Commit 0e3c9c54 authored by Sietse Ringers's avatar Sietse Ringers
Browse files

refactor: fix code duplication in TLS parameter selection

parent edb21643
package cmd
import (
"crypto/tls"
"net/smtp"
"os"
"path/filepath"
......@@ -66,6 +67,18 @@ func configureIRMAServer() *server.Configuration {
}
}
func configureTLS() *tls.Config {
conf, err := server.TLSConf(
viper.GetString("tls-cert"),
viper.GetString("tls-cert-file"),
viper.GetString("tls-privkey"),
viper.GetString("tls-privkey-file"))
if err != nil {
die("", err)
}
return conf
}
func readConfig(cmd *cobra.Command, name, logname string, configpaths []string, productionDefaults map[string]interface{}) {
dashReplacer := strings.NewReplacer("-", "_")
viper.SetEnvKeyReplacer(dashReplacer)
......
......@@ -2,7 +2,6 @@ package cmd
import (
"context"
"crypto/tls"
"fmt"
"net/http"
"os"
......@@ -10,7 +9,6 @@ import (
"syscall"
irma "github.com/privacybydesign/irmago"
"github.com/privacybydesign/irmago/internal/common"
"github.com/privacybydesign/irmago/server"
"github.com/privacybydesign/irmago/server/keyshare/myirmaserver"
"github.com/sietseringers/cobra"
......@@ -27,14 +25,7 @@ var myirmadCmd = &cobra.Command{
fullAddr := fmt.Sprintf("%s:%d", viper.GetString("listen-addr"), viper.GetInt("port"))
// Load TLS configuration
TLSConfig, err := kesyharedTLS(
viper.GetString("tls-cert"),
viper.GetString("tls-cert-file"),
viper.GetString("tls-privkey"),
viper.GetString("tls-privkey-file"))
if err != nil {
die("", err)
}
TLSConfig := configureTLS()
// Create main server
myirmaServer, err := myirmaserver.New(conf)
......@@ -181,37 +172,3 @@ func configureMyirmad(cmd *cobra.Command) *myirmaserver.Configuration {
return conf
}
func myirmadTLS(cert, certfile, key, keyfile string) (*tls.Config, error) {
if cert == "" && certfile == "" && key == "" && keyfile == "" {
return nil, nil
}
var certbts, keybts []byte
var err error
if certbts, err = common.ReadKey(cert, certfile); err != nil {
return nil, err
}
if keybts, err = common.ReadKey(key, keyfile); err != nil {
return nil, err
}
cer, err := tls.X509KeyPair(certbts, keybts)
if err != nil {
return nil, err
}
return &tls.Config{
Certificates: []tls.Certificate{cer},
MinVersion: tls.VersionTLS12,
CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
PreferServerCipherSuites: true,
CipherSuites: []uint16{
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
},
}, nil
}
......@@ -2,7 +2,6 @@ package cmd
import (
"context"
"crypto/tls"
"fmt"
"net/http"
"os"
......@@ -10,7 +9,6 @@ import (
"syscall"
irma "github.com/privacybydesign/irmago"
"github.com/privacybydesign/irmago/internal/common"
"github.com/privacybydesign/irmago/server"
"github.com/privacybydesign/irmago/server/keyshare/keyshareserver"
"github.com/sietseringers/cobra"
......@@ -27,14 +25,7 @@ var keysharedCmd = &cobra.Command{
fullAddr := fmt.Sprintf("%s:%d", viper.GetString("listen-addr"), viper.GetInt("port"))
// Load TLS configuration
TLSConfig, err := kesyharedTLS(
viper.GetString("tls-cert"),
viper.GetString("tls-cert-file"),
viper.GetString("tls-privkey"),
viper.GetString("tls-privkey-file"))
if err != nil {
die("", err)
}
TLSConfig := configureTLS()
// Create main server
keyshareServer, err := keyshareserver.New(conf)
......@@ -166,37 +157,3 @@ func configureKeyshared(cmd *cobra.Command) *keyshareserver.Configuration {
return conf
}
func kesyharedTLS(cert, certfile, key, keyfile string) (*tls.Config, error) {
if cert == "" && certfile == "" && key == "" && keyfile == "" {
return nil, nil
}
