goocsp/cmd/cacertocsp/main.go

package main

import (
	"crypto"
	"crypto/x509"
	"encoding/pem"
	"flag"
	"fmt"
	"io/ioutil"
	"net/http"
	"time"

	"git.cacert.org/cacert-goocsp/internal/ocspsource"
	"github.com/cloudflare/cfssl/ocsp"
	"github.com/knadh/koanf"
	"github.com/knadh/koanf/parsers/yaml"
	"github.com/knadh/koanf/providers/file"
	"github.com/sirupsen/logrus"
)

const (
	coIssuers      = "issuers"
	issuerCaCert   = "caCertificate"
	issuerReCert   = "responderCertificate"
	issuerReKey    = "responderKey"
	issuerCertList = "certificateList"
)

func main() {
	var serverAddr = flag.String("serverAddr", ":8080", "Server ip addr and port")
	var config = koanf.New(".")

	err := config.Load(file.Provider("config.yaml"), yaml.Parser())
	if err != nil {
		logrus.Panicf("could not load configuration: %v", err)
	}

	var opts []ocspsource.Option

	issuerConfigs := config.Slices(coIssuers)
	for number, issuerConfig := range issuerConfigs {
		hasErrors := false
		for _, item := range []string{issuerCaCert, issuerReCert, issuerReKey, issuerCertList} {
			if v := issuerConfig.String(item); v == "" {
				logrus.Warnf("%s parameter for issuers entry %d is missing", item, number)
				hasErrors = true
			}
		}
		if hasErrors {
			logrus.Warnf("configuration for issuers entry %d had errors and has been skipped", number)
			continue
		}

		caCertificate, err := parseCertificate(issuerConfig.String(issuerCaCert))
		if err != nil {
			logrus.Errorf("could not parse CA certificate for issuer %d: %v", number, err)
			continue
		}
		responderCertificate, err := parseCertificate(issuerConfig.String(issuerReCert))
		if err != nil {
			logrus.Errorf("could not parse OCSP responder certificate for issuer %d: %v", number, err)
			continue
		}
		responderKey, err := parsePrivateKey(issuerConfig.String(issuerReKey))
		if err != nil {
			logrus.Errorf("could not parse OCSP responder key for issuer %d: %v", number, err)
			continue
		}
		issuer, err := ocspsource.NewIssuer(caCertificate, responderCertificate, responderKey, issuerConfig.String(issuerCertList))
		if err != nil {
			logrus.Errorf("could not create issuer %d: %v", number, err)
			continue
		}
		opts = append(opts, ocspsource.WithIssuer(issuer))
	}

	cacertSource, err := ocspsource.NewSource(opts...)
	if err != nil {
		logrus.Panicf("could not create OCSP source: %v", err)
	}

	http.Handle("/", withLogging(ocsp.NewResponder(cacertSource, nil).ServeHTTP))

	server := &http.Server{
		Addr: *serverAddr,
	}
	if err := server.ListenAndServe(); err != nil {
		logrus.Panicf("could not start the server process: %v", err)
	}
}

func withLogging(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		start := time.Now()
		next.ServeHTTP(w, r)
		logrus.Infof("GET %s FROM %s in %dms", r.URL.Path, r.RemoteAddr, time.Since(start).Milliseconds())
	}
}

func parseCertificate(certificateFile string) (*x509.Certificate, error) {
	pemData, err := ioutil.ReadFile(certificateFile)
	if err != nil {
		return nil, fmt.Errorf("could not read PEM data from %s: %w", certificateFile, err)
	}

	block, _ := pem.Decode(pemData)
	if block == nil {
		return nil, fmt.Errorf("could not find PEM data in %s", certificateFile)
	}
	certificate, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("could not parse certificate in %s: %w", certificateFile, err)
	}

	return certificate, nil
}

func parsePrivateKey(keyFile string) (crypto.Signer, error) {
	pemData, err := ioutil.ReadFile(keyFile)
	if err != nil {
		return nil, fmt.Errorf("could not read PEM data from %s: %w", keyFile, err)
	}

	block, _ := pem.Decode(pemData)
	if block == nil {
		return nil, fmt.Errorf("could not find PEM data in %s", keyFile)
	}

	switch block.Type {
	case "PRIVATE KEY":
		key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("no usable private key found in %s: %w", keyFile, err)
		}
		return key.(crypto.Signer), nil
	case "RSA PRIVATE KEY":
		rsaKey, err := x509.ParsePKCS1PrivateKey(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("no usable private key found in %s: %w", keyFile, err)
		}
		return rsaKey, nil
	default:
		return nil, fmt.Errorf("unsupported PEM block type %s in %s", block.Type, keyFile)
	}
}
Initial implementation - support multiple issuer certificates - support separate responder keys and certificates - support openssl index.txt format certificate databases 2022-03-06 13:40:46 +00:00			`package main`

			`import (`
			`"crypto"`
			`"crypto/x509"`
			`"encoding/pem"`
			`"flag"`
			`"fmt"`
			`"io/ioutil"`
			`"net/http"`
			`"time"`

			`"git.cacert.org/cacert-goocsp/internal/ocspsource"`
			`"github.com/cloudflare/cfssl/ocsp"`
			`"github.com/knadh/koanf"`
			`"github.com/knadh/koanf/parsers/yaml"`
			`"github.com/knadh/koanf/providers/file"`
			`"github.com/sirupsen/logrus"`
			`)`

