aau-network-security · mrtrkmn · Jan 17, 2021 · Jan 30, 2021 · Jan 30, 2021
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -37,13 +37,13 @@ jobs:
 
       - name: Download example config file
         run: |
-          curl -o config.yml https://gist.githubusercontent.com/mrturkmencom/cc5becf2d8413ea18c27a5bb2aa4106f/raw/2fc5b3fd415846f0b993a67d20d0094309f00698/config.yml
+          curl -o config.yml https://gist.githubusercontent.com/mrtrkmn/cc5becf2d8413ea18c27a5bb2aa4106f/raw/2fc5b3fd415846f0b993a67d20d0094309f00698/config.yml
 
       - name: Download certs
         run: |
-          curl -o haaukins-store.com.crt https://gist.githubusercontent.com/mrturkmencom/da480dd97f74c7a9581d6a69d5b2e984/raw/cbc2e338800d81a904c320999e44ec38b721ff5c/haaukins-store.com.crt
-          curl -o localhost_50051.key    https://gist.githubusercontent.com/mrturkmencom/12132d60247e24041b954ee43d5e5cb1/raw/f18d0f0f96539fb424d1c463ec7e60ae8f846d0c/localhost_50051.key
-          curl -o localhost_50051.crt    https://gist.githubusercontent.com/mrturkmencom/fc57419e46a859a031e11aa10b97c9e1/raw/109b1e64340c7394dcd9f7295969659d3cbc72af/localhost_50051.crt
+          curl -o haaukins-store.com.crt https://gist.githubusercontent.com/mrtrkmn/da480dd97f74c7a9581d6a69d5b2e984/raw/cbc2e338800d81a904c320999e44ec38b721ff5c/haaukins-store.com.crt
+          curl -o localhost_50051.key    https://gist.githubusercontent.com/mrtrkmn/12132d60247e24041b954ee43d5e5cb1/raw/f18d0f0f96539fb424d1c463ec7e60ae8f846d0c/localhost_50051.key
+          curl -o localhost_50051.crt    https://gist.githubusercontent.com/mrtrkmn/fc57419e46a859a031e11aa10b97c9e1/raw/109b1e64340c7394dcd9f7295969659d3cbc72af/localhost_50051.crt
 
       - name: Get dependencies
         run: |

diff --git a/database/store_test.go b/database/store_test.go
@@ -6,8 +6,6 @@ import (
 	"crypto/x509"
 	"errors"
 	"fmt"
-	"io/ioutil"
-	"os"
 	"strconv"
 	"testing"
 	"time"
@@ -26,12 +24,6 @@ const (
 	HOST           = "localhost:50051"
 )
 
-var (
-	testCertPath    = os.Getenv("CERT")
-	testCertKeyPath = os.Getenv("CERT_KEY")
-	testCAPath      = os.Getenv("CA")
-)
-
 type Creds struct {
 	Token    string
 	Insecure bool
@@ -75,35 +67,17 @@ func TestStoreConnection(t *testing.T) {
 
 			authCreds := Creds{Token: tokenString}
 
-			// Load the client certificates from disk
-			certificate, err := tls.LoadX509KeyPair(testCertPath, testCertKeyPath)
-			if err != nil {
-				t.Fatalf("could not load client key pair: %s", err)
-			}
-
-			// Create a certificate pool from the certificate authority
-			certPool := x509.NewCertPool()
-			ca, err := ioutil.ReadFile(testCAPath)
-			if err != nil {
-				t.Fatalf("could not read ca certificate: %s", err)
-			}
+			pool, _ := x509.SystemCertPool()
+			creds := credentials.NewClientTLSFromCert(pool, "")
 
-			// Append the certificates from the CA
-			if ok := certPool.AppendCertsFromPEM(ca); !ok {
-				t.Fatalf("failed to append ca certs")
-			}
-
-			creds := credentials.NewTLS(&tls.Config{
-				ServerName:   HOST,
-				Certificates: []tls.Certificate{certificate},
-				RootCAs:      certPool,
+			creds = credentials.NewTLS(&tls.Config{
+				RootCAs: pool,
 			})
 
 			dialOpts := []grpc.DialOption{
 				grpc.WithTransportCredentials(creds),
 				grpc.WithPerRPCCredentials(authCreds),
 			}
-			// Create a connection with the TLS credentials
 
 			conn, err := grpc.Dial(HOST, dialOpts...)
 			if err != nil {
@@ -150,28 +124,11 @@ func createTestClientConn() (*grpc.ClientConn, error) {
 
 	authCreds := Creds{Token: tokenString}
 
-	// Load the client certificates from disk
-	certificate, err := tls.LoadX509KeyPair(testCertPath, testCertKeyPath)
-	if err != nil {
-		return nil, err
-	}
-
-	// Create a certificate pool from the certificate authority
-	certPool := x509.NewCertPool()
-	ca, err := ioutil.ReadFile(testCAPath)
-	if err != nil {
-		return nil, err
-	}
-
-	// Append the certificates from the CA
-	if ok := certPool.AppendCertsFromPEM(ca); !ok {
-		return nil, err
-	}
+	pool, _ := x509.SystemCertPool()
+	creds := credentials.NewClientTLSFromCert(pool, "")
 
-	creds := credentials.NewTLS(&tls.Config{
-		ServerName:   HOST,
-		Certificates: []tls.Certificate{certificate},
-		RootCAs:      certPool,
+	creds = credentials.NewTLS(&tls.Config{
+		RootCAs: pool,
 	})
 
 	dialOpts := []grpc.DialOption{

diff --git a/util/util.go b/util/util.go
@@ -2,8 +2,6 @@ package util
 
 import (
 	"context"
-	"crypto/tls"
-	"crypto/x509"
 	"errors"
 	"fmt"
 	"io/ioutil"
@@ -194,33 +192,11 @@ func GetCreds(conf *model.Config) (credentials.TransportCredentials, error) {
 	certificateProps := certificate{
 		cPath:    conf.TLS.CertFile,
 		cKeyPath: conf.TLS.CertKey,
-		caPath:   conf.TLS.CAFile,
 	}
-
-	certificate, err := tls.LoadX509KeyPair(certificateProps.cPath, certificateProps.cKeyPath)
-	if err != nil {
-		return nil, fmt.Errorf("could not load server key pair: %s", err)
-	}
-
-	// Create a certificate pool from the certificate authority
-	certPool := x509.NewCertPool()
-	ca, err := ioutil.ReadFile(certificateProps.caPath)
+	creds, err := credentials.NewServerTLSFromFile(certificateProps.cPath, certificateProps.cKeyPath)
 	if err != nil {
-		return nil, fmt.Errorf("could not read ca certificate: %s", err)
-	}
-	// CA file for let's encrypt is located under domain conf as `chain.pem`
-	// pass chain.pem location
-	// Append the client certificates from the CA
-	if ok := certPool.AppendCertsFromPEM(ca); !ok {
-		return nil, errors.New("failed to append client certs")
+		return nil, err
 	}
-
-	// Create the TLS credentials
-	creds := credentials.NewTLS(&tls.Config{
-		ClientAuth:   tls.RequireAndVerifyClientCert,
-		Certificates: []tls.Certificate{certificate},
-		ClientCAs:    certPool,
-	})
 	return creds, nil
 }