podman
175 строк · 4.4 Кб
1package libtrust
2
3import (
4"crypto/tls"
5"crypto/x509"
6"fmt"
7"io/ioutil"
8"net"
9"os"
10"path"
11"sync"
12)
13
14// ClientKeyManager manages client keys on the filesystem
15type ClientKeyManager struct {
16key PrivateKey
17clientFile string
18clientDir string
19
20clientLock sync.RWMutex
21clients []PublicKey
22
23configLock sync.Mutex
24configs []*tls.Config
25}
26
27// NewClientKeyManager loads a new manager from a set of key files
28// and managed by the given private key.
29func NewClientKeyManager(trustKey PrivateKey, clientFile, clientDir string) (*ClientKeyManager, error) {
30m := &ClientKeyManager{
31key: trustKey,
32clientFile: clientFile,
33clientDir: clientDir,
34}
35if err := m.loadKeys(); err != nil {
36return nil, err
37}
38// TODO Start watching file and directory
39
40return m, nil
41}
42
43func (c *ClientKeyManager) loadKeys() (err error) {
44// Load authorized keys file
45var clients []PublicKey
46if c.clientFile != "" {
47clients, err = LoadKeySetFile(c.clientFile)
48if err != nil {
49return fmt.Errorf("unable to load authorized keys: %s", err)
50}
51}
52
53// Add clients from authorized keys directory
54files, err := ioutil.ReadDir(c.clientDir)
55if err != nil && !os.IsNotExist(err) {
56return fmt.Errorf("unable to open authorized keys directory: %s", err)
57}
58for _, f := range files {
59if !f.IsDir() {
60publicKey, err := LoadPublicKeyFile(path.Join(c.clientDir, f.Name()))
61if err != nil {
62return fmt.Errorf("unable to load authorized key file: %s", err)
63}
64clients = append(clients, publicKey)
65}
66}
67
68c.clientLock.Lock()
69c.clients = clients
70c.clientLock.Unlock()
71
72return nil
73}
74
75// RegisterTLSConfig registers a tls configuration to manager
76// such that any changes to the keys may be reflected in
77// the tls client CA pool
78func (c *ClientKeyManager) RegisterTLSConfig(tlsConfig *tls.Config) error {
79c.clientLock.RLock()
80certPool, err := GenerateCACertPool(c.key, c.clients)
81if err != nil {
82return fmt.Errorf("CA pool generation error: %s", err)
83}
84c.clientLock.RUnlock()
85
86tlsConfig.ClientCAs = certPool
87
88c.configLock.Lock()
89c.configs = append(c.configs, tlsConfig)
90c.configLock.Unlock()
91
92return nil
93}
94
95// NewIdentityAuthTLSConfig creates a tls.Config for the server to use for
96// libtrust identity authentication for the domain specified
97func NewIdentityAuthTLSConfig(trustKey PrivateKey, clients *ClientKeyManager, addr string, domain string) (*tls.Config, error) {
98tlsConfig := newTLSConfig()
99
100tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
101if err := clients.RegisterTLSConfig(tlsConfig); err != nil {
102return nil, err
103}
104
105// Generate cert
106ips, domains, err := parseAddr(addr)
107if err != nil {
108return nil, err
109}
110// add domain that it expects clients to use
111domains = append(domains, domain)
112x509Cert, err := GenerateSelfSignedServerCert(trustKey, domains, ips)
113if err != nil {
114return nil, fmt.Errorf("certificate generation error: %s", err)
115}
116tlsConfig.Certificates = []tls.Certificate{{
117Certificate: [][]byte{x509Cert.Raw},
118PrivateKey: trustKey.CryptoPrivateKey(),
119Leaf: x509Cert,
120}}
121
122return tlsConfig, nil
123}
124
125// NewCertAuthTLSConfig creates a tls.Config for the server to use for
126// certificate authentication
127func NewCertAuthTLSConfig(caPath, certPath, keyPath string) (*tls.Config, error) {
128tlsConfig := newTLSConfig()
129
130cert, err := tls.LoadX509KeyPair(certPath, keyPath)
131if err != nil {
132return nil, fmt.Errorf("Couldn't load X509 key pair (%s, %s): %s. Key encrypted?", certPath, keyPath, err)
133}
134tlsConfig.Certificates = []tls.Certificate{cert}
135
136// Verify client certificates against a CA?
137if caPath != "" {
138certPool := x509.NewCertPool()
139file, err := ioutil.ReadFile(caPath)
140if err != nil {
141return nil, fmt.Errorf("Couldn't read CA certificate: %s", err)
142}
143certPool.AppendCertsFromPEM(file)
144
145tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
146tlsConfig.ClientCAs = certPool
147}
148
149return tlsConfig, nil
150}
151
152func newTLSConfig() *tls.Config {
153return &tls.Config{
154NextProtos: []string{"http/1.1"},
155// Avoid fallback on insecure SSL protocols
156MinVersion: tls.VersionTLS10,
157}
158}
159
160// parseAddr parses an address into an array of IPs and domains
161func parseAddr(addr string) ([]net.IP, []string, error) {
162host, _, err := net.SplitHostPort(addr)
163if err != nil {
164return nil, nil, err
165}
166var domains []string
167var ips []net.IP
168ip := net.ParseIP(host)
169if ip != nil {
170ips = []net.IP{ip}
171} else {
172domains = []string{host}
173}
174return ips, domains, nil
175}
176