jandd
/
poc-browser-csr-generation
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Move handlers into separate package

Browse Source
main
Jan Dittberner 3 years ago
parent b748050de3
commit 08be6e68bc
4 changed files with 390 additions and 322 deletions
Show Stats Download Patch File Download Diff File

98
handlers/index.go
Unescape Escape View File

@ -0,0 +1,98 @@
package handlers
import (
"html/template"
"net/http"
"github.com/gorilla/csrf"
"github.com/nicksnyder/go-i18n/v2/i18n"
log "github.com/sirupsen/logrus"
)
type IndexHandler struct {
bundle *i18n.Bundle
}
func NewIndexHandler(bundle *i18n.Bundle) *IndexHandler {
return &IndexHandler{bundle: bundle}
}
func (i *IndexHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
localizer := i18n.NewLocalizer(i.bundle, r.Header.Get("Accept-Language"))
csrGenTitle := localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{
ID: "CSRGenTitle",
Other: "CSR generation in browser",
}})
nameLabel := localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{
ID: "NameLabel",
Other: "Your name",
}})
nameHelpText := localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{
ID: "NameHelpText",
Other: "Please input your name as it should be added to your certificate",
}})
passwordLabel := localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{
ID: "PasswordLabel",
Other: "Password for your client certificate",
}})
rsaKeySizeLegend := localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{
ID: "RSAKeySizeLabel",
Other: "RSA Key Size",
}})
rsa3072Label := localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{
ID: "RSA3072Label",
Other: "3072 Bit",
}})
rsa2048Label := localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{
ID: "RSA2048Label",
Other: "2048 Bit (not recommended)",
}})
rsa4096Label := localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{
ID: "RSA4096Label",
Other: "4096 Bit",
}})
rsaHelpText := localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{
ID: "RSAHelpText",
Other: "An RSA key pair will be generated in your browser. Longer key" +
" sizes provide better security but take longer to generate.",
}})
csrButtonLabel := localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{
ID: "CSRButtonLabel",
Other: "Generate signing request",
}})
statusLoading := localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{
ID: "StatusLoading",
Other: "Loading ...",
}})
downloadLabel := localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{
ID: "DownloadLabel",
Other: "Download",
}})
downloadDescription := localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{
ID: "DownloadDescription",
Other: "Your key material is ready for download. The downloadable file contains your private key and your" +
" certificate encrypted with your password. You can now use the file to install your certificate in your" +
" browser or other applications.",
}})
t := template.Must(template.ParseFiles("templates/index.html"))
err := t.Execute(w, map[string]interface{}{
"Title": csrGenTitle,
"NameLabel": nameLabel,
"NameHelpText": nameHelpText,
"PasswordLabel": passwordLabel,
"RSAKeySizeLegend": rsaKeySizeLegend,
"RSA3072Label": rsa3072Label,
"RSA2048Label": rsa2048Label,
"RSA4096Label": rsa4096Label,
"RSAHelpText": rsaHelpText,
"CSRButtonLabel": csrButtonLabel,
"StatusLoading": statusLoading,
"DownloadDescription": downloadDescription,
"DownloadLabel": downloadLabel,
csrf.TemplateTag: csrf.TemplateField(r),
})
if err != nil {
log.Panic(err)
}
}

55
handlers/jslocales.go
Unescape Escape View File

@ -0,0 +1,55 @@
package handlers
import (
"encoding/json"
"net/http"
"strings"
"github.com/nicksnyder/go-i18n/v2/i18n"
)
type JSLocalesHandler struct {
bundle *i18n.Bundle
}
