Use mTLS by default on SDK methods.

Add options to modify the tls.Config for different configurations.
Fixes smallstep#7

Author: maraino

ca/bootstrap.go

@@ -43,6 +43,12 @@ func Bootstrap(token string) (*Client, error) {
 // Authority. By default the server will kick off a routine that will renew the
 // certificate after 2/3rd of the certificate's lifetime has expired.
 //
+// Without any extra option the server will be configured for mTLS, it will
+// require and verify clients certificates, but options can be used to drop this
+// requirement, the most common will be only verify the certs if given with
+// ca.VerifyClientCertIfGiven(), or add extra CAs with
+// ca.AddClientCA(*x509.Certificate).
+//
 // Usage:
 //   // Default example with certificate rotation.
 //   srv, err := ca.BootstrapServer(context.Background(), token, &http.Server{
@@ -61,60 +67,7 @@ func Bootstrap(token string) (*Client, error) {
 //       return err
 //   }
 //   srv.ListenAndServeTLS("", "")
-func BootstrapServer(ctx context.Context, token string, base *http.Server) (*http.Server, error) {
-	if base.TLSConfig != nil {
-		return nil, errors.New("server TLSConfig is already set")
-	}
-
-	client, err := Bootstrap(token)
-	if err != nil {
-		return nil, err
-	}
-
-	req, pk, err := CreateSignRequest(token)
-	if err != nil {
-		return nil, err
-	}
-
-	sign, err := client.Sign(req)
-	if err != nil {
-		return nil, err
-	}
-
-	tlsConfig, err := client.GetServerTLSConfig(ctx, sign, pk)
-	if err != nil {
-		return nil, err
-	}
-
-	base.TLSConfig = tlsConfig
-	return base, nil
-}
-
-// BootstrapServerWithMTLS is a helper function that using the given token
-// returns the given http.Server configured with a TLS certificate signed by the
-// Certificate Authority, this server will always require and verify a client
-// certificate. By default the server will kick off a routine that will renew
-// the certificate after 2/3rd of the certificate's lifetime has expired.
-//
-// Usage:
-//   // Default example with certificate rotation.
-//   srv, err := ca.BootstrapServerWithMTLS(context.Background(), token, &http.Server{
-//       Addr: ":443",
-//       Handler: handler,
-//   })
-//
-//   // Example canceling automatic certificate rotation.
-//   ctx, cancel := context.WithCancel(context.Background())
-//   defer cancel()
-//   srv, err := ca.BootstrapServerWithMTLS(ctx, token, &http.Server{
-//       Addr: ":443",
-//       Handler: handler,
-//   })
-//   if err != nil {
-//       return err
-//   }
-//   srv.ListenAndServeTLS("", "")
-func BootstrapServerWithMTLS(ctx context.Context, token string, base *http.Server) (*http.Server, error) {
+func BootstrapServer(ctx context.Context, token string, base *http.Server, options ...TLSOption) (*http.Server, error) {
 	if base.TLSConfig != nil {
 		return nil, errors.New("server TLSConfig is already set")
 	}
@@ -134,7 +87,7 @@ func BootstrapServerWithMTLS(ctx context.Context, token string, base *http.Serve
 		return nil, err
 	}
 
-	tlsConfig, err := client.GetServerMutualTLSConfig(ctx, sign, pk)
+	tlsConfig, err := client.GetServerTLSConfig(ctx, sign, pk, options...)
 	if err != nil {
 		return nil, err
 	}
@@ -161,7 +114,7 @@ func BootstrapServerWithMTLS(ctx context.Context, token string, base *http.Serve
 //     return err
 //   }
 //   resp, err := client.Get("https://internal.smallstep.com")
-func BootstrapClient(ctx context.Context, token string) (*http.Client, error) {
+func BootstrapClient(ctx context.Context, token string, options ...TLSOption) (*http.Client, error) {
 	client, err := Bootstrap(token)
 	if err != nil {
 		return nil, err
@@ -177,7 +130,7 @@ func BootstrapClient(ctx context.Context, token string) (*http.Client, error) {
 		return nil, err
 	}
 
-	transport, err := client.Transport(ctx, sign, pk)
+	transport, err := client.Transport(ctx, sign, pk, options...)
 	if err != nil {
 		return nil, err
 	}

