Implement TLS API Support

* Added flags to point to TLS PEM files to use for exposing and connecting to an encrypted remote API socket with server and client authentication. * Added TLS fields for system connection ls templates. * Added special "tls" format for system connection ls to list TLS fields in human-readable table format. * Updated remote integration and system tests to allow specifying a "transport" to run the full suite against a unix, tcp, tls, or mtls system service. * Added system tests to verify basic operation of unix, tcp, tls, and mtls services, clients, and connections. Signed-off-by: Andrew Melnick <meln5674.5674@gmail.com>
2025-11-29 17:48:05 +08:00 · 2025-07-31 18:51:37 -06:00
parent a118fdf4e2
commit feb36e4fe6
116 changed files with 1848 additions and 616 deletions
--- a/pkg/util/tlsutil/tls.go
+++ b/pkg/util/tlsutil/tls.go
@@ -0,0 +1,32 @@
+package tlsutil
+
+import (
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"os"
+)
+
+func ReadCertBundle(path string) (*x509.CertPool, error) {
+	pool := x509.NewCertPool()
+	caPEM, err := os.ReadFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("reading cert bundle %s: %w", path, err)
+	}
+	for ix := 0; len(caPEM) != 0; ix++ {
+		var caDER *pem.Block
+		caDER, caPEM = pem.Decode(caPEM)
+		if caDER == nil {
+			return nil, fmt.Errorf("reading cert bundle %s: non-PEM data found", path)
+		}
+		if caDER.Type != "CERTIFICATE" {
+			return nil, fmt.Errorf("reading cert bundle %s: non-certificate type `%s` PEM data found", path, caDER.Type)
+		}
+		caCert, err := x509.ParseCertificate(caDER.Bytes)
+		if err != nil {
+			return nil, fmt.Errorf("reading cert bundle %s: parsing item %d: %w", path, ix, err)
+		}
+		pool.AddCert(caCert)
+	}
+	return pool, nil
+}