feat(tls): rewrite tls feature
This commit is contained in:
parent
82c018a2f6
commit
6a2ec4b52b
3
Makefile
3
Makefile
@ -8,6 +8,9 @@ VERSION := 0.3.8
|
||||||
PROMETHEUS_TAG := github.com/prometheus/common/version
|
PROMETHEUS_TAG := github.com/prometheus/common/version
|
||||||
KVM_PKG_NAME := github.com/jetkvm/kvm
|
KVM_PKG_NAME := github.com/jetkvm/kvm
|
||||||
|
|
||||||
|
PROMETHEUS_TAG := github.com/prometheus/common/version
|
||||||
|
KVM_PKG_NAME := github.com/jetkvm/kvm
|
||||||
|
|
||||||
GO_LDFLAGS := \
|
GO_LDFLAGS := \
|
||||||
-s -w \
|
-s -w \
|
||||||
-X $(PROMETHEUS_TAG).Branch=$(BRANCH) \
|
-X $(PROMETHEUS_TAG).Branch=$(BRANCH) \
|
||||||
|
|
|
@ -144,6 +144,51 @@ func (s *CertStore) ValidateAndSaveCertificate(hostname string, cert string, key
|
||||||
return nil, nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// GetCertificate returns the certificate for the given hostname
|
||||||
|
// returns nil if the certificate is not found
|
||||||
|
func (s *CertStore) GetCertificate(hostname string) *tls.Certificate {
|
||||||
|
s.certLock.Lock()
|
||||||
|
defer s.certLock.Unlock()
|
||||||
|
|
||||||
|
return s.certificates[hostname]
|
||||||
|
}
|
||||||
|
|
||||||
|
// ValidateAndSaveCertificate validates the certificate and saves it to the store
|
||||||
|
// returns are:
|
||||||
|
// - error: if the certificate is invalid or if there's any error during saving the certificate
|
||||||
|
// - error: if there's any warning or error during saving the certificate
|
||||||
|
func (s *CertStore) ValidateAndSaveCertificate(hostname string, cert string, key string, ignoreWarning bool) (error, error) {
|
||||||
|
tlsCert, err := tls.X509KeyPair([]byte(cert), []byte(key))
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("Failed to parse certificate: %w", err), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// this can be skipped as current implementation supports one custom certificate only
|
||||||
|
if tlsCert.Leaf != nil {
|
||||||
|
// add recover to avoid panic
|
||||||
|
defer func() {
|
||||||
|
if r := recover(); r != nil {
|
||||||
|
s.log.Errorf("Failed to verify hostname: %v", r)
|
||||||
|
}
|
||||||
|
}()
|
||||||
|
|
||||||
|
if err = tlsCert.Leaf.VerifyHostname(hostname); err != nil {
|
||||||
|
if !ignoreWarning {
|
||||||
|
return nil, fmt.Errorf("Certificate does not match hostname: %w", err)
|
||||||
|
}
|
||||||
|
s.log.Warnf("Certificate does not match hostname: %v", err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
s.certLock.Lock()
|
||||||
|
s.certificates[hostname] = &tlsCert
|
||||||
|
s.certLock.Unlock()
|
||||||
|
|
||||||
|
s.saveCertificate(hostname)
|
||||||
|
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
|
|
||||||
func (s *CertStore) saveCertificate(hostname string) {
|
func (s *CertStore) saveCertificate(hostname string) {
|
||||||
// check if certificate already exists
|
// check if certificate already exists
|
||||||
tlsCert := s.certificates[hostname]
|
tlsCert := s.certificates[hostname]
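Review bot: The hostname check in the new ValidateAndSaveCertificate is guarded by `if tlsCert.Leaf != nil`, but tls.X509KeyPair only populates Leaf from Go 1.23 onward, so unless go.mod requires at least that version the check and the `ignoreWarning` flag are silently skipped and any parseable pair is stored for the hostname. Parsing the leaf explicitly from `tlsCert.Certificate[0]` with crypto/x509 (which this file would need to import if it does not already) makes the validation run regardless of toolchain. The deferred recover registered inside that branch also converts a panic during verification into a `(nil, nil)` return, which the caller reads as success even though nothing was saved; with the leaf parsed explicitly VerifyHostname has no nil receiver to trip over and the recover can go. Go convention would also lowercase the error strings (`"parsing certificate: %w"`). saveCertificate, whose body continues outside the hunk, reads `s.certificates[hostname]` after the lock taken above has been released, which looks like an unguarded map read — worth confirming it is only ever called under the lock or holds it itself.
```go
	tlsCert, err := tls.X509KeyPair([]byte(cert), []byte(key))
	if err != nil {
		return fmt.Errorf("parsing certificate: %w", err), nil
	}

	// tls.X509KeyPair only sets Leaf on Go >= 1.23; parse it so the hostname check always runs.
	leaf := tlsCert.Leaf
	if leaf == nil {
		leaf, err = x509.ParseCertificate(tlsCert.Certificate[0])
		if err != nil {
			return fmt.Errorf("parsing leaf certificate: %w", err), nil
		}
	}

	if err = leaf.VerifyHostname(hostname); err != nil {
		// … unchanged: ignoreWarning handling and warning log …
	}
	// … unchanged: store under certLock, saveCertificate, return nil, nil …
```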