goocsp/cmd/cacertocsp/main.go

/*
Copyright 2022 CAcert Inc.
SPDX-License-Identifier: Apache-2.0

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package main

import (
	"context"
	"crypto"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"flag"
	"fmt"
	"io/ioutil"
	"net/http"
	"os"
	"os/signal"
	"syscall"
	"time"

	"github.com/knadh/koanf"
	"github.com/knadh/koanf/parsers/yaml"
	"github.com/knadh/koanf/providers/file"
	"github.com/sirupsen/logrus"

	"git.cacert.org/cacert-goocsp/pkg/ocsp"

	"git.cacert.org/cacert-goocsp/pkg/ocspsource"
)

/* constants for configuration keys */

const (
	coIssuers      = "issuers"
	issuerCaCert   = "caCertificate"
	issuerReCert   = "responderCertificate"
	issuerReKey    = "responderKey"
	issuerCertList = "certificateList"
)

func main() {
	var (
		serverAddr = flag.String("serverAddr", ":8080", "Server ip addr and port")
		config     = koanf.New(".")
		opts       []ocspsource.Option
	)

	err := config.Load(file.Provider("config.yaml"), yaml.Parser())
	if err != nil {
		logrus.Panicf("could not load configuration: %v", err)
	}

	logrus.SetLevel(logrus.DebugLevel)

	issuerConfigs := config.Slices(coIssuers)

	ctx, cancel := context.WithCancel(context.Background())
	opts = configureIssuers(ctx, issuerConfigs, opts)

	cacertSource, err := ocspsource.NewSource(opts...)
	if err != nil {
		logrus.Panicf("could not create OCSP source: %v", err)
	}

	http.Handle("/", withLogging(ocsp.NewResponder(cacertSource, nil).ServeHTTP))

	defer cancel()

	server := &http.Server{
		Addr: *serverAddr,
	}

	setupCloseHandler(ctx, server)

	if err := server.ListenAndServe(); err != nil {
		if !errors.Is(err, http.ErrServerClosed) {
			logrus.Panicf("could not start the server process: %v", err)
		}

		logrus.Infof("server shutdown")
	}
}

func configureIssuers(ctx context.Context, issuerConfigs []*koanf.Koanf, opts []ocspsource.Option) []ocspsource.Option {
	for number, issuerConfig := range issuerConfigs {
		hasErrors := false

		for _, item := range []string{issuerCaCert, issuerReCert, issuerReKey, issuerCertList} {
			if v := issuerConfig.String(item); v == "" {
				logrus.Warnf("%s parameter for issuers entry %d is missing", item, number)

				hasErrors = true
			}
		}

		if hasErrors {
			logrus.Warnf("configuration for issuers entry %d had errors and has been skipped", number)

			continue
		}

		caCertificate, err := parseCertificate(issuerConfig.String(issuerCaCert))
		if err != nil {
			logrus.Errorf("could not parse CA certificate for issuer %d: %v", number, err)

			continue
		}

		responderCertificate, err := parseCertificate(issuerConfig.String(issuerReCert))
		if err != nil {
			logrus.Errorf("could not parse OCSP responder certificate for issuer %d: %v", number, err)

			continue
		}

		responderKey, err := parsePrivateKey(issuerConfig.String(issuerReKey))
		if err != nil {
			logrus.Errorf("could not parse OCSP responder key for issuer %d: %v", number, err)

			continue
		}

		certDb, err := ocspsource.NewCertDB(ctx, issuerConfig.String(issuerCertList))
		if err != nil {
			logrus.Errorf("could not create certificate db %d: %v", number, err)

			continue
		}
		issuer := ocspsource.NewIssuer(
			caCertificate,
			responderCertificate,
			responderKey,
			certDb,
		)

		opts = append(opts, ocspsource.WithIssuer(issuer))
	}

	return opts
}

// The setupCloseHandler takes care of OS signal handling
func setupCloseHandler(ctx context.Context, server *http.Server) {
	c := make(chan os.Signal, 1)

	signal.Notify(c, os.Interrupt, syscall.SIGTERM)

	go func(ctx context.Context) {
		<-c
		logrus.Infof("program interrupted")

		err := server.Shutdown(ctx)
		if err != nil {
			logrus.Errorf("could not close server: %v", err)
		}
	}(ctx)
}

