Add helpers to add direct support for mTLS.

Author: maraino

ca/bootstrap.go

@@ -90,6 +90,59 @@ func BootstrapServer(ctx context.Context, token string, base *http.Server) (*htt
 	return base, nil
 }
 
+// BootstrapServerWithMTLS is a helper function that using the given token
+// returns the given http.Server configured with a TLS certificate signed by the
+// Certificate Authority, this server will always require and verify a client
+// certificate. By default the server will kick off a routine that will renew
+// the certificate after 2/3rd of the certificate's lifetime has expired.
+//
+// Usage:
+//   // Default example with certificate rotation.
+//   srv, err := ca.BootstrapServerWithMTLS(context.Background(), token, &http.Server{
+//       Addr: ":443",
+//       Handler: handler,
+//   })
+//
+//   // Example canceling automatic certificate rotation.
+//   ctx, cancel := context.WithCancel(context.Background())
+//   defer cancel()
+//   srv, err := ca.BootstrapServerWithMTLS(ctx, token, &http.Server{
+//       Addr: ":443",
+//       Handler: handler,
+//   })
+//   if err != nil {
+//       return err
+//   }
+//   srv.ListenAndServeTLS("", "")
+func BootstrapServerWithMTLS(ctx context.Context, token string, base *http.Server) (*http.Server, error) {
+	if base.TLSConfig != nil {
+		return nil, errors.New("server TLSConfig is already set")
+	}
+
+	client, err := Bootstrap(token)
+	if err != nil {
+		return nil, err
+	}
+
+	req, pk, err := CreateSignRequest(token)
+	if err != nil {
+		return nil, err
+	}
+
+	sign, err := client.Sign(req)
+	if err != nil {
+		return nil, err
+	}
+
+	tlsConfig, err := client.GetServerMutualTLSConfig(ctx, sign, pk)
+	if err != nil {
+		return nil, err
+	}
+
+	base.TLSConfig = tlsConfig
+	return base, nil
+}
+
 // BootstrapClient is a helper function that using the given bootstrap token
 // return an http.Client configured with a Transport prepared to do TLS
 // connections using the client certificate returned by the certificate

ca/bootstrap_test.go

@@ -170,6 +170,52 @@ func TestBootstrapServer(t *testing.T) {
 	}
 }
 
+func TestBootstrapServerWithMTLS(t *testing.T) {
+	srv := startCABootstrapServer()
+	defer srv.Close()
+	token := func() string {
+		return generateBootstrapToken(srv.URL, "subject", "ef742f95dc0d8aa82d3cca4017af6dac3fce84290344159891952d18c53eefe7")
+	}
+	type args struct {
+		ctx   context.Context
+		token string
+		base  *http.Server
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+	}{
+		{"ok", args{context.Background(), token(), &http.Server{}}, false},
+		{"fail", args{context.Background(), "bad-token", &http.Server{}}, true},
+		{"fail with TLSConfig", args{context.Background(), token(), &http.Server{TLSConfig: &tls.Config{}}}, true},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := BootstrapServerWithMTLS(tt.args.ctx, tt.args.token, tt.args.base)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("BootstrapServerWithMTLS() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if tt.wantErr {
+				if got != nil {
+					t.Errorf("BootstrapServerWithMTLS() = %v, want nil", got)
+				}
+			} else {
+				expected := &http.Server{
+					TLSConfig: got.TLSConfig,
+				}
+				if !reflect.DeepEqual(got, expected) {
+					t.Errorf("BootstrapServerWithMTLS() = %v, want %v", got, expected)
+				}
+				if got.TLSConfig == nil || got.TLSConfig.ClientCAs == nil || got.TLSConfig.RootCAs == nil || got.TLSConfig.GetCertificate == nil || got.TLSConfig.GetClientCertificate == nil {
+					t.Errorf("BootstrapServerWithMTLS() invalid TLSConfig = %#v", got.TLSConfig)
+				}
+			}
+		})
+	}
+}
+
 func TestBootstrapClient(t *testing.T) {
 	srv := startCABootstrapServer()
 	defer srv.Close()

