Moved self-signed certificate creation to NewGQLThread

graph-rework-2
noah metz 2023-07-21 01:21:53 -06:00
parent 2c1c75572e
commit 81e49b505b
2 changed files with 61 additions and 60 deletions

@ -25,6 +25,9 @@ import (
"crypto/rand" "crypto/rand"
"crypto/x509" "crypto/x509"
"crypto/tls" "crypto/tls"
"crypto/x509/pkix"
"math/big"
"encoding/pem"
) )
type AuthReqJSON struct { type AuthReqJSON struct {
@ -609,8 +612,8 @@ type GQLThread struct {
tcp_listener net.Listener tcp_listener net.Listener
http_server *http.Server http_server *http.Server
http_done *sync.WaitGroup http_done *sync.WaitGroup
ssl_key []byte tls_key []byte
ssl_cert []byte tls_cert []byte
Listen string Listen string
Users map[NodeID]*User Users map[NodeID]*User
Key *ecdsa.PrivateKey Key *ecdsa.PrivateKey
@ -641,8 +644,8 @@ type GQLThreadJSON struct {
Users []string `json:"users"` Users []string `json:"users"`
Key []byte `json:"key"` Key []byte `json:"key"`
ECDH uint8 `json:"ecdh_curve"` ECDH uint8 `json:"ecdh_curve"`
SSLKey []byte `json:"ssl_key"` TLSKey []byte `json:"ssl_key"`
SSLCert []byte `json:"ssl_cert"` TLSCert []byte `json:"ssl_cert"`
} }
var ecdsa_curves = map[uint8]elliptic.Curve{ var ecdsa_curves = map[uint8]elliptic.Curve{
@ -682,8 +685,8 @@ func NewGQLThreadJSON(thread *GQLThread) GQLThreadJSON {
Users: users, Users: users,
Key: ser_key, Key: ser_key,
ECDH: ecdh_curve_ids[thread.ECDH], ECDH: ecdh_curve_ids[thread.ECDH],
SSLKey: thread.ssl_key, TLSKey: thread.tls_key,
SSLCert: thread.ssl_cert, TLSCert: thread.tls_cert,
} }
} }
@ -704,7 +707,7 @@ func LoadGQLThread(ctx *Context, id NodeID, data []byte, nodes NodeMap) (Node, e
return nil, err return nil, err
} }
thread := NewGQLThread(id, j.Name, j.StateName, j.Listen, ecdh_curve, key, j.SSLCert, j.SSLKey) thread := NewGQLThread(id, j.Name, j.StateName, j.Listen, ecdh_curve, key, j.TLSCert, j.TLSKey)
thread.Users = map[NodeID]*User{} thread.Users = map[NodeID]*User{}
for _, id_str := range(j.Users) { for _, id_str := range(j.Users) {
id, err := ParseID(id_str) id, err := ParseID(id_str)
@ -727,7 +730,46 @@ func LoadGQLThread(ctx *Context, id NodeID, data []byte, nodes NodeMap) (Node, e
return &thread, nil return &thread, nil
} }
func NewGQLThread(id NodeID, name string, state_name string, listen string, ecdh_curve ecdh.Curve, key *ecdsa.PrivateKey, ssl_cert []byte, ssl_key []byte) GQLThread { func NewGQLThread(id NodeID, name string, state_name string, listen string, ecdh_curve ecdh.Curve, key *ecdsa.PrivateKey, tls_cert []byte, tls_key []byte) GQLThread {
if tls_cert == nil || tls_key == nil {
ssl_key, err := ecdsa.GenerateKey(key.Curve, rand.Reader)
if err != nil {
panic(err)
}
ssl_key_bytes, err := x509.MarshalECPrivateKey(ssl_key)
if err != nil {
panic(err)
}
ssl_key_pem := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: ssl_key_bytes})
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, _ := rand.Int(rand.Reader, serialNumberLimit)
notBefore := time.Now()
notAfter := notBefore.Add(365*24*time.Hour)
template := x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{
Organization: []string{"mekkanized"},
},
NotBefore: notBefore,
NotAfter: notAfter,
KeyUsage: x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
}
ssl_cert, err := x509.CreateCertificate(rand.Reader, &template, &template, &ssl_key.PublicKey, ssl_key)
if err != nil {
panic(err)
}
ssl_cert_pem := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ssl_cert})
tls_cert = ssl_cert_pem
tls_key = ssl_key_pem
}
return GQLThread{ return GQLThread{
SimpleThread: NewSimpleThread(id, name, state_name, reflect.TypeOf((*ParentThreadInfo)(nil)), gql_actions, gql_handlers), SimpleThread: NewSimpleThread(id, name, state_name, reflect.TypeOf((*ParentThreadInfo)(nil)), gql_actions, gql_handlers),
Listen: listen, Listen: listen,
@ -735,8 +777,8 @@ func NewGQLThread(id NodeID, name string, state_name string, listen string, ecdh
http_done: &sync.WaitGroup{}, http_done: &sync.WaitGroup{},
Key: key, Key: key,
ECDH: ecdh_curve, ECDH: ecdh_curve,
ssl_cert: ssl_cert, tls_cert: tls_cert,
ssl_key: ssl_key, tls_key: tls_key,
} }
} }
@ -782,29 +824,22 @@ var gql_actions ThreadActions = ThreadActions{
Handler: mux, Handler: mux,
} }
var listener net.Listener
l, err := net.Listen("tcp", http_server.Addr) l, err := net.Listen("tcp", http_server.Addr)
if err != nil { if err != nil {
return "", fmt.Errorf("Failed to start listener for server on %s", http_server.Addr) return "", fmt.Errorf("Failed to start listener for server on %s", http_server.Addr)
} }
listener = l
if server.ssl_cert != nil { cert, err := tls.X509KeyPair(server.tls_cert, server.tls_key)
ser, _ := json.Marshal(server.ssl_cert) if err != nil {
ctx.Log.Logf("gql", "SSL_CERT: %s", ser) return "", err
cert, err := tls.X509KeyPair(server.ssl_cert, server.ssl_key) }
if err != nil {
return "", err
}
config := tls.Config{
Certificates: []tls.Certificate{cert},
NextProtos: []string{"http/1.1"},
}
listener = tls.NewListener(l, &config) config := tls.Config{
Certificates: []tls.Certificate{cert},
NextProtos: []string{"http/1.1"},
} }
listener := tls.NewListener(l, &config)
server.http_done.Add(1) server.http_done.Add(1)
go func(server *GQLThread) { go func(server *GQLThread) {

