refactor: tidy up tls cert stuff

2021-01-20 13:11:06 +01:00
parent f17e0d761e
commit ab4776c332
6 changed files with 257 additions and 125 deletions
--- a/internal/config/tls/tls.go
+++ b/internal/config/tls/tls.go
@ -28,12 +28,10 @@ import (
 	"math/big"
 	"net"
 	"os"
-	"os/exec"
 	"path/filepath"
-	"runtime"
 	"time"

-	"github.com/sirupsen/logrus"
+	"github.com/pkg/errors"
 )

 type TLS struct {
@ -46,24 +44,32 @@ func New(settingsPath string) *TLS {
 	}
 }

-var tlsTemplate = x509.Certificate{ //nolint[gochecknoglobals]
-	SerialNumber: big.NewInt(-1),
-	Subject: pkix.Name{
-		Country:            []string{"CH"},
-		Organization:       []string{"Proton Technologies AG"},
-		OrganizationalUnit: []string{"ProtonMail"},
-		CommonName:         "127.0.0.1",
-	},
-	KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
-	ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
-	BasicConstraintsValid: true,
-	IsCA:                  true,
-	IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
-	NotBefore:             time.Now(),
-	NotAfter:              time.Now().Add(20 * 365 * 24 * time.Hour),
+// NewTLSTemplate creates a new TLS template certificate with a random serial number.
+func NewTLSTemplate() (*x509.Certificate, error) {
+	serialNumber, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to generate serial number")
+	}
+
+	return &x509.Certificate{
+		SerialNumber: serialNumber,
+		Subject: pkix.Name{
+			Country:            []string{"CH"},
+			Organization:       []string{"Proton Technologies AG"},
+			OrganizationalUnit: []string{"ProtonMail"},
+			CommonName:         "127.0.0.1",
+		},
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
+		BasicConstraintsValid: true,
+		IsCA:                  true,
+		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
+		NotBefore:             time.Now(),
+		NotAfter:              time.Now().Add(20 * 365 * 24 * time.Hour),
+	}, nil
 }

-var ErrTLSCertExpireSoon = fmt.Errorf("TLS certificate will expire soon")
+var ErrTLSCertExpiresSoon = fmt.Errorf("TLS certificate will expire soon")

 // getTLSCertPath returns path to certificate; used for TLS servers (IMAP, SMTP).
 func (t *TLS) getTLSCertPath() string {
@ -75,110 +81,78 @@ func (t *TLS) getTLSKeyPath() string {
 	return filepath.Join(t.settingsPath, "key.pem")
 }

-// GenerateConfig generates certs and keys at the given filepaths and returns a TLS Config which holds them.
-// See https://golang.org/src/crypto/tls/generate_cert.go
-func (t *TLS) GenerateConfig() (tlsConfig *tls.Config, err error) {
+// HasCerts returns whether TLS certs have been generated.
+func (t *TLS) HasCerts() bool {
+	if _, err := os.Stat(t.getTLSCertPath()); err != nil {
+		return false
+	}
+
+	if _, err := os.Stat(t.getTLSKeyPath()); err != nil {
+		return false
+	}
+
+	return true
+}
+
+// GenerateCerts generates certs from the given template.
+func (t *TLS) GenerateCerts(template *x509.Certificate) error {
 	priv, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
-		err = fmt.Errorf("failed to generate private key: %s", err)
-		return
+		return errors.Wrap(err, "failed to generate private key")
 	}