ca/tls.go

@@ -19,7 +19,7 @@ import (
 
 // GetClientTLSConfig returns a tls.Config for client use configured with the
 // sign certificate, and a new certificate pool with the sign root certificate.
-// The certificate will automatically rotate before expiring.
+// The client certificate will automatically rotate before expiring.
 func (c *Client) GetClientTLSConfig(ctx context.Context, sign *api.SignResponse, pk crypto.PrivateKey) (*tls.Config, error) {
 	cert, err := TLSCertificate(sign, pk)
 	if err != nil {
@@ -32,16 +32,14 @@ func (c *Client) GetClientTLSConfig(ctx context.Context, sign *api.SignResponse,
 
 	tlsConfig := getDefaultTLSConfig(sign)
 	// Note that with GetClientCertificate tlsConfig.Certificates is not used.
+	// Without tlsConfig.Certificates there's not need to use tlsConfig.BuildNameToCertificate()
 	tlsConfig.GetClientCertificate = renewer.GetClientCertificate
 	tlsConfig.PreferServerCipherSuites = true
 	// Build RootCAs with given root certificate
 	if pool := c.getCertPool(sign); pool != nil {
 		tlsConfig.RootCAs = pool
 	}
 
-	// Parse Certificates and build NameToCertificate
-	tlsConfig.BuildNameToCertificate()
-
 	// Update renew function with transport
 	tr, err := getDefaultTransport(tlsConfig)
 	if err != nil {
@@ -56,7 +54,8 @@ func (c *Client) GetClientTLSConfig(ctx context.Context, sign *api.SignResponse,
 
 // GetServerTLSConfig returns a tls.Config for server use configured with the
 // sign certificate, and a new certificate pool with the sign root certificate.
-// The certificate will automatically rotate before expiring.
+// The returned tls.Config will only verify the client certificate if provided.
+// The server certificate will automatically rotate before expiring.
 func (c *Client) GetServerTLSConfig(ctx context.Context, sign *api.SignResponse, pk crypto.PrivateKey) (*tls.Config, error) {
 	cert, err := TLSCertificate(sign, pk)
 	if err != nil {
@@ -70,6 +69,7 @@ func (c *Client) GetServerTLSConfig(ctx context.Context, sign *api.SignResponse,
 	tlsConfig := getDefaultTLSConfig(sign)
 	// Note that GetCertificate will only be called if the client supplies SNI
 	// information or if tlsConfig.Certificates is empty.
+	// Without tlsConfig.Certificates there's not need to use tlsConfig.BuildNameToCertificate()
 	tlsConfig.GetCertificate = renewer.GetCertificate
 	tlsConfig.GetClientCertificate = renewer.GetClientCertificate
 	tlsConfig.PreferServerCipherSuites = true
@@ -93,6 +93,19 @@ func (c *Client) GetServerTLSConfig(ctx context.Context, sign *api.SignResponse,
 	return tlsConfig, nil
 }
 
+// GetServerMutualTLSConfig returns a tls.Config for server use configured with
+// the sign certificate, and a new certificate pool with the sign root certificate.
+// The returned tls.Config will always require and verify a client certificate.
+// The server certificate will automatically rotate before expiring.
+func (c *Client) GetServerMutualTLSConfig(ctx context.Context, sign *api.SignResponse, pk crypto.PrivateKey) (*tls.Config, error) {
+	tlsConfig, err := c.GetServerTLSConfig(ctx, sign, pk)
+	if err != nil {
+		return nil, err
+	}
+	tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
+	return tlsConfig, nil
+}
+
 // Transport returns an http.Transport configured to use the client certificate from the sign response.
 func (c *Client) Transport(ctx context.Context, sign *api.SignResponse, pk crypto.PrivateKey) (*http.Transport, error) {
 	tlsConfig, err := c.GetClientTLSConfig(ctx, sign, pk)