func NewJSLocalesHandler(bundle *i18n.Bundle) *JSLocalesHandler {
return &JSLocalesHandler{bundle: bundle}
}
func (j *JSLocalesHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
parts := strings.Split(r.URL.Path, "/")
if len(parts) != 4 {
http.Error(w, "Not found", http.StatusNotFound)
return
}
lang := parts[2]
localizer := i18n.NewLocalizer(j.bundle, lang)
type translationData struct {
Keygen struct {
Started string `json:"started"`
Running string `json:"running"`
Generated string `json:"generated"`
} `json:"keygen"`
}
translations := &translationData{}
translations.Keygen.Started = localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{
ID: "JavaScript.KeyGen.Started",
Other: "started key generation",
}})
translations.Keygen.Running = localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{
ID: "JavaScript.KeyGen.Running",
Other: "key generation running for __seconds__ seconds",
}})
translations.Keygen.Generated = localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{
ID: "JavaScript.KeyGen.Generated",
Other: "key generated in __seconds__ seconds",
}})
encoder := json.NewEncoder(w)
if err := encoder.Encode(translations); err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
}
}

171
handlers/signing.go
Unescape Escape View File

@ -0,0 +1,171 @@
package handlers
import (
"bytes"
"crypto/x509"
"encoding/json"
"encoding/pem"
"errors"
"fmt"
"io/ioutil"
"net/http"
"os"
"os/exec"
log "github.com/sirupsen/logrus"
)
type CertificateSigningHandler struct {
caCertificates []*x509.Certificate
caChainMap map[string][]string
}
func NewCertificateSigningHandler(caCertificates []*x509.Certificate) *CertificateSigningHandler {
return &CertificateSigningHandler{caCertificates: caCertificates, caChainMap: make(map[string][]string)}
}
func (h *CertificateSigningHandler) sign(csrPem string, commonName string) (certPem string, caChain []string, err error) {
log.Printf("received CSR for %s:\n\n%s", commonName, csrPem)
subjectDN := fmt.Sprintf("/CN=%s", commonName)
var csrFile *os.File
if csrFile, err = ioutil.TempFile("", "*.csr.pem"); err != nil {
log.Errorf("could not open temporary file: %s", err)
return
}
if _, err = csrFile.Write([]byte(csrPem)); err != nil {
log.Errorf("could not write CSR to file: %s", err)
return
}
if err = csrFile.Close(); err != nil {
log.Errorf("could not close CSR file: %s", err)
return
}
defer func(file *os.File) {
err = os.Remove(file.Name())
if err != nil {
log.Errorf("could not remove temporary file: %s", err)
}
}(csrFile)
opensslCommand := exec.Command(
"openssl", "ca", "-config", "ca.cnf",
"-policy", "policy_match", "-extensions", "client_ext",
"-batch", "-subj", subjectDN, "-utf8", "-rand_serial", "-in", "in.pem")
var out, cmdErr bytes.Buffer
opensslCommand.Stdout = &out
opensslCommand.Stderr = &cmdErr
err = opensslCommand.Run()
if err != nil {
log.Print(err)
log.Print(cmdErr.String())
return
}
var block *pem.Block
if block, _ = pem.Decode(out.Bytes()); block == nil {
err = fmt.Errorf("could not decode pem")
return
}
var certificate *x509.Certificate
if certificate, err = x509.ParseCertificate(block.Bytes); err != nil {
return
}
certPem = string(pem.EncodeToMemory(&pem.Block{
Type: "CERTIFICATE",
Bytes: certificate.Raw,
}))
caChain, err = h.getCAChain(certificate)
return
}
func (h *CertificateSigningHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
if r.Method != "POST" {
http.Error(w, "Only POST requests support", http.StatusMethodNotAllowed)
return
}
if r.Header.Get("content-type") != "application/json" {
http.Error(w, "Only JSON content is accepted", http.StatusNotAcceptable)
return
}
var err error
var requestBody requestData
var responseData responseData
if err = json.NewDecoder(r.Body).Decode(&requestBody); err != nil {
log.Print(err)