// The withLogging provides middleware to log incoming requests
func withLogging(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		start := time.Now()

		next.ServeHTTP(w, r)
		logrus.Infof("GET %s FROM %s in %dms", r.URL.Path, r.RemoteAddr, time.Since(start).Milliseconds())
	}
}

// parseCertificate is a helper to parse X.509 certificates from files
func parseCertificate(certificateFile string) (*x509.Certificate, error) {
	pemData, err := ioutil.ReadFile(certificateFile)
	if err != nil {
		return nil, fmt.Errorf("could not read PEM data from %s: %w", certificateFile, err)
	}

	block, _ := pem.Decode(pemData)
	if block == nil {
		return nil, fmt.Errorf("could not find PEM data in %s", certificateFile)
	}

	certificate, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("could not parse certificate in %s: %w", certificateFile, err)
	}

	return certificate, nil
}

// parsePrivateKey is a helper to parse PKCS#1 or PKCS#8 private keys from files
func parsePrivateKey(keyFile string) (crypto.Signer, error) {
	pemData, err := ioutil.ReadFile(keyFile)
	if err != nil {
		return nil, fmt.Errorf("could not read PEM data from %s: %w", keyFile, err)
	}

	block, _ := pem.Decode(pemData)
	if block == nil {
		return nil, fmt.Errorf("could not find PEM data in %s", keyFile)
	}

	switch block.Type {
	case "PRIVATE KEY":
		key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("no usable private key found in %s: %w", keyFile, err)
		}

		signer, ok := key.(crypto.Signer)
		if !ok {
			return nil, errors.New("key cannot be used as signer")
		}

		return signer, nil
	case "RSA PRIVATE KEY":
		rsaKey, err := x509.ParsePKCS1PrivateKey(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("no usable private key found in %s: %w", keyFile, err)
		}

		return rsaKey, nil
	default:
		return nil, fmt.Errorf("unsupported PEM block type %s in %s", block.Type, keyFile)
	}
}
Add license and inline documentation 2022-03-06 15:51:09 +00:00			`/*`
Implement golangci-lint suggestions 2022-03-21 17:46:04 +00:00			`Copyright 2022 CAcert Inc.`
			`SPDX-License-Identifier: Apache-2.0`
Add license and inline documentation 2022-03-06 15:51:09 +00:00
Implement golangci-lint suggestions 2022-03-21 17:46:04 +00:00			`Licensed under the Apache License, Version 2.0 (the "License");`
			`you may not use this file except in compliance with the License.`
			`You may obtain a copy of the License at`
Add license and inline documentation 2022-03-06 15:51:09 +00:00
Implement golangci-lint suggestions 2022-03-21 17:46:04 +00:00			`http://www.apache.org/licenses/LICENSE-2.0`
Add license and inline documentation 2022-03-06 15:51:09 +00:00
Implement golangci-lint suggestions 2022-03-21 17:46:04 +00:00			`Unless required by applicable law or agreed to in writing, software`
			`distributed under the License is distributed on an "AS IS" BASIS,`
			`WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`See the License for the specific language governing permissions and`
			`limitations under the License.`
Add license and inline documentation 2022-03-06 15:51:09 +00:00			`*/`

Initial implementation - support multiple issuer certificates - support separate responder keys and certificates - support openssl index.txt format certificate databases 2022-03-06 13:40:46 +00:00			`package main`

