sashakoshka/go-gemini
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

certificate.Store: Support client certificates

Browse Source
This commit is contained in:
Adnan Maolood 2021-02-28 18:56:22 -05:00
parent fcc71b76d9
commit ada42ff427
1 changed files with 74 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

110
certificate/store.go
View File

@ -6,53 +6,56 @@ import (
"crypto/x509/pkix" "crypto/x509/pkix"
"errors" "errors"
"fmt" "fmt"
"io/fs"
"os"
"path/filepath" "path/filepath"
"strings" "strings"
"sync" "sync"
"time" "time"
) )
// A Store represents a certificate store. // A Store represents a TLS certificate store.
// It generates certificates as needed and automatically rotates expired certificates.
// The zero value for Store is an empty store ready to use. // The zero value for Store is an empty store ready to use.
// //
// Certificate scopes must be registered with Register before calling Get or Load. // Store can be used to store server certificates.
// This prevents the Store from creating or loading unnecessary certificates. // Servers should provide a hostname or wildcard pattern as a certificate scope.
// Servers will most likely use the methods Register, Load and Get.
//
// Store can also be used to store client certificates.
// Clients should provide the hostname and path of a URL as a certificate scope.
// Clients will most likely use the methods Add, Load, and Lookup.
// //
// Store is safe for concurrent use by multiple goroutines. // Store is safe for concurrent use by multiple goroutines.
type Store struct { type Store struct {
// CreateCertificate, if not nil, is called to create a new certificate // CreateCertificate, if not nil, is called by Get to create a new
// to replace a missing or expired certificate. If CreateCertificate // certificate to replace a missing or expired certificate.
// is nil, a certificate with a duration of 1 year will be created.
// The provided scope is suitable for use in a certificate's DNSNames. // The provided scope is suitable for use in a certificate's DNSNames.
CreateCertificate func(scope string) (tls.Certificate, error) CreateCertificate func(scope string) (tls.Certificate, error)
certs map[string]tls.Certificate scopes map[string]struct{}
path string certs map[string]tls.Certificate
mu sync.RWMutex path string
mu sync.RWMutex
} }
// Register registers the provided scope with the certificate store. // Register registers the provided scope with the certificate store.
// The scope can either be a hostname or a wildcard pattern (e.g. "*.example.com"). // The scope can either be a hostname or a wildcard pattern (e.g. "*.example.com").
// To accept all hostnames, use the special pattern "*". // To accept all hostnames, use the special pattern "*".
//
// Calls to Get will only succeed for registered scopes.
// Other methods are not affected.
func (s *Store) Register(scope string) { func (s *Store) Register(scope string) {
s.mu.Lock() s.mu.Lock()
defer s.mu.Unlock() defer s.mu.Unlock()
if s.certs == nil { if s.scopes == nil {
s.certs = make(map[string]tls.Certificate) s.scopes = make(map[string]struct{})
} }
s.certs[scope] = tls.Certificate{} s.scopes[scope] = struct{}{}
} }
// Add adds a certificate with the given scope to the certificate store. // Add registers the certificate for the given scope.
// If a certificate for the given scope already exists, Add will overwrite it. // If a certificate already exists for scope, Add will overwrite it.
func (s *Store) Add(scope string, cert tls.Certificate) error { func (s *Store) Add(scope string, cert tls.Certificate) error {
s.mu.Lock()
defer s.mu.Unlock()
if s.certs == nil {
s.certs = make(map[string]tls.Certificate)
}
// Parse certificate if not already parsed // Parse certificate if not already parsed
if cert.Leaf == nil { if cert.Leaf == nil {
parsed, err := x509.ParseCertificate(cert.Certificate[0]) parsed, err := x509.ParseCertificate(cert.Certificate[0])
@ -62,43 +65,65 @@ func (s *Store) Add(scope string, cert tls.Certificate) error {
cert.Leaf = parsed cert.Leaf = parsed
} }
if err := s.write(scope, cert); err != nil {
return err
}
s.mu.Lock()
defer s.mu.Unlock()
if s.certs == nil {
s.certs = make(map[string]tls.Certificate)
}
s.certs[scope] = cert
return nil
}
func (s *Store) write(scope string, cert tls.Certificate) error {
s.mu.RLock()
defer s.mu.RUnlock()
if s.path != "" { if s.path != "" {
certPath := filepath.Join(s.path, scope+".crt") certPath := filepath.Join(s.path, scope+".crt")