http.Error(w, err.Error(), http.StatusBadRequest)
return
}
responseData.Certificate, responseData.CAChain, err = h.sign(requestBody.Csr, requestBody.CommonName)
if err != nil {
http.Error(w, "Could not sign certificate", http.StatusInternalServerError)
return
}
var jsonBytes []byte
if jsonBytes, err = json.Marshal(&responseData); err != nil {
log.Print(err)
}
if _, err = w.Write(jsonBytes); err != nil {
log.Print(err)
}
}
type requestData struct {
Csr string `json:"csr"`
CommonName string `json:"commonName"`
}
type responseData struct {
Certificate string `json:"certificate"`
CAChain []string `json:"ca_chain"`
}
func (h *CertificateSigningHandler) getCAChain(certificate *x509.Certificate) ([]string, error) {
issuerString := string(certificate.RawIssuer)
if value, exists := h.caChainMap[issuerString]; exists {
return value, nil
}
result := make([]string, 0)
appendCert := func(cert *x509.Certificate) {
result = append(
result,
string(pem.EncodeToMemory(&pem.Block{Bytes: cert.Raw, Type: "CERTIFICATE"})))
log.Debugf("added %s to cachain", result[len(result)-1])
}
var previous *x509.Certificate
var count = 0
for {
if len(h.caCertificates) == 0 {
return nil, errors.New("no CA certificates loaded")
}
if count > len(h.caCertificates) {
return nil, errors.New("could not construct certificate chain")
}
for _, caCert := range h.caCertificates {
if previous == nil {
if bytes.Equal(caCert.RawSubject, certificate.RawIssuer) {
previous = caCert
appendCert(caCert)
}
} else if bytes.Equal(previous.RawSubject, previous.RawIssuer) {
h.caChainMap[issuerString] = result
return result, nil
} else if bytes.Equal(caCert.RawSubject, previous.RawIssuer) {
previous = caCert
appendCert(caCert)
} else {
log.Debugf("skipped certificate %s", caCert.Subject)
}
}
count++
}
}

388
main.go
Unescape Escape View File

@ -1,19 +1,15 @@
package main package main
import ( import (
"bytes"
"crypto/rand" "crypto/rand"
"crypto/tls" "crypto/tls"
"crypto/x509" "crypto/x509"
"encoding/base64" "encoding/base64"
"encoding/json"
"encoding/pem" "encoding/pem"
"fmt" "fmt"
"html/template"
"io/ioutil" "io/ioutil"
"net/http" "net/http"
"os" "os"
"os/exec"
"os/signal" "os/signal"
"strings" "strings"
"syscall" "syscall"
@ -24,271 +20,88 @@ import (
"github.com/nicksnyder/go-i18n/v2/i18n" "github.com/nicksnyder/go-i18n/v2/i18n"
log "github.com/sirupsen/logrus" log "github.com/sirupsen/logrus"
"golang.org/x/text/language" "golang.org/x/text/language"
)
type signCertificate struct{} "git.dittberner.info/jan/browser_csr_generation/handlers"
)
type requestData struct { func main() {
Csr string `json:"csr"` tlsConfig := &tls.Config{
CommonName string `json:"commonName"` CipherSuites: []uint16{
} tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
},
NextProtos: []string{"h2"},
PreferServerCipherSuites: true,
MinVersion: tls.VersionTLS12,
}
type responseData struct { bundle := loadI18nBundle()
Certificate string `json:"certificate"` mux := http.NewServeMux()
CAChain []string `json:"ca_chain"`
}
var caCertificates []*x509.Certificate csrfKey := initCSRFKey()
func (h *signCertificate) sign(csrPem string, commonName string) (certPem string, caChain []string, err error) { mux.Handle("/sign/", handlers.NewCertificateSigningHandler(loadCACertificates()))
log.Printf("received CSR for %s:\n\n%s", commonName, csrPem) mux.Handle("/", handlers.NewIndexHandler(bundle))
subjectDN := fmt.Sprintf("/CN=%s", commonName) fileServer := http.FileServer(http.Dir("./public"))
var csrFile *os.File mux.Handle("/css/", fileServer)
if csrFile, err = ioutil.TempFile("", "*.csr.pem"); err != nil { mux.Handle("/js/", fileServer)
log.Errorf("could not open temporary file: %s", err) mux.Handle("/locales/", handlers.NewJSLocalesHandler(bundle))