			`import (`
Implement graceful shutdown and reload 2022-03-06 15:18:04 +00:00			`"context"`
Initial implementation - support multiple issuer certificates - support separate responder keys and certificates - support openssl index.txt format certificate databases 2022-03-06 13:40:46 +00:00			`"crypto"`
			`"crypto/x509"`
			`"encoding/pem"`
Add license and inline documentation 2022-03-06 15:51:09 +00:00			`"errors"`
Initial implementation - support multiple issuer certificates - support separate responder keys and certificates - support openssl index.txt format certificate databases 2022-03-06 13:40:46 +00:00			`"flag"`
			`"fmt"`
			`"io/ioutil"`
			`"net/http"`
Implement graceful shutdown and reload 2022-03-06 15:18:04 +00:00			`"os"`
			`"os/signal"`
			`"syscall"`
Initial implementation - support multiple issuer certificates - support separate responder keys and certificates - support openssl index.txt format certificate databases 2022-03-06 13:40:46 +00:00			`"time"`

			`"github.com/knadh/koanf"`
			`"github.com/knadh/koanf/parsers/yaml"`
			`"github.com/knadh/koanf/providers/file"`
			`"github.com/sirupsen/logrus"`
Implement golangci-lint suggestions 2022-03-21 17:46:04 +00:00
Start golangci-lint fixes 2022-03-28 19:28:41 +00:00			`"git.cacert.org/cacert-goocsp/pkg/ocsp"`

Implement golangci-lint suggestions 2022-03-21 17:46:04 +00:00			`"git.cacert.org/cacert-goocsp/pkg/ocspsource"`
Initial implementation - support multiple issuer certificates - support separate responder keys and certificates - support openssl index.txt format certificate databases 2022-03-06 13:40:46 +00:00			`)`

Add license and inline documentation 2022-03-06 15:51:09 +00:00			`/* constants for configuration keys */`

Initial implementation - support multiple issuer certificates - support separate responder keys and certificates - support openssl index.txt format certificate databases 2022-03-06 13:40:46 +00:00			`const (`
			`coIssuers = "issuers"`
			`issuerCaCert = "caCertificate"`
			`issuerReCert = "responderCertificate"`
			`issuerReKey = "responderKey"`
			`issuerCertList = "certificateList"`
			`)`

			`func main() {`
Implement golangci-lint suggestions 2022-03-21 17:46:04 +00:00			`var (`
			`serverAddr = flag.String("serverAddr", ":8080", "Server ip addr and port")`
			`config = koanf.New(".")`
			`opts []ocspsource.Option`
			`)`
Initial implementation - support multiple issuer certificates - support separate responder keys and certificates - support openssl index.txt format certificate databases 2022-03-06 13:40:46 +00:00
			`err := config.Load(file.Provider("config.yaml"), yaml.Parser())`
			`if err != nil {`
			`logrus.Panicf("could not load configuration: %v", err)`
			`}`
Implement golangci-lint suggestions 2022-03-21 17:46:04 +00:00
Implement graceful shutdown and reload 2022-03-06 15:18:04 +00:00			`logrus.SetLevel(logrus.DebugLevel)`
Initial implementation - support multiple issuer certificates - support separate responder keys and certificates - support openssl index.txt format certificate databases 2022-03-06 13:40:46 +00:00
			`issuerConfigs := config.Slices(coIssuers)`
Implement golangci-lint suggestions 2022-03-21 17:46:04 +00:00
Add test, include extensions support needed to integrate code from cfssl and golang.org/x/crypto/ocsp into new pkg/ocsp to be able to add response extensions. 2022-03-28 19:16:14 +00:00			`ctx, cancel := context.WithCancel(context.Background())`
			`opts = configureIssuers(ctx, issuerConfigs, opts)`
Implement golangci-lint suggestions 2022-03-21 17:46:04 +00:00
			`cacertSource, err := ocspsource.NewSource(opts...)`
			`if err != nil {`
			`logrus.Panicf("could not create OCSP source: %v", err)`
			`}`

