Check if TLS certificate and key file have been modified (prometheus#345)

LeviHarrison · radek-ryckowski · commit 110f072bf68f · 2025-05-20T10:48:32.000+01:00
* Check hash of cert and key file

Signed-off-by: Levi Harrison &lt;git@leviharrison.dev&gt;

Signed-off-by: Simon Pasquier &lt;spasquie@redhat.com&gt;
diff --git a/config/http_config.go b/config/http_config.go
@@ -1152,6 +1152,37 @@ func (c *TLSConfig) UnmarshalYAML(unmarshal func(interface{}) error) error {
 	return c.Validate()
 }
 
+// readCertAndKey reads the cert and key files from the disk.
+func readCertAndKey(certFile, keyFile string) ([]byte, []byte, error) {
+	certData, err := ioutil.ReadFile(certFile)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	keyData, err := ioutil.ReadFile(keyFile)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return certData, keyData, nil
+}
+
+// getClientCertificate reads the pair of client cert and key from disk and returns a tls.Certificate.
+func (c *TLSConfig) getClientCertificate(_ *tls.CertificateRequestInfo) (*tls.Certificate, error) {
+	certData, keyData, err := readCertAndKey(c.CertFile, c.KeyFile)
+	if err != nil {
+		return nil, fmt.Errorf("unable to read specified client cert (%s) & key (%s): %s", c.CertFile, c.KeyFile, err)
+	}
+
+	cert, err := tls.X509KeyPair(certData, keyData)
+	if err != nil {
+		return nil, fmt.Errorf("unable to use specified client cert (%s) & key (%s): %s", c.CertFile, c.KeyFile, err)
+	}
+
+	return &cert, nil
+>>>>>>> 78d22dc (Check if TLS certificate and key file have been modified (#345))
+}
+
 // Validate validates the TLSConfig to check that only one of the inlined or
 // file-based fields for the TLS CA, client certificate, and client key are
 // used.
