pkg/serverconfigs/sslconfigs/ssl_policy.go

package sslconfigs

import (
	"crypto/tls"
	"crypto/x509"
	"github.com/TeaOSLab/EdgeCommon/pkg/configutils"
	"golang.org/x/net/http2"
)

// TLSVersion TLS Version
type TLSVersion = string

// TLSCipherSuite Cipher Suites
type TLSCipherSuite = string

// SSLPolicy SSL配置
type SSLPolicy struct {
	Id   int64 `yaml:"id" json:"id"`     // ID
	IsOn bool  `yaml:"isOn" json:"isOn"` // 是否开启

	CertRefs       []*SSLCertRef     `yaml:"certRefs" json:"certRefs"`
	Certs          []*SSLCertConfig  `yaml:"certs" json:"certs"`
	ClientAuthType SSLClientAuthType `yaml:"clientAuthType" json:"clientAuthType"` // 客户端认证类型
	ClientCARefs   []*SSLCertRef     `yaml:"clientCARefs" json:"clientCARefs"`     // 客户端认证CA证书引用
	ClientCACerts  []*SSLCertConfig  `yaml:"clientCACerts" json:"clientCACerts"`   // 客户端认证CA

	MinVersion       TLSVersion       `yaml:"minVersion" json:"minVersion"`             // 支持的最小版本
	CipherSuitesIsOn bool             `yaml:"cipherSuitesIsOn" json:"cipherSuitesIsOn"` // 是否自定义加密算法套件
	CipherSuites     []TLSCipherSuite `yaml:"cipherSuites" json:"cipherSuites"`         // 加密算法套件

	HSTS         *HSTSConfig `yaml:"hsts" json:"hsts"`                 // HSTS配置
	HTTP2Enabled bool        `yaml:"http2Enabled" json:"http2Enabled"` // 是否启用HTTP2

	nameMapping map[string]*tls.Certificate // dnsName => cert

	minVersion   uint16
	cipherSuites []uint16

	clientCAPool *x509.CertPool

	tlsConfig *tls.Config
}

// Init 校验配置
func (this *SSLPolicy) Init() error {
	this.nameMapping = map[string]*tls.Certificate{}

	// certs
	var certs = []tls.Certificate{}
	for _, cert := range this.Certs {
		err := cert.Init()
		if err != nil {
			return err
		}
		certs = append(certs, *cert.CertObject())
		for _, dnsName := range cert.DNSNames {
			this.nameMapping[dnsName] = cert.CertObject()
		}
	}

	// CA certs
	for _, cert := range this.ClientCACerts {
		err := cert.Init()
		if err != nil {
			return err
		}
		certs = append(certs, *cert.CertObject())
		for _, dnsName := range cert.DNSNames {
			this.nameMapping[dnsName] = cert.CertObject()
		}
	}

	// min version
	this.convertMinVersion()

	// cipher suite categories
	this.initCipherSuites()

	// hsts
	if this.HSTS != nil {
		err := this.HSTS.Init()
		if err != nil {
			return err
		}
	}

	// tls config
	this.tlsConfig = &tls.Config{}
	cipherSuites := this.TLSCipherSuites()
	if !this.CipherSuitesIsOn || len(cipherSuites) == 0 {
		cipherSuites = nil
	}

	nextProto := []string{}
	if this.HTTP2Enabled {
		nextProto = []string{http2.NextProtoTLS}
	}
	this.tlsConfig = &tls.Config{
		Certificates:   certs,
		MinVersion:     this.TLSMinVersion(),
		CipherSuites:   cipherSuites,
		GetCertificate: nil,
		ClientAuth:     GoSSLClientAuthType(this.ClientAuthType),
		ClientCAs:      this.CAPool(),
		NextProtos:     nextProto,
	}

	return nil
}

// TLSMinVersion 取得最小版本
func (this *SSLPolicy) TLSMinVersion() uint16 {
	return this.minVersion
}

// TLSCipherSuites 套件
func (this *SSLPolicy) TLSCipherSuites() []uint16 {
	return this.cipherSuites
}

// MatchDomain 校验是否匹配某个域名
func (this *SSLPolicy) MatchDomain(domain string) (cert *tls.Certificate, ok bool) {
	cert, ok = this.nameMapping[domain]
	if ok {
		return
	}

	for name, cert := range this.nameMapping {
		if configutils.MatchDomain(name, domain) {
			return cert, true
		}
	}
	return nil, false
}

// FirstCert 取得第一个证书
func (this *SSLPolicy) FirstCert() *tls.Certificate {
	for _, cert := range this.Certs {
		return cert.CertObject()
	}
	return nil
}

