Add WithTLSServerCurvePreferences, WithTLSServerCipherSuites and WithTLSServerVerifyPeerCertificate TLSServerConfigOption

everesio · everesio · commit 18a7c5629754 · 2025-02-02T22:21:11.000+01:00
diff --git a/go.mod b/go.mod
@@ -2,7 +2,7 @@ module github.com/grepplabs/cert-source
 
 go 1.21
 
-require github.com/stretchr/testify v1.8.4
+require github.com/stretchr/testify v1.10.0
 
 require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
diff --git a/go.sum b/go.sum
@@ -2,8 +2,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
diff --git a/tls/server/config/config_test.go b/tls/server/config/config_test.go
@@ -2,6 +2,8 @@ package config
 
 import (
 	"crypto/tls"
+	"crypto/x509"
+	"errors"
 	"log/slog"
 	"testing"
 
@@ -24,11 +26,188 @@ func TestGetServerTLSConfig(t *testing.T) {
 			ClientCAs: bundle.CACert.Name(),
 			ClientCRL: bundle.ClientCRL.Name(),
 		},
-	}, tlsserver.WithTLSServerNextProtos([]string{"h2"}))
+	})
 	require.NoError(t, err)
 	require.NotNil(t, tlsConfig.ClientCAs)
 	require.Equal(t, tlsConfig.ClientAuth, tls.RequireAndVerifyClientCert)
 	require.NotEmpty(t, tlsConfig.Certificates)
+	// clientCRL verification
 	require.NotNil(t, tlsConfig.VerifyPeerCertificate)
+	require.Nil(t, tlsConfig.NextProtos)
+	require.Nil(t, tlsConfig.CipherSuites)
+	require.Nil(t, tlsConfig.CurvePreferences)
+}
+
+func TestGetServerTLSOptionsConfig(t *testing.T) {
+	bundle := testutil.NewCertsBundle()
+	defer bundle.Close()
+
+	tlsConfig, err := GetServerTLSConfig(slog.Default(), &config.TLSServerConfig{
+		Enable:  true,
+		Refresh: 0,
+		File: config.TLSServerFiles{
+			Key:  bundle.ServerKey.Name(),
+			Cert: bundle.ServerCert.Name(),
+		},
+	}, tlsserver.WithTLSServerNextProtos([]string{"h2"}),
+		tlsserver.WithTLSServerCipherSuites([]uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}),
+		tlsserver.WithTLSServerCurvePreferences([]tls.CurveID{tls.CurveP256, tls.CurveP384}),
+	)
+	require.NoError(t, err)
+	require.Nil(t, tlsConfig.ClientCAs)
+	require.Equal(t, tlsConfig.ClientAuth, tls.NoClientCert)
+	require.NotEmpty(t, tlsConfig.Certificates)
+	require.Nil(t, tlsConfig.VerifyPeerCertificate)
 	require.Equal(t, tlsConfig.NextProtos, []string{"h2"})
+	require.Equal(t, tlsConfig.CipherSuites, []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256})
+	require.Equal(t, tlsConfig.CurvePreferences, []tls.CurveID{tls.CurveP256, tls.CurveP384})
+}
+
+func TestGetServerTLSVerifyPeerCertificateConfig(t *testing.T) {
+	bundle := testutil.NewCertsBundle()
+	defer bundle.Close()
+
+	tests := []struct {
+		name        string
+		clientCAs   string
+		verifyFuncs []tlsserver.VerifyPeerCertificateFunc
+		verifyError error
+	}{
+		{
+			name: "no peer verification",
+		},
+		{
+			name:        "default client CA/CLR verification",
+			clientCAs:   bundle.CACert.Name(),
+			verifyError: nil, // CRLs are not set, verification is successful
+		},
+		{
+			name:      "client CA/CLR verify success, second verify success",
+			clientCAs: bundle.CACert.Name(),
+			verifyFuncs: []tlsserver.VerifyPeerCertificateFunc{
+				func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+					return nil
+				},
+			},
+		},
+		{
+			name:      "client CA/CLR verify success, third verify success",
+			clientCAs: bundle.CACert.Name(),
+			verifyFuncs: []tlsserver.VerifyPeerCertificateFunc{
+				func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+					return nil
+				},
+				func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+					return nil
+				},
+			},
+		},
+		{
+			name:      "client CA/CLR verify success, third verify failure",
+			clientCAs: bundle.CACert.Name(),
+			verifyFuncs: []tlsserver.VerifyPeerCertificateFunc{
+				func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+					return nil
+				},
+				func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+					return errors.New("3 function failed")
+				},
+			},
+			verifyError: errors.New("3 function failed"),
+		},
+		{
+			name:      "client CA/CLR verify success, second verify failure",
+			clientCAs: bundle.CACert.Name(),
+			verifyFuncs: []tlsserver.VerifyPeerCertificateFunc{
+				func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+					return errors.New("2 function failed")
+				},
+				func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+					return errors.New("3 function would also fail")
+				},
+			},
+			verifyError: errors.New("2 function failed"),
+		},
+		{
+			name: "first verify success",
+			verifyFuncs: []tlsserver.VerifyPeerCertificateFunc{
+				func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+					return nil
+				},
+			},
+		},
+		{
+			name: "second verify success",
+			verifyFuncs: []tlsserver.VerifyPeerCertificateFunc{
+				func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+					return nil
+				},
+				func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+					return nil
+				},
+			},
+		},
+		{
+			name: "second verify failure",
+			verifyFuncs: []tlsserver.VerifyPeerCertificateFunc{
+				func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+					return nil
+				},
+				func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+					return errors.New("2 function failed")
+				},
+			},
+			verifyError: errors.New("2 function failed"),
+		},
+		{
+			name: "first verify failure",
+			verifyFuncs: []tlsserver.VerifyPeerCertificateFunc{
+				func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+					return errors.New("1 function failed")
+				},
+				func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+					return errors.New("2 function would also fail")
+				},
+			},
+			verifyError: errors.New("1 function failed"),
+		},
+		{
+			name: "unset verify function",
+			verifyFuncs: []tlsserver.VerifyPeerCertificateFunc{
+				func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+					return errors.New("1 function failed")
+				},
+				nil, // unset chain of verify functions
+				func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+					return nil
+				},
+			},
+		},
+	}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+
+			opts := make([]tlsserver.TLSServerConfigOption, 0, len(tc.verifyFuncs))
+			for _, f := range tc.verifyFuncs {
+				opts = append(opts, tlsserver.WithTLSServerVerifyPeerCertificate(f))
+			}
+			tlsConfig, err := GetServerTLSConfig(slog.Default(), &config.TLSServerConfig{
+				Enable:  true,
+				Refresh: 0,
+				File: config.TLSServerFiles{
+					Key:       bundle.ServerKey.Name(),
+					Cert:      bundle.ServerCert.Name(),
+					ClientCAs: tc.clientCAs,
+				},
+			}, opts...)
+			require.NoError(t, err)
+			if tc.clientCAs == "" && len(tc.verifyFuncs) == 0 {
+				require.Nil(t, tlsConfig.VerifyPeerCertificate)
+			} else {
+				require.NotNil(t, tlsConfig.VerifyPeerCertificate)
+				err = tlsConfig.VerifyPeerCertificate(nil, nil)
+				require.Equal(t, tc.verifyError, err)
+			}
+		})
+	}
 }
diff --git a/tls/server/option.go b/tls/server/option.go
@@ -1,6 +1,9 @@
 package tlsserver
 