-	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
-	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+	derBytes, err := x509.CreateCertificate(rand.Reader, template, template, &priv.PublicKey, priv)
 	if err != nil {
-		err = fmt.Errorf("failed to generate serial number: %s", err)
-		return
-	}
-
-	tlsTemplate.SerialNumber = serialNumber
-	derBytes, err := x509.CreateCertificate(rand.Reader, &tlsTemplate, &tlsTemplate, &priv.PublicKey, priv)
-	if err != nil {
-		err = fmt.Errorf("failed to create certificate: %s", err)
-		return
+		return errors.Wrap(err, "failed to create certificate")
 	}

 	certOut, err := os.Create(t.getTLSCertPath())
 	if err != nil {
-		return
+		return err
 	}
-	defer certOut.Close() //nolint[errcheck]
-	err = pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
-	if err != nil {
-		return
+	defer certOut.Close() // nolint[errcheck]
+
+	if err := pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}); err != nil {
+		return err
 	}

 	keyOut, err := os.OpenFile(t.getTLSKeyPath(), os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
 	if err != nil {
-		return
+		return err
 	}
-	defer keyOut.Close() //nolint[errcheck]
-	err = pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
-	if err != nil {
-		return
+	defer keyOut.Close() // nolint[errcheck]
+
+	if err := pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)}); err != nil {
+		return err
 	}

-	return loadTLSConfig(t.getTLSCertPath(), t.getTLSKeyPath())
+	return nil
 }

 // GetConfig tries to load TLS config or generate new one which is then returned.
-func (t *TLS) GetConfig() (tlsConfig *tls.Config, err error) {
-	certPath := t.getTLSCertPath()
-	keyPath := t.getTLSKeyPath()
-	tlsConfig, err = loadTLSConfig(certPath, keyPath)
+func (t *TLS) GetConfig() (*tls.Config, error) {
+	c, err := tls.LoadX509KeyPair(t.getTLSCertPath(), t.getTLSKeyPath())
 	if err != nil {
-		logrus.WithError(err).Warn("Cannot load cert, generating a new one")
-		tlsConfig, err = t.GenerateConfig()
-		if err != nil {
-			return
-		}
-
-		if runtime.GOOS == "darwin" {
-			if err := exec.Command( // nolint[gosec]
-				"/usr/bin/security",
-				"execute-with-privileges",
-				"/usr/bin/security",
-				"add-trusted-cert",
-				"-d",
-				"-r", "trustRoot",
-				"-p", "ssl",
-				"-k", "/Library/Keychains/System.keychain",
-				certPath,
-			).Run(); err != nil {
-				logrus.WithError(err).Error("Failed to add cert to system keychain")
-			}
-		}
-	}
-
-	tlsConfig.ServerName = "127.0.0.1"
-	tlsConfig.ClientAuth = tls.VerifyClientCertIfGiven
-
-	caCertPool := x509.NewCertPool()
-	caCertPool.AddCert(tlsConfig.Certificates[0].Leaf)
-	tlsConfig.RootCAs = caCertPool
-	tlsConfig.ClientCAs = caCertPool
-
-	return tlsConfig, err
-}
-
-func loadTLSConfig(certPath, keyPath string) (tlsConfig *tls.Config, err error) {
-	c, err := tls.LoadX509KeyPair(certPath, keyPath)
-	if err != nil {
-		return
+		return nil, errors.Wrap(err, "failed to load keypair")
 	}

 	c.Leaf, err = x509.ParseCertificate(c.Certificate[0])
 	if err != nil {
-		return
-	}
-
-	tlsConfig = &tls.Config{
-		Certificates: []tls.Certificate{c},
+		return nil, errors.Wrap(err, "failed to parse certificate")
 	}

 	if time.Now().Add(31 * 24 * time.Hour).After(c.Leaf.NotAfter) {
-		err = ErrTLSCertExpireSoon
-		return
+		return nil, ErrTLSCertExpiresSoon
 	}
-	return
+
+	caCertPool := x509.NewCertPool()
+	caCertPool.AddCert(c.Leaf)
+
+	return &tls.Config{
+		Certificates: []tls.Certificate{c},
+		ServerName:   "127.0.0.1",
+		ClientAuth:   tls.VerifyClientCertIfGiven,
+		RootCAs:      caCertPool,
+		ClientCAs:    caCertPool,
+	}, nil
 }