Add CA cert option for TLS connection (#42)

Author: minggi

backend/mqttpubsub/backend.go

@@ -1,6 +1,9 @@
 package mqttpubsub
 
 import (
+	"crypto/tls"
+	"crypto/x509"
+	"io/ioutil"	
 	"encoding/json"
 	"fmt"
 	"sync"
@@ -21,7 +24,7 @@ type Backend struct {
 }
 
 // NewBackend creates a new Backend.
-func NewBackend(server, username, password string) (*Backend, error) {
+func NewBackend(server, username, password, cafile string) (*Backend, error) {
 	b := Backend{
 		txPacketChan: make(chan gw.TXPacketBytes),
 		gateways:     make(map[lorawan.EUI64]struct{}),
@@ -33,7 +36,14 @@ func NewBackend(server, username, password string) (*Backend, error) {
 	opts.SetPassword(password)
 	opts.SetOnConnectHandler(b.onConnected)
 	opts.SetConnectionLostHandler(b.onConnectionLost)
-
+	
+	if cafile != "" {
+		tlsconfig, err := NewTLSConfig(cafile)
+		if err == nil {
+			opts.SetTLSConfig(tlsconfig)
+		}
+	}
+	
 	log.WithField("server", server).Info("backend: connecting to mqtt broker")
 	b.conn = mqtt.NewClient(opts)
 	if token := b.conn.Connect(); token.Wait() && token.Error() != nil {
@@ -43,6 +53,26 @@ func NewBackend(server, username, password string) (*Backend, error) {
 	return &b, nil
 }
 
+// NewTLSConfig returns the TLS configuration.
+func NewTLSConfig(cafile string) (*tls.Config, error) {
+	// Import trusted certificates from CAfile.pem.
+	
+	cert, err := ioutil.ReadFile(cafile)
+	if err != nil {
+		log.Errorf("backend: couldn't load cafile: %s", err)
+		return nil, err
+	}
+	
+	certpool := x509.NewCertPool()
+	certpool.AppendCertsFromPEM(cert)
+	
+	// Create tls.Config with desired tls properties
+	return &tls.Config{
+		// RootCAs = certs used to verify server cert.
+		RootCAs: certpool,
+	}, nil
+}
+
 // Close closes the backend.
 func (b *Backend) Close() {
 	b.conn.Disconnect(250) // wait 250 milisec to complete pending actions

backend/mqttpubsub/backend_test.go

@@ -22,7 +22,7 @@ func TestBackend(t *testing.T) {
 		defer c.Disconnect(0)
 
 		Convey("Given a new Backend", func() {
-			backend, err := NewBackend(conf.Server, conf.Username, conf.Password)
+			backend, err := NewBackend(conf.Server, conf.Username, conf.Password, "")
 			So(err, ShouldBeNil)
 			defer backend.Close()
 

cmd/lora-gateway-bridge/doc.go

@@ -13,6 +13,7 @@ GLOBAL OPTIONS:
    --mqtt-server "tcp://127.0.0.1:1883"	MQTT server [$MQTT_SERVER]
    --mqtt-username 			MQTT username [$MQTT_USERNAME]
    --mqtt-password 			MQTT password [$MQTT_PASSWORD]
+   --mqtt-ca-cert                       CA certificate file [$MQTT_CA_CERT]
    --log-level "4"			debug=5, info=4, warning=3, error=2, fatal=1, panic=0 [$LOG_LEVEL]
    --help, -h				show help
    --version, -v			print the version

cmd/lora-gateway-bridge/main.go

@@ -28,7 +28,7 @@ func run(c *cli.Context) error {
 	var pubsub *mqttpubsub.Backend
 	for {
 		var err error
-		pubsub, err = mqttpubsub.NewBackend(c.String("mqtt-server"), c.String("mqtt-username"), c.String("mqtt-password"))
+		pubsub, err = mqttpubsub.NewBackend(c.String("mqtt-server"), c.String("mqtt-username"), c.String("mqtt-password"), c.String("mqtt-ca-cert"))
 		if err == nil {
 			break
 		}
@@ -113,6 +113,11 @@ func main() {
 			Usage:  "mqtt server password (optional)",
 			EnvVar: "MQTT_PASSWORD",
 		},
+		cli.StringFlag{
+			Name:   "mqtt-ca-cert",
+			Usage:  "mqtt CA certificate file (optional)",
+			EnvVar: "MQTT_CA_CERT",
+		},
 		cli.BoolFlag{
 			Name:   "skip-crc-check",
 			Usage:  "skip the CRC status-check of received packets",