seaweedfs/weed/security/tls.go

69 lines
1.7 KiB
Go
Raw Normal View History

2019-02-18 20:11:52 +00:00
package security
import (
"crypto/tls"
"crypto/x509"
"io/ioutil"
2020-02-23 05:23:30 +00:00
"github.com/spf13/viper"
2019-02-18 20:11:52 +00:00
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
2020-02-23 05:23:30 +00:00
"github.com/chrislusf/seaweedfs/weed/glog"
2019-02-18 20:11:52 +00:00
)
func LoadServerTLS(config *viper.Viper, component string) grpc.ServerOption {
if config == nil {
return nil
}
// load cert/key, ca cert
cert, err := tls.LoadX509KeyPair(config.GetString(component+".cert"), config.GetString(component+".key"))
if err != nil {
2020-02-23 05:23:30 +00:00
glog.V(1).Infof("load cert/key error: %v", err)
2019-02-18 20:11:52 +00:00
return nil
}
caCert, err := ioutil.ReadFile(config.GetString(component + ".ca"))
2019-02-18 20:11:52 +00:00
if err != nil {
2020-02-23 05:23:30 +00:00
glog.V(1).Infof("read ca cert file error: %v", err)
2019-02-18 20:11:52 +00:00
return nil
}
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
ta := credentials.NewTLS(&tls.Config{
Certificates: []tls.Certificate{cert},
ClientCAs: caCertPool,
ClientAuth: tls.RequireAndVerifyClientCert,
})
return grpc.Creds(ta)
}
func LoadClientTLS(config *viper.Viper, component string) grpc.DialOption {
if config == nil {
return grpc.WithInsecure()
}
// load cert/key, cacert
cert, err := tls.LoadX509KeyPair(config.GetString(component+".cert"), config.GetString(component+".key"))
if err != nil {
2020-02-23 05:23:30 +00:00
glog.V(1).Infof("load cert/key error: %v", err)
2019-02-18 20:11:52 +00:00
return grpc.WithInsecure()
}
caCert, err := ioutil.ReadFile(config.GetString(component + ".ca"))
2019-02-18 20:11:52 +00:00
if err != nil {
2020-02-23 05:23:30 +00:00
glog.V(1).Infof("read ca cert file error: %v", err)
2019-02-18 20:11:52 +00:00
return grpc.WithInsecure()
}
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
ta := credentials.NewTLS(&tls.Config{
Certificates: []tls.Certificate{cert},
RootCAs: caCertPool,
InsecureSkipVerify: true,
})
return grpc.WithTransportCredentials(ta)
}