			`http.Handle("/", withLogging(ocsp.NewResponder(cacertSource, nil).ServeHTTP))`

			`defer cancel()`

			`server := &http.Server{`
			`Addr: *serverAddr,`
			`}`

			`setupCloseHandler(ctx, server)`

			`if err := server.ListenAndServe(); err != nil {`
			`if !errors.Is(err, http.ErrServerClosed) {`
			`logrus.Panicf("could not start the server process: %v", err)`
			`}`

			`logrus.Infof("server shutdown")`
			`}`
			`}`

Add test, include extensions support needed to integrate code from cfssl and golang.org/x/crypto/ocsp into new pkg/ocsp to be able to add response extensions. 2022-03-28 19:16:14 +00:00			`func configureIssuers(ctx context.Context, issuerConfigs []*koanf.Koanf, opts []ocspsource.Option) []ocspsource.Option {`
Initial implementation - support multiple issuer certificates - support separate responder keys and certificates - support openssl index.txt format certificate databases 2022-03-06 13:40:46 +00:00			`for number, issuerConfig := range issuerConfigs {`
			`hasErrors := false`
Implement golangci-lint suggestions 2022-03-21 17:46:04 +00:00
Initial implementation - support multiple issuer certificates - support separate responder keys and certificates - support openssl index.txt format certificate databases 2022-03-06 13:40:46 +00:00			`for _, item := range []string{issuerCaCert, issuerReCert, issuerReKey, issuerCertList} {`
			`if v := issuerConfig.String(item); v == "" {`
			`logrus.Warnf("%s parameter for issuers entry %d is missing", item, number)`
Implement golangci-lint suggestions 2022-03-21 17:46:04 +00:00
Initial implementation - support multiple issuer certificates - support separate responder keys and certificates - support openssl index.txt format certificate databases 2022-03-06 13:40:46 +00:00			`hasErrors = true`
			`}`
			`}`
Implement golangci-lint suggestions 2022-03-21 17:46:04 +00:00
Initial implementation - support multiple issuer certificates - support separate responder keys and certificates - support openssl index.txt format certificate databases 2022-03-06 13:40:46 +00:00			`if hasErrors {`
			`logrus.Warnf("configuration for issuers entry %d had errors and has been skipped", number)`
Implement golangci-lint suggestions 2022-03-21 17:46:04 +00:00
Initial implementation - support multiple issuer certificates - support separate responder keys and certificates - support openssl index.txt format certificate databases 2022-03-06 13:40:46 +00:00			`continue`
			`}`

