Add options to use TLS client certificate for authentication (Checker)

* Add "client-cert" and "client-key" flag options to allow the checker to use TLS client certificate for authentication.
* Fix typo TSL -> TLS in docs.


Co-authored-by: Bernhard Reiter <bernhard@intevation.de>

README.md

@@ -41,7 +41,7 @@ Following options are supported:
 | -i, --password-interactive                 | Enter password interactively                                                               |
 | -I, --passphrase-interacive                | Enter passphrase interactively                                                             |
 | -c, --config=INI-FILE                      | Path to config ini file                                                                    |
-| --insecure                                 | Do not check TSL certificates from provider                                                |
+| --insecure                                 | Do not check TLS certificates from provider                                                |
 | --client-cert                              | TLS client certificate file (PEM encoded data)                                             |
 | --client-key                               | TLS client private key file (PEM encoded data)                                             |
 | -h, --help                                 | Show help                                                                                  |

cmd/csaf_checker/main.go

@@ -26,7 +26,9 @@ var reportHTML string
 type options struct {
 	Output     string  `short:"o" long:"output" description:"File name of the generated report" value-name:"REPORT-FILE"`
 	Format     string  `short:"f" long:"format" choice:"json" choice:"html" description:"Format of report" default:"json"`
-	Insecure bool   `long:"insecure" description:"Do not check TSL certificates from provider"`
+	Insecure   bool    `long:"insecure" description:"Do not check TLS certificates from provider"`
+	ClientCert *string `long:"client-cert" description:"TLS client certificate file (PEM encoded data)" value-name:"CERT-FILE"`
+	ClientKey  *string `long:"client-key" description:"TLS client private key file (PEM encoded data)" value-name:"KEY-FILE"`
 }
 
 func errCheck(err error) {
@@ -135,6 +137,11 @@ func main() {
 		return
 	}
 
+	if (opts.ClientCert != nil && opts.ClientKey == nil) || (opts.ClientCert == nil && opts.ClientKey != nil) {
+		log.Println("Both client-key and client-cert options must be set for the authentication.")
+		return
+	}
+
 	p := newProcessor(opts)
 
 	report, err := p.run(buildReporters(), domains)

cmd/csaf_checker/processor.go

@@ -230,15 +230,20 @@ func (p *processor) httpClient() *http.Client {
 	p.client = &http.Client{
 		CheckRedirect: p.checkRedirect,
 	}
-
+	var tlsConfig tls.Config
 	if p.opts.Insecure {
+		tlsConfig.InsecureSkipVerify = true
+	}
+	if p.opts.ClientCert != nil && p.opts.ClientKey != nil {
+		cert, err := tls.LoadX509KeyPair(*p.opts.ClientCert, *p.opts.ClientKey)
+		if err != nil {
+			log.Fatal(err)
+		}
+		tlsConfig.Certificates = []tls.Certificate{cert}
+	}
 	p.client.Transport = &http.Transport{
-			TLSClientConfig: &tls.Config{
+		TLSClientConfig: &tlsConfig,
-				InsecureSkipVerify: true,
-			},
 	}
-	}
-
 	return p.client
 }
 

cmd/csaf_uploader/main.go

@@ -46,7 +46,7 @@ type options struct {
 	PasswordInteractive   bool `short:"i" long:"password-interactive" description:"Enter password interactively" no-ini:"true"`
 	PassphraseInteractive bool `short:"I" long:"passphrase-interacive" description:"Enter passphrase interactively" no-ini:"true"`
 
-	Insecure bool `long:"insecure" description:"Do not check TSL certificates from provider"`
+	Insecure bool `long:"insecure" description:"Do not check TLS certificates from provider"`
 
 	Config *string `short:"c" long:"config" description:"Path to config ini file" value-name:"INI-FILE" no-ini:"true"`
 }