Use system cert pool

Add WithTLSServerCurvePreferences, WithTLSServerCipherSuites and WithTLSServerVerifyPeerCertificate TLSServerConfigOption
Decrypt RSA private key
GetClientCertificate cannot return nil cert in TLS 1.3

Author: everesio

config/config.go

@@ -5,9 +5,10 @@ import (
 )
 
 type TLSServerConfig struct {
-	Enable  bool           `help:"Enable server-side TLS."`
-	Refresh time.Duration  `default:"0s" help:"Interval for refreshing server TLS certificates."`
-	File    TLSServerFiles `embed:"" prefix:"file."`
+	Enable      bool           `help:"Enable server-side TLS."`
+	Refresh     time.Duration  `default:"0s" help:"Interval for refreshing server TLS certificates."`
+	File        TLSServerFiles `embed:"" prefix:"file."`
+	KeyPassword string         `help:"Optional password to decrypt RSA private key."`
 }
 
 type TLSServerFiles struct {
@@ -22,6 +23,7 @@ type TLSClientConfig struct {
 	Refresh            time.Duration  `default:"0s" help:"Interval for refreshing client TLS certificates."`
 	InsecureSkipVerify bool           `help:"Skip TLS verification on client side."`
 	File               TLSClientFiles `embed:"" prefix:"file."`
+	KeyPassword        string         `help:"Optional password to decrypt RSA private key."`
 }
 
 type TLSClientFiles struct {

go.mod

@@ -2,10 +2,14 @@ module github.com/grepplabs/cert-source
 
 go 1.21
 
-require github.com/stretchr/testify v1.8.4
+require (
+	github.com/stretchr/testify v1.10.0
+	github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78
+)
 
 require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
+	golang.org/x/crypto v0.32.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -2,8 +2,12 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 h1:ilQV1hzziu+LLM3zUTJ0trRztfwgjqKnBWNtSRkbmwM=
+github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78/go.mod h1:aL8wCCfTfSfmXjznFBSZNN13rSJjlIOI1fUNAtF7rmI=
+golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
+golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

internal/testutil/certs.go

@@ -1,6 +1,7 @@
 package testutil
 
 import (
+	"bytes"
 	"crypto"
 	"crypto/rand"
 	"crypto/rsa"
@@ -9,6 +10,7 @@ import (
 	"crypto/x509/pkix"
 	"encoding/pem"
 	"fmt"
+	"io"
 	"math/big"
 	mathrand "math/rand"
 	"net"
@@ -18,8 +20,11 @@ import (
 	"time"
 
 	tlsclient "github.com/grepplabs/cert-source/tls/client"
+	"github.com/grepplabs/cert-source/tls/keyutil"
 )
 
+const DefaultKeyPassword = "test123"
+
 func GenerateCRL(caX509Cert *x509.Certificate, caPrivateKey crypto.PrivateKey, certs []*x509.Certificate, crlFile *os.File) error {
 	revoked := make([]x509.RevocationListEntry, 0)
 	for _, cert := range certs {
@@ -193,25 +198,31 @@ type CertsBundle struct {
 	CATLSCert  *tls.Certificate
 	CAX509Cert *x509.Certificate
 
-	ServerCert     *os.File
-	ServerKey      *os.File
-	ServerTLSCert  *tls.Certificate
-	ServerX509Cert *x509.Certificate
+	ServerCert         *os.File
+	ServerKey          *os.File
+	ServerKeyPassword  string
+	ServerKeyEncrypted *os.File
+	ServerTLSCert      *tls.Certificate
+	ServerX509Cert     *x509.Certificate
 
-	ClientCert     *os.File
-	ClientKey      *os.File
-	ClientCRL      *os.File
-	ClientTLSCert  *tls.Certificate
-	ClientX509Cert *x509.Certificate
+	ClientCert         *os.File
+	ClientKey          *os.File
+	ClientKeyPassword  string
+	ClientKeyEncrypted *os.File
+	ClientCRL          *os.File
+	ClientTLSCert      *tls.Certificate
+	ClientX509Cert     *x509.Certificate
 }
 
 func (bundle *CertsBundle) Close() {
 	_ = os.Remove(bundle.CACert.Name())
 	_ = os.Remove(bundle.CAKey.Name())
 	_ = os.Remove(bundle.ServerCert.Name())
 	_ = os.Remove(bundle.ServerKey.Name())
+	_ = os.Remove(bundle.ServerKeyEncrypted.Name())
 	_ = os.Remove(bundle.ClientCert.Name())
 	_ = os.Remove(bundle.ClientKey.Name())
+	_ = os.Remove(bundle.ClientKeyEncrypted.Name())
 	_ = os.Remove(bundle.dirName)
 }
 
@@ -257,6 +268,12 @@ func NewCertsBundle() *CertsBundle {
 	}
 	defer closeFile(bundle.ServerKey)
 