keyPath := filepath.Join(s.path, scope+".key") keyPath := filepath.Join(s.path, scope+".key")
dir := filepath.Dir(certPath)
os.MkdirAll(dir, 0755)
if err := Write(cert, certPath, keyPath); err != nil { if err := Write(cert, certPath, keyPath); err != nil {
return err return err
} }
} }
s.certs[scope] = cert
return nil return nil
} }
// Get retrieves a certificate for the given hostname. // Get retrieves a certificate for the given hostname.
// If no matching scope has been registered, Get returns an error. // If no matching scope has been registered, Get returns an error.
// Get generates new certificates as needed and rotates expired certificates. // Get generates new certificates as needed and rotates expired certificates.
// It calls CreateCertificate to create a new certificate if it is not nil,
// otherwise it creates certificates with a duration of 1 year.
// //
// Get is suitable for use in a gemini.Server's GetCertificate field. // Get is suitable for use in a gemini.Server's GetCertificate field.
func (s *Store) Get(hostname string) (*tls.Certificate, error) { func (s *Store) Get(hostname string) (*tls.Certificate, error) {
s.mu.RLock() s.mu.RLock()
defer s.mu.RUnlock() defer s.mu.RUnlock()
cert, ok := s.certs[hostname] _, ok := s.certs[hostname]
if !ok { if !ok {
// Try wildcard // Try wildcard
wildcard := strings.SplitN(hostname, ".", 2) wildcard := strings.SplitN(hostname, ".", 2)
if len(wildcard) == 2 { if len(wildcard) == 2 {
hostname = "*." + wildcard[1] hostname = "*." + wildcard[1]
cert, ok = s.certs[hostname] _, ok = s.scopes[hostname]
} }
} }
if !ok { if !ok {
// Try "*" // Try "*"
cert, ok = s.certs["*"] _, ok = s.scopes["*"]
} }
if !ok { if !ok {
return nil, errors.New("unrecognized scope") return nil, errors.New("unrecognized scope")
} }
cert := s.certs[hostname]
// If the certificate is empty or expired, generate a new one. // If the certificate is empty or expired, generate a new one.
if cert.Leaf == nil || cert.Leaf.NotAfter.Before(time.Now()) { if cert.Leaf == nil || cert.Leaf.NotAfter.Before(time.Now()) {
var err error var err error
@ -114,6 +139,14 @@ func (s *Store) Get(hostname string) (*tls.Certificate, error) {
return &cert, nil return &cert, nil
} }
// Lookup returns the certificate for the provided scope.
func (s *Store) Lookup(scope string) (tls.Certificate, bool) {
s.mu.RLock()
defer s.mu.RUnlock()
cert, ok := s.certs[scope]
return cert, ok
}
func (s *Store) createCertificate(scope string) (tls.Certificate, error) { func (s *Store) createCertificate(scope string) (tls.Certificate, error) {
if s.CreateCertificate != nil { if s.CreateCertificate != nil {
return s.CreateCertificate(scope) return s.CreateCertificate(scope)
@ -132,29 +165,34 @@ func (s *Store) createCertificate(scope string) (tls.Certificate, error) {
// The path should lead to a directory containing certificates // The path should lead to a directory containing certificates
// and private keys named "scope.crt" and "scope.key" respectively, // and private keys named "scope.crt" and "scope.key" respectively,
// where "scope" is the scope of the certificate. // where "scope" is the scope of the certificate.
// Certificates with scopes that have not been registered will be ignored.
func (s *Store) Load(path string) error { func (s *Store) Load(path string) error {
matches, err := filepath.Glob(filepath.Join(path, "*.crt")) matches := findCertificates(path)
if err != nil {
return err
}
for _, crtPath := range matches { for _, crtPath := range matches {
scope := strings.TrimSuffix(filepath.Base(crtPath), ".crt")
if _, ok := s.certs[scope]; !ok {
continue
}
keyPath := strings.TrimSuffix(crtPath, ".crt") + ".key" keyPath := strings.TrimSuffix(crtPath, ".crt") + ".key"
cert, err := tls.LoadX509KeyPair(crtPath, keyPath) cert, err := tls.LoadX509KeyPair(crtPath, keyPath)
if err != nil { if err != nil {
continue continue
} }
scope := strings.TrimPrefix(crtPath, path)
scope = strings.TrimPrefix(scope, "/")
scope = strings.TrimSuffix(scope, ".crt")
s.Add(scope, cert) s.Add(scope, cert)
} }
s.SetPath(path) s.SetPath(path)
return nil return nil
} }
func findCertificates(path string) (matches []string) {
filepath.Walk(path, func(path string, _ fs.FileInfo, err error) error {
if filepath.Ext(path) == ".crt" {
matches = append(matches, path)
}
return nil
})
return
}
// Entries returns a map of scopes to certificates. // Entries returns a map of scopes to certificates.
func (s *Store) Entries() map[string]tls.Certificate { func (s *Store) Entries() map[string]tls.Certificate {
s.mu.RLock() s.mu.RLock()