1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768 |
- package security
- import (
- "crypto/tls"
- "crypto/x509"
- "io/ioutil"
- "github.com/spf13/viper"
- "google.golang.org/grpc"
- "google.golang.org/grpc/credentials"
- "github.com/chrislusf/seaweedfs/weed/glog"
- )
- func LoadServerTLS(config *viper.Viper, component string) grpc.ServerOption {
- if config == nil {
- return nil
- }
- // load cert/key, ca cert
- cert, err := tls.LoadX509KeyPair(config.GetString(component+".cert"), config.GetString(component+".key"))
- if err != nil {
- glog.V(1).Infof("load cert/key error: %v", err)
- return nil
- }
- caCert, err := ioutil.ReadFile(config.GetString(component + ".ca"))
- if err != nil {
- glog.V(1).Infof("read ca cert file error: %v", err)
- return nil
- }
- caCertPool := x509.NewCertPool()
- caCertPool.AppendCertsFromPEM(caCert)
- ta := credentials.NewTLS(&tls.Config{
- Certificates: []tls.Certificate{cert},
- ClientCAs: caCertPool,
- ClientAuth: tls.RequireAndVerifyClientCert,
- })
- return grpc.Creds(ta)
- }
- func LoadClientTLS(config *viper.Viper, component string) grpc.DialOption {
- if config == nil {
- return grpc.WithInsecure()
- }
- // load cert/key, cacert
- cert, err := tls.LoadX509KeyPair(config.GetString(component+".cert"), config.GetString(component+".key"))
- if err != nil {
- glog.V(1).Infof("load cert/key error: %v", err)
- return grpc.WithInsecure()
- }
- caCert, err := ioutil.ReadFile(config.GetString(component + ".ca"))
- if err != nil {
- glog.V(1).Infof("read ca cert file error: %v", err)
- return grpc.WithInsecure()
- }
- caCertPool := x509.NewCertPool()
- caCertPool.AppendCertsFromPEM(caCert)
- ta := credentials.NewTLS(&tls.Config{
- Certificates: []tls.Certificate{cert},
- RootCAs: caCertPool,
- InsecureSkipVerify: true,
- })
- return grpc.WithTransportCredentials(ta)
- }
|