+	bundle.ServerKeyEncrypted, err = os.CreateTemp(dirName, "server-key-encrypted-")
+	if err != nil {
+		panic(err)
+	}
+	defer closeFile(bundle.ServerKeyEncrypted)
+
 	bundle.ClientCert, err = os.CreateTemp(dirName, "client-cert-")
 	if err != nil {
 		panic(err)
@@ -269,6 +286,12 @@ func NewCertsBundle() *CertsBundle {
 	}
 	defer closeFile(bundle.ClientKey)
 
+	bundle.ClientKeyEncrypted, err = os.CreateTemp("", "client-key-encrypted-")
+	if err != nil {
+		panic(err)
+	}
+	defer closeFile(bundle.ClientKeyEncrypted)
+
 	bundle.ClientCRL, err = os.CreateTemp("", "client-crl-")
 	if err != nil {
 		panic(err)
@@ -284,10 +307,20 @@ func NewCertsBundle() *CertsBundle {
 	if err != nil {
 		panic(err)
 	}
+	if bundle.ServerKeyPassword == "" {
+		bundle.ServerKeyPassword = DefaultKeyPassword
+	}
+	writeEncryptedPrivate(bundle.ServerKey.Name(), bundle.ServerKeyEncrypted, bundle.ServerKeyPassword)
+
 	bundle.ClientTLSCert, bundle.ClientX509Cert, err = GenerateCert(bundle.CATLSCert, true, bundle.ClientCert, bundle.ClientKey)
 	if err != nil {
 		panic(err)
 	}
+	if bundle.ClientKeyPassword == "" {
+		bundle.ClientKeyPassword = DefaultKeyPassword
+	}
+	writeEncryptedPrivate(bundle.ClientKey.Name(), bundle.ClientKeyEncrypted, bundle.ClientKeyPassword)
+
 	// generate CRLs
 	err = GenerateCRL(bundle.CAX509Cert, bundle.CATLSCert.PrivateKey, []*x509.Certificate{}, bundle.CAEmptyCRL)
 	if err != nil {
@@ -300,6 +333,22 @@ func NewCertsBundle() *CertsBundle {
 	return bundle
 }
 
+func writeEncryptedPrivate(keyFilename string, encryptedFile *os.File, password string) {
+	keyData, err := os.ReadFile(keyFilename)
+	if err != nil {
+		panic(err)
+	}
+	encryptedKey, err := keyutil.EncryptPKCS8PrivateKeyPEM(keyData, password)
+	if err != nil {
+		panic(err)
+	}
+
+	_, err = io.Copy(encryptedFile, bytes.NewReader(encryptedKey))
+	if err != nil {
+		panic(err)
+	}
+}
+
 func closeFile(file *os.File) {
 	err := file.Close()
 	if err != nil {

tls/client/client.go

@@ -20,14 +20,22 @@ func NewTLSClientConfigFunc(logger *slog.Logger, src source.ClientCertsSource, o
 	if err != nil {
 		return nil, err
 	}
+	var getClientCertificateFunc func(info *tls.CertificateRequestInfo) (*tls.Certificate, error)
+	if store.LoadClientCerts().Certificate != nil {
+		// Set function only when client certificate is available.
+		// TLS 1.3 checks if GetClientCertificate function is nil, if it is not nil,
+		// it assumes client certificate is available which call cause the panic if nil is returned.
+		// nolint:unparam
+		getClientCertificateFunc = func(_ *tls.CertificateRequestInfo) (*tls.Certificate, error) {
+			return store.LoadClientCerts().Certificate, nil
+		}
+	}
 	return func() *tls.Config {
 		cs := store.LoadClientCerts()
 		x := &tls.Config{
-			RootCAs:            cs.RootCAs,
-			InsecureSkipVerify: cs.InsecureSkipVerify,
-			GetClientCertificate: func(info *tls.CertificateRequestInfo) (*tls.Certificate, error) {
-				return store.LoadClientCerts().Certificate, nil
-			},
+			RootCAs:              cs.RootCAs,
+			InsecureSkipVerify:   cs.InsecureSkipVerify,
+			GetClientCertificate: getClientCertificateFunc,
 		}
 		for _, opt := range opts {
 			opt(x)

tls/client/config/config.go

@@ -19,6 +19,7 @@ func GetTLSClientConfigFunc(logger *slog.Logger, conf *config.TLSClientConfig, o
 		filesource.WithInsecureSkipVerify(conf.InsecureSkipVerify),
 		filesource.WithClientCert(conf.File.Cert, conf.File.Key),
 		filesource.WithClientRootCAs(conf.File.RootCAs),
+		filesource.WithKeyPassword(conf.KeyPassword),
 	)
 	if err != nil {
 		return nil, fmt.Errorf("setup client cert file source: %w", err)

