feat(ssl): remove requirement of specifying CA certificate

CA certificate is no longer required to start secure HTTP servers for application's services.
Icikowski · Nov 17, 2022 · 2443e9e · 2443e9e
1 parent 8b7791d
commit 2443e9e
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 94 deletions.
diff --git a/src/config/service.go b/src/config/service.go
@@ -2,9 +2,6 @@ package config
 
 import (
 	"crypto/tls"
-	"crypto/x509"
-	"fmt"
-	"os"
 )
 
 // ServiceConfig represents the configuration of application's service
@@ -13,12 +10,10 @@ type ServiceConfig struct {
 	Port        int    `env:"PORT" json:"port"`
 	SecuredPort int    `env:"SECURED_PORT" json:"securedPort"`
 	SSLEnabled  bool   `env:"SSL_ENABLED" envDefault:"false" json:"sslEnabled"`
-	CACertPath  string `env:"CA_CERT_PATH" json:"caCertPath"`
 	TLSCertPath string `env:"TLS_CERT_PATH" json:"tlsCertPath"`
 	TLSKeyPath  string `env:"TLS_KEY_PATH" json:"tlsKeyPath"`
 
-	caCertPool *x509.CertPool
-	tlsCert    tls.Certificate
+	tlsCert tls.Certificate
 }
 
 // LoadCerts attempts to load CA & TLS certificates defined in configuration
@@ -27,18 +22,6 @@ func (c *ServiceConfig) LoadCerts() error {
 		return nil
 	}
 
-	ca, err := os.ReadFile(c.CACertPath)
-	if err != nil {
-		return err
-	}
-
-	caCerts := x509.NewCertPool()
-	if !caCerts.AppendCertsFromPEM(ca) {
-		return fmt.Errorf("failed to append CA certificates to pool")
-	}
-
-	c.caCertPool = caCerts
-
 	tlsCert, err := tls.LoadX509KeyPair(c.TLSCertPath, c.TLSKeyPath)
 	if err != nil {
 		return err
@@ -57,7 +40,6 @@ func (c *ServiceConfig) GetTLSConfig() *tls.Config {
 
 	return &tls.Config{
 		Certificates: []tls.Certificate{c.tlsCert},
-		RootCAs:      c.caCertPool,
 		MinVersion:   tls.VersionTLS12,
 		CipherSuites: []uint16{
 			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,

diff --git a/src/config/service_test.go b/src/config/service_test.go
@@ -17,39 +17,12 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-func noopCertGen(t *testing.T) (caCert string, tlsCert string, tlsKey string) {
+func noopCertGen(t *testing.T) (tlsCert string, tlsKey string) {
 	t.Helper()
 	return
 }
 
-func missingCACertGen(t *testing.T) (caCert string, tlsCert string, tlsKey string) {
-	t.Helper()
-	caCert = "/tmp/thereIsNoSpoon"
-	return
-}
-
-func malformedCaCertGen(t *testing.T) (caCert string, tlsCert string, tlsKey string) {
-	t.Helper()
-
-	caCertFile, err := os.CreateTemp(os.TempDir(), "ca-*.crt")
-	if err != nil {
-		t.Fatal(err.Error())
-		return
-	}
-	t.Cleanup(func() {
-		os.Remove(caCertFile.Name())
-	})
-
-	if _, err := caCertFile.WriteString("malformed"); err != nil {
-		t.Fatal(err.Error())
-		return
-	}
-	caCert = caCertFile.Name()
-
-	return
-}
-
-func allOkCertGen(t *testing.T) (caCert string, tlsCert string, tlsKey string) {
+func allOkCertGen(t *testing.T) (tlsCert string, tlsKey string) {
 	t.Helper()
 
 	ca := &x509.Certificate{
@@ -77,30 +50,6 @@ func allOkCertGen(t *testing.T) (caCert string, tlsCert string, tlsKey string) {
 		return
 	}
 
-	caBytes, err := x509.CreateCertificate(rand.Reader, ca, ca, &caPrivKey.PublicKey, caPrivKey)
-	if err != nil {
-		t.Fatal(err.Error())
-		return
-	}
-
-	caCertFile, err := os.CreateTemp(os.TempDir(), "ca-*.crt")
-	if err != nil {
-		t.Fatal(err.Error())
-		return
-	}
-	t.Cleanup(func() {
-		os.Remove(caCertFile.Name())
-	})
-
-	if err := pem.Encode(caCertFile, &pem.Block{
-		Type:  "CERTIFICATE",
-		Bytes: caBytes,
-	}); err != nil {
-		t.Fatal(err.Error())
-		return
-	}
-	caCert = caCertFile.Name()
-
 	cert := &x509.Certificate{
 		SerialNumber: big.NewInt(1658),
 		Subject: pkix.Name{
@@ -171,40 +120,23 @@ func allOkCertGen(t *testing.T) (caCert string, tlsCert string, tlsKey string) {
 	return
 }
 
-func missingTLSCertGen(t *testing.T) (caCert string, tlsCert string, tlsKey string) {
-	t.Helper()
-	caCert, _, _ = allOkCertGen(t)
-	tlsCert, tlsKey = "", ""
-	return
-}
-
 func TestLoadCerts(t *testing.T) {
 	tests := map[string]struct {
 		sslEnabled    bool
-		genFunc       func(*testing.T) (string, string, string)
+		genFunc       func(*testing.T) (string, string)
 		errorExpected bool
 	}{
 		"SSL disabled": {
 			sslEnabled:    false,
 			genFunc:       noopCertGen,
 			errorExpected: false,
 		},
-		"missing CA certificate": {
-			sslEnabled:    true,
-			genFunc:       missingCACertGen,
-			errorExpected: true,
-		},
-		"malformed CA certificate": {
-			sslEnabled:    true,
-			genFunc:       malformedCaCertGen,
-			errorExpected: true,
-		},
-		"missing TLS certificate": {
+		"TLS missing": {
 			sslEnabled:    true,
-			genFunc:       missingTLSCertGen,
+			genFunc:       noopCertGen,
 			errorExpected: true,
 		},
-		"all OK": {
+		"TLS valid": {
 			sslEnabled:    true,
 			genFunc:       allOkCertGen,
 			errorExpected: false,
@@ -217,7 +149,7 @@ func TestLoadCerts(t *testing.T) {
 			conf := &config.ServiceConfig{
 				SSLEnabled: tc.sslEnabled,
 			}
-			conf.CACertPath, conf.TLSCertPath, conf.TLSKeyPath = tc.genFunc(t)
+			conf.TLSCertPath, conf.TLSKeyPath = tc.genFunc(t)
 
 			err := conf.LoadCerts()
 			if tc.errorExpected {