galene/webserver/certificate.go

package webserver

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"log"
	"math/big"
	"os"
	"path/filepath"
	"sync"
	"sync/atomic"
	"time"
)

type certInfo struct {
	certificate *tls.Certificate
	keyTime     time.Time
	certTime    time.Time
}

// certMu protects writing to certificate
var certMu sync.Mutex

// certificate holds our current certificate, of type certInfo
var certificate atomic.Value

// generateCertificate generates a self-signed certficate
func generateCertificate() (tls.Certificate, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, err
	}

	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
	now := time.Now()

	template := x509.Certificate{
		SerialNumber:          serialNumber,
		NotBefore:             now,
		NotAfter:              now.Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	bytes, err := x509.CreateCertificate(
		rand.Reader, &template, &template, &priv.PublicKey, priv,
	)
	if err != nil {
		return tls.Certificate{}, err
	}

	return tls.Certificate{
		Certificate: [][]byte{bytes},
		PrivateKey:  priv,
	}, nil
}

func modTime(filename string) time.Time {
	fi, err := os.Stat(filename)
	if err != nil {
		if !os.IsNotExist(err) {
			log.Printf("%v: %v", filename, err)
		}
		return time.Time{}
	}
	return fi.ModTime()
}

// loadCertificate returns the current certificate if it is still valid.
func loadCertificate(certFile string, certTime time.Time, keyFile string, keyTime time.Time) *certInfo {
	info, ok := certificate.Load().(*certInfo)
	if !ok {
		return nil
	}

	if !info.certTime.Equal(certTime) || !info.keyTime.Equal(keyTime) {
		return nil
	}

	return info
}

// storeCertificate returns the current certificate if it is still valid,
// and either reads or generates a new one otherwise.
func storeCertificate(certFile string, certTime time.Time, keyFile string, keyTime time.Time) (info *certInfo, err error) {
	certMu.Lock()
	defer certMu.Unlock()

	// the certificate may have been updated since we checked
	info = loadCertificate(certFile, certTime, keyFile, keyTime)
	if info != nil {
		return
	}

	var cert tls.Certificate
	nocert := certTime.Equal(time.Time{})
	nokey := keyTime.Equal(time.Time{})

	if nocert != nokey {
		err = errors.New("only one of cert.pem and key.pem exists")
		return
	} else if nokey {
		log.Printf("Generating self-signed certificate")
		cert, err = generateCertificate()
		if err != nil {
			return
		}
	} else {
		cert, err = tls.LoadX509KeyPair(certFile, keyFile)
		if err != nil {
			return
		}
	}
	info = &certInfo{
		certificate: &cert,
		certTime:    certTime,
		keyTime:     keyTime,
	}
	certificate.Store(info)
	return
}

func getCertificate(dataDir string) (*tls.Certificate, error) {
	certFile := filepath.Join(dataDir, "cert.pem")
	keyFile := filepath.Join(dataDir, "key.pem")
	certTime := modTime(certFile)
	keyTime := modTime(keyFile)

	info := loadCertificate(certFile, certTime, keyFile, keyTime)

	if info == nil {
		var err error
		info, err = storeCertificate(
			certFile, certTime, keyFile, keyTime,
		)
		if info == nil || err != nil {
			return nil, err
		}
	}
	return info.certificate, nil
}
Update TLS certificates, generate certificate if not found. We now notice that a TLS certificate on disk has changed, and we generate a self-signed certificate if none is found. 2021-02-24 20:01:48 +01:00			`package webserver`

			`import (`
			`"crypto/rand"`
			`"crypto/rsa"`
			`"crypto/tls"`
			`"crypto/x509"`
Fail the connection if only one of cert.pem and key.pem exists. 2021-02-24 22:23:38 +01:00			`"errors"`
Update TLS certificates, generate certificate if not found. We now notice that a TLS certificate on disk has changed, and we generate a self-signed certificate if none is found. 2021-02-24 20:01:48 +01:00			`"log"`
			`"math/big"`
			`"os"`
			`"path/filepath"`
Protect against simultaneous generation of certificates. 2021-02-26 12:38:18 +01:00			`"sync"`
Update TLS certificates, generate certificate if not found. We now notice that a TLS certificate on disk has changed, and we generate a self-signed certificate if none is found. 2021-02-24 20:01:48 +01:00			`"sync/atomic"`
			`"time"`
			`)`

			`type certInfo struct {`
			`certificate *tls.Certificate`
			`keyTime time.Time`
			`certTime time.Time`
			`}`

Protect against simultaneous generation of certificates. 2021-02-26 12:38:18 +01:00			`// certMu protects writing to certificate`
			`var certMu sync.Mutex`

			`// certificate holds our current certificate, of type certInfo`
Update TLS certificates, generate certificate if not found. We now notice that a TLS certificate on disk has changed, and we generate a self-signed certificate if none is found. 2021-02-24 20:01:48 +01:00			`var certificate atomic.Value`