ca/bootstrap_test.go

@@ -124,7 +124,7 @@ func TestBootstrap(t *testing.T) {
 	}
 }
 
-func TestBootstrapServer(t *testing.T) {
+func TestBootstrapServerWithoutMTLS(t *testing.T) {
 	srv := startCABootstrapServer()
 	defer srv.Close()
 	token := func() string {
@@ -146,7 +146,7 @@ func TestBootstrapServer(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got, err := BootstrapServer(tt.args.ctx, tt.args.token, tt.args.base)
+			got, err := BootstrapServer(tt.args.ctx, tt.args.token, tt.args.base, VerifyClientCertIfGiven())
 			if (err != nil) != tt.wantErr {
 				t.Errorf("BootstrapServer() error = %v, wantErr %v", err, tt.wantErr)
 				return
@@ -192,24 +192,24 @@ func TestBootstrapServerWithMTLS(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got, err := BootstrapServerWithMTLS(tt.args.ctx, tt.args.token, tt.args.base)
+			got, err := BootstrapServer(tt.args.ctx, tt.args.token, tt.args.base)
 			if (err != nil) != tt.wantErr {
-				t.Errorf("BootstrapServerWithMTLS() error = %v, wantErr %v", err, tt.wantErr)
+				t.Errorf("BootstrapServer() error = %v, wantErr %v", err, tt.wantErr)
 				return
 			}
 			if tt.wantErr {
 				if got != nil {
-					t.Errorf("BootstrapServerWithMTLS() = %v, want nil", got)
+					t.Errorf("BootstrapServer() = %v, want nil", got)
 				}
 			} else {
 				expected := &http.Server{
 					TLSConfig: got.TLSConfig,
 				}
 				if !reflect.DeepEqual(got, expected) {
-					t.Errorf("BootstrapServerWithMTLS() = %v, want %v", got, expected)
+					t.Errorf("BootstrapServer() = %v, want %v", got, expected)
 				}
 				if got.TLSConfig == nil || got.TLSConfig.ClientCAs == nil || got.TLSConfig.RootCAs == nil || got.TLSConfig.GetCertificate == nil || got.TLSConfig.GetClientCertificate == nil {
-					t.Errorf("BootstrapServerWithMTLS() invalid TLSConfig = %#v", got.TLSConfig)
+					t.Errorf("BootstrapServer() invalid TLSConfig = %#v", got.TLSConfig)
 				}
 			}
 		})

ca/tls.go

@@ -20,7 +20,7 @@ import (
 // GetClientTLSConfig returns a tls.Config for client use configured with the
 // sign certificate, and a new certificate pool with the sign root certificate.
 // The client certificate will automatically rotate before expiring.
-func (c *Client) GetClientTLSConfig(ctx context.Context, sign *api.SignResponse, pk crypto.PrivateKey) (*tls.Config, error) {
+func (c *Client) GetClientTLSConfig(ctx context.Context, sign *api.SignResponse, pk crypto.PrivateKey, options ...TLSOption) (*tls.Config, error) {
 	cert, err := TLSCertificate(sign, pk)
 	if err != nil {
 		return nil, err
@@ -36,10 +36,15 @@ func (c *Client) GetClientTLSConfig(ctx context.Context, sign *api.SignResponse,
 	tlsConfig.GetClientCertificate = renewer.GetClientCertificate
 	tlsConfig.PreferServerCipherSuites = true
 	// Build RootCAs with given root certificate
-	if pool := c.getCertPool(sign); pool != nil {
+	if pool := getCertPool(sign); pool != nil {
 		tlsConfig.RootCAs = pool
 	}
 
+	// Apply options if given
+	if err := setTLSOptions(tlsConfig, options); err != nil {
+		return nil, err
+	}
+
 	// Update renew function with transport
 	tr, err := getDefaultTransport(tlsConfig)
 	if err != nil {
@@ -56,7 +61,7 @@ func (c *Client) GetClientTLSConfig(ctx context.Context, sign *api.SignResponse,
 // sign certificate, and a new certificate pool with the sign root certificate.
 // The returned tls.Config will only verify the client certificate if provided.
 // The server certificate will automatically rotate before expiring.
-func (c *Client) GetServerTLSConfig(ctx context.Context, sign *api.SignResponse, pk crypto.PrivateKey) (*tls.Config, error) {
+func (c *Client) GetServerTLSConfig(ctx context.Context, sign *api.SignResponse, pk crypto.PrivateKey, options ...TLSOption) (*tls.Config, error) {
 	cert, err := TLSCertificate(sign, pk)
 	if err != nil {
 		return nil, err
@@ -74,13 +79,18 @@ func (c *Client) GetServerTLSConfig(ctx context.Context, sign *api.SignResponse,
 	tlsConfig.GetClientCertificate = renewer.GetClientCertificate
 	tlsConfig.PreferServerCipherSuites = true
 	// Build RootCAs with given root certificate
-	if pool := c.getCertPool(sign); pool != nil {
+	if pool := getCertPool(sign); pool != nil {
 		tlsConfig.ClientCAs = pool
-		tlsConfig.ClientAuth = tls.VerifyClientCertIfGiven
+		tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
 		// Add RootCAs for refresh client
 		tlsConfig.RootCAs = pool
 	}
 
+	// Apply options if given
+	if err := setTLSOptions(tlsConfig, options); err != nil {
+		return nil, err
+	}
+
 	// Update renew function with transport
 	tr, err := getDefaultTransport(tlsConfig)
 	if err != nil {
@@ -93,44 +103,15 @@ func (c *Client) GetServerTLSConfig(ctx context.Context, sign *api.SignResponse,
 	return tlsConfig, nil
 }
 