			`const (`
			`coIssuers = "issuers"`
			`issuerCaCert = "caCertificate"`
			`issuerReCert = "responderCertificate"`
			`issuerReKey = "responderKey"`
			`issuerCertList = "certificateList"`
			`)`

			`func main() {`
			`var serverAddr = flag.String("serverAddr", ":8080", "Server ip addr and port")`
			`var config = koanf.New(".")`

			`err := config.Load(file.Provider("config.yaml"), yaml.Parser())`
			`if err != nil {`
			`logrus.Panicf("could not load configuration: %v", err)`
			`}`

			`var opts []ocspsource.Option`

			`issuerConfigs := config.Slices(coIssuers)`
			`for number, issuerConfig := range issuerConfigs {`
			`hasErrors := false`
			`for _, item := range []string{issuerCaCert, issuerReCert, issuerReKey, issuerCertList} {`
			`if v := issuerConfig.String(item); v == "" {`
			`logrus.Warnf("%s parameter for issuers entry %d is missing", item, number)`
			`hasErrors = true`
			`}`
			`}`
			`if hasErrors {`
			`logrus.Warnf("configuration for issuers entry %d had errors and has been skipped", number)`
			`continue`
			`}`

			`caCertificate, err := parseCertificate(issuerConfig.String(issuerCaCert))`
			`if err != nil {`
			`logrus.Errorf("could not parse CA certificate for issuer %d: %v", number, err)`
			`continue`
			`}`
			`responderCertificate, err := parseCertificate(issuerConfig.String(issuerReCert))`
			`if err != nil {`
			`logrus.Errorf("could not parse OCSP responder certificate for issuer %d: %v", number, err)`
			`continue`
			`}`
			`responderKey, err := parsePrivateKey(issuerConfig.String(issuerReKey))`
			`if err != nil {`
			`logrus.Errorf("could not parse OCSP responder key for issuer %d: %v", number, err)`
			`continue`
			`}`
			`issuer, err := ocspsource.NewIssuer(caCertificate, responderCertificate, responderKey, issuerConfig.String(issuerCertList))`
			`if err != nil {`
			`logrus.Errorf("could not create issuer %d: %v", number, err)`
			`continue`
			`}`
			`opts = append(opts, ocspsource.WithIssuer(issuer))`
			`}`

			`cacertSource, err := ocspsource.NewSource(opts...)`
			`if err != nil {`
			`logrus.Panicf("could not create OCSP source: %v", err)`
			`}`

			`http.Handle("/", withLogging(ocsp.NewResponder(cacertSource, nil).ServeHTTP))`

			`server := &http.Server{`
			`Addr: *serverAddr,`
			`}`
			`if err := server.ListenAndServe(); err != nil {`
			`logrus.Panicf("could not start the server process: %v", err)`
			`}`
			`}`

			`func withLogging(next http.HandlerFunc) http.HandlerFunc {`
			`return func(w http.ResponseWriter, r *http.Request) {`
			`start := time.Now()`
			`next.ServeHTTP(w, r)`
			`logrus.Infof("GET %s FROM %s in %dms", r.URL.Path, r.RemoteAddr, time.Since(start).Milliseconds())`
			`}`
			`}`

			`func parseCertificate(certificateFile string) (*x509.Certificate, error) {`
			`pemData, err := ioutil.ReadFile(certificateFile)`
			`if err != nil {`
			`return nil, fmt.Errorf("could not read PEM data from %s: %w", certificateFile, err)`
			`}`

			`block, _ := pem.Decode(pemData)`
			`if block == nil {`
			`return nil, fmt.Errorf("could not find PEM data in %s", certificateFile)`
			`}`
			`certificate, err := x509.ParseCertificate(block.Bytes)`
			`if err != nil {`
			`return nil, fmt.Errorf("could not parse certificate in %s: %w", certificateFile, err)`
			`}`

			`return certificate, nil`
			`}`

			`func parsePrivateKey(keyFile string) (crypto.Signer, error) {`
			`pemData, err := ioutil.ReadFile(keyFile)`
			`if err != nil {`
			`return nil, fmt.Errorf("could not read PEM data from %s: %w", keyFile, err)`
			`}`

			`block, _ := pem.Decode(pemData)`
			`if block == nil {`
			`return nil, fmt.Errorf("could not find PEM data in %s", keyFile)`
			`}`

			`switch block.Type {`
			`case "PRIVATE KEY":`
			`key, err := x509.ParsePKCS8PrivateKey(block.Bytes)`
			`if err != nil {`
			`return nil, fmt.Errorf("no usable private key found in %s: %w", keyFile, err)`
			`}`
			`return key.(crypto.Signer), nil`
			`case "RSA PRIVATE KEY":`
			`rsaKey, err := x509.ParsePKCS1PrivateKey(block.Bytes)`
			`if err != nil {`
			`return nil, fmt.Errorf("no usable private key found in %s: %w", keyFile, err)`
			`}`
			`return rsaKey, nil`
			`default:`
			`return nil, fmt.Errorf("unsupported PEM block type %s in %s", block.Type, keyFile)`
			`}`
			`}`