-
-
Notifications
You must be signed in to change notification settings - Fork 1.4k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
For NATS Server on Windows, provide option for TLS certificate and handshake signature to be provided by the Windows Certificate Store instead of PEM files.
- Loading branch information
Showing
12 changed files
with
1,346 additions
and
6 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,91 @@ | ||
| // Copyright 2022-2023 The NATS Authors | ||
| // Licensed under the Apache License, Version 2.0 (the "License"); | ||
| // you may not use this file except in compliance with the License. | ||
| // You may obtain a copy of the License at | ||
| // | ||
| // http://www.apache.org/licenses/LICENSE-2.0 | ||
| // | ||
| // Unless required by applicable law or agreed to in writing, software | ||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| // See the License for the specific language governing permissions and | ||
| // limitations under the License. | ||
|
|
||
| package certstore | ||
|
|
||
| import ( | ||
| "crypto" | ||
| "io" | ||
| "runtime" | ||
| "strings" | ||
| ) | ||
|
|
||
| type StoreType int | ||
|
|
||
| const MATCHBYEMPTY = 0 | ||
| const STOREEMPTY = 0 | ||
|
|
||
| const ( | ||
| windowsCurrentUser StoreType = iota + 1 | ||
| windowsLocalMachine | ||
| ) | ||
|
|
||
| var StoreMap = map[string]StoreType{ | ||
| "windowscurrentuser": windowsCurrentUser, | ||
| "windowslocalmachine": windowsLocalMachine, | ||
| } | ||
|
|
||
| var StoreOSMap = map[StoreType]string{ | ||
| windowsCurrentUser: "windows", | ||
| windowsLocalMachine: "windows", | ||
| } | ||
|
|
||
| type MatchByType int | ||
|
|
||
| const ( | ||
| matchByIssuer MatchByType = iota + 1 | ||
| matchBySubject | ||
| ) | ||
|
|
||
| var MatchByMap = map[string]MatchByType{ | ||
| "issuer": matchByIssuer, | ||
| "subject": matchBySubject, | ||
| } | ||
|
|
||
| var Usage = ` | ||
| In place of cert_file and key_file you may use the windows certificate store: | ||
| tls { | ||
| cert_store: "WindowsCurrentUser" | ||
| cert_match_by: "Subject" | ||
| cert_match: "MyServer123" | ||
| } | ||
| ` | ||
|
|
||
| func ParseCertStore(certStore string) (StoreType, error) { | ||
| certStoreType, exists := StoreMap[strings.ToLower(certStore)] | ||
| if !exists { | ||
| return 0, ErrBadCertStore | ||
| } | ||
| validOS, exists := StoreOSMap[certStoreType] | ||
| if !exists || validOS != runtime.GOOS { | ||
| return 0, ErrOSNotCompatCertStore | ||
| } | ||
| return certStoreType, nil | ||
| } | ||
|
|
||
| func ParseCertMatchBy(certMatchBy string) (MatchByType, error) { | ||
| certMatchByType, exists := MatchByMap[strings.ToLower(certMatchBy)] | ||
| if !exists { | ||
| return 0, ErrBadMatchByType | ||
| } | ||
| return certMatchByType, nil | ||
| } | ||
|
|
||
| // credential provides access to a public key and is a crypto.Signer. | ||
| type credential interface { | ||
| // Public returns the public key corresponding to the leaf certificate. | ||
| Public() crypto.PublicKey | ||
| // Sign signs digest with the private key. | ||
| Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error) | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| // Copyright 2022-2023 The NATS Authors | ||
| // Licensed under the Apache License, Version 2.0 (the "License"); | ||
| // you may not use this file except in compliance with the License. | ||
| // You may obtain a copy of the License at | ||
| // | ||
| // http://www.apache.org/licenses/LICENSE-2.0 | ||
| // | ||
| // Unless required by applicable law or agreed to in writing, software | ||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| // See the License for the specific language governing permissions and | ||
| // limitations under the License. | ||
|
|
||
| //go:build !windows | ||
|
|
||
| package certstore | ||
|
|
||
| import ( | ||
| "crypto" | ||
| "crypto/tls" | ||
| "io" | ||
| ) | ||
|
|
||
| var _ = MATCHBYEMPTY | ||
|
|
||
| // otherKey implements crypto.Signer and crypto.Decrypter to satisfy linter on platforms that don't implement certstore | ||
| type otherKey struct{} | ||
|
|
||
| func TLSConfig(certStore StoreType, certMatchBy MatchByType, certMatch string, config *tls.Config) error { | ||
| _, _, _, _ = certStore, certMatchBy, certMatch, config | ||
| return ErrOSNotCompatCertStore | ||
| } | ||
|
|
||
| // Public always returns nil public key since this is a stub on non-supported platform | ||
| func (k otherKey) Public() crypto.PublicKey { | ||
| return nil | ||
| } | ||
|
|
||
| // Sign always returns a nil signature since this is a stub on non-supported platform | ||
| func (k otherKey) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error) { | ||
| _, _, _ = rand, digest, opts | ||
| return nil, nil | ||
| } | ||
|
|
||
| // Verify interface conformance. | ||
| var _ credential = &otherKey{} |
Oops, something went wrong.