			`caCertificate, err := parseCertificate(issuerConfig.String(issuerCaCert))`
			`if err != nil {`
			`logrus.Errorf("could not parse CA certificate for issuer %d: %v", number, err)`
Implement golangci-lint suggestions 2022-03-21 17:46:04 +00:00
Initial implementation - support multiple issuer certificates - support separate responder keys and certificates - support openssl index.txt format certificate databases 2022-03-06 13:40:46 +00:00			`continue`
			`}`
Implement golangci-lint suggestions 2022-03-21 17:46:04 +00:00
Initial implementation - support multiple issuer certificates - support separate responder keys and certificates - support openssl index.txt format certificate databases 2022-03-06 13:40:46 +00:00			`responderCertificate, err := parseCertificate(issuerConfig.String(issuerReCert))`
			`if err != nil {`
			`logrus.Errorf("could not parse OCSP responder certificate for issuer %d: %v", number, err)`
Implement golangci-lint suggestions 2022-03-21 17:46:04 +00:00
Initial implementation - support multiple issuer certificates - support separate responder keys and certificates - support openssl index.txt format certificate databases 2022-03-06 13:40:46 +00:00			`continue`
			`}`
Implement golangci-lint suggestions 2022-03-21 17:46:04 +00:00
Initial implementation - support multiple issuer certificates - support separate responder keys and certificates - support openssl index.txt format certificate databases 2022-03-06 13:40:46 +00:00			`responderKey, err := parsePrivateKey(issuerConfig.String(issuerReKey))`
			`if err != nil {`
			`logrus.Errorf("could not parse OCSP responder key for issuer %d: %v", number, err)`
Implement golangci-lint suggestions 2022-03-21 17:46:04 +00:00
Initial implementation - support multiple issuer certificates - support separate responder keys and certificates - support openssl index.txt format certificate databases 2022-03-06 13:40:46 +00:00			`continue`
			`}`
Implement golangci-lint suggestions 2022-03-21 17:46:04 +00:00
Add test, include extensions support needed to integrate code from cfssl and golang.org/x/crypto/ocsp into new pkg/ocsp to be able to add response extensions. 2022-03-28 19:16:14 +00:00			`certDb, err := ocspsource.NewCertDB(ctx, issuerConfig.String(issuerCertList))`
Initial implementation - support multiple issuer certificates - support separate responder keys and certificates - support openssl index.txt format certificate databases 2022-03-06 13:40:46 +00:00			`if err != nil {`
Add test, include extensions support needed to integrate code from cfssl and golang.org/x/crypto/ocsp into new pkg/ocsp to be able to add response extensions. 2022-03-28 19:16:14 +00:00			`logrus.Errorf("could not create certificate db %d: %v", number, err)`
Implement golangci-lint suggestions 2022-03-21 17:46:04 +00:00
Initial implementation - support multiple issuer certificates - support separate responder keys and certificates - support openssl index.txt format certificate databases 2022-03-06 13:40:46 +00:00			`continue`
			`}`
Add test, include extensions support needed to integrate code from cfssl and golang.org/x/crypto/ocsp into new pkg/ocsp to be able to add response extensions. 2022-03-28 19:16:14 +00:00			`issuer := ocspsource.NewIssuer(`
			`caCertificate,`
			`responderCertificate,`
			`responderKey,`
			`certDb,`
			`)`
Implement graceful shutdown and reload 2022-03-06 15:18:04 +00:00
Implement golangci-lint suggestions 2022-03-21 17:46:04 +00:00			`opts = append(opts, ocspsource.WithIssuer(issuer))`
Add license and inline documentation 2022-03-06 15:51:09 +00:00			`}`

Implement golangci-lint suggestions 2022-03-21 17:46:04 +00:00			`return opts`
Implement graceful shutdown and reload 2022-03-06 15:18:04 +00:00			`}`

Add license and inline documentation 2022-03-06 15:51:09 +00:00			`// The setupCloseHandler takes care of OS signal handling`
			`func setupCloseHandler(ctx context.Context, server *http.Server) {`
Implement golangci-lint suggestions 2022-03-21 17:46:04 +00:00			`c := make(chan os.Signal, 1)`

Implement graceful shutdown and reload 2022-03-06 15:18:04 +00:00			`signal.Notify(c, os.Interrupt, syscall.SIGTERM)`
Implement golangci-lint suggestions 2022-03-21 17:46:04 +00:00
Add license and inline documentation 2022-03-06 15:51:09 +00:00			`go func(ctx context.Context) {`
Implement graceful shutdown and reload 2022-03-06 15:18:04 +00:00			`<-c`
			`logrus.Infof("program interrupted")`
Implement golangci-lint suggestions 2022-03-21 17:46:04 +00:00
Add license and inline documentation 2022-03-06 15:51:09 +00:00			`err := server.Shutdown(ctx)`
Implement graceful shutdown and reload 2022-03-06 15:18:04 +00:00			`if err != nil {`
			`logrus.Errorf("could not close server: %v", err)`
			`}`
Add license and inline documentation 2022-03-06 15:51:09 +00:00			`}(ctx)`
Initial implementation - support multiple issuer certificates - support separate responder keys and certificates - support openssl index.txt format certificate databases 2022-03-06 13:40:46 +00:00			`}`

