package main import ( "crypto" "crypto/x509" "encoding/pem" "flag" "fmt" "io/ioutil" "net/http" "time" "git.cacert.org/cacert-goocsp/internal/ocspsource" "github.com/cloudflare/cfssl/ocsp" "github.com/knadh/koanf" "github.com/knadh/koanf/parsers/yaml" "github.com/knadh/koanf/providers/file" "github.com/sirupsen/logrus" ) const ( coIssuers = "issuers" issuerCaCert = "caCertificate" issuerReCert = "responderCertificate" issuerReKey = "responderKey" issuerCertList = "certificateList" ) func main() { var serverAddr = flag.String("serverAddr", ":8080", "Server ip addr and port") var config = koanf.New(".") err := config.Load(file.Provider("config.yaml"), yaml.Parser()) if err != nil { logrus.Panicf("could not load configuration: %v", err) } var opts []ocspsource.Option issuerConfigs := config.Slices(coIssuers) for number, issuerConfig := range issuerConfigs { hasErrors := false for _, item := range []string{issuerCaCert, issuerReCert, issuerReKey, issuerCertList} { if v := issuerConfig.String(item); v == "" { logrus.Warnf("%s parameter for issuers entry %d is missing", item, number) hasErrors = true } } if hasErrors { logrus.Warnf("configuration for issuers entry %d had errors and has been skipped", number) continue } caCertificate, err := parseCertificate(issuerConfig.String(issuerCaCert)) if err != nil { logrus.Errorf("could not parse CA certificate for issuer %d: %v", number, err) continue } responderCertificate, err := parseCertificate(issuerConfig.String(issuerReCert)) if err != nil { logrus.Errorf("could not parse OCSP responder certificate for issuer %d: %v", number, err) continue } responderKey, err := parsePrivateKey(issuerConfig.String(issuerReKey)) if err != nil { logrus.Errorf("could not parse OCSP responder key for issuer %d: %v", number, err) continue } issuer, err := ocspsource.NewIssuer(caCertificate, responderCertificate, responderKey, issuerConfig.String(issuerCertList)) if err != nil { logrus.Errorf("could not create issuer %d: %v", number, err) continue } opts = append(opts, ocspsource.WithIssuer(issuer)) } cacertSource, err := ocspsource.NewSource(opts...) if err != nil { logrus.Panicf("could not create OCSP source: %v", err) } http.Handle("/", withLogging(ocsp.NewResponder(cacertSource, nil).ServeHTTP)) server := &http.Server{ Addr: *serverAddr, } if err := server.ListenAndServe(); err != nil { logrus.Panicf("could not start the server process: %v", err) } } func withLogging(next http.HandlerFunc) http.HandlerFunc { return func(w http.ResponseWriter, r *http.Request) { start := time.Now() next.ServeHTTP(w, r) logrus.Infof("GET %s FROM %s in %dms", r.URL.Path, r.RemoteAddr, time.Since(start).Milliseconds()) } } func parseCertificate(certificateFile string) (*x509.Certificate, error) { pemData, err := ioutil.ReadFile(certificateFile) if err != nil { return nil, fmt.Errorf("could not read PEM data from %s: %w", certificateFile, err) } block, _ := pem.Decode(pemData) if block == nil { return nil, fmt.Errorf("could not find PEM data in %s", certificateFile) } certificate, err := x509.ParseCertificate(block.Bytes) if err != nil { return nil, fmt.Errorf("could not parse certificate in %s: %w", certificateFile, err) } return certificate, nil } func parsePrivateKey(keyFile string) (crypto.Signer, error) { pemData, err := ioutil.ReadFile(keyFile) if err != nil { return nil, fmt.Errorf("could not read PEM data from %s: %w", keyFile, err) } block, _ := pem.Decode(pemData) if block == nil { return nil, fmt.Errorf("could not find PEM data in %s", keyFile) } switch block.Type { case "PRIVATE KEY": key, err := x509.ParsePKCS8PrivateKey(block.Bytes) if err != nil { return nil, fmt.Errorf("no usable private key found in %s: %w", keyFile, err) } return key.(crypto.Signer), nil case "RSA PRIVATE KEY": rsaKey, err := x509.ParsePKCS1PrivateKey(block.Bytes) if err != nil { return nil, fmt.Errorf("no usable private key found in %s: %w", keyFile, err) } return rsaKey, nil default: return nil, fmt.Errorf("unsupported PEM block type %s in %s", block.Type, keyFile) } }