certs: check if remote is valid and regenerate if not

Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
2026-04-12 14:25:46 +07:00 · 2015-03-12 00:25:43 -04:00
parent 89ea1ed4b4
commit d221d8ee97
5 changed files with 177 additions and 15 deletions
--- a/utils/certs.go
+++ b/utils/certs.go
@@ -7,12 +7,33 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
+	"io/ioutil"
 	"math/big"
 	"net"
 	"os"
 	"time"
 )

+func getTLSConfig(caCert, cert, key []byte, allowInsecure bool) (*tls.Config, error) {
+	// TLS config
+	var tlsConfig tls.Config
+	tlsConfig.InsecureSkipVerify = allowInsecure
+	certPool := x509.NewCertPool()
+
+	certPool.AppendCertsFromPEM(caCert)
+	tlsConfig.RootCAs = certPool
+	keypair, err := tls.X509KeyPair(cert, key)
+	if err != nil {
+		return &tlsConfig, err
+	}
+	tlsConfig.Certificates = []tls.Certificate{keypair}
+	if allowInsecure {
+		tlsConfig.InsecureSkipVerify = true
+	}
+
+	return &tlsConfig, nil
+}
+
 func newCertificate(org string) (*x509.Certificate, error) {
 	now := time.Now()
 	// need to set notBefore slightly in the past to account for time
@@ -149,3 +170,32 @@ func GenerateCert(hosts []string, certFile, keyFile, caFile, caKeyFile, org stri

 	return nil
 }
+
+func ValidateCertificate(addr, caCertPath, serverCertPath, serverKeyPath string) (bool, error) {
+	caCert, err := ioutil.ReadFile(caCertPath)
+	if err != nil {
+		return false, err
+	}
+
+	serverCert, err := ioutil.ReadFile(serverCertPath)
+	if err != nil {
+		return false, err
+	}
+
+	serverKey, err := ioutil.ReadFile(serverKeyPath)
+	if err != nil {
+		return false, err
+	}
+
+	tlsConfig, err := getTLSConfig(caCert, serverCert, serverKey, false)
+	if err != nil {
+		return false, err
+	}
+
+	_, err = tls.Dial("tcp", addr, tlsConfig)
+	if err != nil {
+		return false, nil
+	}
+
+	return true, nil
+}
--- a/utils/certs_test.go
+++ b/utils/certs_test.go
@@ -12,6 +12,8 @@ func TestGenerateCACertificate(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
+	// cleanup
+	defer os.RemoveAll(tmpDir)

 	os.Setenv("MACHINE_DIR", tmpDir)
 	caCertPath := filepath.Join(tmpDir, "ca.pem")
@@ -29,9 +31,6 @@ func TestGenerateCACertificate(t *testing.T) {
 		t.Fatal(err)
 	}
 	os.Setenv("MACHINE_DIR", "")
-
-	// cleanup
-	_ = os.RemoveAll(tmpDir)
 }

 func TestGenerateCert(t *testing.T) {
@@ -39,6 +38,8 @@ func TestGenerateCert(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
+	// cleanup
+	defer os.RemoveAll(tmpDir)

 	os.Setenv("MACHINE_DIR", tmpDir)
 	caCertPath := filepath.Join(tmpDir, "ca.pem")
@@ -70,7 +71,4 @@ func TestGenerateCert(t *testing.T) {
 	if _, err := os.Stat(keyPath); err != nil {
 		t.Fatalf("key not created at %s", keyPath)
 	}
-
-	// cleanup
-	_ = os.RemoveAll(tmpDir)
 }