goocsp/cmd/cacertocsp/main.go

176 lines
4.7 KiB
Go

package main
import (
"context"
"crypto"
"crypto/x509"
"encoding/pem"
"flag"
"fmt"
"io/ioutil"
"net/http"
"os"
"os/signal"
"syscall"
"time"
"git.cacert.org/cacert-goocsp/internal/ocspsource"
"github.com/cloudflare/cfssl/ocsp"
"github.com/knadh/koanf"
"github.com/knadh/koanf/parsers/yaml"
"github.com/knadh/koanf/providers/file"
"github.com/sirupsen/logrus"
)
const (
coIssuers = "issuers"
issuerCaCert = "caCertificate"
issuerReCert = "responderCertificate"
issuerReKey = "responderKey"
issuerCertList = "certificateList"
)
func main() {
var serverAddr = flag.String("serverAddr", ":8080", "Server ip addr and port")
var config = koanf.New(".")
err := config.Load(file.Provider("config.yaml"), yaml.Parser())
if err != nil {
logrus.Panicf("could not load configuration: %v", err)
}
logrus.SetLevel(logrus.DebugLevel)
var opts []ocspsource.Option
issuerConfigs := config.Slices(coIssuers)
for number, issuerConfig := range issuerConfigs {
hasErrors := false
for _, item := range []string{issuerCaCert, issuerReCert, issuerReKey, issuerCertList} {
if v := issuerConfig.String(item); v == "" {
logrus.Warnf("%s parameter for issuers entry %d is missing", item, number)
hasErrors = true
}
}
if hasErrors {
logrus.Warnf("configuration for issuers entry %d had errors and has been skipped", number)
continue
}
caCertificate, err := parseCertificate(issuerConfig.String(issuerCaCert))
if err != nil {
logrus.Errorf("could not parse CA certificate for issuer %d: %v", number, err)
continue
}
responderCertificate, err := parseCertificate(issuerConfig.String(issuerReCert))
if err != nil {
logrus.Errorf("could not parse OCSP responder certificate for issuer %d: %v", number, err)
continue
}
responderKey, err := parsePrivateKey(issuerConfig.String(issuerReKey))
if err != nil {
logrus.Errorf("could not parse OCSP responder key for issuer %d: %v", number, err)
continue
}
issuer, err := ocspsource.NewIssuer(caCertificate, responderCertificate, responderKey, issuerConfig.String(issuerCertList))
if err != nil {
logrus.Errorf("could not create issuer %d: %v", number, err)
continue
}
opts = append(opts, ocspsource.WithIssuer(issuer))
}
cacertSource, err := ocspsource.NewSource(opts...)
if err != nil {
logrus.Panicf("could not create OCSP source: %v", err)
}
http.Handle("/", withLogging(ocsp.NewResponder(cacertSource, nil).ServeHTTP))
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
server := &http.Server{
Addr: *serverAddr,
}
done := make(chan struct{})
go func() {
cacertSource.BackgroundTasks(ctx)
}()
setupCloseHandler(server, done)
if err := server.ListenAndServe(); err != nil {
logrus.Panicf("could not start the server process: %v", err)
}
<-done
}
func setupCloseHandler(server *http.Server, done chan struct{}) {
c := make(chan os.Signal)
signal.Notify(c, os.Interrupt, syscall.SIGTERM)
go func() {
<-c
logrus.Infof("program interrupted")
err := server.Close()
if err != nil {
logrus.Errorf("could not close server: %v", err)
}
done <- struct{}{}
}()
}
func withLogging(next http.HandlerFunc) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
start := time.Now()
next.ServeHTTP(w, r)
logrus.Infof("GET %s FROM %s in %dms", r.URL.Path, r.RemoteAddr, time.Since(start).Milliseconds())
}
}
func parseCertificate(certificateFile string) (*x509.Certificate, error) {
pemData, err := ioutil.ReadFile(certificateFile)
if err != nil {
return nil, fmt.Errorf("could not read PEM data from %s: %w", certificateFile, err)
}
block, _ := pem.Decode(pemData)
if block == nil {
return nil, fmt.Errorf("could not find PEM data in %s", certificateFile)
}
certificate, err := x509.ParseCertificate(block.Bytes)
if err != nil {
return nil, fmt.Errorf("could not parse certificate in %s: %w", certificateFile, err)
}
return certificate, nil
}
func parsePrivateKey(keyFile string) (crypto.Signer, error) {
pemData, err := ioutil.ReadFile(keyFile)
if err != nil {
return nil, fmt.Errorf("could not read PEM data from %s: %w", keyFile, err)
}
block, _ := pem.Decode(pemData)
if block == nil {
return nil, fmt.Errorf("could not find PEM data in %s", keyFile)
}
switch block.Type {
case "PRIVATE KEY":
key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
if err != nil {
return nil, fmt.Errorf("no usable private key found in %s: %w", keyFile, err)
}
return key.(crypto.Signer), nil
case "RSA PRIVATE KEY":
rsaKey, err := x509.ParsePKCS1PrivateKey(block.Bytes)
if err != nil {
return nil, fmt.Errorf("no usable private key found in %s: %w", keyFile, err)
}
return rsaKey, nil
default:
return nil, fmt.Errorf("unsupported PEM block type %s in %s", block.Type, keyFile)
}
}