2019-11-13 13:59:13 +01:00
|
|
|
package cert
|
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto/tls"
|
|
|
|
"crypto/x509"
|
|
|
|
)
|
|
|
|
|
|
|
|
var (
|
|
|
|
/*
|
|
|
|
* tlsCipherSuites is the list of cipher suites we accept for TLS
|
|
|
|
* connections. These cipher suites fit the following criteria:
|
|
|
|
* - Don't use outdated algorithms like SHA-1 and 3DES
|
|
|
|
* - Don't use ECB mode or other insecure symmetric methods
|
|
|
|
* - Included in the TLS v1.2 suite
|
|
|
|
* - Are available in the Go 1.7.6 standard library (more are
|
|
|
|
* available in 1.8.3 and will be added after lnd no longer
|
|
|
|
* supports 1.7, including suites that support CBC mode)
|
|
|
|
**/
|
|
|
|
tlsCipherSuites = []uint16{
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
|
|
|
}
|
|
|
|
)
|
|
|
|
|
2019-11-13 14:03:10 +01:00
|
|
|
// LoadCert loads a certificate and its corresponding private key from the PEM
|
2019-11-13 13:59:13 +01:00
|
|
|
// files indicated and returns the certificate in the two formats it is most
|
|
|
|
// commonly used.
|
2019-11-13 14:03:10 +01:00
|
|
|
func LoadCert(certPath, keyPath string) (tls.Certificate, *x509.Certificate,
|
2019-11-13 13:59:13 +01:00
|
|
|
error) {
|
|
|
|
|
|
|
|
// The certData returned here is just a wrapper around the PEM blocks
|
|
|
|
// loaded from the file. The PEM is not yet fully parsed but a basic
|
|
|
|
// check is performed that the certificate and private key actually
|
|
|
|
// belong together.
|
|
|
|
certData, err := tls.LoadX509KeyPair(certPath, keyPath)
|
|
|
|
if err != nil {
|
|
|
|
return tls.Certificate{}, nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// Now parse the the PEM block of the certificate into its x509 data
|
|
|
|
// structure so it can be examined in more detail.
|
|
|
|
x509Cert, err := x509.ParseCertificate(certData.Certificate[0])
|
|
|
|
if err != nil {
|
|
|
|
return tls.Certificate{}, nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return certData, x509Cert, nil
|
|
|
|
}
|
|
|
|
|
2019-11-13 14:03:10 +01:00
|
|
|
// TLSConfFromCert returns the default TLS configuration used for a server,
|
2019-11-13 13:59:13 +01:00
|
|
|
// using the given certificate as identity.
|
2019-11-13 14:03:10 +01:00
|
|
|
func TLSConfFromCert(certData tls.Certificate) *tls.Config {
|
2019-11-13 13:59:13 +01:00
|
|
|
return &tls.Config{
|
|
|
|
Certificates: []tls.Certificate{certData},
|
|
|
|
CipherSuites: tlsCipherSuites,
|
|
|
|
MinVersion: tls.VersionTLS12,
|
|
|
|
}
|
|
|
|
}
|