2020-04-25 22:22:45 +00:00
|
|
|
package cert
|
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto/ecdsa"
|
|
|
|
"crypto/elliptic"
|
|
|
|
"crypto/rand"
|
|
|
|
"crypto/tls"
|
|
|
|
"crypto/x509"
|
|
|
|
"net"
|
2020-12-26 13:11:49 +00:00
|
|
|
|
|
|
|
"gitlab.com/inetmock/inetmock/pkg/config"
|
|
|
|
"gitlab.com/inetmock/inetmock/pkg/logging"
|
|
|
|
"go.uber.org/zap"
|
2020-04-25 22:22:45 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
|
|
|
ipv4Loopback = "127.0.0.1"
|
|
|
|
)
|
|
|
|
|
|
|
|
var (
|
2020-04-27 22:26:15 +00:00
|
|
|
defaultKeyProvider = func(options config.CertOptions) func() (key interface{}, err error) {
|
2020-04-25 22:22:45 +00:00
|
|
|
return func() (key interface{}, err error) {
|
|
|
|
return privateKeyForCurve(options)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
)
|
|
|
|
|
|
|
|
type KeyProvider func() (key interface{}, err error)
|
|
|
|
|
|
|
|
type Store interface {
|
|
|
|
CACert() *tls.Certificate
|
|
|
|
GetCertificate(serverName string, ip string) (*tls.Certificate, error)
|
|
|
|
TLSConfig() *tls.Config
|
|
|
|
}
|
|
|
|
|
|
|
|
func NewDefaultStore(
|
2020-04-27 22:26:15 +00:00
|
|
|
config config.Config,
|
2020-04-25 22:22:45 +00:00
|
|
|
logger logging.Logger,
|
|
|
|
) (Store, error) {
|
|
|
|
timeSource := NewTimeSource()
|
|
|
|
return NewStore(
|
2020-04-27 22:26:15 +00:00
|
|
|
config.TLSConfig(),
|
|
|
|
NewFileSystemCache(config.TLSConfig().CertCachePath, timeSource),
|
|
|
|
NewDefaultGenerator(config.TLSConfig()),
|
2020-04-25 22:22:45 +00:00
|
|
|
logger,
|
|
|
|
)
|
|
|
|
}
|
|
|
|
|
|
|
|
func NewStore(
|
2020-04-27 22:26:15 +00:00
|
|
|
options config.CertOptions,
|
2020-04-25 22:22:45 +00:00
|
|
|
cache Cache,
|
|
|
|
generator Generator,
|
|
|
|
logger logging.Logger,
|
|
|
|
) (Store, error) {
|
|
|
|
store := &store{
|
|
|
|
options: options,
|
|
|
|
cache: cache,
|
|
|
|
generator: generator,
|
|
|
|
logger: logger,
|
|
|
|
}
|
|
|
|
|
|
|
|
if err := store.loadCACert(); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return store, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
type store struct {
|
2020-04-27 22:26:15 +00:00
|
|
|
options config.CertOptions
|
2020-04-25 22:22:45 +00:00
|
|
|
caCert *tls.Certificate
|
|
|
|
cache Cache
|
|
|
|
timeSource TimeSource
|
|
|
|
generator Generator
|
|
|
|
logger logging.Logger
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *store) TLSConfig() *tls.Config {
|
|
|
|
rootCaPool := x509.NewCertPool()
|
|
|
|
rootCaPubKey, _ := x509.ParseCertificate(s.caCert.Certificate[0])
|
|
|
|
rootCaPool.AddCert(rootCaPubKey)
|
|
|
|
|
2020-06-24 10:25:34 +00:00
|
|
|
suites := make([]uint16, 0)
|
|
|
|
|
|
|
|
for _, suite := range tls.CipherSuites() {
|
|
|
|
suites = append(suites, suite.ID)
|
|
|
|
}
|
|
|
|
|
|
|
|
if s.options.IncludeInsecureCipherSuites {
|
|
|
|
for _, suite := range tls.InsecureCipherSuites() {
|
|
|
|
suites = append(suites, suite.ID)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-04-25 22:22:45 +00:00
|
|
|
return &tls.Config{
|
2020-06-24 10:25:34 +00:00
|
|
|
CipherSuites: suites,
|
|
|
|
MinVersion: s.options.MinTLSVersion.TLSVersion(),
|
|
|
|
CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
|
|
|
|
PreferServerCipherSuites: true,
|
2020-04-25 22:22:45 +00:00
|
|
|
GetCertificate: func(info *tls.ClientHelloInfo) (cert *tls.Certificate, err error) {
|
|
|
|
var localIp string
|
|
|
|
if localIp, err = extractIPFromAddress(info.Conn.LocalAddr().String()); err != nil {
|
|
|
|
localIp = ipv4Loopback
|
|
|
|
}
|
|
|
|
|
|
|
|
if cert, err = s.GetCertificate(info.ServerName, localIp); err != nil {
|
|
|
|
s.logger.Error(
|
|
|
|
"error while resolving certificate",
|
|
|
|
zap.String("serverName", info.ServerName),
|
|
|
|
zap.String("localAddr", localIp),
|
|
|
|
zap.Error(err),
|
|
|
|
)
|
|
|
|
}
|
|
|
|
|
|
|
|
return
|
|
|
|
},
|
|
|
|
RootCAs: rootCaPool,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *store) loadCACert() (err error) {
|
|
|
|
pemCrt := NewPEM(nil)
|
|
|
|
if err = pemCrt.ReadFrom(s.options.RootCACert.PublicKeyPath, s.options.RootCACert.PrivateKeyPath); err != nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
s.caCert = pemCrt.Cert()
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *store) CACert() *tls.Certificate {
|
|
|
|
return s.caCert
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *store) GetCertificate(serverName string, ip string) (cert *tls.Certificate, err error) {
|
|
|
|
if crt, ok := s.cache.Get(serverName); ok {
|
|
|
|
return crt, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
if cert, err = s.generator.ServerCert(GenerationOptions{
|
|
|
|
CommonName: serverName,
|
|
|
|
DNSNames: []string{serverName},
|
|
|
|
IPAddresses: []net.IP{net.ParseIP(ip)},
|
|
|
|
}, s.caCert); err == nil {
|
|
|
|
s.cache.Put(cert)
|
|
|
|
}
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2020-04-27 22:26:15 +00:00
|
|
|
func privateKeyForCurve(options config.CertOptions) (privateKey interface{}, err error) {
|
2020-04-25 22:22:45 +00:00
|
|
|
switch options.Curve {
|
2020-04-27 22:26:15 +00:00
|
|
|
case config.CurveTypeP224:
|
2020-04-25 22:22:45 +00:00
|
|
|
privateKey, err = ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
|
2020-04-27 22:26:15 +00:00
|
|
|
case config.CurveTypeP256:
|
2020-04-25 22:22:45 +00:00
|
|
|
privateKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
2020-04-27 22:26:15 +00:00
|
|
|
case config.CurveTypeP384:
|
2020-04-25 22:22:45 +00:00
|
|
|
privateKey, err = ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
|
2020-04-27 22:26:15 +00:00
|
|
|
case config.CurveTypeP521:
|
2020-04-25 22:22:45 +00:00
|
|
|
privateKey, err = ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
|
|
|
|
default:
|
2020-06-24 10:25:34 +00:00
|
|
|
privateKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
2020-04-25 22:22:45 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|