1
Fork 0
mirror of https://github.com/jech/galene.git synced 2024-11-22 16:45:58 +01:00
galene/webserver/certificate.go
2021-02-26 12:38:18 +01:00

145 lines
3.3 KiB
Go

package webserver
import (
"crypto/rand"
"crypto/rsa"
"crypto/tls"
"crypto/x509"
"errors"
"log"
"math/big"
"os"
"path/filepath"
"sync"
"sync/atomic"
"time"
)
type certInfo struct {
certificate *tls.Certificate
keyTime time.Time
certTime time.Time
}
// certMu protects writing to certificate
var certMu sync.Mutex
// certificate holds our current certificate, of type certInfo
var certificate atomic.Value
// generateCertificate generates a self-signed certficate
func generateCertificate() (tls.Certificate, error) {
priv, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
return tls.Certificate{}, err
}
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
now := time.Now()
template := x509.Certificate{
SerialNumber: serialNumber,
NotBefore: now,
NotAfter: now.Add(365 * 24 * time.Hour),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
}
bytes, err := x509.CreateCertificate(
rand.Reader, &template, &template, &priv.PublicKey, priv,
)
if err != nil {
return tls.Certificate{}, err
}
return tls.Certificate{
Certificate: [][]byte{bytes},
PrivateKey: priv,
}, nil
}
func modTime(filename string) time.Time {
fi, err := os.Stat(filename)
if err != nil {
if !os.IsNotExist(err) {
log.Printf("%v: %v", filename, err)
}
return time.Time{}
}
return fi.ModTime()
}
// loadCertificate returns the current certificate if it is still valid.
func loadCertificate(certFile string, certTime time.Time, keyFile string, keyTime time.Time) *certInfo {
info, ok := certificate.Load().(*certInfo)
if !ok {
return nil
}
if !info.certTime.Equal(certTime) || !info.keyTime.Equal(keyTime) {
return nil
}
return info
}
// storeCertificate returns the current certificate if it is still valid,
// and either reads or generates a new one otherwise.
func storeCertificate(certFile string, certTime time.Time, keyFile string, keyTime time.Time) (info *certInfo, err error) {
certMu.Lock()
defer certMu.Unlock()
// the certificate may have been updated since we checked
info = loadCertificate(certFile, certTime, keyFile, keyTime)
if info != nil {
return
}
var cert tls.Certificate
nocert := certTime.Equal(time.Time{})
nokey := keyTime.Equal(time.Time{})
if nocert != nokey {
err = errors.New("only one of cert.pem and key.pem exists")
return
} else if nokey {
log.Printf("Generating self-signed certificate")
cert, err = generateCertificate()
if err != nil {
return
}
} else {
cert, err = tls.LoadX509KeyPair(certFile, keyFile)
if err != nil {
return
}
}
info = &certInfo{
certificate: &cert,
certTime: certTime,
keyTime: keyTime,
}
certificate.Store(info)
return
}
func getCertificate(dataDir string) (*tls.Certificate, error) {
certFile := filepath.Join(dataDir, "cert.pem")
keyFile := filepath.Join(dataDir, "key.pem")
certTime := modTime(certFile)
keyTime := modTime(keyFile)
info := loadCertificate(certFile, certTime, keyFile, keyTime)
if info == nil {
var err error
info, err = storeCertificate(
certFile, certTime, keyFile, keyTime,
)
if info == nil || err != nil {
return nil, err
}
}
return info.certificate, nil
}