rio/internal/certificates/store.go

114 lines
3.0 KiB
Go

package certificates
import (
"crypto/rsa"
"crypto/tls"
"encoding/base64"
"encoding/json"
"io/ioutil"
"time"
"github.com/go-acme/lego/v4/certcrypto"
log "github.com/sirupsen/logrus"
)
// A convenience wrapper around a TLS certificate
type CertificateWrapper struct {
TlsCertificate *tls.Certificate `json:"-"`
Domain string `json:"domain"`
NotAfter time.Time `json:"not_after"`
PrivateKeyEncoded string `json:"private_key"`
Certificate []byte `json:"certificate"`
CSR []byte `json:"csr"`
}
// A structure to store all the certificates we know of in.
type CertificatesCache struct {
// The certificate to use as a fallback if all else fails.
FallbackCertificate *CertificateWrapper
// Mapping of domain name to certificate.
Certificates map[string]CertificateWrapper
}
// Internal type to let encoding JSON handle the bulk of the work.
type certificatesStore struct {
FallbackCertificate CertificateWrapper `json:"fallback"`
Certificates []CertificateWrapper `json:"certificates"`
}
// Decodes the private key of the certificate wrapper.
func (c *CertificateWrapper) GetPrivateKey() *rsa.PrivateKey {
data, _ := base64.StdEncoding.DecodeString(c.PrivateKeyEncoded)
pk, _ := certcrypto.ParsePEMPrivateKey(data)
return pk.(*rsa.PrivateKey)
}
// Populate the certificate's TlsCertificate field.
func (c *CertificateWrapper) initTlsCertificate() {
pk, _ := base64.StdEncoding.DecodeString(c.PrivateKeyEncoded)
tlsCert, _ := tls.X509KeyPair(
c.Certificate,
pk,
)
c.TlsCertificate = &tlsCert
}
// Checks if the certificate is still valid now.
func (c *CertificateWrapper) IsValid() bool {
return time.Now().Compare(c.NotAfter) <= -1
}
// Serializes the certificate cache to a JSON string for writing to a file.
func (c *CertificatesCache) toStoreData() []byte {
certs := make([]CertificateWrapper, 0)
for _, cert := range c.Certificates {
certs = append(certs, cert)
}
result, err := json.Marshal(certificatesStore{
FallbackCertificate: *c.FallbackCertificate,
Certificates: certs,
})
if err != nil {
log.Errorf("Failed to Marshal cache: %v", err)
}
return result
}
// Saves the cache to disk.
func (c *CertificatesCache) FlushToDisk(path string) {
ioutil.WriteFile(path, c.toStoreData(), 0600)
}
func (c *CertificatesCache) AddCert(cert CertificateWrapper, path string) {
c.Certificates[cert.Domain] = cert
c.FlushToDisk(path)
}
// Load the certificate cache from the file.
func CertificateCacheFromFile(path string) (CertificatesCache, error) {
content, err := ioutil.ReadFile(path)
if err != nil {
return CertificatesCache{}, err
}
var store certificatesStore
_ = json.Unmarshal(content, &store)
store.FallbackCertificate.initTlsCertificate()
cache := CertificatesCache{
FallbackCertificate: &store.FallbackCertificate,
}
certs := make(map[string]CertificateWrapper)
for _, cert := range store.Certificates {
cert.initTlsCertificate()
certs[cert.Domain] = cert
}
cache.Certificates = certs
return cache, nil
}