kairos/tpm-helpers
1
0
Fork 0
mirror of https://github.com/kairos-io/tpm-helpers.git synced 2025-09-17 07:12:49 +00:00
Code Issues Packages Projects Releases Wiki Activity

Allow to append to system CA

Browse Source 
Fixes #1

Signed-off-by: Ettore Di Giacinto <edigiacinto@suse.com>
This commit is contained in:
Ettore Di Giacinto
2022-05-12 11:59:24 +02:00
parent a7b15ad1f8
commit 5842702dd4
3 changed files with 57 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
config.go
View File

@@ -13,6 +13,8 @@ type config struct {
cacerts []byte cacerts []byte
header http.Header header http.Header
systemfallback bool
} }
// Option is a generic option for TPM configuration // Option is a generic option for TPM configuration
@@ -26,6 +28,13 @@ var Emulated Option = func(c *config) error {
return nil return nil
} }
// AppendCustomCAToSystemCA uses the system CA pool as a fallback, appending the custom CA
// to it.
var AppendCustomCAToSystemCA Option = func(c *config) error {
c.systemfallback = true
return nil
}
// WithCAs sets the root CAs for the request // WithCAs sets the root CAs for the request
func WithCAs(ca []byte) Option { func WithCAs(ca []byte) Option {
return func(c *config) error { return func(c *config) error {

8
get.go
View File

@@ -30,6 +30,14 @@ func Get(url string, opts ...Option) ([]byte, error) {
dialer := websocket.DefaultDialer dialer := websocket.DefaultDialer
if len(c.cacerts) > 0 { if len(c.cacerts) > 0 {
pool := x509.NewCertPool() pool := x509.NewCertPool()
if c.systemfallback {
systemPool, err := x509.SystemCertPool()
if err != nil {
return nil, err
}
pool = systemPool
}
pool.AppendCertsFromPEM(c.cacerts) pool.AppendCertsFromPEM(c.cacerts)
dialer = &websocket.Dialer{ dialer = &websocket.Dialer{
Proxy: http.ProxyFromEnvironment, Proxy: http.ProxyFromEnvironment,

40
get_test.go
View File

@@ -6,6 +6,7 @@ import (
"fmt" "fmt"
"io/ioutil" "io/ioutil"
"net/http" "net/http"
"os"
"time" "time"
"github.com/gorilla/websocket" "github.com/gorilla/websocket"
@@ -108,5 +109,44 @@ var _ = Describe("GET", func() {
Expect(err).ToNot(HaveOccurred()) Expect(err).ToNot(HaveOccurred())
Expect(result).To(Equal(map[string]interface{}{"foo": "bar"})) Expect(result).To(Equal(map[string]interface{}{"foo": "bar"}))
}) })
})
})
// This test is meant to be running manually against a
// reg. server with a valid cert.
var _ = Describe("GET", func() {
Context("challenges with a remote endpoint", func() {
regUrl := os.Getenv("REG_URL")
expectedMatches := ContainElement("ros-node-{{ trunc 4 .MachineID }}")
BeforeEach(func() {
if regUrl == "" {
Skip("No remote url passed, skipping suite")
}
})
It("gets pubhash from remote with a public signed CA", func() {
msg, err := Get(regUrl, Emulated, WithSeed(1))
result := map[string]interface{}{}
json.Unmarshal(msg, &result)
Expect(err).ToNot(HaveOccurred())
Expect(result).To(expectedMatches)
})
It("it fails if we specify a custom CA (invalid)", func() {
msg, err := Get(regUrl, Emulated, WithSeed(1), WithCAs([]byte(`dddd`)))
result := map[string]interface{}{}
json.Unmarshal(msg, &result)
Expect(err).To(HaveOccurred())
})
It("it pass if appends to system CA", func() {
msg, err := Get(regUrl, Emulated, WithSeed(1), AppendCustomCAToSystemCA, WithCAs([]byte(`dddd`)))
result := map[string]interface{}{}
json.Unmarshal(msg, &result)
Expect(err).ToNot(HaveOccurred())
Expect(result).To(expectedMatches)
})
}) })
}) })