*: developer machine HSPKI credentials
In addition to k8s certificates, prodaccess now issues HSPKI
certificates, with DN=$username.sso.hswaw.net. These are installed into
XDG_CONFIG_HOME (or os equiv).
//go/pki will now automatically attempt to load these certificates. This
means you can now run any pki-dependent tool with -hspki_disable, and
with automatic mTLS!
Change-Id: I5b28e193e7c968d621bab0d42aabd6f0510fed6d
diff --git a/go/pki/grpc.go b/go/pki/grpc.go
index 1720ad8..313f4a9 100644
--- a/go/pki/grpc.go
+++ b/go/pki/grpc.go
@@ -20,7 +20,6 @@
"crypto/x509"
"flag"
"fmt"
- "io/ioutil"
"strings"
"github.com/golang/glog"
@@ -210,18 +209,19 @@
return []grpc.ServerOption{}
}
- serverCert, err := tls.LoadX509KeyPair(flagCertificatePath, flagKeyPath)
+ loc, err := loadCredentials()
+ if err != nil {
+ glog.Exitf("WithServerHSPKI: loadCredentials: %v", err)
+ }
+
+ serverCert, err := tls.X509KeyPair(loc.cert, loc.key)
if err != nil {
glog.Exitf("WithServerHSPKI: cannot load service certificate/key: %v", err)
}
certPool := x509.NewCertPool()
- ca, err := ioutil.ReadFile(flagCAPath)
- if err != nil {
- glog.Exitf("WithServerHSPKI: cannot load CA certificate: %v", err)
- }
- if ok := certPool.AppendCertsFromPEM(ca); !ok {
- glog.Exitf("WithServerHSPKI: cannot use CA certificate: %v", err)
+ if ok := certPool.AppendCertsFromPEM(loc.ca); !ok {
+ glog.Exitf("WithServerHSPKI: cannot use CA certificate")
}
creds := grpc.Creds(credentials.NewTLS(&tls.Config{
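Review bot: The server path now calls `loadCredentials()` without recording which credential source it ended up using, so if that helper falls back to the per-user developer certificates the commit message describes (installed under XDG_CONFIG_HOME), a service started without its service flags would come up with a developer identity and the only trace would be the absence of a flag error. Consider logging the chosen source at startup, e.g. `glog.Infof("WithServerHSPKI: using credentials from %s", loc.source)` (or whatever field the loader exposes), and including it in the `loadCredentials: %v` exit message so an operator can tell which location was tried. The `loadCredentials` body is not part of this diff, so this is inferred from the description rather than the code. Dropping the spurious `%v` of a nil `err` in the "cannot use CA certificate" message is a correct cleanup. WithServerHSPKI's body continues outside the hunk.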
@@ -243,16 +243,17 @@
return grpc.WithInsecure()
}
- certPool := x509.NewCertPool()
- ca, err := ioutil.ReadFile(flagCAPath)
+ loc, err := loadCredentials()
if err != nil {
- glog.Exitf("WithClientHSPKI: cannot load CA certificate: %v", err)
- }
- if ok := certPool.AppendCertsFromPEM(ca); !ok {
- glog.Exitf("WithClientHSPKI: cannot use CA certificate: %v", err)
+ glog.Exitf("WithServerHSPKI: loadCredentials: %v", err)
}
- clientCert, err := tls.LoadX509KeyPair(flagCertificatePath, flagKeyPath)
+ certPool := x509.NewCertPool()
+ if ok := certPool.AppendCertsFromPEM(loc.ca); !ok {
+ glog.Exitf("WithServerHSPKI: cannot use CA certificate")
+ }
+
+ clientCert, err := tls.X509KeyPair(loc.cert, loc.key)
if err != nil {
glog.Exitf("WithClientHSPKI: cannot load service certificate/key: %v", err)
}