First Commit

internal/federation/tls.go

@@ -0,0 +1,32 @@
+package federation
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"os"
+)
+
+func ServerTLSConfig(certFile, keyFile, clientCAFile string) (*tls.Config, error) {
+	// Load server cert
+	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+	if err != nil {
+		return nil, err
+	}
+
+	// Load client CA for mTLS
+	caPEM, err := os.ReadFile(clientCAFile)
+	if err != nil {
+		return nil, err
+	}
+	clientCAs := x509.NewCertPool()
+	if ok := clientCAs.AppendCertsFromPEM(caPEM); !ok {
+		return nil, err
+	}
+
+	return &tls.Config{
+		MinVersion:   tls.VersionTLS13,
+		Certificates: []tls.Certificate{cert},
+		ClientAuth:   tls.RequireAndVerifyClientCert,
+		ClientCAs:    clientCAs,
+	}, nil
+}