Add SystemCertPool usage as client option

everesio · everesio · commit 39b2dde2e6ce · 2025-02-05T00:14:08.000+01:00
diff --git a/config/config.go b/config/config.go
@@ -24,6 +24,7 @@ type TLSClientConfig struct {
 	InsecureSkipVerify bool           `help:"Skip TLS verification on client side."`
 	File               TLSClientFiles `embed:"" prefix:"file."`
 	KeyPassword        string         `help:"Optional password to decrypt RSA private key."`
+	UseSystemPool      bool           `help:"Use system pool for root CAs."`
 }
 
 type TLSClientFiles struct {
diff --git a/tls/client/config/config.go b/tls/client/config/config.go
@@ -20,6 +20,7 @@ func GetTLSClientConfigFunc(logger *slog.Logger, conf *config.TLSClientConfig, o
 		filesource.WithClientCert(conf.File.Cert, conf.File.Key),
 		filesource.WithClientRootCAs(conf.File.RootCAs),
 		filesource.WithKeyPassword(conf.KeyPassword),
+		filesource.WithSystemPool(conf.UseSystemPool),
 	)
 	if err != nil {
 		return nil, fmt.Errorf("setup client cert file source: %w", err)
diff --git a/tls/client/filesource/filesource.go b/tls/client/filesource/filesource.go
@@ -18,6 +18,7 @@ type fileSource struct {
 	keyFile            string
 	keyPassword        string
 	rootCAsFile        string
+	useSystemPool      bool
 	refresh            time.Duration
 	logger             *slog.Logger
 	notifyFunc         func()
@@ -95,8 +96,9 @@ func (s *fileSource) ClientCerts() chan tlscert.ClientCerts {
 }
 
 func (s *fileSource) Load() (pemBlocks *tlscert.ClientPEMs, err error) {
-	pemBlocks = &tlscert.ClientPEMs{}
-
+	pemBlocks = &tlscert.ClientPEMs{
+		UseSystemPool: s.useSystemPool,
+	}
 	if (s.certFile == "") != (s.keyFile == "") {
 		return nil, errors.New("cert file source: both certFile and keyFile must be set or be empty")
 	}
diff --git a/tls/client/filesource/filesource_test.go b/tls/client/filesource/filesource_test.go
@@ -97,6 +97,7 @@ func TestKeyEncryption(t *testing.T) {
 		WithClientCert(bundle.ClientCert.Name(), bundle.ClientKeyEncrypted.Name()),
 		WithKeyPassword(bundle.ClientKeyPassword),
 		WithRefresh(1*time.Second),
+		WithSystemPool(true),
 	).(*fileSource)
 
 	clientCertsStore, err := tlsclient.NewTLSClientCertsStore(slog.Default(), clientSource)
diff --git a/tls/client/filesource/option.go b/tls/client/filesource/option.go
@@ -49,3 +49,9 @@ func WithNotifyFunc(notifyFunc func()) Option {
 		c.notifyFunc = notifyFunc
 	}
 }
+
+func WithSystemPool(useSystemPool bool) Option {
+	return func(c *fileSource) {
+		c.useSystemPool = useSystemPool
+	}
+}
diff --git a/tls/client/roundtripper.go b/tls/client/roundtripper.go
@@ -34,7 +34,7 @@ func WithClientCertsStore(source *source.ClientCertsStore) RoundTripperOption {
 	}
 }
 
-func WithRootCA(cert *x509.Certificate) RoundTripperOption {
+func WithSystemRootCA(cert *x509.Certificate) RoundTripperOption {
 	certPool, err := x509.SystemCertPool()
 	if err != nil {
 		certPool = x509.NewCertPool()
@@ -43,6 +43,12 @@ func WithRootCA(cert *x509.Certificate) RoundTripperOption {
 	return WithRootCAs(certPool)
 }
 
+func WithRootCA(cert *x509.Certificate) RoundTripperOption {
+	certPool := x509.NewCertPool()
+	certPool.AddCert(cert)
+	return WithRootCAs(certPool)
+}
+
 func WithRootCAs(rootCAs *x509.CertPool) RoundTripperOption {
 	return func(rt *RoundTripper) {
 		if rt.transport.TLSClientConfig == nil {
diff --git a/tls/client/source/pems.go b/tls/client/source/pems.go
@@ -15,6 +15,7 @@ type ClientPEMs struct {
 	CertPEMBlock    []byte
 	KeyPEMBlock     []byte
 	RootCAsPEMBlock []byte
+	UseSystemPool   bool
 }
 
