From b6c4c63fb4aeeb86e9401ccbd4a3fd6d0bc290e8 Mon Sep 17 00:00:00 2001
From: 6543 <6543@obermui.de>
Date: Sun, 5 Dec 2021 15:25:12 +0100
Subject: [PATCH] own file
---
 server/certificates/certificates.go | 70 ------------------------
 server/certificates/mock.go | 84 +++++++++++++++++++++++++++++
 2 files changed, 84 insertions(+), 70 deletions(-)
 create mode 100644 server/certificates/mock.go
diff --git a/server/certificates/certificates.go b/server/certificates/certificates.go
index b63ed0e..afaa4f0 100644
--- a/server/certificates/certificates.go
+++ b/server/certificates/certificates.go
@@ -6,17 +6,13 @@ import (
 "crypto/ecdsa"
 "crypto/elliptic"
 "crypto/rand"
- "crypto/rsa"
 "crypto/tls"
 "crypto/x509"
- "crypto/x509/pkix"
 "encoding/gob"
 "encoding/json"
- "encoding/pem"
 "errors"
 "io/ioutil"
 "log"
- "math/big"
 "os"
 "strconv"
 "strings"
@@ -335,72 +331,6 @@ func obtainCert(acmeClient *lego.Client, domains []string, renew *certificate.Re
 return tlsCertificate, nil
 }
 
-func mockCert(domain, msg, mainDomainSuffix string, keyDatabase database.KeyDB) tls.Certificate {
- key, err := certcrypto.GeneratePrivateKey(certcrypto.RSA2048)
- if err != nil {
- panic(err)
- }
-
- template := x509.Certificate{
- SerialNumber: big.NewInt(1),
- Subject: pkix.Name{
- CommonName: domain,
- Organization: []string{"Codeberg Pages Error Certificate (couldn't obtain ACME certificate)"},
- OrganizationalUnit: []string{
- "Will not try again for 6 hours to avoid hitting rate limits for your domain.",
- "Check https://docs.codeberg.org/codeberg-pages/troubleshooting/ for troubleshooting tips, and feel " +
- "free to create an issue at https://codeberg.org/Codeberg/pages-server if you can't solve it.\n",
- "Error message: " + msg,
- },
- },
-
- // certificates younger than 7 days are renewed, so this enforces the cert to not be renewed for a 6 hours
- NotAfter: time.Now().Add(time.Hour*24*7 + time.Hour*6),
- NotBefore: time.Now(),
-
- KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
- ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
- BasicConstraintsValid: true,
- }
- certBytes, err := x509.CreateCertificate(
- rand.Reader,
- &template,
- &template,
- &key.(*rsa.PrivateKey).PublicKey,
- key,
- )
- if err != nil {
- panic(err)
- }
-
- out := &bytes.Buffer{}
- err = pem.Encode(out, &pem.Block{
- Bytes: certBytes,
- Type: "CERTIFICATE",
- })
- if err != nil {
- panic(err)
- }
- outBytes := out.Bytes()
- res := &certificate.Resource{
- PrivateKey: certcrypto.PEMEncode(key),
- Certificate: outBytes,
- IssuerCertificate: outBytes,
- Domain: domain,
- }
- databaseName := domain
- if domain == "*"+mainDomainSuffix || domain == mainDomainSuffix[1:] {
- databaseName = mainDomainSuffix
- }
- database.PogrebPut(keyDatabase, []byte(databaseName), res)
-
- tlsCertificate, err := tls.X509KeyPair(res.Certificate, res.PrivateKey)
- if err != nil {
- panic(err)
- }
- return tlsCertificate
-}
-
 func SetupCertificates(mainDomainSuffix []byte, acmeAPI, acmeMail, acmeEabHmac, acmeEabKID, dnsProvider string, acmeUseRateLimits, acmeAcceptTerms, enableHTTPServer bool, challengeCache cache.SetGetKey, keyDatabase database.KeyDB) {
 // getting main cert before ACME account so that we can panic here on database failure without hitting rate limits
 mainCertBytes, err := keyDatabase.Get(mainDomainSuffix)
diff --git a/server/certificates/mock.go b/server/certificates/mock.go
new file mode 100644
index 0000000..19adb92
--- /dev/null
+++ b/server/certificates/mock.go
@@ -0,0 +1,84 @@
+package certificates
+
+import (
+ "bytes"
+ "crypto/rand"
+ "crypto/rsa"
+ "crypto/tls"
+ "crypto/x509"
+ "crypto/x509/pkix"
+ "encoding/pem"
+ "math/big"
+ "time"
+
+ "github.com/go-acme/lego/v4/certcrypto"
+ "github.com/go-acme/lego/v4/certificate"
+
+ "codeberg.org/codeberg/pages/server/database"
+)
+
+func mockCert(domain, msg, mainDomainSuffix string, keyDatabase database.KeyDB) tls.Certificate {
+ key, err := certcrypto.GeneratePrivateKey(certcrypto.RSA2048)
+ if err != nil {
+ panic(err)
+ }
+
+ template := x509.Certificate{
+ SerialNumber: big.NewInt(1),
+ Subject: pkix.Name{
+ CommonName: domain,
+ Organization: []string{"Codeberg Pages Error Certificate (couldn't obtain ACME certificate)"},
+ OrganizationalUnit: []string{
+ "Will not try again for 6 hours to avoid hitting rate limits for your domain.",
+ "Check https://docs.codeberg.org/codeberg-pages/troubleshooting/ for troubleshooting tips, and feel " +
+ "free to create an issue at https://codeberg.org/Codeberg/pages-server if you can't solve it.\n",
+ "Error message: " + msg,
+ },
+ },
+
+ // certificates younger than 7 days are renewed, so this enforces the cert to not be renewed for a 6 hours
+ NotAfter: time.Now().Add(time.Hour*24*7 + time.Hour*6),
+ NotBefore: time.Now(),
+
+ KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+ ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+ BasicConstraintsValid: true,
+ }
+ certBytes, err := x509.CreateCertificate(
+ rand.Reader,
+ &template,
+ &template,
+ &key.(*rsa.PrivateKey).PublicKey,
+ key,
+ )
+ if err != nil {
+ panic(err)
+ }
+
+ out := &bytes.Buffer{}
+ err = pem.Encode(out, &pem.Block{
+ Bytes: certBytes,
+ Type: "CERTIFICATE",
+ })
+ if err != nil {
+ panic(err)
+ }
+ outBytes := out.Bytes()
+ res := &certificate.Resource{
+ PrivateKey: certcrypto.PEMEncode(key),
+ Certificate: outBytes,
+ IssuerCertificate: outBytes,
+ Domain: domain,
+ }
+ databaseName := domain
+ if domain == "*"+mainDomainSuffix || domain == mainDomainSuffix[1:] {
+ databaseName = mainDomainSuffix
+ }
+ database.PogrebPut(keyDatabase, []byte(databaseName), res)
+
+ tlsCertificate, err := tls.X509KeyPair(res.Certificate, res.PrivateKey)
+ if err != nil {
+ panic(err)
+ }
+ return tlsCertificate
+}