From efb5ae91955a3f3282d62648eccd8edeb14449b5 Mon Sep 17 00:00:00 2001
From: Firas Ghanmi <fghanmi@redhat.com>
Date: Mon, 1 Jul 2024 14:38:21 +0200
Subject: [PATCH] Add TLS support for CTLog

Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>
---
 cmd/app/serve.go | 30 +++++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

diff --git a/cmd/app/serve.go b/cmd/app/serve.go
index de0b28194..881ef68ee 100644
--- a/cmd/app/serve.go
+++ b/cmd/app/serve.go
@@ -18,6 +18,7 @@ package app
 import (
 	"bytes"
 	"context"
+	"crypto/tls"
 	"crypto/x509"
 	"errors"
 	"flag"
@@ -108,6 +109,7 @@ func newServeCmd() *cobra.Command {
 	cmd.Flags().String("grpc-tls-certificate", "", "the certificate file to use for secure connections - only applies to grpc-port")
 	cmd.Flags().String("grpc-tls-key", "", "the private key file to use for secure connections (without passphrase) - only applies to grpc-port")
 	cmd.Flags().Duration("idle-connection-timeout", 30*time.Second, "The time allowed for connections (HTTP or gRPC) to go idle before being closed by the server")
+	cmd.Flags().String("tls-ca-cert", "", "Path to TLS CA certificate")
 
 	// convert "http-host" flag to "host" and "http-port" flag to be "port"
 	cmd.Flags().SetNormalizeFunc(func(_ *pflag.FlagSet, name string) pflag.NormalizedName {
@@ -273,7 +275,33 @@ func runServeCmd(cmd *cobra.Command, args []string) { //nolint: revive
 			}
 			opts.PublicKey = string(pemPubKey)
 		}
-		ctClient, err = ctclient.New(logURL, &http.Client{Timeout: 30 * time.Second}, opts)
+		var httpClient *http.Client
+		if tlsCaCertPath := viper.GetString("tls-ca-cert"); tlsCaCertPath != "" {
+			tlsCaCert, err := os.ReadFile(filepath.Clean(tlsCaCertPath))
+			if err != nil {
+				log.Logger.Fatal(err)
+			}
+			caCertPool := x509.NewCertPool()
+			if ok := caCertPool.AppendCertsFromPEM(tlsCaCert); !ok {
+				log.Logger.Fatal("failed to append TLS CA certificate")
+			}
+			tlsConfig := &tls.Config{
+				RootCAs:    caCertPool,
+				MinVersion: tls.VersionTLS12,
+			}
+			transport := &http.Transport{
+				TLSClientConfig: tlsConfig,
+			}
+			httpClient = &http.Client{
+				Timeout:   30 * time.Second,
+				Transport: transport,
+			}
+		} else {
+			httpClient = &http.Client{
+				Timeout: 30 * time.Second,
+			}
+		}
+		ctClient, err = ctclient.New(logURL, httpClient, opts)
 		if err != nil {
 			log.Logger.Fatal(err)
 		}