mirror of
https://github.com/1f349/violet.git
synced 2024-11-21 19:01:39 +00:00
224 lines
4.9 KiB
Go
224 lines
4.9 KiB
Go
package certs
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"crypto/x509/pkix"
|
|
"fmt"
|
|
"github.com/1f349/violet/logger"
|
|
"github.com/1f349/violet/utils"
|
|
"github.com/mrmelon54/certgen"
|
|
"github.com/mrmelon54/rescheduler"
|
|
"io/fs"
|
|
"math/big"
|
|
"os"
|
|
"strings"
|
|
"sync"
|
|
"sync/atomic"
|
|
"time"
|
|
)
|
|
|
|
var Logger = logger.Logger.WithPrefix("Violet Certs")
|
|
|
|
// Certs is the certificate loader and management system.
|
|
type Certs struct {
|
|
cDir fs.FS
|
|
kDir fs.FS
|
|
ss bool
|
|
s *sync.RWMutex
|
|
m map[string]*tls.Certificate
|
|
ca *certgen.CertGen
|
|
sn atomic.Int64
|
|
r *rescheduler.Rescheduler
|
|
t *time.Ticker
|
|
ts chan struct{}
|
|
}
|
|
|
|
// New creates a new cert list
|
|
func New(certDir fs.FS, keyDir fs.FS, selfCert bool) *Certs {
|
|
c := &Certs{
|
|
cDir: certDir,
|
|
kDir: keyDir,
|
|
ss: selfCert,
|
|
s: &sync.RWMutex{},
|
|
m: make(map[string]*tls.Certificate),
|
|
ts: make(chan struct{}, 1),
|
|
}
|
|
|
|
if !selfCert {
|
|
// the rescheduler isn't even used in self cert mode so why initialise it
|
|
c.r = rescheduler.NewRescheduler(c.threadCompile)
|
|
|
|
c.t = time.NewTicker(2 * time.Hour)
|
|
go func() {
|
|
for {
|
|
select {
|
|
case <-c.t.C:
|
|
c.Compile()
|
|
case <-c.ts:
|
|
return
|
|
}
|
|
}
|
|
}()
|
|
} else {
|
|
// in self-signed mode generate a CA certificate to sign other certificates
|
|
ca, err := certgen.MakeCaTls(4096, pkix.Name{
|
|
Country: []string{"GB"},
|
|
Organization: []string{"Violet"},
|
|
OrganizationalUnit: []string{"Development"},
|
|
SerialNumber: "0",
|
|
CommonName: fmt.Sprintf("%d.violet.test", time.Now().Unix()),
|
|
}, big.NewInt(0), func(now time.Time) time.Time {
|
|
return now.AddDate(10, 0, 0)
|
|
})
|
|
if err != nil {
|
|
logger.Logger.Fatal("Failed to generate CA cert for self-signed mode", "err", err)
|
|
}
|
|
c.ca = ca
|
|
}
|
|
return c
|
|
}
|
|
|
|
func (c *Certs) GetCertForDomain(domain string) *tls.Certificate {
|
|
// safety read lock
|
|
c.s.RLock()
|
|
defer c.s.RUnlock()
|
|
|
|
// lookup and return cert
|
|
if cert, ok := c.m[domain]; ok {
|
|
return cert
|
|
}
|
|
|
|
// if self-signed certificate is enabled then generate a certificate
|
|
if c.ss {
|
|
sn := c.sn.Add(1)
|
|
serverTls, err := certgen.MakeServerTls(c.ca, 4096, pkix.Name{
|
|
Country: []string{"GB"},
|
|
Organization: []string{domain},
|
|
OrganizationalUnit: []string{domain},
|
|
SerialNumber: fmt.Sprintf("%d", sn),
|
|
CommonName: domain,
|
|
}, big.NewInt(sn), func(now time.Time) time.Time {
|
|
return now.AddDate(10, 0, 0)
|
|
}, []string{domain}, nil)
|
|
if err != nil {
|
|
return nil
|
|
}
|
|
|
|
// save the generated leaf for loading if the domain is requested again
|
|
leaf := serverTls.GetTlsLeaf()
|
|
c.m[domain] = &leaf
|
|
return &leaf
|
|
}
|
|
|
|
// lookup and return wildcard cert
|
|
if wildcardDomain, ok := utils.ReplaceSubdomainWithWildcard(domain); ok {
|
|
if cert, ok := c.m[wildcardDomain]; ok {
|
|
return cert
|
|
}
|
|
}
|
|
|
|
// no cert found
|
|
return nil
|
|
}
|
|
|
|
// Compile loads the certificates and keys from the directories.
|
|
//
|
|
// This method makes use of the rescheduler instead of just ignoring multiple
|
|
// calls.
|
|
func (c *Certs) Compile() {
|
|
// don't bother compiling in self-signed mode
|
|
if c.ss {
|
|
return
|
|
}
|
|
c.r.Run()
|
|
}
|
|
|
|
func (c *Certs) Stop() {
|
|
if c.t != nil {
|
|
c.t.Stop()
|
|
}
|
|
close(c.ts)
|
|
}
|
|
|
|
func (c *Certs) threadCompile() {
|
|
// new map
|
|
certMap := make(map[string]*tls.Certificate)
|
|
|
|
// compile map and check errors
|
|
err := c.internalCompile(certMap)
|
|
if err != nil {
|
|
Logger.Infof("Compile failed: %s\n", err)
|
|
return
|
|
}
|
|
|
|
// lock while replacing the map
|
|
c.s.Lock()
|
|
c.m = certMap
|
|
c.s.Unlock()
|
|
}
|
|
|
|
// internalCompile is a hidden internal method for loading the certificate and
|
|
// key files
|
|
func (c *Certs) internalCompile(m map[string]*tls.Certificate) error {
|
|
if c.cDir == nil {
|
|
return nil
|
|
}
|
|
|
|
// try to read dir
|
|
files, err := fs.ReadDir(c.cDir, ".")
|
|
if err != nil {
|
|
return fmt.Errorf("failed to read cert dir: %w", err)
|
|
}
|
|
|
|
Logger.Infof("Compiling lookup table for %d certificates\n", len(files))
|
|
|
|
// find and parse certs
|
|
for _, i := range files {
|
|
// skip dirs
|
|
if i.IsDir() {
|
|
continue
|
|
}
|
|
|
|
// get file name and extension
|
|
name := i.Name()
|
|
if !strings.HasSuffix(name, ".cert.pem") {
|
|
continue
|
|
}
|
|
keyName := name[:len(name)-len("cert.pem")] + "key.pem"
|
|
|
|
// try to read cert file
|
|
certData, err := fs.ReadFile(c.cDir, name)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to read cert file '%s': %w", name, err)
|
|
}
|
|
|
|
// try to read key file
|
|
keyData, err := fs.ReadFile(c.kDir, keyName)
|
|
if err != nil {
|
|
// ignore the file if the certificate doesn't exist
|
|
if os.IsNotExist(err) {
|
|
continue
|
|
}
|
|
return fmt.Errorf("failed to read key file '%s': %w", keyName, err)
|
|
}
|
|
|
|
// load key pair
|
|
pair, err := tls.X509KeyPair(certData, keyData)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to load x509 key pair '%s + %s': %w", name, keyName, err)
|
|
}
|
|
|
|
// load tls leaf
|
|
cert := &pair
|
|
leaf := certgen.TlsLeaf(cert)
|
|
|
|
// save in map under each dns name
|
|
for _, j := range leaf.DNSNames {
|
|
m[j] = cert
|
|
}
|
|
}
|
|
|
|
// well no errors happened
|
|
return nil
|
|
}
|