package main import ( "bytes" "crypto/rand" "crypto/tls" "encoding/json" "fmt" "html/template" "io/ioutil" "net/http" "os" "os/exec" "strings" "time" "github.com/BurntSushi/toml" "github.com/gorilla/csrf" "github.com/nicksnyder/go-i18n/v2/i18n" log "github.com/sirupsen/logrus" "golang.org/x/text/language" ) type signCertificate struct{} type requestData struct { Csr string `json:"csr"` CommonName string `json:"commonName"` } type responseData struct { Certificate string `json:"certificate"` } func (h *signCertificate) sign(csrPem string, commonName string) (certPem string, err error) { log.Printf("received CSR for %s:\n\n%s", commonName, csrPem) subjectDN := fmt.Sprintf("/CN=%s", commonName) var csrFile *os.File if csrFile, err = ioutil.TempFile("", "*.csr.pem"); err != nil { log.Errorf("could not open temporary file: %s", err) return } if _, err = csrFile.Write([]byte(csrPem)); err != nil { log.Errorf("could not write CSR to file: %s", err) return } if err = csrFile.Close(); err != nil { log.Errorf("could not close CSR file: %s", err) return } defer func(file *os.File) { err = os.Remove(file.Name()) if err != nil { log.Errorf("could not remove temporary file: %s", err) } }(csrFile) opensslCommand := exec.Command( "openssl", "ca", "-config", "ca.cnf", "-policy", "policy_match", "-extensions", "client_ext", "-batch", "-subj", subjectDN, "-utf8", "-rand_serial", "-in", "in.pem") var out, cmdErr bytes.Buffer opensslCommand.Stdout = &out opensslCommand.Stderr = &cmdErr err = opensslCommand.Run() if err != nil { log.Print(err) log.Print(cmdErr.String()) return } certPem = out.String() return } func (h *signCertificate) ServeHTTP(w http.ResponseWriter, r *http.Request) { if r.Method != "POST" { http.Error(w, "Only POST requests support", http.StatusMethodNotAllowed) return } if r.Header.Get("content-type") != "application/json" { http.Error(w, "Only JSON content is accepted", http.StatusNotAcceptable) return } var err error var requestBody requestData var certificate string if err = json.NewDecoder(r.Body).Decode(&requestBody); err != nil { log.Print(err) http.Error(w, err.Error(), http.StatusBadRequest) return } certificate, err = h.sign(requestBody.Csr, requestBody.CommonName) if err != nil { http.Error(w, "Could not sign certificate", http.StatusInternalServerError) return } var jsonBytes []byte if jsonBytes, err = json.Marshal(&responseData{Certificate: certificate}); err != nil { log.Print(err) } if _, err = w.Write(jsonBytes); err != nil { log.Print(err) } } type indexHandler struct { Bundle *i18n.Bundle } func (i *indexHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { localizer := i18n.NewLocalizer(i.Bundle, r.Header.Get("Accept-Language")) csrGenTitle := localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{ ID: "CSRGenTitle", Other: "CSR generation in browser", }}) nameLabel := localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{ ID: "NameLabel", Other: "Your name", }}) nameHelpText := localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{ ID: "NameHelpText", Other: "Please input your name as it should be added to your certificate", }}) passwordLabel := localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{ ID: "PasswordLabel", Other: "Password for your client certificate", }}) rsaKeySizeLegend := localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{ ID: "RSAKeySizeLabel", Other: "RSA Key Size", }}) rsa3072Label := localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{ ID: "RSA3072Label", Other: "3072 Bit", }}) rsa2048Label := localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{ ID: "RSA2048Label", Other: "2048 Bit (not recommended)", }}) rsa4096Label := localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{ ID: "RSA4096Label", Other: "4096 Bit", }}) rsaHelpText := localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{ ID: "RSAHelpText", Other: "An RSA key pair will be generated in your browser. Longer key" + " sizes provide better security but take longer to generate.", }}) csrButtonLabel := localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{ ID: "CSRButtonLabel", Other: "Generate signing request", }}) statusLoading := localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{ ID: "StatusLoading", Other: "Loading ...", }}) sendCSRButtonLabel := localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{ ID: "SendCSRButtonLabel", Other: "Send signing request", }}) t := template.Must(template.ParseFiles("templates/index.html")) err := t.Execute(w, map[string]interface{}{ "Title": csrGenTitle, "NameLabel": nameLabel, "NameHelpText": nameHelpText, "PasswordLabel": passwordLabel, "RSAKeySizeLegend": rsaKeySizeLegend, "RSA3072Label": rsa3072Label, "RSA2048Label": rsa2048Label, "RSA4096Label": rsa4096Label, "RSAHelpText": rsaHelpText, "CSRButtonLabel": csrButtonLabel, "StatusLoading": statusLoading, "SendCSRButtonLabel": sendCSRButtonLabel, csrf.TemplateTag: csrf.TemplateField(r), }) if err != nil { log.Panic(err) } } type jsLocalesHandler struct { Bundle *i18n.Bundle } func (j *jsLocalesHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { parts := strings.Split(r.URL.Path, "/") if len(parts) != 4 { http.Error(w, "Not found", http.StatusNotFound) return } lang := parts[2] localizer := i18n.NewLocalizer(j.Bundle, lang) type translationData struct { Keygen struct { Started string `json:"started"` Running string `json:"running"` Generated string `json:"generated"` } `json:"keygen"` } translations := &translationData{} translations.Keygen.Started = localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{ ID: "JavaScript.KeyGen.Started", Other: "started key generation", }}) translations.Keygen.Running = localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{ ID: "JavaScript.KeyGen.Running", Other: "key generation running for __seconds__ seconds", }}) translations.Keygen.Generated = localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{ ID: "JavaScript.KeyGen.Generated", Other: "key generated in __seconds__ seconds", }}) encoder := json.NewEncoder(w) if err := encoder.Encode(translations); err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) } } func generateRandomBytes(count int) []byte { randomBytes := make([]byte, count) _, err := rand.Read(randomBytes) if err != nil { log.Fatalf("could not read random bytes: %v", err) return nil } return randomBytes } func main() { tlsConfig := &tls.Config{ CipherSuites: []uint16{ tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, }, NextProtos: []string{"h2"}, PreferServerCipherSuites: true, MinVersion: tls.VersionTLS12, } bundle := i18n.NewBundle(language.English) bundle.RegisterUnmarshalFunc("toml", toml.Unmarshal) for _, lang := range []string{"en-US", "de-DE"} { if _, err := bundle.LoadMessageFile(fmt.Sprintf("active.%s.toml", lang)); err != nil { log.Panic(err) } } mux := http.NewServeMux() csrfKey := generateRandomBytes(32) mux.Handle("/sign/", &signCertificate{}) mux.Handle("/", &indexHandler{Bundle: bundle}) fileServer := http.FileServer(http.Dir("./public")) mux.Handle("/css/", fileServer) mux.Handle("/js/", fileServer) mux.Handle("/locales/", &jsLocalesHandler{Bundle: bundle}) server := http.Server{ Addr: ":8000", Handler: csrf.Protect(csrfKey, csrf.FieldName("csrfToken"), csrf.RequestHeader("X-CSRF-Token"))(mux), TLSConfig: tlsConfig, ReadTimeout: 20 * time.Second, ReadHeaderTimeout: 5 * time.Second, WriteTimeout: 30 * time.Second, IdleTimeout: 30 * time.Second, } err := server.ListenAndServeTLS("server.crt.pem", "server.key.pem") if err != nil { log.Fatal(err) } }