wilderjds
/
peroxide
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

bridge: Remove the X509 generation and management code

Browse Source 
Issue #6
create-reload-action
Lukasz Janyst 4 years ago
parent c81cfd0d57
commit 0576dcddff
No known key found for this signature in database
GPG Key ID: 32DE641041F17A9A
8 changed files with 29 additions and 374 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 10
      pkg/bridge/bridge.go
  2. 50
      pkg/bridge/utils.go
  3. 6
      pkg/config/settings/settings.go
  4. 53
      pkg/config/tls/cert_store_darwin.go
  5. 26
      pkg/config/tls/cert_store_linux.go
  6. 26
      pkg/config/tls/cert_store_windows.go
  7. 155
      pkg/config/tls/tls.go
  8. 77
      pkg/config/tls/tls_test.go

10
pkg/bridge/bridge.go
Unescape View File

@ -28,7 +28,6 @@ import (
cacheCfg "github.com/ljanyst/peroxide/pkg/config/cache" cacheCfg "github.com/ljanyst/peroxide/pkg/config/cache"
"github.com/ljanyst/peroxide/pkg/config/settings" "github.com/ljanyst/peroxide/pkg/config/settings"
"github.com/ljanyst/peroxide/pkg/config/tls"
"github.com/ljanyst/peroxide/pkg/cookies" "github.com/ljanyst/peroxide/pkg/cookies"
"github.com/ljanyst/peroxide/pkg/events" "github.com/ljanyst/peroxide/pkg/events"
"github.com/ljanyst/peroxide/pkg/imap" "github.com/ljanyst/peroxide/pkg/imap"
@ -52,7 +51,7 @@ var ErrLocalCacheUnavailable = errors.New("local cache is unavailable")
type Bridge struct { type Bridge struct {
Users *users.Users Users *users.Users
settings SettingsProvider settings *settings.Settings
clientManager pmapi.Manager clientManager pmapi.Manager
cacheProvider *cacheCfg.Cache cacheProvider *cacheCfg.Cache
cache cache.Cache cache cache.Cache
@ -133,9 +132,10 @@ func (b *Bridge) Configure(configFile string) error {
} }
func (b *Bridge) Run() error { func (b *Bridge) Run() error {
tlsCfg := tls.New(b.settings.Get(settings.TLSDir)) tlsConfig, err := loadTlsConfig(
b.settings.Get(settings.X509Cert),
tlsConfig, err := loadTLSConfig(tlsCfg) b.settings.Get(settings.X509Key),
)
if err != nil { if err != nil {
return err return err
} }

50
pkg/bridge/utils.go
Unescape View File

@ -20,14 +20,14 @@ package bridge
import ( import (
"crypto/tls" "crypto/tls"
"crypto/x509"
"time"
cfgCache "github.com/ljanyst/peroxide/pkg/config/cache" cfgCache "github.com/ljanyst/peroxide/pkg/config/cache"
"github.com/ljanyst/peroxide/pkg/config/settings" "github.com/ljanyst/peroxide/pkg/config/settings"
pkgTLS "github.com/ljanyst/peroxide/pkg/config/tls"
"github.com/ljanyst/peroxide/pkg/store" "github.com/ljanyst/peroxide/pkg/store"
"github.com/ljanyst/peroxide/pkg/store/cache" "github.com/ljanyst/peroxide/pkg/store/cache"
"github.com/pkg/errors" "github.com/pkg/errors"
"github.com/sirupsen/logrus"
) )
const ( const (
@ -36,42 +36,32 @@ const (
inMemoryCacheLimnit = 100 * (1 << 20) inMemoryCacheLimnit = 100 * (1 << 20)
) )
func loadTLSConfig(cfg *pkgTLS.TLS) (*tls.Config, error) { // GetConfig tries to load TLS config or generate new one which is then returned.
if !cfg.HasCerts() { func loadTlsConfig(certPath, keyPath string) (*tls.Config, error) {
if err := generateTLSCerts(cfg); err != nil { c, err := tls.LoadX509KeyPair(certPath, keyPath)
return nil, err if err != nil {
} return nil, errors.Wrap(err, "Failed to load cert and key")
}
tlsConfig, err := cfg.GetConfig()
if err == nil {
return tlsConfig, nil
}
logrus.WithError(err).Error("Failed to load TLS config, regenerating certificates")
if err := generateTLSCerts(cfg); err != nil {
return nil, err
} }
return cfg.GetConfig() c.Leaf, err = x509.ParseCertificate(c.Certificate[0])
}
func generateTLSCerts(cfg *pkgTLS.TLS) error {
template, err := pkgTLS.NewTLSTemplate()
if err != nil { if err != nil {
return errors.Wrap(err, "failed to generate TLS template") return nil, errors.Wrap(err, "Failed to parse the certificate")
} }
if err := cfg.GenerateCerts(template); err != nil { if time.Now().Add(31 * 24 * time.Hour).After(c.Leaf.NotAfter) {
return errors.Wrap(err, "failed to generate TLS certs") return nil, errors.Wrap(err, "The X509 certificate is about to expire")
} }
if err := cfg.InstallCerts(); err != nil { caCertPool := x509.NewCertPool()
return errors.Wrap(err, "failed to install TLS certs") caCertPool.AddCert(c.Leaf)
}
return nil return &tls.Config{
Certificates: []tls.Certificate{c},
ServerName: c.Leaf.Subject.CommonName,
ClientAuth: tls.VerifyClientCertIfGiven,
RootCAs: caCertPool,
ClientCAs: caCertPool,
}, nil
} }
// loadMessageCache loads local cache in case it is enabled in settings and available. // loadMessageCache loads local cache in case it is enabled in settings and available.