return server := http.Server{
} Addr: ":8000",
if _, err = csrFile.Write([]byte(csrPem)); err != nil { Handler: csrf.Protect(csrfKey, csrf.FieldName("csrfToken"), csrf.RequestHeader("X-CSRF-Token"))(mux),
log.Errorf("could not write CSR to file: %s", err) TLSConfig: tlsConfig,
return ReadTimeout: 20 * time.Second,
} ReadHeaderTimeout: 5 * time.Second,
if err = csrFile.Close(); err != nil { WriteTimeout: 30 * time.Second,
log.Errorf("could not close CSR file: %s", err) IdleTimeout: 30 * time.Second,
return
} }
defer func(file *os.File) { go func() {
err = os.Remove(file.Name()) err := server.ListenAndServeTLS("server.crt.pem", "server.key.pem")
if err != nil { if err != nil {
log.Errorf("could not remove temporary file: %s", err) log.Fatal(err)
} }
}(csrFile) }()
var hostPort string
opensslCommand := exec.Command( if strings.HasPrefix(server.Addr, ":") {
"openssl", "ca", "-config", "ca.cnf", hostPort = fmt.Sprintf("localhost%s", server.Addr)
"-policy", "policy_match", "-extensions", "client_ext", } else {
"-batch", "-subj", subjectDN, "-utf8", "-rand_serial", "-in", "in.pem") hostPort = server.Addr
var out, cmdErr bytes.Buffer
opensslCommand.Stdout = &out
opensslCommand.Stderr = &cmdErr
err = opensslCommand.Run()
if err != nil {
log.Print(err)
log.Print(cmdErr.String())
return
}
var block *pem.Block
if block, _ = pem.Decode(out.Bytes()); block == nil {
err = fmt.Errorf("could not decode pem")
return
}
var certificate *x509.Certificate
if certificate, err = x509.ParseCertificate(block.Bytes); err != nil {
return
}
certPem = string(pem.EncodeToMemory(&pem.Block{
Type: "CERTIFICATE",
Bytes: certificate.Raw,
}))
caChain, err = h.getCAChain(certificate)
return
}
func (h *signCertificate) ServeHTTP(w http.ResponseWriter, r *http.Request) {
if r.Method != "POST" {
http.Error(w, "Only POST requests support", http.StatusMethodNotAllowed)
return
}
if r.Header.Get("content-type") != "application/json" {
http.Error(w, "Only JSON content is accepted", http.StatusNotAcceptable)
return
}
var err error
var requestBody requestData
var responseData responseData
if err = json.NewDecoder(r.Body).Decode(&requestBody); err != nil {
log.Print(err)
http.Error(w, err.Error(), http.StatusBadRequest)
return
}
responseData.Certificate, responseData.CAChain, err = h.sign(requestBody.Csr, requestBody.CommonName)
if err != nil {
http.Error(w, "Could not sign certificate", http.StatusInternalServerError)
return
}
var jsonBytes []byte
if jsonBytes, err = json.Marshal(&responseData); err != nil {
log.Print(err)
}
if _, err = w.Write(jsonBytes); err != nil {
log.Print(err)
} }
log.Infof("started web server on https://%s/", hostPort)
c := make(chan os.Signal, 1)
signal.Notify(c, os.Interrupt, syscall.SIGTERM)
s := <-c
log.Infof("received %s, shutting down", s)
_ = server.Close()
} }
func (*signCertificate) getCAChain(certificate *x509.Certificate) ([]string, error) { func loadI18nBundle() *i18n.Bundle {
result := make([]string, 0) bundle := i18n.NewBundle(language.English)
bundle.RegisterUnmarshalFunc("toml", toml.Unmarshal)
appendCert := func(cert *x509.Certificate) { for _, lang := range []string{"en-US", "de-DE"} {
result = append( if _, err := bundle.LoadMessageFile(fmt.Sprintf("active.%s.toml", lang)); err != nil {
result, log.Panic(err)
string(pem.EncodeToMemory(&pem.Block{Bytes: cert.Raw, Type: "CERTIFICATE"})))
log.Debugf("added %s to cachain", result[len(result)-1])
}
var previous *x509.Certificate
for {
if len(caCertificates) == 0 {
return result, nil
}
for _, caCert := range caCertificates {
if previous == nil {
if bytes.Equal(caCert.RawSubject, certificate.RawIssuer) {
previous = caCert
appendCert(caCert)
}
} else if bytes.Equal(previous.RawSubject, previous.RawIssuer) {
