Move github.com/elasitc/beats/v7/common/transport/tlscommon (#19)

Author: kvch

README.md

@@ -16,3 +16,4 @@ Provided packages:
 * `github.com/elastic/elastic-agent-libs/mapstr` is the old `github.com/elastic/beats/v7/libbeat/common.MapStr`. It is an extra layer on top of `map[string]interface{}`.
 * `github.com/elastic/elastic-agent-libs/safemapstr` contains safe operations for `mapstr.M`.
 * `github.com/elastic/elastic-agent-libs/str` the previous `stringset.go` file from `github.com/elastic/beats/v7/libbeat/common`. It provides a string set implementation. 
+* `github.com/elastic/elastic-agent-libs/transport/tlscommon` TLS configuration and validation, CA pinning, etc.

transport/tlscommon/ca_pinning.go

@@ -0,0 +1,60 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package tlscommon
+
+import (
+	"crypto/sha256"
+	"crypto/x509"
+	"encoding/base64"
+	"errors"
+)
+
+// ErrCAPinMissmatch is returned when no pin is matched in the verified chain.
+var ErrCAPinMissmatch = errors.New("provided CA certificate pins doesn't match any of the certificate authorities used to validate the certificate")
+
+// verifyCAPin loops through the verified chains and will try to match the certificates pin.
+//
+// NOTE: Defining a PIN to check certificates is not a replacement for the normal TLS validations it's
+// an additional validation. In fact if you set `InsecureSkipVerify` to true and a PIN, the
+// verifiedChains variable will be empty and the added validation will fail.
+func verifyCAPin(hashes []string, verifiedChains [][]*x509.Certificate) error {
+	for _, chain := range verifiedChains {
+		for _, certificate := range chain {
+			h := Fingerprint(certificate)
+			if matches(hashes, h) {
+				return nil
+			}
+		}
+	}
+	return ErrCAPinMissmatch
+}
+
+// Fingerprint takes a certificate and create a hash of the DER encoded public key.
+func Fingerprint(certificate *x509.Certificate) string {
+	hash := sha256.Sum256(certificate.RawSubjectPublicKeyInfo)
+	return base64.StdEncoding.EncodeToString(hash[:])
+}
+
+func matches(pins []string, candidate string) bool {
+	for _, pin := range pins {
+		if pin == candidate {
+			return true
+		}
+	}
+	return false
+}