2021-01-04 17:28:55 +07:00
package utils
import (
"crypto/tls"
"crypto/x509"
"fmt"
"io/ioutil"
"path"
"strings"
"github.com/authelia/authelia/internal/configuration/schema"
2021-01-10 18:10:45 +07:00
"github.com/authelia/authelia/internal/logging"
2021-01-04 17:28:55 +07:00
)
// NewTLSConfig generates a tls.Config from a schema.TLSConfig and a x509.CertPool.
func NewTLSConfig ( config * schema . TLSConfig , defaultMinVersion uint16 , certPool * x509 . CertPool ) ( tlsConfig * tls . Config ) {
minVersion , err := TLSStringToTLSConfigVersion ( config . MinimumVersion )
if err != nil {
minVersion = defaultMinVersion
}
return & tls . Config {
ServerName : config . ServerName ,
InsecureSkipVerify : config . SkipVerify , //nolint:gosec // Informed choice by user. Off by default.
MinVersion : minVersion ,
RootCAs : certPool ,
}
}
//nolint:gocyclo // TODO: Remove in 4.28. Should be able to remove the nolint during the removal of deprecated config.
// NewX509CertPool generates a x509.CertPool from the system PKI and the directory specified.
func NewX509CertPool ( directory string , config * schema . Configuration ) ( certPool * x509 . CertPool , errors [ ] error , nonFatalErrors [ ] error ) {
certPool , err := x509 . SystemCertPool ( )
if err != nil {
2021-03-05 11:18:31 +07:00
nonFatalErrors = append ( nonFatalErrors , fmt . Errorf ( "could not load system certificate pool which may result in untrusted certificate issues: %v" , err ) )
2021-01-04 17:28:55 +07:00
certPool = x509 . NewCertPool ( )
}
2021-01-10 18:10:45 +07:00
logger := logging . Logger ( )
logger . Tracef ( "Starting scan of directory %s for certificates" , directory )
2021-01-04 17:28:55 +07:00
if directory != "" {
certsFileInfo , err := ioutil . ReadDir ( directory )
if err != nil {
errors = append ( errors , fmt . Errorf ( "could not read certificates from directory %v" , err ) )
} else {
for _ , certFileInfo := range certsFileInfo {
nameLower := strings . ToLower ( certFileInfo . Name ( ) )
2021-01-10 18:10:45 +07:00
if ! certFileInfo . IsDir ( ) && ( strings . HasSuffix ( nameLower , ".cer" ) || strings . HasSuffix ( nameLower , ".crt" ) || strings . HasSuffix ( nameLower , ".pem" ) ) {
certPath := path . Join ( directory , certFileInfo . Name ( ) )
logger . Tracef ( "Found possible cert %s, attempting to add it to the pool" , certPath )
certBytes , err := ioutil . ReadFile ( certPath )
2021-01-04 17:28:55 +07:00
if err != nil {
errors = append ( errors , fmt . Errorf ( "could not read certificate %v" , err ) )
} else if ok := certPool . AppendCertsFromPEM ( certBytes ) ; ! ok {
errors = append ( errors , fmt . Errorf ( "could not import certificate %s" , certFileInfo . Name ( ) ) )
}
}
}
}
}
2021-01-10 18:10:45 +07:00
logger . Tracef ( "Finished scan of directory %s for certificates" , directory )
2021-01-04 17:28:55 +07:00
// Deprecated. Maps deprecated values to the new ones. TODO: Remove in 4.28.
if config != nil && config . Notifier != nil && config . Notifier . SMTP != nil && config . Notifier . SMTP . TrustedCert != "" {
nonFatalErrors = append ( nonFatalErrors , fmt . Errorf ( "defining the trusted cert in the SMTP notifier is deprecated and will be removed in 4.28.0, please use the global certificates_directory instead" ) )
if exists , _ := FileExists ( config . Notifier . SMTP . TrustedCert ) ; exists {
pem , err := ioutil . ReadFile ( config . Notifier . SMTP . TrustedCert )
if err != nil {
errors = append ( errors , fmt . Errorf ( "failed to read legacy SMTP trusted_cert (see the new certificates_directory option) certificate %s with error: %s" , config . Notifier . SMTP . TrustedCert , err ) )
} else if ok := certPool . AppendCertsFromPEM ( pem ) ; ! ok {
errors = append ( errors , fmt . Errorf ( "could not import legacy SMTP trusted_cert (see the new certificates_directory option) certificate %s" , config . Notifier . SMTP . TrustedCert ) )
}
} else {
errors = append ( errors , fmt . Errorf ( "could not import legacy SMTP trusted_cert (see the new certificates_directory option) certificate %s (file does not exist)" , config . Notifier . SMTP . TrustedCert ) )
}
}
return certPool , errors , nonFatalErrors
}
// TLSStringToTLSConfigVersion returns a go crypto/tls version for a tls.Config based on string input.
func TLSStringToTLSConfigVersion ( input string ) ( version uint16 , err error ) {
switch strings . ToUpper ( input ) {
case "TLS1.3" , TLS13 :
return tls . VersionTLS13 , nil
case "TLS1.2" , TLS12 :
return tls . VersionTLS12 , nil
case "TLS1.1" , TLS11 :
return tls . VersionTLS11 , nil
case "TLS1.0" , TLS10 :
return tls . VersionTLS10 , nil
}
return 0 , ErrTLSVersionNotSupported
}