1 // Copyright 2023 Google LLC
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 15 package cert
16 17 import (
18 "crypto/tls"
19 20 "github.com/googleapis/enterprise-certificate-proxy/client"
21 )
22 23 type ecpSource struct {
24 key *client.Key
25 }
26 27 // NewEnterpriseCertificateProxyProvider creates a certificate source
28 // using the Enterprise Certificate Proxy client, which delegates
29 // certifcate related operations to an OS-specific "signer binary"
30 // that communicates with the native keystore (ex. keychain on MacOS).
31 //
32 // The configFilePath points to a config file containing relevant parameters
33 // such as the certificate issuer and the location of the signer binary.
34 // If configFilePath is empty, the client will attempt to load the config from
35 // a well-known gcloud location.
36 func NewEnterpriseCertificateProxyProvider(configFilePath string) (Provider, error) {
37 key, err := client.Cred(configFilePath)
38 if err != nil {
39 // TODO(codyoss): once this is fixed upstream can handle this error a
40 // little better here. But be safe for now and assume unavailable.
41 return nil, errSourceUnavailable
42 }
43 44 return (&ecpSource{
45 key: key,
46 }).getClientCertificate, nil
47 }
48 49 func (s *ecpSource) getClientCertificate(info *tls.CertificateRequestInfo) (*tls.Certificate, error) {
50 var cert tls.Certificate
51 cert.PrivateKey = s.key
52 cert.Certificate = s.key.CertificateChain()
53 return &cert, nil
54 }
55