return result, nil
} else if bytes.Equal(caCert.RawSubject, previous.RawIssuer) {
previous = caCert
appendCert(caCert)
} else {
log.Debugf("skipped certificate %s", caCert.Subject)
}
} }
} }
return bundle
} }
type indexHandler struct { func initCSRFKey() []byte {
Bundle *i18n.Bundle var csrfKey []byte = nil
}
func (i *indexHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
localizer := i18n.NewLocalizer(i.Bundle, r.Header.Get("Accept-Language"))
csrGenTitle := localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{
ID: "CSRGenTitle",
Other: "CSR generation in browser",
}})
nameLabel := localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{
ID: "NameLabel",
Other: "Your name",
}})
nameHelpText := localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{
ID: "NameHelpText",
Other: "Please input your name as it should be added to your certificate",
}})
passwordLabel := localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{
ID: "PasswordLabel",
Other: "Password for your client certificate",
}})
rsaKeySizeLegend := localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{
ID: "RSAKeySizeLabel",
Other: "RSA Key Size",
}})
rsa3072Label := localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{
ID: "RSA3072Label",
Other: "3072 Bit",
}})
rsa2048Label := localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{
ID: "RSA2048Label",
Other: "2048 Bit (not recommended)",
}})
rsa4096Label := localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{
ID: "RSA4096Label",
Other: "4096 Bit",
}})
rsaHelpText := localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{
ID: "RSAHelpText",
Other: "An RSA key pair will be generated in your browser. Longer key" +
" sizes provide better security but take longer to generate.",
}})
csrButtonLabel := localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{
ID: "CSRButtonLabel",
Other: "Generate signing request",
}})
statusLoading := localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{
ID: "StatusLoading",
Other: "Loading ...",
}})
downloadLabel := localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{
ID: "DownloadLabel",
Other: "Download",
}})
downloadDescription := localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{
ID: "DownloadDescription",
Other: "Your key material is ready for download. The downloadable file contains your private key and your" +
" certificate encrypted with your password. You can now use the file to install your certificate in your" +
" browser or other applications.",
}})
t := template.Must(template.ParseFiles("templates/index.html"))
err := t.Execute(w, map[string]interface{}{
"Title": csrGenTitle,
"NameLabel": nameLabel,
"NameHelpText": nameHelpText,
"PasswordLabel": passwordLabel,
"RSAKeySizeLegend": rsaKeySizeLegend,
"RSA3072Label": rsa3072Label,
"RSA2048Label": rsa2048Label,
"RSA4096Label": rsa4096Label,
"RSAHelpText": rsaHelpText,
"CSRButtonLabel": csrButtonLabel,
"StatusLoading": statusLoading,
"DownloadDescription": downloadDescription,
"DownloadLabel": downloadLabel,
csrf.TemplateTag: csrf.TemplateField(r),
})
if err != nil {
log.Panic(err)
}
}
type jsLocalesHandler struct {
Bundle *i18n.Bundle
}
func (j *jsLocalesHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
parts := strings.Split(r.URL.Path, "/")
if len(parts) != 4 {
http.Error(w, "Not found", http.StatusNotFound)
return
}
lang := parts[2]
localizer := i18n.NewLocalizer(j.Bundle, lang)
type translationData struct { if csrfB64, exists := os.LookupEnv("CSRF_KEY"); exists {
Keygen struct { csrfKey, _ = base64.RawStdEncoding.DecodeString(csrfB64)
Started string `json:"started"` log.Info("read CSRF key from environment variable")
Running string `json:"running"`
Generated string `json:"generated"`