// CAPool CA证书Pool，用于TLS对客户端进行认证
func (this *SSLPolicy) CAPool() *x509.CertPool {
	return this.clientCAPool
}

func (this *SSLPolicy) TLSConfig() *tls.Config {
	return this.tlsConfig
}
-												实现证书管理

											
										
										
											2020-09-30 17:46:33 +08:00
+								package sslconfigs
 								import (
 									"crypto/tls"
 									"crypto/x509"
-												优化代码

											
										
										
											2021-12-13 14:58:45 +08:00
+									"github.com/TeaOSLab/EdgeCommon/pkg/configutils"
 									"golang.org/x/net/http2"
-												实现证书管理

											
										
										
											2020-09-30 17:46:33 +08:00
+								)
-												优化代码

											
										
										
											2021-12-13 14:58:45 +08:00
+								// TLSVersion TLS Version
-												实现证书管理

											
										
										
											2020-09-30 17:46:33 +08:00
+								type TLSVersion = string
-												优化代码

											
										
										
											2021-12-13 14:58:45 +08:00
+								// TLSCipherSuite Cipher Suites
-												实现证书管理

											
										
										
											2020-09-30 17:46:33 +08:00
+								type TLSCipherSuite = string
-												优化代码

											
										
										
											2021-12-13 14:58:45 +08:00
+								// SSLPolicy SSL配置
-												实现证书管理

											
										
										
											2020-09-30 17:46:33 +08:00
+								type SSLPolicy struct {
 									Id   int64 `yaml:"id" json:"id"`     // ID
 									IsOn bool  `yaml:"isOn" json:"isOn"` // 是否开启
 									CertRefs       []*SSLCertRef     `yaml:"certRefs" json:"certRefs"`
 									Certs          []*SSLCertConfig  `yaml:"certs" json:"certs"`
 									ClientAuthType SSLClientAuthType `yaml:"clientAuthType" json:"clientAuthType"` // 客户端认证类型
-												实现HTTPS配置

											
										
										
											2020-10-01 16:01:28 +08:00
+									ClientCARefs   []*SSLCertRef     `yaml:"clientCARefs" json:"clientCARefs"`     // 客户端认证CA证书引用
 									ClientCACerts  []*SSLCertConfig  `yaml:"clientCACerts" json:"clientCACerts"`   // 客户端认证CA
-												实现证书管理

											
										
										
											2020-09-30 17:46:33 +08:00
-												实现HTTPS配置

											
										
										
											2020-10-01 16:01:28 +08:00
+									MinVersion       TLSVersion       `yaml:"minVersion" json:"minVersion"`             // 支持的最小版本
 									CipherSuitesIsOn bool             `yaml:"cipherSuitesIsOn" json:"cipherSuitesIsOn"` // 是否自定义加密算法套件
 									CipherSuites     []TLSCipherSuite `yaml:"cipherSuites" json:"cipherSuites"`         // 加密算法套件
-												实现证书管理

											
										
										
											2020-09-30 17:46:33 +08:00
-												实现HTTPS配置

											
										
										
											2020-10-01 16:01:28 +08:00
+									HSTS         *HSTSConfig `yaml:"hsts" json:"hsts"`                 // HSTS配置
-												实现证书管理

											
										
										
											2020-09-30 17:46:33 +08:00
+									HTTP2Enabled bool        `yaml:"http2Enabled" json:"http2Enabled"` // 是否启用HTTP2
 									nameMapping map[string]*tls.Certificate // dnsName => cert
 									minVersion   uint16
 									cipherSuites []uint16
 									clientCAPool *x509.CertPool
-												优化代码

											
										
										
											2021-12-13 14:58:45 +08:00
 									tlsConfig *tls.Config
-												实现证书管理

											
										
										
											2020-09-30 17:46:33 +08:00
+								}
-												优化代码

											
										
										
											2021-12-13 14:58:45 +08:00
+								// Init 校验配置
-												实现证书管理

											
										
										
											2020-09-30 17:46:33 +08:00
+								func (this *SSLPolicy) Init() error {
-												优化代码

											
										
										
											2021-12-13 14:58:45 +08:00
+									this.nameMapping = map[string]*tls.Certificate{}
-												实现HTTPS配置

											
										
										
											2020-10-01 16:01:28 +08:00
+									// certs
-												优化代码

											
										
										
											2021-12-13 14:58:45 +08:00
+									var certs = []tls.Certificate{}
-												实现HTTPS配置

											
										
										
											2020-10-01 16:01:28 +08:00
+									for _, cert := range this.Certs {
 										err := cert.Init()
 										if err != nil {
 											return err
 										}
-												优化代码

