*: developer machine HSPKI credentials

In addition to k8s certificates, prodaccess now issues HSPKI
certificates, with DN=$username.sso.hswaw.net. These are installed into
XDG_CONFIG_HOME (or os equiv).

//go/pki will now automatically attempt to load these certificates. This
means you can now run any pki-dependent tool with -hspki_disable, and
with automatic mTLS!

Change-Id: I5b28e193e7c968d621bab0d42aabd6f0510fed6d
diff --git a/go/pki/grpc.go b/go/pki/grpc.go
index 1720ad8..313f4a9 100644
--- a/go/pki/grpc.go
+++ b/go/pki/grpc.go
@@ -20,7 +20,6 @@
 	"crypto/x509"
 	"flag"
 	"fmt"
-	"io/ioutil"
 	"strings"
 
 	"github.com/golang/glog"
@@ -210,18 +209,19 @@
 		return []grpc.ServerOption{}
 	}
 
-	serverCert, err := tls.LoadX509KeyPair(flagCertificatePath, flagKeyPath)
+	loc, err := loadCredentials()
+	if err != nil {
+		glog.Exitf("WithServerHSPKI: loadCredentials: %v", err)
+	}
+
+	serverCert, err := tls.X509KeyPair(loc.cert, loc.key)
 	if err != nil {
 		glog.Exitf("WithServerHSPKI: cannot load service certificate/key: %v", err)
 	}
 
 	certPool := x509.NewCertPool()
-	ca, err := ioutil.ReadFile(flagCAPath)
-	if err != nil {
-		glog.Exitf("WithServerHSPKI: cannot load CA certificate: %v", err)
-	}
-	if ok := certPool.AppendCertsFromPEM(ca); !ok {
-		glog.Exitf("WithServerHSPKI: cannot use CA certificate: %v", err)
+	if ok := certPool.AppendCertsFromPEM(loc.ca); !ok {
+		glog.Exitf("WithServerHSPKI: cannot use CA certificate")
 	}
 
 	creds := grpc.Creds(credentials.NewTLS(&tls.Config{
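Review bot: The service certificate, key and CA in WithServerHSPKI now all come from `loadCredentials()`, and nothing in this hunk records which source it chose. The commit message says //go/pki will automatically try the developer certificates that prodaccess installs under XDG_CONFIG_HOME. loadCredentials is not visible here, but if that fallback also applies on the server path, a service started without its certificate flags would come up presenting a `$username.sso.hswaw.net` identity instead of exiting. I would log the chosen source once after the `loadCredentials()` call and add a comment such as `// loadCredentials may fall back to developer credentials from the user config directory; production servers must still pass explicit certificate flags.` The enclosing function starts and ends outside the hunk.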
@@ -243,16 +243,17 @@
 		return grpc.WithInsecure()
 	}
 
-	certPool := x509.NewCertPool()
-	ca, err := ioutil.ReadFile(flagCAPath)
+	loc, err := loadCredentials()
 	if err != nil {
-		glog.Exitf("WithClientHSPKI: cannot load CA certificate: %v", err)
-	}
-	if ok := certPool.AppendCertsFromPEM(ca); !ok {
-		glog.Exitf("WithClientHSPKI: cannot use CA certificate: %v", err)
+		glog.Exitf("WithServerHSPKI: loadCredentials: %v", err)
 	}
 
-	clientCert, err := tls.LoadX509KeyPair(flagCertificatePath, flagKeyPath)
+	certPool := x509.NewCertPool()
+	if ok := certPool.AppendCertsFromPEM(loc.ca); !ok {
+		glog.Exitf("WithServerHSPKI: cannot use CA certificate")
+	}
+
+	clientCert, err := tls.X509KeyPair(loc.cert, loc.key)
 	if err != nil {
 		glog.Exitf("WithClientHSPKI: cannot load service certificate/key: %v", err)
 	}
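Review bot: The two new `glog.Exitf` calls in the client path are prefixed `WithServerHSPKI:`, so a client that fails to load its credentials or parse the CA bundle will report the failure as coming from the server option. They should read `glog.Exitf("WithClientHSPKI: loadCredentials: %v", err)` and `glog.Exitf("WithClientHSPKI: cannot use CA certificate")`, matching the unchanged certificate/key message just below them. The enclosing function starts and ends outside the hunk.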