			`func newCustomTLSKeyPair(certfile, keyfile string) (*tls.Certificate, error) {`
			`tlsCert, err := tls.LoadX509KeyPair(certfile, keyfile)`
			`if err != nil {`
			`return nil, err`
			`}`
			`return &tlsCert, nil`
			`}`

			`func newRandomTLSKeyPair() *tls.Certificate {`
			`key, err := rsa.GenerateKey(rand.Reader, 1024)`
			`if err != nil {`
			`panic(err)`
			`}`
			`template := x509.Certificate{SerialNumber: big.NewInt(1)}`
			`certDER, err := x509.CreateCertificate(`
			`rand.Reader,`
			`&template,`
			`&template,`
			`&key.PublicKey,`
			`key)`
			`if err != nil {`
			`panic(err)`
			`}`
			`keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})`
			`certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})`

			`tlsCert, err := tls.X509KeyPair(certPEM, keyPEM)`
			`if err != nil {`
			`panic(err)`
			`}`
			`return &tlsCert`
			`}`

modify gitignore;fix a typo (#2237) 2021-02-07 14:07:20 +08:00			`// Only support one ca file to add`
Add tls configuration to both client and server (#1974) 2020-09-18 19:58:58 +08:00			`func newCertPool(caPath string) (*x509.CertPool, error) {`
			`pool := x509.NewCertPool()`

refactor: move from io/ioutil to io and os package (#2592) 2021-09-29 10:33:57 +08:00			`caCrt, err := os.ReadFile(caPath)`
Add tls configuration to both client and server (#1974) 2020-09-18 19:58:58 +08:00			`if err != nil {`
			`return nil, err`
			`}`

			`pool.AppendCertsFromPEM(caCrt)`

			`return pool, nil`
			`}`

			`func NewServerTLSConfig(certPath, keyPath, caPath string) (*tls.Config, error) {`
			`var base = &tls.Config{}`

			`if certPath == "" \|\| keyPath == "" {`
			`// server will generate tls conf by itself`
			`cert := newRandomTLSKeyPair()`
			`base.Certificates = []tls.Certificate{*cert}`
			`} else {`
			`cert, err := newCustomTLSKeyPair(certPath, keyPath)`
			`if err != nil {`
			`return nil, err`
			`}`

			`base.Certificates = []tls.Certificate{*cert}`
			`}`

			`if caPath != "" {`
			`pool, err := newCertPool(caPath)`
			`if err != nil {`
			`return nil, err`
			`}`

			`base.ClientAuth = tls.RequireAndVerifyClientCert`
			`base.ClientCAs = pool`
			`}`

			`return base, nil`
			`}`

add more e2e test (#2505) 2021-08-02 13:07:28 +08:00			`func NewClientTLSConfig(certPath, keyPath, caPath, serverName string) (*tls.Config, error) {`
Add tls configuration to both client and server (#1974) 2020-09-18 19:58:58 +08:00			`var base = &tls.Config{}`

			`if certPath == "" \|\| keyPath == "" {`
			`// client will not generate tls conf by itself`
			`} else {`
			`cert, err := newCustomTLSKeyPair(certPath, keyPath)`
			`if err != nil {`
			`return nil, err`
			`}`

			`base.Certificates = []tls.Certificate{*cert}`
			`}`

			`if caPath != "" {`
			`pool, err := newCertPool(caPath)`
			`if err != nil {`
			`return nil, err`
			`}`

			`base.RootCAs = pool`
add more e2e test (#2505) 2021-08-02 13:07:28 +08:00			`base.ServerName = serverName`
Add tls configuration to both client and server (#1974) 2020-09-18 19:58:58 +08:00			`base.InsecureSkipVerify = false`
			`} else {`
			`base.InsecureSkipVerify = true`
			`}`

			`return base, nil`
			`}`