Add license and inline documentation 2022-03-06 15:51:09 +00:00			`// The withLogging provides middleware to log incoming requests`
Initial implementation - support multiple issuer certificates - support separate responder keys and certificates - support openssl index.txt format certificate databases 2022-03-06 13:40:46 +00:00			`func withLogging(next http.HandlerFunc) http.HandlerFunc {`
			`return func(w http.ResponseWriter, r *http.Request) {`
			`start := time.Now()`
Implement golangci-lint suggestions 2022-03-21 17:46:04 +00:00
Initial implementation - support multiple issuer certificates - support separate responder keys and certificates - support openssl index.txt format certificate databases 2022-03-06 13:40:46 +00:00			`next.ServeHTTP(w, r)`
			`logrus.Infof("GET %s FROM %s in %dms", r.URL.Path, r.RemoteAddr, time.Since(start).Milliseconds())`
			`}`
			`}`

Add license and inline documentation 2022-03-06 15:51:09 +00:00			`// parseCertificate is a helper to parse X.509 certificates from files`
Initial implementation - support multiple issuer certificates - support separate responder keys and certificates - support openssl index.txt format certificate databases 2022-03-06 13:40:46 +00:00			`func parseCertificate(certificateFile string) (*x509.Certificate, error) {`
			`pemData, err := ioutil.ReadFile(certificateFile)`
			`if err != nil {`
			`return nil, fmt.Errorf("could not read PEM data from %s: %w", certificateFile, err)`
			`}`

			`block, _ := pem.Decode(pemData)`
			`if block == nil {`
			`return nil, fmt.Errorf("could not find PEM data in %s", certificateFile)`
			`}`
Implement golangci-lint suggestions 2022-03-21 17:46:04 +00:00
Initial implementation - support multiple issuer certificates - support separate responder keys and certificates - support openssl index.txt format certificate databases 2022-03-06 13:40:46 +00:00			`certificate, err := x509.ParseCertificate(block.Bytes)`
			`if err != nil {`
			`return nil, fmt.Errorf("could not parse certificate in %s: %w", certificateFile, err)`
			`}`

			`return certificate, nil`
			`}`

Add license and inline documentation 2022-03-06 15:51:09 +00:00			`// parsePrivateKey is a helper to parse PKCS#1 or PKCS#8 private keys from files`
Initial implementation - support multiple issuer certificates - support separate responder keys and certificates - support openssl index.txt format certificate databases 2022-03-06 13:40:46 +00:00			`func parsePrivateKey(keyFile string) (crypto.Signer, error) {`
			`pemData, err := ioutil.ReadFile(keyFile)`
			`if err != nil {`
			`return nil, fmt.Errorf("could not read PEM data from %s: %w", keyFile, err)`
			`}`

			`block, _ := pem.Decode(pemData)`
			`if block == nil {`
			`return nil, fmt.Errorf("could not find PEM data in %s", keyFile)`
			`}`

			`switch block.Type {`
			`case "PRIVATE KEY":`
			`key, err := x509.ParsePKCS8PrivateKey(block.Bytes)`
			`if err != nil {`
			`return nil, fmt.Errorf("no usable private key found in %s: %w", keyFile, err)`
			`}`
Implement golangci-lint suggestions 2022-03-21 17:46:04 +00:00
			`signer, ok := key.(crypto.Signer)`
			`if !ok {`
			`return nil, errors.New("key cannot be used as signer")`
			`}`

			`return signer, nil`
Initial implementation - support multiple issuer certificates - support separate responder keys and certificates - support openssl index.txt format certificate databases 2022-03-06 13:40:46 +00:00			`case "RSA PRIVATE KEY":`
			`rsaKey, err := x509.ParsePKCS1PrivateKey(block.Bytes)`
			`if err != nil {`
			`return nil, fmt.Errorf("no usable private key found in %s: %w", keyFile, err)`
			`}`
Implement golangci-lint suggestions 2022-03-21 17:46:04 +00:00
Initial implementation - support multiple issuer certificates - support separate responder keys and certificates - support openssl index.txt format certificate databases 2022-03-06 13:40:46 +00:00			`return rsaKey, nil`
			`default:`
			`return nil, fmt.Errorf("unsupported PEM block type %s in %s", block.Type, keyFile)`
			`}`
			`}`