-import "crypto/tls"
+import (
+	"crypto/tls"
+	"crypto/x509"
+)
 
 type TLSServerConfigOption func(*tls.Config)
 
@@ -9,3 +12,48 @@ func WithTLSServerNextProtos(nextProto []string) TLSServerConfigOption {
 		c.NextProtos = nextProto
 	}
 }
+
+func WithTLSServerCurvePreferences(curvePreferences []tls.CurveID) TLSServerConfigOption {
+	return func(c *tls.Config) {
+		if len(curvePreferences) != 0 {
+			c.CurvePreferences = curvePreferences
+		} else {
+			c.CurvePreferences = nil
+		}
+	}
+}
+
+func WithTLSServerCipherSuites(cipherSuites []uint16) TLSServerConfigOption {
+	return func(c *tls.Config) {
+		if len(cipherSuites) != 0 {
+			c.CipherSuites = cipherSuites
+		} else {
+			c.CipherSuites = nil
+		}
+	}
+}
+
+type VerifyPeerCertificateFunc func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error
+
+// WithTLSServerVerifyPeerCertificate sets or chains a custom VerifyPeerCertificate function on a *tls.Config.
+// If a nil function is provided, it unsets the certificate verification function (including the standard verification).
+// If an existing verification function is present, the new function is chained so that it is invoked only if the existing one succeeds.
+func WithTLSServerVerifyPeerCertificate(verifyFunc VerifyPeerCertificateFunc) TLSServerConfigOption {
+	return func(c *tls.Config) {
+		if verifyFunc == nil {
+			c.VerifyPeerCertificate = nil
+			return
+		}
+		prevFunc := c.VerifyPeerCertificate
+		if prevFunc == nil {
+			c.VerifyPeerCertificate = verifyFunc
+		} else {
+			c.VerifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+				if err := prevFunc(rawCerts, verifiedChains); err != nil {
+					return err
+				}
+				return verifyFunc(rawCerts, verifiedChains)
+			}
+		}
+	}
+}
