Merge pull request #381 from gerbrand-bosch/master

Option to configure client mtls redis cert and key
privacybydesign · Jul 16, 2024 · d2fbfa5 · d2fbfa5
2 parents fc5e46f + 00693ca
commit d2fbfa5
Show file tree

Hide file tree

Showing 5 changed files with 30 additions and 5 deletions.
diff --git a/irma/cmd/config.go b/irma/cmd/config.go
@@ -96,6 +96,9 @@ func configureIRMAServer() (*server.Configuration, error) {
 
 		conf.RedisSettings.TLSCertificate = viper.GetString("redis_tls_cert")
 		conf.RedisSettings.TLSCertificateFile = viper.GetString("redis_tls_cert_file")
+		conf.RedisSettings.TLSClientKeyFile = viper.GetString("redis_tls_client_key_file")
+		conf.RedisSettings.TLSClientCertificateFile = viper.GetString("redis_tls_client_cert_file")
+
 		conf.RedisSettings.DisableTLS = viper.GetBool("redis_no_tls")
 	}
 	return conf, nil

diff --git a/irma/cmd/keyshare-myirma.go b/irma/cmd/keyshare-myirma.go
@@ -75,6 +75,8 @@ func init() {
 	flags.Int("redis-db", 0, "database to be selected after connecting to the server (default 0)")
 	flags.String("redis-tls-cert", "", "use Redis TLS with specific certificate or certificate authority")
 	flags.String("redis-tls-cert-file", "", "use Redis TLS path to specific certificate or certificate authority")
+	flags.String("redis-tls-client-key-file", "", "use Redis mTLS with specified client key path")
+	flags.String("redis-tls-client-cert-file", "", "use Redis mTLS with specified client certificate path")
 	flags.Bool("redis-no-tls", false, "disable Redis TLS (by default, Redis TLS is enabled with the system certificate pool)")
 
 	headers["keyshare-attributes"] = "IRMA session configuration"

diff --git a/irma/cmd/keyshare-server.go b/irma/cmd/keyshare-server.go
@@ -72,6 +72,8 @@ func init() {
 	flags.Int("redis-db", 0, "database to be selected after connecting to the server (default 0)")
 	flags.String("redis-tls-cert", "", "use Redis TLS with specific certificate or certificate authority")
 	flags.String("redis-tls-cert-file", "", "use Redis TLS path to specific certificate or certificate authority")
+	flags.String("redis-tls-client-key-file", "", "use Redis mTLS with specified client path")
+	flags.String("redis-tls-client-cert-file", "", "use Redis mTLS with specified client certificate path")
 	flags.Bool("redis-no-tls", false, "disable Redis TLS (by default, Redis TLS is enabled with the system certificate pool)")
 
 	headers["jwt-privkey"] = "Cryptographic keys"

diff --git a/irma/cmd/server.go b/irma/cmd/server.go
@@ -136,6 +136,8 @@ func setFlags(cmd *cobra.Command, production bool) error {
 	flags.Int("redis-db", 0, "database to be selected after connecting to the server (default 0)")
 	flags.String("redis-tls-cert", "", "use Redis TLS with specific certificate or certificate authority")
 	flags.String("redis-tls-cert-file", "", "use Redis TLS path to specific certificate or certificate authority")
+	flags.String("redis-tls-client-key-file", "", "use Redis mTLS with specified client key path")
+	flags.String("redis-tls-client-cert-file", "", "use Redis mTLS with specified client certificate path")
 	flags.Bool("redis-no-tls", false, "disable Redis TLS (by default, Redis TLS is enabled with the system certificate pool)")
 
 	headers["jwt-issuer"] = "JWT configuration"

diff --git a/server/conf.go b/server/conf.go
@@ -129,9 +129,11 @@ type RedisSettings struct {
 
 	DB int `json:"db,omitempty" mapstructure:"db"`
 
-	TLSCertificate     string `json:"tls_cert,omitempty" mapstructure:"tls_cert"`
-	TLSCertificateFile string `json:"tls_cert_file,omitempty" mapstructure:"tls_cert_file"`
-	DisableTLS         bool   `json:"no_tls,omitempty" mapstructure:"no_tls"`
+	TLSCertificate           string `json:"tls_cert,omitempty" mapstructure:"tls_cert"`
+	TLSCertificateFile       string `json:"tls_cert_file,omitempty" mapstructure:"tls_cert_file"`
+	TLSClientCertificateFile string `json:"tls_client_cert_file,omitempty" mapstructure:"tls_client_cert_file"`
+	TLSClientKeyFile         string `json:"tls_client_key_file,omitempty" mapstructure:"tls_client_key_file"`
+	DisableTLS               bool   `json:"no_tls,omitempty" mapstructure:"no_tls"`
 }
 
 // Check ensures that the Configuration is loaded, usable and free of errors.
@@ -513,14 +515,28 @@ func (conf *Configuration) redisTLSConfig() (*tls.Config, error) {
 	}
 
 	if conf.RedisSettings.TLSCertificate != "" || conf.RedisSettings.TLSCertificateFile != "" {
-		cert, err := common.ReadKey(conf.RedisSettings.TLSCertificate, conf.RedisSettings.TLSCertificateFile)
+		caCert, err := common.ReadKey(conf.RedisSettings.TLSCertificate, conf.RedisSettings.TLSCertificateFile)
 		if err != nil {
 			return nil, errors.WrapPrefix(err, "Redis TLS config failed", 0)
 		}
+
 		tlsConfig := &tls.Config{
 			RootCAs: x509.NewCertPool(),
 		}
-		tlsConfig.RootCAs.AppendCertsFromPEM(cert)
+		tlsConfig.RootCAs.AppendCertsFromPEM(caCert)
+
+		if conf.RedisSettings.TLSClientKeyFile != "" || conf.RedisSettings.TLSClientCertificateFile != "" {
+			if conf.RedisSettings.TLSClientKeyFile == "" || conf.RedisSettings.TLSClientCertificateFile == "" {
+				return nil, errors.New("provide either certificate and key or neither of them")
+			}
+
+			cert, err := tls.LoadX509KeyPair(conf.RedisSettings.TLSClientCertificateFile, conf.RedisSettings.TLSClientKeyFile)
+			if err != nil {
+				return nil, errors.WrapPrefix(err, "Redis TLS config failed", 0)
+			}
+
+			tlsConfig.Certificates = []tls.Certificate{cert}
+		}
 		return tlsConfig, nil
 	}