vereign root certificate expires on 1st november

closes https://code.vereign.com/code/restful-api/-/issues/354

config/configs.go

 package config
 
 import (
+	"bytes"
+	"code.vereign.com/code/viam-apis/clientutils"
+	"code.vereign.com/code/viam-apis/errors"
+	"crypto"
+	"crypto/x509"
 	"os"
 	"path/filepath"
 	"strings"
@@ -24,7 +29,9 @@ var CertificatePEM []byte
 var PrivateKeyPEM []byte
 var CaCertificatePEM []byte
 var VereignCaCertificatePEM []byte
-var VereignCaKeyPEM []byte
+
+var EncryptionCert *x509.Certificate
+var EncryptionKey crypto.Signer
 
 var ReplaceKey bool
 
@@ -40,7 +47,7 @@ var GlobalLogLevel string
 var PrometeusListenAddress string
 var MetricEnvPrefix string
 
-func SetConfigValues(configFile, etcdURL string) {
+func SetConfigValues(configFile, etcdURL string) error {
 	// Set Default Values For Config Variables
 
 	// Vereign API Related
@@ -66,7 +73,6 @@ func SetConfigValues(configFile, etcdURL string) {
 	viper.SetDefault("certificationKeyFile", "server.key")
 	viper.SetDefault("certificationCaCertFile", "ca.crt")
 	viper.SetDefault("certificationVereignCertFile", "vereign_ca.cer")
-	viper.SetDefault("certificationVereignKeyFile", "vereign_ca.key")
 	viper.SetDefault("globalLogLevel", "info")
 
 	/*
@@ -79,9 +85,15 @@ func SetConfigValues(configFile, etcdURL string) {
 			viper.SetDefault("certificationKeyFile", "privateKey")
 			viper.SetDefault("certificationCaCertFile", "caCertificateKey")
 			viper.SetDefault("certificationVereignCertFile", "vereignCaCertificateKey")
-			viper.SetDefault("certificationVereignKeyFile", "vereignCaPrivateKey")
 	*/
 
+	// Encryption/Decryption Related
+	viper.SetDefault("vaultEncryptionURL", "")
+	viper.SetDefault("vaultEncryptionToken", "")
+	viper.SetDefault("vaultEncryptionPath", "")
+	viper.SetDefault("vaultEncryptionCertFile", "encryptionCert")
+	viper.SetDefault("vaultEncryptionKeyFile", "encryptionKey")
+
 	// Read Config File
 	if configFile != "" {
 		configName := strings.Split(filepath.Base(configFile), ".")[0]
@@ -101,6 +113,13 @@ func SetConfigValues(configFile, etcdURL string) {
 		}
 	}
 
+	// Print all config values to log file
+	log.Printf("All Settings From Config:")
+	as := viper.AllSettings()
+	for key, _ := range as {
+		log.Printf("%s => %s", key, viper.GetString(key))
+	}
+
 	CertificationMethod = viper.GetString("certificationMethod")
 	if CertificationMethod == "1" {
 		// Read From File System
@@ -110,8 +129,7 @@ func SetConfigValues(configFile, etcdURL string) {
 			certificationCertFile:        viper.GetString("certificationCertFile"),
 			certificationKeyFile:         viper.GetString("certificationKeyFile"),
 			certificationCaCertFile:      viper.GetString("certificationCaCertFile"),
-			certificationVereignCertFile: viper.GetString("certificationVereignCertFile"),
-			certificationVereignKeyFile:  viper.GetString("certificationVereignKeyFile")}
+			certificationVereignCertFile: viper.GetString("certificationVereignCertFile")}
 	} else if CertificationMethod == "2" {
 		// Read From Vault
 		P = VaultPEMReader{certificationURL: viper.GetString("certificationURL"),
@@ -120,15 +138,57 @@ func SetConfigValues(configFile, etcdURL string) {
 			certificationCertFile:        viper.GetString("certificationCertFile"),
 			certificationKeyFile:         viper.GetString("certificationKeyFile"),
 			certificationCaCertFile:      viper.GetString("certificationCaCertFile"),
-			certificationVereignCertFile: viper.GetString("certificationVereignCertFile"),
-			certificationVereignKeyFile:  viper.GetString("certificationVereignKeyFile")}
+			certificationVereignCertFile: viper.GetString("certificationVereignCertFile")}
 	}
 
-	// Print all config values to log file
-	log.Printf("All Settings From Config:")
-	as := viper.AllSettings()
-	for key, _ := range as {
-		log.Printf("%s => %s", key, viper.GetString(key))
+	// Encryption/Decryption Related
+	if viper.GetString("vaultEncryptionURL") == "" ||
+		viper.GetString("vaultEncryptionToken") == "" ||
+		viper.GetString("vaultEncryptionPath") == "" ||
+		viper.GetString("vaultEncryptionCertFile") == "" ||
+		viper.GetString("vaultEncryptionKeyFile") == "" {
+		log.Error("Some config values for encryption/decryption are missing!")
+		return errors.NewFormat("Some config values for encryption/decryption are missing!")
+	}
+	encryptionCertPEM, err := ReadEncryptionPEMFromVault(
+		viper.GetString("vaultEncryptionURL"),
+		viper.GetString("vaultEncryptionToken"),
+		viper.GetString("vaultEncryptionPath"),
+		viper.GetString("vaultEncryptionCertFile"))
+	if err != nil {
+		errors.LogFormat(err, "Vault Err")
+		return err
+	}
+	encryptionKeyPEM, err := ReadEncryptionPEMFromVault(
+		viper.GetString("vaultEncryptionURL"),
+		viper.GetString("vaultEncryptionToken"),
+		viper.GetString("vaultEncryptionPath"),
+		viper.GetString("vaultEncryptionKeyFile"))
+	if err != nil {
+		errors.LogFormat(err, "Vault Err")
+		return err
+	}
+	var encryptionCerts []*x509.Certificate
+	encryptionCerts, EncryptionKey, err = clientutils.LoadCertAndKey(encryptionCertPEM, encryptionKeyPEM)
+	if err != nil {
+		errors.LogFormat(err, "Load Err")
+		return err
+	}
+	if len(encryptionCerts) != 1 {
+		log.Errorf("%d certs found in vaultEncryptionCertFile, 1 expected", len(encryptionCerts))
+		return err
+	}
+	EncryptionCert = encryptionCerts[0]
+	keyPub, err := x509.MarshalPKIXPublicKey(EncryptionKey.Public())
+	if err != nil {
+		return err
+	}
+	certPub, err := x509.MarshalPKIXPublicKey(EncryptionCert.PublicKey)
+	if err != nil {
+		return err
+	}
+	if !bytes.Equal(keyPub, certPub) {
+		return errors.New("Encryption certificate public key does not correspond to encryption private key")
 	}
 
 	GrpcListenAddress = viper.GetString("grpcListenAddress")
@@ -154,7 +214,8 @@ func SetConfigValues(configFile, etcdURL string) {
 	PrivateKeyPEM = GetPrivateKeyPEM()
 	CaCertificatePEM = GetCaCertificatePEM()
 	VereignCaCertificatePEM = GetVereignCaCertificatePEM()
-	VereignCaKeyPEM = GetVereignCaKeyPEM()
+
+	return nil
 }
 
 func GetCertificatePEM() []byte {
@@ -172,7 +233,3 @@ func GetCaCertificatePEM() []byte {
 func GetVereignCaCertificatePEM() []byte {
 	return P.readVereignCaCertificatePEM()
 }
-
-func GetVereignCaKeyPEM() []byte {
-	return P.readVereignCaKeyPEM()
-}