tls/client/config/config_test.go

@@ -31,3 +31,37 @@ func TestGetClientTLSConfig(t *testing.T) {
 	require.NoError(t, err)
 	require.NotNil(t, clientCert)
 }
+
+func TestGetClientTLSConfigNoConfig(t *testing.T) {
+	bundle := testutil.NewCertsBundle()
+	defer bundle.Close()
+	tlsConfigFunc, err := GetTLSClientConfigFunc(slog.Default(), &config.TLSClientConfig{
+		Enable:  true,
+		Refresh: 0,
+		File:    config.TLSClientFiles{},
+	})
+	require.NoError(t, err)
+	tlsConfig := tlsConfigFunc()
+	require.Nil(t, tlsConfig.RootCAs)
+	require.Nil(t, tlsConfig.GetClientCertificate)
+}
+
+func TestGetClientTLSConfigSkipVerify(t *testing.T) {
+	bundle := testutil.NewCertsBundle()
+	defer bundle.Close()
+	tlsConfigFunc, err := GetTLSClientConfigFunc(slog.Default(), &config.TLSClientConfig{
+		Enable:  true,
+		Refresh: 0,
+		File: config.TLSClientFiles{
+			Key:  bundle.ClientKey.Name(),
+			Cert: bundle.ClientCert.Name(),
+		},
+	})
+	require.NoError(t, err)
+	tlsConfig := tlsConfigFunc()
+	require.Nil(t, tlsConfig.RootCAs)
+
+	clientCert, err := tlsConfig.GetClientCertificate(nil)
+	require.NoError(t, err)
+	require.NotNil(t, clientCert)
+}

tls/client/filesource/filesource.go

@@ -8,13 +8,15 @@ import (
 	"time"
 
 	tlscert "github.com/grepplabs/cert-source/tls/client/source"
+	"github.com/grepplabs/cert-source/tls/keyutil"
 	"github.com/grepplabs/cert-source/tls/watcher"
 )
 
 type fileSource struct {
 	insecureSkipVerify bool
 	certFile           string
 	keyFile            string
+	keyPassword        string
 	rootCAsFile        string
 	refresh            time.Duration
 	logger             *slog.Logger
@@ -105,6 +107,9 @@ func (s *fileSource) Load() (pemBlocks *tlscert.ClientPEMs, err error) {
 		if pemBlocks.KeyPEMBlock, err = s.readFile(s.keyFile); err != nil {
 			return nil, err
 		}
+		if pemBlocks.KeyPEMBlock, err = keyutil.DecryptPrivateKeyPEM(pemBlocks.KeyPEMBlock, s.keyPassword); err != nil {
+			return nil, err
+		}
 	}
 	if pemBlocks.RootCAsPEMBlock, err = s.readFile(s.rootCAsFile); err != nil {
 		return nil, err

tls/client/filesource/filesource_test.go

@@ -82,3 +82,44 @@ func TestCertRotation(t *testing.T) {
 	require.Contains(t, err.Error(), "unknown certificate authority")
 
 }
+
+func TestKeyEncryption(t *testing.T) {
+	bundle := testutil.NewCertsBundle()
+	defer bundle.Close()
+
+	ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer ts.Close()
+
+	clientSource := MustNew(
+		WithClientRootCAs(bundle.CACert.Name()),
+		WithClientCert(bundle.ClientCert.Name(), bundle.ClientKeyEncrypted.Name()),
+		WithKeyPassword(bundle.ClientKeyPassword),
+		WithRefresh(1*time.Second),
+	).(*fileSource)
+
+	clientCertsStore, err := tlsclient.NewTLSClientCertsStore(slog.Default(), clientSource)
+	require.NoError(t, err)
+
+	serverSource := serverfilesource.MustNew(
+		serverfilesource.WithX509KeyPair(bundle.ServerCert.Name(), bundle.ServerKeyEncrypted.Name()),
+		serverfilesource.WithKeyPassword(bundle.ServerKeyPassword),
+		serverfilesource.WithClientAuthFile(bundle.CACert.Name()),
+		serverfilesource.WithClientCRLFile(bundle.CAEmptyCRL.Name()),
+		serverfilesource.WithRefresh(1*time.Second),
+	)
+	ts.TLS = servertls.MustNewServerConfig(slog.Default(), serverSource)
+	ts.StartTLS()
+
+	req, err := http.NewRequest(http.MethodGet, ts.URL, nil)
+	require.NoError(t, err)
+
+	// when
+	client := &http.Client{
+		Transport: tlsclient.NewDefaultRoundTripper(tlsclient.WithClientCertsStore(clientCertsStore)),
+	}
+	_, err = client.Do(req)
+	require.NoError(t, err)
+
+}

tls/client/filesource/option.go

@@ -20,6 +20,12 @@ func WithClientCert(certFile, keyFile string) Option {
 	}
 }
 
+func WithKeyPassword(keyPassword string) Option {
+	return func(c *fileSource) {
+		c.keyPassword = keyPassword
+	}
+}
+
 func WithClientRootCAs(rootCAsFile string) Option {
 	return func(c *fileSource) {
 		c.rootCAsFile = rootCAsFile