From 16ffb2e412e05f3578ea2b956819ced398dc1c62 Mon Sep 17 00:00:00 2001
From: Chelsea Holland Komlo
Date: Mon, 13 Aug 2018 16:08:23 -0400
Subject: [PATCH] extract functionality for determining signature algorithm per code review feedback

---
 helper/tlsutil/config.go | 33 +++++++++++++++++++--------------
 1 file changed, 19 insertions(+), 14 deletions(-)

diff --git a/helper/tlsutil/config.go b/helper/tlsutil/config.go
index 4aad22db5..9d6eb8153 100644
--- a/helper/tlsutil/config.go
+++ b/helper/tlsutil/config.go
@@ -447,20 +447,9 @@ func ParseCiphers(tlsConfig *config.TLSConfig) ([]uint16, error) {
 keyLoader.LoadKeyPair(tlsConfig.CertFile, tlsConfig.KeyFile)
 if keyLoader.GetCertificate() != nil {
- var supportedSignatureAlgorithm algorithmStringRepr
-
- tlsCert := keyLoader.GetCertificate()
-
- // Determine what type of signature algorithm is being used by typecasting
- // the certificate's private key
- privKey := tlsCert.PrivateKey
- switch privKey.(type) {
- case *rsa.PrivateKey:
- supportedSignatureAlgorithm = rsaStringRepr
- case *ecdsa.PrivateKey:
- supportedSignatureAlgorithm = ecdsaStringRepr
- default:
- return []uint16{}, fmt.Errorf("Unsupported signature algorithm %T; RSA and ECDSA only are supported.", privKey)
+ supportedSignatureAlgorithm, err := getSignatureAlgorithm(keyLoader.GetCertificate())
+ if err != nil {
+ return []uint16{}, err
 }
 for _, cipher := range parsedCiphers {
@@ -482,6 +471,22 @@ func ParseCiphers(tlsConfig *config.TLSConfig) ([]uint16, error) {
 return []uint16{}, nil
 }
+// getSignatureAlgorithm returns the signature algorithm for a TLS certificate
+// This is determined by examining the type of the certificate's public key,
+// as Golang doesn't expose a more straightforward API which returns this
+// type
+func getSignatureAlgorithm(tlsCert *tls.Certificate) (algorithmStringRepr, error) {
+ privKey := tlsCert.PrivateKey
+ switch privKey.(type) {
+ case *rsa.PrivateKey:
+ return rsaStringRepr, nil
+ case *ecdsa.PrivateKey:
+ return ecdsaStringRepr, nil
+ default:
+ return "", fmt.Errorf("Unsupported signature algorithm %T; RSA and ECDSA only are supported.", privKey)
+ }
+}
+
 // ParseMinVersion parses the specified minimum TLS version for the Nomad agent
 func ParseMinVersion(version string) (uint16, error) {
 if version == "" {
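Review bot: The doc comment on getSignatureAlgorithm says the algorithm is determined from the certificate's public key, but the switch inspects tlsCert.PrivateKey, so the comment misdescribes the code; change it to `// This is determined by examining the concrete type of the certificate's private key,`. The function dereferences tlsCert without a nil check and relies on the GetCertificate() != nil guard in ParseCiphers; adding `if tlsCert == nil { return "", fmt.Errorf("nil certificate") }` at the top makes it safe for other callers. Because only the concrete *rsa.PrivateKey and *ecdsa.PrivateKey types are matched, a key held behind an opaque crypto.Signer (as keys loaded from a hardware token or KMS typically are) falls through to the error even when it is an RSA or ECDSA key; if that case matters, classify by the type of the signer's Public() instead. Go style also wants the error string lowercase with no trailing punctuation: `return "", fmt.Errorf("unsupported signature algorithm %T; only RSA and ECDSA are supported", privKey)`.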