											
										
										
											2021-12-13 14:58:45 +08:00
+										certs = append(certs, *cert.CertObject())
 										for _, dnsName := range cert.DNSNames {
 											this.nameMapping[dnsName] = cert.CertObject()
 										}
-												实现证书管理

											
										
										
											2020-09-30 17:46:33 +08:00
+									}
-												实现HTTPS配置

											
										
										
											2020-10-01 16:01:28 +08:00
+									// CA certs
 									for _, cert := range this.ClientCACerts {
-												实现证书管理

											
										
										
											2020-09-30 17:46:33 +08:00
+										err := cert.Init()
 										if err != nil {
 											return err
 										}
-												优化代码

											
										
										
											2021-12-13 14:58:45 +08:00
+										certs = append(certs, *cert.CertObject())
 										for _, dnsName := range cert.DNSNames {
 											this.nameMapping[dnsName] = cert.CertObject()
 										}
-												实现证书管理

											
										
										
											2020-09-30 17:46:33 +08:00
+									}
 									// min version
 									this.convertMinVersion()
 									// cipher suite categories
 									this.initCipherSuites()
 									// hsts
 									if this.HSTS != nil {
 										err := this.HSTS.Init()
 										if err != nil {
 											return err
 										}
 									}
-												优化代码

											
										
										
											2021-12-13 14:58:45 +08:00
+									// tls config
 									this.tlsConfig = &tls.Config{}
 									cipherSuites := this.TLSCipherSuites()
 									if !this.CipherSuitesIsOn || len(cipherSuites) == 0 {
 										cipherSuites = nil
 									}
 									nextProto := []string{}
 									if this.HTTP2Enabled {
 										nextProto = []string{http2.NextProtoTLS}
 									}
 									this.tlsConfig = &tls.Config{
 										Certificates:   certs,
 										MinVersion:     this.TLSMinVersion(),
 										CipherSuites:   cipherSuites,
 										GetCertificate: nil,
 										ClientAuth:     GoSSLClientAuthType(this.ClientAuthType),
 										ClientCAs:      this.CAPool(),
 										NextProtos:     nextProto,
 									}
-												实现证书管理

											
										
										
											2020-09-30 17:46:33 +08:00
+									return nil
 								}
-												优化代码

											
										
										
											2021-12-13 14:58:45 +08:00
+								// TLSMinVersion 取得最小版本
-												实现证书管理

											
										
										
											2020-09-30 17:46:33 +08:00
+								func (this *SSLPolicy) TLSMinVersion() uint16 {
 									return this.minVersion
 								}
-												优化代码

											
										
										
											2021-12-13 14:58:45 +08:00
+								// TLSCipherSuites 套件
-												实现证书管理

											
										
										
											2020-09-30 17:46:33 +08:00
+								func (this *SSLPolicy) TLSCipherSuites() []uint16 {
 									return this.cipherSuites
 								}
-												优化代码

											
										
										
											2021-12-13 14:58:45 +08:00
+								// MatchDomain 校验是否匹配某个域名
-												实现证书管理

											
										
										
											2020-09-30 17:46:33 +08:00
+								func (this *SSLPolicy) MatchDomain(domain string) (cert *tls.Certificate, ok bool) {
-												优化代码

											
										
										
											2021-12-13 14:58:45 +08:00
+									cert, ok = this.nameMapping[domain]
 									if ok {
 										return
 									}
 									for name, cert := range this.nameMapping {
 										if configutils.MatchDomain(name, domain) {
 											return cert, true
-												实现证书管理

											
										
										
											2020-09-30 17:46:33 +08:00
+										}
 									}
 									return nil, false
 								}
-												优化代码

											
										
										
											2021-12-13 14:58:45 +08:00
+								// FirstCert 取得第一个证书
-												实现证书管理

											
										
										
											2020-09-30 17:46:33 +08:00
+								func (this *SSLPolicy) FirstCert() *tls.Certificate {
 									for _, cert := range this.Certs {
 										return cert.CertObject()
 									}
 									return nil
 								}
-												优化代码

											
										
										
											2021-12-13 14:58:45 +08:00
+								// CAPool CA证书Pool，用于TLS对客户端进行认证
-												实现证书管理

											
										
										
											2020-09-30 17:46:33 +08:00
+								func (this *SSLPolicy) CAPool() *x509.CertPool {
 									return this.clientCAPool
 								}
-												优化代码

											
										
										
											2021-12-13 14:58:45 +08:00
 								func (this *SSLPolicy) TLSConfig() *tls.Config {
 									return this.tlsConfig
 								}