var certbts, keybts []byte
var err error
if certbts, err = common.ReadKey(cert, certfile); err != nil {
return nil, err
}
if keybts, err = common.ReadKey(key, keyfile); err != nil {
return nil, err
}
cer, err := tls.X509KeyPair(certbts, keybts)
if err != nil {
return nil, err
}
return &tls.Config{
Certificates: []tls.Certificate{cer},
MinVersion: tls.VersionTLS12,
CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
PreferServerCipherSuites: true,
CipherSuites: []uint16{
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
},
}, nil
}
......@@ -2,6 +2,7 @@ package server
import (
"crypto/rsa"
"crypto/tls"
"encoding/json"
"fmt"
"regexp"
......@@ -371,3 +372,43 @@ func (conf *Configuration) verifyJwtPrivateKey() error {
func ReplacePortString(url string, port int) string {
return regexp.MustCompile("(https?://[^/]*):port").ReplaceAllString(url, "$1:"+strconv.Itoa(port))
}
func TLSConf(cert, certfile, key, keyfile string) (*tls.Config, error) {
if cert == "" && certfile == "" && key == "" && keyfile == "" {
return nil, nil
}
var certbts, keybts []byte
var err error
if certbts, err = common.ReadKey(cert, certfile); err != nil {
return nil, err
}
if keybts, err = common.ReadKey(key, keyfile); err != nil {
return nil, err
}
cer, err := tls.X509KeyPair(certbts, keybts)
if err != nil {
return nil, err
}
return &tls.Config{
Certificates: []tls.Certificate{cer},
MinVersion: tls.VersionTLS12,
// Safe according to https://safecurves.cr.yp.to/; fairly widely supported according to
// https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations#Supported_elliptic_curves
CurvePreferences: []tls.CurveID{tls.X25519},
PreferServerCipherSuites: true,
CipherSuites: []uint16{
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
},
}, nil
}
......@@ -358,51 +358,11 @@ func (conf *Configuration) validatePermissionSet(requestor string, requestorperm
}
func (conf *Configuration) clientTlsConfig() (*tls.Config, error) {
return conf.readTlsConf(conf.ClientTlsCertificate, conf.ClientTlsCertificateFile, conf.ClientTlsPrivateKey, conf.ClientTlsPrivateKeyFile)
return server.TLSConf(conf.ClientTlsCertificate, conf.ClientTlsCertificateFile, conf.ClientTlsPrivateKey, conf.ClientTlsPrivateKeyFile)
}
func (conf *Configuration) tlsConfig() (*tls.Config, error) {
return conf.readTlsConf(conf.TlsCertificate, conf.TlsCertificateFile, conf.TlsPrivateKey, conf.TlsPrivateKeyFile)
}
func (conf *Configuration) readTlsConf(cert, certfile, key, keyfile string) (*tls.Config, error) {
if cert == "" && certfile == "" && key == "" && keyfile == "" {
return nil, nil
}
var certbts, keybts []byte
var err error
if certbts, err = common.ReadKey(cert, certfile); err != nil {
return nil, err
}
if keybts, err = common.ReadKey(key, keyfile); err != nil {
return nil, err
}
cer, err := tls.X509KeyPair(certbts, keybts)
if err != nil {
return nil, err
}
return &tls.Config{
Certificates: []tls.Certificate{cer},
MinVersion: tls.VersionTLS12,
// Safe according to https://safecurves.cr.yp.to/; fairly widely supported according to
// https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations#Supported_elliptic_curves
CurvePreferences: []tls.CurveID{tls.X25519},
PreferServerCipherSuites: true,
CipherSuites: []uint16{
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
},
}, nil
return server.TLSConf(conf.TlsCertificate, conf.TlsCertificateFile, conf.TlsPrivateKey, conf.TlsPrivateKeyFile)
}
func (conf *Configuration) separateClientServer() bool {
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment