Add client certificate fields to the configuration struct

Add relevant logic
2024-11-22 12:24:25 +00:00 · 2015-09-30 19:06:55 +02:00 · 2015-09-30 19:06:55 +02:00 · 7321b43f67
commit 7321b43f67
parent 5eb5959c93
1 changed files with 62 additions and 32 deletions
--- a/app/app.go
+++ b/app/app.go
@ -2,6 +2,8 @@ package app

 import (
 	"crypto/rand"
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/base64"
 	"errors"
 	"io/ioutil"
@ -45,6 +47,9 @@ type Options struct {
 	EnableTLS                           bool                   `hcl:"enable_tls"`
 	TLSCrtFile                          string                 `hcl:"tls_crt_file"`
 	TLSKeyFile                          string                 `hcl:"tls_key_file"`
+	EnableClientCertificate             bool                   `hcl:"enable_client_certificate"`
+	ClientCAFile                        string                 `hcl:"client_ca_file"`
+	EnableClientCertificateVerification bool                   `hcl:"enable_client_certificate_verification"`
 	TitleFormat                         string                 `hcl:"title_format"`
 	EnableReconnect                     bool                   `hcl:"enable_reconnect"`
 	ReconnectTime                       int                    `hcl:"reconnect_time"`
@ -64,6 +69,9 @@ var DefaultOptions = Options{
 	EnableTLS:                           false,
 	TLSCrtFile:                          "~/.gotty.crt",
 	TLSKeyFile:                          "~/.gotty.key",
+	EnableClientCertificate:             false,
+	ClientCAFile:                        "~/.gotty.ca.crt",
+	EnableClientCertificateVerification: false,
 	TitleFormat:                         "GoTTY - {{ .Command }} ({{ .Hostname }})",
 	EnableReconnect:                     false,
 	ReconnectTime:                       10,
@ -195,6 +203,28 @@ func (app *App) Run() error {
 		keyFile := ExpandHomeDir(app.options.TLSKeyFile)
 		log.Printf("TLS crt file: " + crtFile)
 		log.Printf("TLS key file: " + keyFile)
+		if app.options.EnableClientCertificate {
+			caFile := ExpandHomeDir(app.options.ClientCAFile)
+			log.Printf("Client CA file: " + caFile)
+			caCert, err := ioutil.ReadFile(caFile)
+			if err != nil {
+				return errors.New("Cannot open CA file " + caFile)
+			}
+			caCertPool := x509.NewCertPool()
+			if !caCertPool.AppendCertsFromPEM(caCert) {
+				return errors.New("Cannot parse CA file data in " + caFile)
+			}
+			tlsVerifyPolicy := tls.RequireAnyClientCert
+			if app.options.EnableClientCertificateVerification {
+				log.Print("Enabling verification of client certificate")
+				tlsVerifyPolicy = tls.RequireAndVerifyClientCert
+			}
+			tlsConfig := &tls.Config{
+				ClientCAs:  caCertPool,
+				ClientAuth: tlsVerifyPolicy,
+			}
+			app.server.TLSConfig = tlsConfig
+		}
 		err = app.server.ListenAndServeTLS(crtFile, keyFile)
 	} else {
 		err = app.server.ListenAndServe()