Add client certificate support to the downloader

2025-12-22 05:40:11 +01:00 · 2023-08-02 21:16:32 +02:00 · 2023-08-02 21:16:32 +02:00 · f31ee53c27
commit f31ee53c27
parent 017a6b0a10
3 changed files with 63 additions and 32 deletions
--- a/cmd/csaf_downloader/config.go
+++ b/cmd/csaf_downloader/config.go
@ -9,8 +9,10 @@
 package main

 import (
+	"crypto/tls"
 	"net/http"

+	"github.com/csaf-poc/csaf_distribution/v2/internal/certs"
 	"github.com/csaf-poc/csaf_distribution/v2/internal/filter"
 	"github.com/csaf-poc/csaf_distribution/v2/internal/models"
 	"github.com/csaf-poc/csaf_distribution/v2/internal/options"
@ -25,6 +27,9 @@ type config struct {
 	Directory            *string           `short:"d" long:"directory" description:"DIRectory to store the downloaded files in" value-name:"DIR" toml:"directory"`
 	Insecure             bool              `long:"insecure" description:"Do not check TLS certificates from provider" toml:"insecure"`
 	IgnoreSignatureCheck bool              `long:"ignoresigcheck" description:"Ignore signature check results, just warn on mismatch" toml:"ignoresigcheck"`
+	ClientCert           *string           `long:"client-cert" description:"TLS client certificate file (PEM encoded data)" value-name:"CERT-FILE" toml:"client_cert"`
+	ClientKey            *string           `long:"client-key" description:"TLS client private key file (PEM encoded data)" value-name:"KEY-FILE" toml:"client_key"`
+	ClientPassphrase     *string           `long:"client-passphrase" description:"Optional passphrase for the client certificate" value-name:"PASSPHRASE" toml:"client_passphrase"`
 	Version              bool              `long:"version" description:"Display version of the binary" toml:"-"`
 	Verbose              bool              `long:"verbose" short:"v" description:"Verbose output" toml:"verbose"`
 	Rate                 *float64          `long:"rate" short:"r" description:"The average upper limit of https operations per second (defaults to unlimited)" toml:"rate"`
@ -41,6 +46,7 @@ type config struct {

 	Config string `short:"c" long:"config" description:"Path to config TOML file" value-name:"TOML-FILE" toml:"-"`

+	clientCerts   []tls.Certificate
 	ignorePattern filter.PatternMatcher
 }

@ -90,7 +96,21 @@ func (cfg *config) compileIgnorePatterns() error {
 	return nil
 }

+// prepareCertificates loads the client side certificates used by the HTTP client.
+func (cfg *config) prepareCertificates() error {
+	cert, err := certs.LoadCertificate(
+		cfg.ClientCert, cfg.ClientKey, cfg.ClientPassphrase)
+	if err != nil {
+		return err
+	}
+	cfg.clientCerts = cert
+	return nil
+}
+
 // prepare prepares internal state of a loaded configuration.
 func (cfg *config) prepare() error {
+	if err := cfg.prepareCertificates(); err != nil {
+		return err
+	}
 	return cfg.compileIgnorePatterns()
 }
--- a/cmd/csaf_downloader/downloader.go
+++ b/cmd/csaf_downloader/downloader.go
@ -84,10 +84,15 @@ func (d *downloader) httpClient() util.Client {
 	var tlsConfig tls.Config
 	if d.cfg.Insecure {
 		tlsConfig.InsecureSkipVerify = true
+	}
+
+	if len(d.cfg.clientCerts) != 0 {
+		tlsConfig.Certificates = d.cfg.clientCerts
+	}
+
 	hClient.Transport = &http.Transport{
 		TLSClientConfig: &tlsConfig,
 	}
-	}

 	client := util.Client(&hClient)

--- a/docs/csaf_downloader.md
+++ b/docs/csaf_downloader.md
@ -10,6 +10,9 @@ Application Options:
  -d, --directory=DIR                   DIRectory to store the downloaded files in
      --insecure                        Do not check TLS certificates from provider
      --ignoresigcheck                  Ignore signature check results, just warn on mismatch
+      --client-cert=CERT-FILE           TLS client certificate file (PEM encoded data)
+      --client-key=KEY-FILE             TLS client private key file (PEM encoded data)
+      --client-passphrase=PASSPHRASE    Optional passphrase for the client certificate
      --version                         Display version of the binary
  -v, --verbose                         Verbose output
  -r, --rate=                           The average upper limit of https operations per second (defaults to unlimited)
@ -47,8 +50,11 @@ with `~` expanding to `$HOME` on unixoid systems and `%HOMEPATH` on Windows syst

 Supported options in config files:
 ```
-directory         # not set by default
+# directory         # not set by default
 insecure            = false
+# client_cert       # not set by default
+# client_key        # not set by default
+# client_passphrase # not set by default
 ignoresigcheck      = false
 verbose             = false
 # rate              # set to unlimited