deleted file mode 100644

@@ -1,132 +0,0 @@

-// Package tlsconfig provides primitives to retrieve secure-enough TLS configurations for both clients and servers.

-//

-// As a reminder from https://golang.org/pkg/crypto/tls/#Config:

-//	A Config structure is used to configure a TLS client or server. After one has been passed to a TLS function it must not be modified.

-//	A Config may be reused; the tls package will also not modify it.

-package tlsconfig

-

-import (

-	"crypto/tls"

-	"crypto/x509"

-	"fmt"

-	"io/ioutil"

-	"os"

-

-	"github.com/Sirupsen/logrus"

-)

-

-// Options represents the information needed to create client and server TLS configurations.

-type Options struct {

-	CAFile string

-

-	// If either CertFile or KeyFile is empty, Client() will not load them

-	// preventing the client from authenticating to the server.

-	// However, Server() requires them and will error out if they are empty.

-	CertFile string

-	KeyFile  string

-

-	// client-only option

-	InsecureSkipVerify bool

-	// server-only option

-	ClientAuth tls.ClientAuthType

-}

-

-// Extra (server-side) accepted CBC cipher suites - will phase out in the future

-var acceptedCBCCiphers = []uint16{

-	tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,

-	tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,

-	tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,

-	tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,

-	tls.TLS_RSA_WITH_AES_256_CBC_SHA,

-	tls.TLS_RSA_WITH_AES_128_CBC_SHA,

-}

-

-// Client TLS cipher suites (dropping CBC ciphers for client preferred suite set)

-var clientCipherSuites = []uint16{

-	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,

-	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,

-}

-

-// DefaultServerAcceptedCiphers should be uses by code which already has a crypto/tls

-// options struct but wants to use a commonly accepted set of TLS cipher suites, with

-// known weak algorithms removed.

-var DefaultServerAcceptedCiphers = append(clientCipherSuites, acceptedCBCCiphers...)

-

-// ServerDefault returns a secure-enough TLS configuration for the server TLS configuration.

-func ServerDefault() *tls.Config {

-	return &tls.Config{

-		// Avoid fallback to SSL protocols < TLS1.0

-		MinVersion:               tls.VersionTLS10,

-		PreferServerCipherSuites: true,

-		CipherSuites:             DefaultServerAcceptedCiphers,

-	}

-}

-

-// ClientDefault returns a secure-enough TLS configuration for the client TLS configuration.

-func ClientDefault() *tls.Config {

-	return &tls.Config{

-		// Prefer TLS1.2 as the client minimum

-		MinVersion:   tls.VersionTLS12,

-		CipherSuites: clientCipherSuites,

-	}

-}

-

-// certPool returns an X.509 certificate pool from `caFile`, the certificate file.

-func certPool(caFile string) (*x509.CertPool, error) {

-	// If we should verify the server, we need to load a trusted ca

-	certPool := x509.NewCertPool()

-	pem, err := ioutil.ReadFile(caFile)

-	if err != nil {

-		return nil, fmt.Errorf("Could not read CA certificate %q: %v", caFile, err)

-	}

-	if !certPool.AppendCertsFromPEM(pem) {

-		return nil, fmt.Errorf("failed to append certificates from PEM file: %q", caFile)

-	}

-	logrus.Debugf("Trusting %d certs", len(certPool.Subjects()))

-	return certPool, nil

-}

-

-// Client returns a TLS configuration meant to be used by a client.

-func Client(options Options) (*tls.Config, error) {

-	tlsConfig := ClientDefault()

-	tlsConfig.InsecureSkipVerify = options.InsecureSkipVerify

-	if !options.InsecureSkipVerify && options.CAFile != "" {

-		CAs, err := certPool(options.CAFile)

-		if err != nil {

-			return nil, err

-		}

-		tlsConfig.RootCAs = CAs

-	}

-

-	if options.CertFile != "" || options.KeyFile != "" {

-		tlsCert, err := tls.LoadX509KeyPair(options.CertFile, options.KeyFile)

-		if err != nil {

-			return nil, fmt.Errorf("Could not load X509 key pair: %v. Make sure the key is not encrypted", err)

-		}

-		tlsConfig.Certificates = []tls.Certificate{tlsCert}

-	}

-

-	return tlsConfig, nil

-}

-

-// Server returns a TLS configuration meant to be used by a server.

-func Server(options Options) (*tls.Config, error) {

-	tlsConfig := ServerDefault()

-	tlsConfig.ClientAuth = options.ClientAuth

-	tlsCert, err := tls.LoadX509KeyPair(options.CertFile, options.KeyFile)

-	if err != nil {

-		if os.IsNotExist(err) {

-			return nil, fmt.Errorf("Could not load X509 key pair (cert: %q, key: %q): %v", options.CertFile, options.KeyFile, err)

-		}

-		return nil, fmt.Errorf("Error reading X509 key pair (cert: %q, key: %q): %v. Make sure the key is not encrypted.", options.CertFile, options.KeyFile, err)

-	}

-	tlsConfig.Certificates = []tls.Certificate{tlsCert}

-	if options.ClientAuth >= tls.VerifyClientCertIfGiven {

-		CAs, err := certPool(options.CAFile)

-		if err != nil {

-			return nil, err

-		}

-		tlsConfig.ClientCAs = CAs

-	}

-	return tlsConfig, nil

-}

@@ -3,7 +3,6 @@ package registry

 import (

 	"crypto/tls"

-	"crypto/x509"

 	"errors"

 	"fmt"

 	"io/ioutil"

@@ -64,8 +63,11 @@ func ReadCertsDirectory(tlsConfig *tls.Config, directory string) error {

 	for _, f := range fs {

 		if strings.HasSuffix(f.Name(), ".crt") {

 			if tlsConfig.RootCAs == nil {

-				// TODO(dmcgowan): Copy system pool

-				tlsConfig.RootCAs = x509.NewCertPool()

+				systemPool, err := tlsconfig.SystemCertPool()

+				if err != nil {

+					return fmt.Errorf("unable to get system cert pool: %v", err)

+				}

+				tlsConfig.RootCAs = systemPool

 			}

 			logrus.Debugf("crt: %s", filepath.Join(directory, f.Name()))

 			data, err := ioutil.ReadFile(filepath.Join(directory, f.Name()))