| 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152 |
- package quic
- import (
- gocrypto "crypto"
- "crypto/tls"
- "crypto/x509"
- "errors"
- "github.com/bifurcation/mint"
- "github.com/lucas-clemente/quic-go/internal/protocol"
- )
- func tlsToMintConfig(tlsConf *tls.Config, pers protocol.Perspective) (*mint.Config, error) {
- mconf := &mint.Config{
- NonBlocking: true,
- CipherSuites: []mint.CipherSuite{
- mint.TLS_AES_128_GCM_SHA256,
- mint.TLS_AES_256_GCM_SHA384,
- },
- }
- if tlsConf != nil {
- mconf.ServerName = tlsConf.ServerName
- mconf.InsecureSkipVerify = tlsConf.InsecureSkipVerify
- mconf.Certificates = make([]*mint.Certificate, len(tlsConf.Certificates))
- mconf.RootCAs = tlsConf.RootCAs
- mconf.VerifyPeerCertificate = tlsConf.VerifyPeerCertificate
- for i, certChain := range tlsConf.Certificates {
- mconf.Certificates[i] = &mint.Certificate{
- Chain: make([]*x509.Certificate, len(certChain.Certificate)),
- PrivateKey: certChain.PrivateKey.(gocrypto.Signer),
- }
- for j, cert := range certChain.Certificate {
- c, err := x509.ParseCertificate(cert)
- if err != nil {
- return nil, err
- }
- mconf.Certificates[i].Chain[j] = c
- }
- }
- switch tlsConf.ClientAuth {
- case tls.NoClientCert:
- case tls.RequireAnyClientCert:
- mconf.RequireClientAuth = true
- default:
- return nil, errors.New("mint currently only support ClientAuthType RequireAnyClientCert")
- }
- }
- if err := mconf.Init(pers == protocol.PerspectiveClient); err != nil {
- return nil, err
- }
- return mconf, nil
- }
|