} `json:"keygen"`
} }
if csrfKey == nil {
translations := &translationData{} csrfKey = generateRandomBytes(32)
translations.Keygen.Started = localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{ log.Infof(
ID: "JavaScript.KeyGen.Started", "generated new random CSRF key, set environment variable CSRF_KEY to %s to "+
Other: "started key generation", "keep the same key for new sessions",
}}) base64.RawStdEncoding.EncodeToString(csrfKey))
translations.Keygen.Running = localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{
ID: "JavaScript.KeyGen.Running",
Other: "key generation running for __seconds__ seconds",
}})
translations.Keygen.Generated = localizer.MustLocalize(&i18n.LocalizeConfig{DefaultMessage: &i18n.Message{
ID: "JavaScript.KeyGen.Generated",
Other: "key generated in __seconds__ seconds",
}})
encoder := json.NewEncoder(w)
if err := encoder.Encode(translations); err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
} }
return csrfKey
} }
func generateRandomBytes(count int) []byte { func generateRandomBytes(count int) []byte {
@ -303,7 +116,7 @@ func generateRandomBytes(count int) []byte {
return randomBytes return randomBytes
} }
func init() { func loadCACertificates() (caCertificates []*x509.Certificate) {
var err error var err error
caCertificates = make([]*x509.Certificate, 2) caCertificates = make([]*x509.Certificate, 2)
for index, certFile := range []string{"example_ca/sub/ca.crt.pem", "example_ca/root/ca.crt.pem"} { for index, certFile := range []string{"example_ca/sub/ca.crt.pem", "example_ca/root/ca.crt.pem"} {
@ -321,74 +134,5 @@ func init() {
} }
} }
log.Infof("read %d CA certificates", len(caCertificates)) log.Infof("read %d CA certificates", len(caCertificates))
} return
func main() {
tlsConfig := &tls.Config{
CipherSuites: []uint16{
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
},
NextProtos: []string{"h2"},
PreferServerCipherSuites: true,
MinVersion: tls.VersionTLS12,
}
bundle := i18n.NewBundle(language.English)
bundle.RegisterUnmarshalFunc("toml", toml.Unmarshal)
for _, lang := range []string{"en-US", "de-DE"} {
if _, err := bundle.LoadMessageFile(fmt.Sprintf("active.%s.toml", lang)); err != nil {
log.Panic(err)
}
}
mux := http.NewServeMux()
var csrfKey []byte = nil
if csrfB64, exists := os.LookupEnv("CSRF_KEY"); exists {
csrfKey, _ = base64.RawStdEncoding.DecodeString(csrfB64)
log.Info("read CSRF key from environment variable")
}
if csrfKey == nil {
csrfKey = generateRandomBytes(32)
log.Infof(
"generated new random CSRF key, set environment variable CSRF_KEY to %s to "+
"keep the same key for new sessions",
base64.RawStdEncoding.EncodeToString(csrfKey))
}
mux.Handle("/sign/", &signCertificate{})
mux.Handle("/", &indexHandler{Bundle: bundle})
fileServer := http.FileServer(http.Dir("./public"))
mux.Handle("/css/", fileServer)
mux.Handle("/js/", fileServer)
mux.Handle("/locales/", &jsLocalesHandler{Bundle: bundle})
server := http.Server{
Addr: ":8000",
Handler: csrf.Protect(csrfKey, csrf.FieldName("csrfToken"), csrf.RequestHeader("X-CSRF-Token"))(mux),
TLSConfig: tlsConfig,
ReadTimeout: 20 * time.Second,
ReadHeaderTimeout: 5 * time.Second,
WriteTimeout: 30 * time.Second,
IdleTimeout: 30 * time.Second,
}
go func() {
err := server.ListenAndServeTLS("server.crt.pem", "server.key.pem")
if err != nil {
log.Fatal(err)
}
}()
var hostPort string
if strings.HasPrefix(server.Addr, ":") {
hostPort = fmt.Sprintf("localhost%s", server.Addr)
} else {
hostPort = server.Addr
}
log.Infof("started web server on https://%s/", hostPort)
c := make(chan os.Signal, 1)
signal.Notify(c, os.Interrupt, syscall.SIGTERM)
s := <-c
log.Infof("received %s, shutting down", s)
_ = server.Close()
} }

Write Preview
Loading…
Cancel
Save