-// GetServerMutualTLSConfig returns a tls.Config for server use configured with
-// the sign certificate, and a new certificate pool with the sign root certificate.
-// The returned tls.Config will always require and verify a client certificate.
-// The server certificate will automatically rotate before expiring.
-func (c *Client) GetServerMutualTLSConfig(ctx context.Context, sign *api.SignResponse, pk crypto.PrivateKey) (*tls.Config, error) {
-	tlsConfig, err := c.GetServerTLSConfig(ctx, sign, pk)
-	if err != nil {
-		return nil, err
-	}
-	tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
-	return tlsConfig, nil
-}
-
 // Transport returns an http.Transport configured to use the client certificate from the sign response.
-func (c *Client) Transport(ctx context.Context, sign *api.SignResponse, pk crypto.PrivateKey) (*http.Transport, error) {
-	tlsConfig, err := c.GetClientTLSConfig(ctx, sign, pk)
+func (c *Client) Transport(ctx context.Context, sign *api.SignResponse, pk crypto.PrivateKey, options ...TLSOption) (*http.Transport, error) {
+	tlsConfig, err := c.GetClientTLSConfig(ctx, sign, pk, options...)
 	if err != nil {
 		return nil, err
 	}
 	return getDefaultTransport(tlsConfig)
 }
 
-// getCertPool returns the transport x509.CertPool or the one from the sign
-// request.
-func (c *Client) getCertPool(sign *api.SignResponse) *x509.CertPool {
-	// Return the transport certPool
-	if c.certPool != nil {
-		return c.certPool
-	}
-	// Return certificate used in sign request.
-	if root, err := RootCertificate(sign); err == nil {
-		pool := x509.NewCertPool()
-		pool.AddCert(root)
-		return pool
-	}
-	return nil
-}
-
 // Certificate returns the server or client certificate from the sign response.
 func Certificate(sign *api.SignResponse) (*x509.Certificate, error) {
 	if sign.ServerPEM.Certificate == nil {
@@ -189,6 +170,17 @@ func TLSCertificate(sign *api.SignResponse, pk crypto.PrivateKey) (*tls.Certific
 	return &cert, nil
 }
 
+// getCertPool returns the transport x509.CertPool or the one from the sign
+// request.
+func getCertPool(sign *api.SignResponse) *x509.CertPool {
+	if root, err := RootCertificate(sign); err == nil {
+		pool := x509.NewCertPool()
+		pool.AddCert(root)
+		return pool
+	}
+	return nil
+}
+
 func getDefaultTLSConfig(sign *api.SignResponse) *tls.Config {
 	if sign.TLSOptions != nil {
 		return sign.TLSOptions.TLSConfig()

ca/tls_options.go

@@ -0,0 +1,64 @@
+package ca
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+)
+
+// TLSOption defines the type of a function that modifies a tls.Config.
+type TLSOption func(c *tls.Config) error
+
+// setTLSOptions takes one or more option function and applies them in order to
+// a tls.Config.
+func setTLSOptions(c *tls.Config, options []TLSOption) error {
+	for _, opt := range options {
+		if err := opt(c); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// RequireAndVerifyClientCert is a tls.Config option used on servers to enforce
+// a valid TLS client certificate. This is the default option for mTLS servers.
+func RequireAndVerifyClientCert() TLSOption {
+	return func(c *tls.Config) error {
+		c.ClientAuth = tls.RequireAndVerifyClientCert
+		return nil
+	}
+}
+
+// VerifyClientCertIfGiven is a tls.Config option used on on servers to validate
+// a TLS client certificate if it is provided. It does not requires a certificate.
+func VerifyClientCertIfGiven() TLSOption {
+	return func(c *tls.Config) error {
+		c.ClientAuth = tls.VerifyClientCertIfGiven
+		return nil
+	}
+}
+
+// AddRootCA adds to the tls.Config RootCAs the given certificate. RootCAs
+// defines the set of root certificate authorities that clients use when
+// verifying server certificates.
+func AddRootCA(cert *x509.Certificate) TLSOption {
+	return func(c *tls.Config) error {
+		if c.RootCAs == nil {
+			c.RootCAs = x509.NewCertPool()
+		}
+		c.RootCAs.AddCert(cert)
+		return nil
+	}
+}
+
+// AddClientCA adds to the tls.Config ClientCAs the given certificate. ClientCAs
+// defines the set of root certificate authorities that servers use if required
+// to verify a client certificate by the policy in ClientAuth.
+func AddClientCA(cert *x509.Certificate) TLSOption {
+	return func(c *tls.Config) error {
+		if c.ClientCAs == nil {
+			c.ClientCAs = x509.NewCertPool()
+		}
+		c.ClientCAs.AddCert(cert)
+		return nil
+	}
+}