tlscert.go 4.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151
  1. package tlscert
  2. import (
  3. "crypto/tls"
  4. "crypto/x509"
  5. "encoding/pem"
  6. "io"
  7. "io/ioutil"
  8. "log"
  9. "os"
  10. "path/filepath"
  11. "strings"
  12. "imuslab.com/arozos/ReverseProxy/mod/utils"
  13. )
  14. type Manager struct {
  15. CertStore string
  16. verbal bool
  17. }
  18. func NewManager(certStore string) (*Manager, error) {
  19. if !utils.FileExists(certStore) {
  20. os.MkdirAll(certStore, 0775)
  21. }
  22. thisManager := Manager{
  23. CertStore: certStore,
  24. verbal: true,
  25. }
  26. return &thisManager, nil
  27. }
  28. func (m *Manager) ListCertDomains() ([]string, error) {
  29. filenames, err := m.ListCerts()
  30. if err != nil {
  31. return []string{}, err
  32. }
  33. //Remove certificates where there are missing public key or private key
  34. filenames = getCertPairs(filenames)
  35. return filenames, nil
  36. }
  37. func (m *Manager) ListCerts() ([]string, error) {
  38. certs, err := ioutil.ReadDir(m.CertStore)
  39. if err != nil {
  40. return []string{}, err
  41. }
  42. filenames := make([]string, 0, len(certs))
  43. for _, cert := range certs {
  44. if !cert.IsDir() {
  45. filenames = append(filenames, cert.Name())
  46. }
  47. }
  48. return filenames, nil
  49. }
  50. func (m *Manager) GetCert(helloInfo *tls.ClientHelloInfo) (*tls.Certificate, error) {
  51. //Check if the domain corrisponding cert exists
  52. pubKey := "./system/localhost.crt"
  53. priKey := "./system/localhost.key"
  54. if utils.FileExists(filepath.Join(m.CertStore, helloInfo.ServerName+".crt")) && utils.FileExists(filepath.Join(m.CertStore, helloInfo.ServerName+".key")) {
  55. pubKey = filepath.Join(m.CertStore, helloInfo.ServerName+".crt")
  56. priKey = filepath.Join(m.CertStore, helloInfo.ServerName+".key")
  57. } else {
  58. domainCerts, _ := m.ListCertDomains()
  59. cloestDomainCert := matchClosestDomainCertificate(helloInfo.ServerName, domainCerts)
  60. if cloestDomainCert != "" {
  61. //There is a matching parent domain for this subdomain. Use this instead.
  62. pubKey = filepath.Join(m.CertStore, cloestDomainCert+".crt")
  63. priKey = filepath.Join(m.CertStore, cloestDomainCert+".key")
  64. } else if m.DefaultCertExists() {
  65. //Use default.crt and default.key
  66. pubKey = filepath.Join(m.CertStore, "default.crt")
  67. priKey = filepath.Join(m.CertStore, "default.key")
  68. if m.verbal {
  69. log.Println("No matching certificate found. Serving with default")
  70. }
  71. } else {
  72. if m.verbal {
  73. log.Println("Matching certificate not found. Serving with default. Requesting server name: ", helloInfo.ServerName)
  74. }
  75. }
  76. }
  77. //Load the cert and serve it
  78. cer, err := tls.LoadX509KeyPair(pubKey, priKey)
  79. if err != nil {
  80. log.Println(err)
  81. return nil, nil
  82. }
  83. return &cer, nil
  84. }
  85. //Check if both the default cert public key and private key exists
  86. func (m *Manager) DefaultCertExists() bool {
  87. return utils.FileExists(filepath.Join(m.CertStore, "default.crt")) && utils.FileExists(filepath.Join(m.CertStore, "default.key"))
  88. }
  89. //Check if the default cert exists returning seperate results for pubkey and prikey
  90. func (m *Manager) DefaultCertExistsSep() (bool, bool) {
  91. return utils.FileExists(filepath.Join(m.CertStore, "default.crt")), utils.FileExists(filepath.Join(m.CertStore, "default.key"))
  92. }
  93. //Check if the given file is a valid TLS file
  94. func isValidTLSFile(file io.Reader) bool {
  95. // Read the contents of the uploaded file
  96. contents, err := io.ReadAll(file)
  97. if err != nil {
  98. // Handle the error
  99. return false
  100. }
  101. // Parse the contents of the file as a PEM-encoded certificate or key
  102. block, _ := pem.Decode(contents)
  103. if block == nil {
  104. // The file is not a valid PEM-encoded certificate or key
  105. return false
  106. }
  107. // Parse the certificate or key
  108. if strings.Contains(block.Type, "CERTIFICATE") {
  109. // The file contains a certificate
  110. cert, err := x509.ParseCertificate(block.Bytes)
  111. if err != nil {
  112. // Handle the error
  113. return false
  114. }
  115. // Check if the certificate is a valid TLS/SSL certificate
  116. return cert.IsCA == false && cert.KeyUsage&x509.KeyUsageDigitalSignature != 0 && cert.KeyUsage&x509.KeyUsageKeyEncipherment != 0
  117. } else if strings.Contains(block.Type, "PRIVATE KEY") {
  118. // The file contains a private key
  119. _, err := x509.ParsePKCS1PrivateKey(block.Bytes)
  120. if err != nil {
  121. // Handle the error
  122. return false
  123. }
  124. return true
  125. } else {
  126. return false
  127. }
  128. }