package crypto import ( "crypto/ecdsa" "crypto/rand" "crypto/rsa" "crypto/tls" "crypto/x509" "encoding/pem" "fmt" "net" "os" "path/filepath" "github.com/opencloud-eu/opencloud/pkg/log" mtls "go-micro.dev/v4/util/tls" ) var ( defaultHosts = []string{"127.0.0.1", "localhost"} ) // GenCert generates TLS-Certificates. This function has side effects: it creates the respective certificate / key pair at // the destination locations unless the tuple already exists, if that is the case, this is a noop. func GenCert(certName string, keyName string, l log.Logger) error { var pk *rsa.PrivateKey var err error pk, err = rsa.GenerateKey(rand.Reader, 2048) if err != nil { return err } _, certErr := os.Stat(certName) _, keyErr := os.Stat(keyName) if certErr == nil || keyErr == nil { l.Info().Msg( fmt.Sprintf("%v certificate / key pair already present. skipping acme certificate generation", filepath.Base(certName))) return nil } if err := persistCertificate(certName, l, pk); err != nil { l.Fatal().Err(err).Msg("failed to store certificate") } if err := persistKey(keyName, l, pk); err != nil { l.Fatal().Err(err).Msg("failed to store key") } return nil } // GenTempCertForAddr generates temporary TLS-Certificates in memory. func GenTempCertForAddr(addr string) (tls.Certificate, error) { subjects := defaultHosts if host, _, err := net.SplitHostPort(addr); err == nil && host != "" { subjects = []string{host} } return mtls.Certificate(subjects...) } // persistCertificate generates a certificate using pk as private key and proceeds to store it into a file named certName. func persistCertificate(certName string, l log.Logger, pk interface{}) error { if err := ensureExistsDir(certName); err != nil { return fmt.Errorf("creating certificate destination: %s", certName) } certificate, err := generateCertificate(pk) if err != nil { return fmt.Errorf("creating certificate: %s", filepath.Dir(certName)) } certOut, err := os.Create(certName) if err != nil { return fmt.Errorf("failed to open `%v` for writing", certName) } err = pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: certificate}) if err != nil { return fmt.Errorf("failed to encode certificate") } err = certOut.Close() if err != nil { return fmt.Errorf("failed to write cert") } l.Info().Msg(fmt.Sprintf("written certificate to %v", certName)) return nil } // genCert generates a self signed certificate using a random rsa key. func generateCertificate(pk interface{}) ([]byte, error) { for _, h := range defaultHosts { if ip := net.ParseIP(h); ip != nil { acmeTemplate.IPAddresses = append(acmeTemplate.IPAddresses, ip) } else { acmeTemplate.DNSNames = append(acmeTemplate.DNSNames, h) } } return x509.CreateCertificate(rand.Reader, &acmeTemplate, &acmeTemplate, publicKey(pk), pk) } // persistKey persists the private key used to generate the certificate at the configured location. func persistKey(destination string, l log.Logger, pk interface{}) error { if err := ensureExistsDir(destination); err != nil { return fmt.Errorf("creating key destination: %s", destination) } keyOut, err := os.OpenFile(destination, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600) if err != nil { return fmt.Errorf("failed to open %v for writing", destination) } err = pem.Encode(keyOut, pemBlockForKey(pk, l)) if err != nil { return fmt.Errorf("failed to encode key") } err = keyOut.Close() if err != nil { return fmt.Errorf("failed to write key") } l.Info().Msg(fmt.Sprintf("written key to %v", destination)) return nil } func publicKey(pk interface{}) interface{} { switch k := pk.(type) { case *rsa.PrivateKey: return &k.PublicKey case *ecdsa.PrivateKey: return &k.PublicKey default: return nil } } func pemBlockForKey(pk interface{}, l log.Logger) *pem.Block { switch k := pk.(type) { case *rsa.PrivateKey: return &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)} case *ecdsa.PrivateKey: b, err := x509.MarshalECPrivateKey(k) if err != nil { l.Fatal().Err(err).Msg("Unable to marshal ECDSA private key") } return &pem.Block{Type: "EC PRIVATE KEY", Bytes: b} default: return nil } } func ensureExistsDir(uri string) error { certPath := filepath.Dir(uri) if _, err := os.Stat(certPath); os.IsNotExist(err) { err = os.MkdirAll(certPath, 0700) if err != nil { return err } } return nil }