@ -9,17 +9,13 @@ import (
"io" "io"
"fmt" "fmt"
"encoding/json" "encoding/json"
"encoding/pem"
"bytes" "bytes"
"crypto/rand" "crypto/rand"
"crypto/ecdh" "crypto/ecdh"
"crypto/ecdsa" "crypto/ecdsa"
"crypto/elliptic" "crypto/elliptic"
"crypto/x509"
"crypto/x509/pkix"
"crypto/tls" "crypto/tls"
"encoding/base64" "encoding/base64"
"math/big"
) )
func TestGQLThread(t * testing.T) { func TestGQLThread(t * testing.T) {
@ -160,37 +156,7 @@ func TestGQLAuth(t * testing.T) {
key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
fatalErr(t, err) fatalErr(t, err)
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) gql_t_r := NewGQLThread(RandID(), "GQL Thread", "init", ":0", ecdh.P256(), key, nil, nil)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
fatalErr(t, err)
notBefore := time.Now()
notAfter := notBefore.Add(365*24*time.Hour)
template := x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{
Organization: []string{"mekkanized"},
},
NotBefore: notBefore,
NotAfter: notAfter,
KeyUsage: x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
}
ssl_key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
fatalErr(t, err)
ssl_cert, err := x509.CreateCertificate(rand.Reader, &template, &template, &ssl_key.PublicKey, ssl_key)
fatalErr(t, err)
ssl_cert_bytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ssl_cert})
ssl_key_bytes, err := x509.MarshalECPrivateKey(ssl_key)
fatalErr(t, err)
ssl_key_pem := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: ssl_key_bytes})
gql_t_r := NewGQLThread(RandID(), "GQL Thread", "init", ":0", ecdh.P256(), key, ssl_cert_bytes, ssl_key_pem)
gql_t := &gql_t_r gql_t := &gql_t_r
done := make(chan error, 1) done := make(chan error, 1)