micro/mtls/mtls.go

package mtls // import "go.unistack.org/micro/v3/mtls"

import (
	"bytes"
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"sync"
)

var bp = newBPool()

type bpool struct {
	pool sync.Pool
}

func newBPool() *bpool {
	var bp bpool
	bp.pool.New = alloc
	return &bp
}

func alloc() interface{} {
	return &bytes.Buffer{}
}

func (bp *bpool) Get() *bytes.Buffer {
	return bp.pool.Get().(*bytes.Buffer)
}

func (bp *bpool) Put(buf *bytes.Buffer) {
	buf.Reset()
	bp.pool.Put(buf)
}

// NewCA creates new CA keypair
func NewCA(opts ...CertificateOption) ([]byte, crypto.PrivateKey, error) {
	options := NewCertificateOptions(opts...)

	crtreq := &x509.CertificateRequest{
		Subject: pkix.Name{
			Organization:       options.Organization,
			OrganizationalUnit: options.OrganizationalUnit,
			CommonName:         options.CommonName,
		},
		SignatureAlgorithm: options.SignatureAlgorithm,
	}

	pemcsr, pemkey, err := newCsr(crtreq)
	if err != nil {
		return nil, nil, err
	}

	pemcrt, err := SignCSR(pemcsr, nil, pemkey, opts...)
	if err != nil {
		return nil, nil, err
	}

	return pemcrt, pemkey, nil
}

func NewIntermediate(cacrt *x509.Certificate, cakey crypto.PrivateKey, opts ...CertificateOption) ([]byte, crypto.PrivateKey, error) {
	options := &CertificateOptions{}
	for _, o := range opts {
		o(options)
	}

	crtreq := &x509.CertificateRequest{
		Subject: pkix.Name{
			Organization:       options.Organization,
			OrganizationalUnit: options.OrganizationalUnit,
			CommonName:         options.CommonName,
		},
		SignatureAlgorithm: options.SignatureAlgorithm,
	}

	pemcsr, pemkey, err := newCsr(crtreq)
	if err != nil {
		return nil, nil, err
	}

	pemcrt, err := SignCSR(pemcsr, cacrt, cakey)
	if err != nil {
		return nil, nil, err
	}

	return pemcrt, pemkey, nil
}

// SignCSR sign certificate request and return signed pubkey
func SignCSR(rawcsr []byte, cacrt *x509.Certificate, cakey crypto.PrivateKey, opts ...CertificateOption) ([]byte, error) {
	if cacrt == nil {
		opts = append(opts, CertificateIsCA(true))
	}

	options := NewCertificateOptions(opts...)

	csr, err := x509.ParseCertificateRequest(rawcsr)
	if err == nil {
		err = csr.CheckSignature()
	}
	if err != nil {
		return nil, err
	}

	tpl := &x509.Certificate{
		Signature:             csr.Signature,
		SignatureAlgorithm:    csr.SignatureAlgorithm,
		PublicKeyAlgorithm:    csr.PublicKeyAlgorithm,
		PublicKey:             csr.PublicKey,
		SerialNumber:          options.SerialNumber,
		OCSPServer:            options.OCSPServer,
		IssuingCertificateURL: options.IssuingCertificateURL,
		Subject:               csr.Subject,
		NotBefore:             options.NotBefore,
		NotAfter:              options.NotAfter,
		KeyUsage:              options.KeyUsage,
		ExtKeyUsage:           options.ExtKeyUsage,
		BasicConstraintsValid: true,
		IsCA:                  options.IsCA,
	}

	if options.IsCA {
		cacrt = tpl
	} else {
		tpl.Issuer = cacrt.Subject
	}

	crt, err := x509.CreateCertificate(rand.Reader, tpl, cacrt, csr.PublicKey, cakey)
	if err != nil {
		return nil, err
	}

	return crt, nil
}

// NewCertificateRequest create new certificate signing request and return key, csr in byte slice and err
func NewCertificateRequest(opts ...CertificateOption) ([]byte, crypto.PrivateKey, error) {
	options := NewCertificateOptions(opts...)

	crtreq := &x509.CertificateRequest{
		Subject: pkix.Name{
			Organization:       options.Organization,
			OrganizationalUnit: options.OrganizationalUnit,
			CommonName:         options.CommonName,
		},
		SignatureAlgorithm: options.SignatureAlgorithm,
	}

	return newCsr(crtreq)
}

// newCsr returns CSR and private key
func newCsr(crtreq *x509.CertificateRequest) ([]byte, crypto.PrivateKey, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.CreateCertificateRequest(rand.Reader, crtreq, key)
	if err != nil {
		return nil, nil, err
	}
	return csr, key, nil
}

// ServerOptions holds server specific options
type ServerOptions struct {
	ServerName string
	RootCAs    []string
	ClientCAs  []string
}

// ServerOption func signature
type ServerOption func(*ServerOptions)

func NewServerConfig(src *tls.Config) *tls.Config {
	dst := src.Clone()
	// dst.InsecureSkipVerify = true
	dst.MinVersion = tls.VersionTLS13
	dst.ClientAuth = tls.VerifyClientCertIfGiven
	return dst
}

func DecodeCrtKey(rawcrt []byte, rawkey []byte) (*x509.Certificate, crypto.PrivateKey, error) {
	var crt *x509.Certificate
	var key crypto.PrivateKey
	var err error

	crt, err = DecodeCrt(rawcrt)
	if err == nil {
		key, err = DecodeKey(rawkey)
	}

	if err != nil {
		return nil, nil, err
	}

	return crt, key, nil
}

func DecodeCrt(rawcrt []byte) (*x509.Certificate, error) {
	pemcrt, _ := pem.Decode(rawcrt)
	return x509.ParseCertificate(pemcrt.Bytes)
}

func EncodeCrt(crts ...*x509.Certificate) ([]byte, error) {
	var err error
	buf := bp.Get()
	defer bp.Put(buf)
	for _, crt := range crts {
		if err = pem.Encode(buf, &pem.Block{Type: "CERTIFICATE", Bytes: crt.Raw}); err != nil {
			return nil, err
		}
	}
	return buf.Bytes(), nil
}

func EncodeCsr(csr *x509.Certificate) ([]byte, error) {
	buf := bp.Get()
	defer bp.Put(buf)
	if err := pem.Encode(buf, &pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csr.Raw}); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func DecodeKey(rawkey []byte) (crypto.PrivateKey, error) {
	pemkey, _ := pem.Decode(rawkey)
	return x509.ParsePKCS8PrivateKey(pemkey.Bytes)
}

func EncodeKey(privkey crypto.PrivateKey) ([]byte, error) {
	buf := bp.Get()
	defer bp.Put(buf)
	enckey, err := x509.MarshalPKCS8PrivateKey(privkey)
	if err == nil {
		err = pem.Encode(buf, &pem.Block{Type: "PRIVATE KEY", Bytes: enckey})
	}
	if err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}