From d4d1075fddf1bfd7f79e190f787005497f0fdfb0 Mon Sep 17 00:00:00 2001
From: "A.Unger" <zyxancf@gmail.com>
Date: Mon, 7 Jun 2021 19:57:18 +0200
Subject: [PATCH] refactor crypto code

---
 ocis-pkg/crypto/gencert.go   | 51 +++++++++++-------------------------
 ocis-pkg/crypto/templates.go | 25 ++++++++++++++++++
 2 files changed, 40 insertions(+), 36 deletions(-)
 create mode 100644 ocis-pkg/crypto/templates.go

diff --git a/ocis-pkg/crypto/gencert.go b/ocis-pkg/crypto/gencert.go
index d16371cb68..a24d74d189 100644
--- a/ocis-pkg/crypto/gencert.go
+++ b/ocis-pkg/crypto/gencert.go
@@ -5,18 +5,19 @@ import (
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/x509"
-	"crypto/x509/pkix"
 	"encoding/pem"
 	"fmt"
-	"math/big"
 	"net"
 	"os"
 	"path/filepath"
-	"time"
 
 	"github.com/owncloud/ocis/ocis-pkg/log"
 )
 
+var (
+	DEFAULT_HOSTS = []string{"127.0.0.1", "localhost"}
+)
+
 func publicKey(priv interface{}) interface{} {
 	switch k := priv.(type) {
 	case *rsa.PrivateKey:
@@ -43,7 +44,8 @@ func pemBlockForKey(priv interface{}, l log.Logger) *pem.Block {
 	}
 }
 
-// GenCert generates TLS-Certificates
+// GenCert generates TLS-Certificates. This function has side effects: it creates the respective certificate / key pair at
+// the destination locations unless the tuple already exists, if that is the case, this is a noop.
 func GenCert(certName string, keyName string, l log.Logger) error {
 	var pk *rsa.PrivateKey
 	var err error
@@ -53,7 +55,6 @@ func GenCert(certName string, keyName string, l log.Logger) error {
 		return err
 	}
 
-	// if either the key or certificate already exist skip this entire ordeal
 	_, certErr := os.Stat(certName)
 	_, keyErr := os.Stat(keyName)
 
@@ -67,7 +68,8 @@ func GenCert(certName string, keyName string, l log.Logger) error {
 	return nil
 }
 
-func persistCertificate(certName string, l log.Logger, pk *rsa.PrivateKey) {
+// persistCertificate generates a certificate using pk as private key and proceeds to store it into a file named certName.
+func persistCertificate(certName string, l log.Logger, pk interface{}) {
 	if err := ensureExistsDir(certName); err != nil {
 		l.Fatal().Err(err).Msg("creating certificate destination: " + certName)
 	}
@@ -94,7 +96,8 @@ func persistCertificate(certName string, l log.Logger, pk *rsa.PrivateKey) {
 	l.Info().Msg(fmt.Sprintf("written certificate to %v", certName))
 }
 
-func persistKey(keyName string, l log.Logger, pk *rsa.PrivateKey) {
+// persistKey persists the private key used to generate the certificate at the configured location.
+func persistKey(keyName string, l log.Logger, pk interface{}) {
 	if err := ensureExistsDir(keyName); err != nil {
 		l.Fatal().Err(err).Msg("creating certificate destination: " + keyName)
 	}
@@ -116,40 +119,16 @@ func persistKey(keyName string, l log.Logger, pk *rsa.PrivateKey) {
 }
 
 // genCert generates a self signed certificate using a random rsa key.
-func generateCertificate(pk *rsa.PrivateKey) ([]byte, error) {
-	notBefore := time.Now()
-	notAfter := notBefore.Add(24 * time.Hour * 365)
-
-	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
-	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
-	if err != nil {
-		return nil, err
-	}
-
-	template := x509.Certificate{
-		SerialNumber: serialNumber,
-		Subject: pkix.Name{
-			Organization: []string{"Acme Corp"},
-			CommonName:   "OCIS",
-		},
-		NotBefore: notBefore,
-		NotAfter:  notAfter,
-
-		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
-		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
-		BasicConstraintsValid: true,
-	}
-
-	hosts := []string{"127.0.0.1", "localhost"}
-	for _, h := range hosts {
+func generateCertificate(pk interface{}) ([]byte, error) {
+	for _, h := range DEFAULT_HOSTS {
 		if ip := net.ParseIP(h); ip != nil {
-			template.IPAddresses = append(template.IPAddresses, ip)
+			acmeTemplate.IPAddresses = append(acmeTemplate.IPAddresses, ip)
 		} else {
-			template.DNSNames = append(template.DNSNames, h)
+			acmeTemplate.DNSNames = append(acmeTemplate.DNSNames, h)
 		}
 	}
 
-	return x509.CreateCertificate(rand.Reader, &template, &template, publicKey(pk), pk)
+	return x509.CreateCertificate(rand.Reader, &acmeTemplate, &acmeTemplate, publicKey(pk), pk)
 }
 
 func ensureExistsDir(uri string) error {
diff --git a/ocis-pkg/crypto/templates.go b/ocis-pkg/crypto/templates.go
new file mode 100644
index 0000000000..17db0dc186
--- /dev/null
+++ b/ocis-pkg/crypto/templates.go
@@ -0,0 +1,25 @@
+package crypto
+
+import (
+	"crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"math/big"
+	"time"
+)
+
+var serialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
+
+var acmeTemplate = x509.Certificate{
+	SerialNumber: serialNumber,
+	Subject: pkix.Name{
+		Organization: []string{"Acme Corp"},
+		CommonName:   "OCIS",
+	},
+	NotBefore: time.Now(),
+	NotAfter:  time.Now().Add(24 * time.Hour * 365),
+
+	KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+	ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+	BasicConstraintsValid: true,
+}