Protect against simultaneous generation of certificates. 2021-02-26 12:38:18 +01:00			`// generateCertificate generates a self-signed certficate`
			`func generateCertificate() (tls.Certificate, error) {`
Update TLS certificates, generate certificate if not found. We now notice that a TLS certificate on disk has changed, and we generate a self-signed certificate if none is found. 2021-02-24 20:01:48 +01:00			`priv, err := rsa.GenerateKey(rand.Reader, 2048)`
			`if err != nil {`
			`return tls.Certificate{}, err`
			`}`

			`serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)`
			`serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)`
			`now := time.Now()`

			`template := x509.Certificate{`
			`SerialNumber: serialNumber,`
			`NotBefore: now,`
			`NotAfter: now.Add(365 * 24 * time.Hour),`
			`KeyUsage: x509.KeyUsageKeyEncipherment \| x509.KeyUsageDigitalSignature,`
			`ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},`
			`BasicConstraintsValid: true,`
			`}`
			`bytes, err := x509.CreateCertificate(`
			`rand.Reader, &template, &template, &priv.PublicKey, priv,`
			`)`
			`if err != nil {`
			`return tls.Certificate{}, err`
			`}`

			`return tls.Certificate{`
			`Certificate: [][]byte{bytes},`
			`PrivateKey: priv,`
			`}, nil`
			`}`

Protect against simultaneous generation of certificates. 2021-02-26 12:38:18 +01:00			`func modTime(filename string) time.Time {`
Update TLS certificates, generate certificate if not found. We now notice that a TLS certificate on disk has changed, and we generate a self-signed certificate if none is found. 2021-02-24 20:01:48 +01:00			`fi, err := os.Stat(filename)`
			`if err != nil {`
			`if !os.IsNotExist(err) {`
			`log.Printf("%v: %v", filename, err)`
			`}`
			`return time.Time{}`
			`}`
			`return fi.ModTime()`
			`}`

Protect against simultaneous generation of certificates. 2021-02-26 12:38:18 +01:00			`// loadCertificate returns the current certificate if it is still valid.`
			`func loadCertificate(certFile string, certTime time.Time, keyFile string, keyTime time.Time) *certInfo {`
Update TLS certificates, generate certificate if not found. We now notice that a TLS certificate on disk has changed, and we generate a self-signed certificate if none is found. 2021-02-24 20:01:48 +01:00			`info, ok := certificate.Load().(*certInfo)`
Protect against simultaneous generation of certificates. 2021-02-26 12:38:18 +01:00			`if !ok {`
			`return nil`
			`}`

			`if !info.certTime.Equal(certTime) \|\| !info.keyTime.Equal(keyTime) {`
			`return nil`
			`}`

			`return info`
			`}`

			`// storeCertificate returns the current certificate if it is still valid,`
			`// and either reads or generates a new one otherwise.`
			`func storeCertificate(certFile string, certTime time.Time, keyFile string, keyTime time.Time) (info *certInfo, err error) {`
			`certMu.Lock()`
			`defer certMu.Unlock()`

			`// the certificate may have been updated since we checked`
			`info = loadCertificate(certFile, certTime, keyFile, keyTime)`
			`if info != nil {`
			`return`
			`}`

			`var cert tls.Certificate`
			`nocert := certTime.Equal(time.Time{})`
			`nokey := keyTime.Equal(time.Time{})`
Update TLS certificates, generate certificate if not found. We now notice that a TLS certificate on disk has changed, and we generate a self-signed certificate if none is found. 2021-02-24 20:01:48 +01:00
Protect against simultaneous generation of certificates. 2021-02-26 12:38:18 +01:00			`if nocert != nokey {`
			`err = errors.New("only one of cert.pem and key.pem exists")`
			`return`
			`} else if nokey {`
			`log.Printf("Generating self-signed certificate")`
			`cert, err = generateCertificate()`
			`if err != nil {`
			`return`
			`}`
			`} else {`
			`cert, err = tls.LoadX509KeyPair(certFile, keyFile)`
			`if err != nil {`
			`return`
			`}`
			`}`
			`info = &certInfo{`
			`certificate: &cert,`
			`certTime: certTime,`
			`keyTime: keyTime,`
			`}`
			`certificate.Store(info)`
			`return`
			`}`

			`func getCertificate(dataDir string) (*tls.Certificate, error) {`
Update TLS certificates, generate certificate if not found. We now notice that a TLS certificate on disk has changed, and we generate a self-signed certificate if none is found. 2021-02-24 20:01:48 +01:00			`certFile := filepath.Join(dataDir, "cert.pem")`
			`keyFile := filepath.Join(dataDir, "key.pem")`
Protect against simultaneous generation of certificates. 2021-02-26 12:38:18 +01:00			`certTime := modTime(certFile)`
			`keyTime := modTime(keyFile)`

			`info := loadCertificate(certFile, certTime, keyFile, keyTime)`

			`if info == nil {`
			`var err error`
			`info, err = storeCertificate(`
			`certFile, certTime, keyFile, keyTime,`
			`)`
			`if info == nil \|\| err != nil {`
			`return nil, err`
Update TLS certificates, generate certificate if not found. We now notice that a TLS certificate on disk has changed, and we generate a self-signed certificate if none is found. 2021-02-24 20:01:48 +01:00			`}`
			`}`
			`return info.certificate, nil`
			`}`