1// Copyright 2023 Google LLC
 2//
 3// Licensed under the Apache License, Version 2.0 (the "License");
 4// you may not use this file except in compliance with the License.
 5// You may obtain a copy of the License at
 6//
 7//      http://www.apache.org/licenses/LICENSE-2.0
 8//
 9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15package cert
16
17import (
18	"crypto/tls"
19
20	"github.com/googleapis/enterprise-certificate-proxy/client"
21)
22
23type ecpSource struct {
24	key *client.Key
25}
26
27// NewEnterpriseCertificateProxyProvider creates a certificate source
28// using the Enterprise Certificate Proxy client, which delegates
29// certifcate related operations to an OS-specific "signer binary"
30// that communicates with the native keystore (ex. keychain on MacOS).
31//
32// The configFilePath points to a config file containing relevant parameters
33// such as the certificate issuer and the location of the signer binary.
34// If configFilePath is empty, the client will attempt to load the config from
35// a well-known gcloud location.
36func NewEnterpriseCertificateProxyProvider(configFilePath string) (Provider, error) {
37	key, err := client.Cred(configFilePath)
38	if err != nil {
39		// TODO(codyoss): once this is fixed upstream can handle this error a
40		// little better here. But be safe for now and assume unavailable.
41		return nil, errSourceUnavailable
42	}
43
44	return (&ecpSource{
45		key: key,
46	}).getClientCertificate, nil
47}
48
49func (s *ecpSource) getClientCertificate(info *tls.CertificateRequestInfo) (*tls.Certificate, error) {
50	var cert tls.Certificate
51	cert.PrivateKey = s.key
52	cert.Certificate = s.key.CertificateChain()
53	return &cert, nil
54}