 func (s ClientPEMs) Checksum() []byte {
@@ -39,12 +40,19 @@ func (s ClientPEMs) RootCAs() (*x509.CertPool, error) {
 	if len(s.RootCAsPEMBlock) == 0 {
 		return nil, nil
 	}
-	certPool, err := x509.SystemCertPool()
-	if err != nil {
-		certPool = x509.NewCertPool()
-	}
+	certPool := s.newCertPool()
 	if !certPool.AppendCertsFromPEM(s.RootCAsPEMBlock) {
 		return nil, errors.New("client PEMs: building client CAs failed")
 	}
 	return certPool, nil
 }
+
+func (s ClientPEMs) newCertPool() *x509.CertPool {
+	if s.UseSystemPool {
+		certPool, err := x509.SystemCertPool()
+		if err == nil {
+			return certPool
+		}
+	}
+	return x509.NewCertPool()
+}
diff --git a/tls/server/filesource/filesource_test.go b/tls/server/filesource/filesource_test.go
@@ -64,6 +64,17 @@ func TestServerConfig(t *testing.T) {
 				))
 			},
 		},
+		{
+			name: "Client trusted CA added to system pool",
+			transportFunc: func() http.RoundTripper {
+				return tlsclient.NewDefaultRoundTripper(tlsclient.WithSystemRootCA(bundle.CAX509Cert))
+			},
+			configFunc: func() *tls.Config {
+				return servertls.MustNewServerConfig(logger, MustNew(
+					WithX509KeyPair(bundle.ServerCert.Name(), bundle.ServerKey.Name()),
+				))
+			},
+		},
 		{
 			name: "Client without required certificate",
 			transportFunc: func() http.RoundTripper {

Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,7 @@ type TLSClientConfig struct {`
`24`	`24`	InsecureSkipVerify bool `help:"Skip TLS verification on client side."`
`25`	`25`	File TLSClientFiles `embed:"" prefix:"file."`
`26`	`26`	KeyPassword string `help:"Optional password to decrypt RSA private key."`
	`27`	+ UseSystemPool bool `help:"Use system pool for root CAs."`
`27`	`28`	`}`
`28`	`29`
`29`	`30`	`type TLSClientFiles struct {`
Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,7 @@ func GetTLSClientConfigFunc(logger slog.Logger, conf config.TLSClientConfig, o`
`20`	`20`	`filesource.WithClientCert(conf.File.Cert, conf.File.Key),`
`21`	`21`	`filesource.WithClientRootCAs(conf.File.RootCAs),`
`22`	`22`	`filesource.WithKeyPassword(conf.KeyPassword),`
	`23`	`+ filesource.WithSystemPool(conf.UseSystemPool),`
`23`	`24`	`)`
`24`	`25`	`if err != nil {`
`25`	`26`	`return nil, fmt.Errorf("setup client cert file source: %w", err)`
Original file line number	Diff line number	Diff line change
`@@ -49,3 +49,9 @@ func WithNotifyFunc(notifyFunc func()) Option {`
`49`	`49`	`c.notifyFunc = notifyFunc`
`50`	`50`	`}`
`51`	`51`	`}`
	`52`	`+`
	`53`	`+func WithSystemPool(useSystemPool bool) Option {`
	`54`	`+ return func(c *fileSource) {`
	`55`	`+ c.useSystemPool = useSystemPool`
	`56`	`+ }`
	`57`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,7 @@ func WithClientCertsStore(source *source.ClientCertsStore) RoundTripperOption {`
`34`	`34`	`}`
`35`	`35`	`}`
`36`	`36`
`37`		`-func WithRootCA(cert *x509.Certificate) RoundTripperOption {`
	`37`	`+func WithSystemRootCA(cert *x509.Certificate) RoundTripperOption {`
`38`	`38`	`certPool, err := x509.SystemCertPool()`
`39`	`39`	`if err != nil {`
`40`	`40`	`certPool = x509.NewCertPool()`
`@@ -43,6 +43,12 @@ func WithRootCA(cert *x509.Certificate) RoundTripperOption {`
`43`	`43`	`return WithRootCAs(certPool)`
`44`	`44`	`}`
`45`	`45`
	`46`	`+func WithRootCA(cert *x509.Certificate) RoundTripperOption {`
	`47`	`+ certPool := x509.NewCertPool()`
	`48`	`+ certPool.AddCert(cert)`
	`49`	`+ return WithRootCAs(certPool)`
	`50`	`+}`
	`51`	`+`
`46`	`52`	`func WithRootCAs(rootCAs *x509.CertPool) RoundTripperOption {`
`47`	`53`	`return func(rt *RoundTripper) {`
`48`	`54`	`if rt.transport.TLSClientConfig == nil {`