Skip to content
Snippets Groups Projects
Normal view Permalink
storage.go 4 KiB
Newer Older
  • Learn to ignore specific revisions
    • ale's avatar
    Initial commit
    ale committed
    1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 
    package acmeserver

import (
	"bytes"
	"context"
	"crypto"
	"crypto/ecdsa"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"io/ioutil"
	"os"
	"path/filepath"
	"strings"
	"time"

	"git.autistici.org/ai3/go-common/clientutil"
	"git.autistici.org/ai3/replds"
)

type dirStorage struct {
	root string
}

func (d *dirStorage) GetCert(cn string) ([][]byte, crypto.Signer, error) {
	certPath := filepath.Join(d.root, cn, "fullchain.pem")
	keyPath := filepath.Join(d.root, cn, "private_key.pem")

	der, err := parseCertsFromFile(certPath)
	if err != nil {
		return nil, nil, err
	}
	priv, err := parsePrivateKeyFromFile(keyPath)
	if err != nil {
		return nil, nil, err
	}
	return der, priv, nil
}

func (d *dirStorage) PutCert(cn string, der [][]byte, key crypto.Signer) error {
	filemap, err := dumpCertsAndKey(cn, der, key)
	if err != nil {
		return err
	}

	dir := filepath.Join(d.root, cn)
	if _, err := os.Stat(dir); err != nil && os.IsNotExist(err) {
		if err = os.Mkdir(dir, 0755); err != nil {
			return err
		}
	}

	for path, data := range filemap {
		var mode os.FileMode = 0644
		if strings.HasSuffix(path, "private_key.pem") {
			mode = 0400
		}
		if err := ioutil.WriteFile(path, data, mode); err != nil {
			return err
		}
	}
	return nil
}

func dumpCertsAndKey(cn string, der [][]byte, key crypto.Signer) (map[string][]byte, error) {
	m := make(map[string][]byte)

	data, err := encodeCerts(der)
	if err != nil {
		return nil, err
	}
	m[filepath.Join(cn, "fullchain.pem")] = data

	data, err = encodeCerts(der[:1])
	if err != nil {
		return nil, err
	}
	m[filepath.Join(cn, "cert.pem")] = data

	data, err = encodePrivateKey(key)
	if err != nil {
		return nil, err
	}
	m[filepath.Join(cn, "private_key.pem")] = data

	return m, nil
}

// The replStorage overrides the PutCert method and writes the
// certificates to replds instead.
type replStorage struct {
	*dirStorage
	replClient clientutil.Backend
}

func (d *replStorage) PutCert(cn string, der [][]byte, key crypto.Signer) error {
	filemap, err := dumpCertsAndKey(cn, der, key)
	if err != nil {
		return err
	}

	now := time.Now()
	var req replds.SetNodesRequest
	for path, data := range filemap {
		req.Nodes = append(req.Nodes, replds.Node{
			Path:      path,
			Value:     data,
			Timestamp: now,
		})
	}

	ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
	defer cancel()

	var resp replds.SetNodesResponse
	if err := clientutil.DoJSONHTTPRequest(ctx, d.replClient.Client(""), d.replClient.URL("")+"/api/set_nodes", req, &resp); err != nil {
		return err
	}
	if resp.HostsOk < 1 {
		return errors.New("not enough successful replds writes")
	}
	return nil
}

func parseCertsFromFile(path string) ([][]byte, error) {
	data, err := ioutil.ReadFile(path)
	if err != nil {
		return nil, err
	}

	var der [][]byte
	for {
		block, rest := pem.Decode(data)
		if block == nil {
			break
		}
		der = append(der, block.Bytes)
		data = rest
	}
	return der, nil
}

func parsePrivateKeyFromFile(path string) (crypto.Signer, error) {
	data, err := ioutil.ReadFile(path)
	if err != nil {
		return nil, err
	}

	priv, _ := pem.Decode(data)
	if priv == nil || !strings.Contains(priv.Type, "PRIVATE") {
		return nil, errors.New("invalid account key")
	}
	return parsePrivateKey(priv.Bytes)
}

func encodeCerts(der [][]byte) ([]byte, error) {
	var buf bytes.Buffer
	for _, b := range der {
		pb := &pem.Block{Type: "CERTIFICATE", Bytes: b}
		if err := pem.Encode(&buf, pb); err != nil {
			return nil, err
		}
	}
	return buf.Bytes(), nil
}

func encodePrivateKey(key crypto.Signer) ([]byte, error) {
	var pb *pem.Block
	switch priv := key.(type) {
	case *rsa.PrivateKey:
		pb = &pem.Block{
			Type:  "PRIVATE KEY",
			Bytes: x509.MarshalPKCS1PrivateKey(priv),
		}
	case *ecdsa.PrivateKey:
		b, err := x509.MarshalECPrivateKey(priv)
		if err != nil {
			return nil, err
		}
		pb = &pem.Block{
			Type:  "EC PRIVATE KEY",
			Bytes: b,
		}
	default:
		return nil, errors.New("unknown private key type")
	}
	var buf bytes.Buffer
	if err := pem.Encode(&buf, pb); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}