6
pkg/config/settings/settings.go
Unescape View File

@ -38,7 +38,8 @@ const (
FetchWorkers = "FetchWorkers" FetchWorkers = "FetchWorkers"
AttachmentWorkers = "AttachmentWorkers" AttachmentWorkers = "AttachmentWorkers"
CacheDir = "CacheDir" CacheDir = "CacheDir"
TLSDir = "TlsDir" X509Key = "X509Key"
X509Cert = "X509Cert"
CookieJar = "CookieJar" CookieJar = "CookieJar"
) )
@ -81,6 +82,7 @@ func (s *Settings) setDefaultValues() {
s.setDefault(SMTPPortKey, DefaultSMTPPort) s.setDefault(SMTPPortKey, DefaultSMTPPort)
s.setDefault(CacheDir, filepath.Join(s.settingsDir, "cache")) s.setDefault(CacheDir, filepath.Join(s.settingsDir, "cache"))
s.setDefault(TLSDir, s.settingsDir) s.setDefault(X509Key, filepath.Join(s.settingsDir, "key.pem"))
s.setDefault(X509Cert, filepath.Join(s.settingsDir, "cert.pem"))
s.setDefault(CookieJar, filepath.Join(s.settingsDir, "cookies.json")) s.setDefault(CookieJar, filepath.Join(s.settingsDir, "cookies.json"))
} }

53
pkg/config/tls/cert_store_darwin.go
Unescape View File

@ -1,53 +0,0 @@
// Copyright (c) 2022 Proton Technologies AG
//
// This file is part of ProtonMail Bridge.
//
// ProtonMail Bridge is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// ProtonMail Bridge is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with ProtonMail Bridge. If not, see <https://www.gnu.org/licenses/>.
package tls
import "os/exec"
func addTrustedCert(certPath string) error {
return exec.Command( // nolint[gosec]
"/usr/bin/security",
"execute-with-privileges",
"/usr/bin/security",
"add-trusted-cert",
"-d",
"-r", "trustRoot",
"-p", "ssl",
"-k", "/Library/Keychains/System.keychain",
certPath,
).Run()
}
func removeTrustedCert(certPath string) error {
return exec.Command( // nolint[gosec]
"/usr/bin/security",
"execute-with-privileges",
"/usr/bin/security",
"remove-trusted-cert",
"-d",
certPath,
).Run()
}
func (t *TLS) InstallCerts() error {
return addTrustedCert(t.getTLSCertPath())
}
func (t *TLS) UninstallCerts() error {
return removeTrustedCert(t.getTLSCertPath())
}

26
pkg/config/tls/cert_store_linux.go
Unescape View File

@ -1,26 +0,0 @@
// Copyright (c) 2022 Proton Technologies AG
//
// This file is part of ProtonMail Bridge.
//
// ProtonMail Bridge is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// ProtonMail Bridge is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with ProtonMail Bridge. If not, see <https://www.gnu.org/licenses/>.
package tls
func (t *TLS) InstallCerts() error {
return nil // Linux doesn't have a root cert store.
}
func (t *TLS) UninstallCerts() error {
return nil // Linux doesn't have a root cert store.
}

26
pkg/config/tls/cert_store_windows.go
Unescape View File

@ -1,26 +0,0 @@
// Copyright (c) 2022 Proton Technologies AG
//
// This file is part of ProtonMail Bridge.
//
// ProtonMail Bridge is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// ProtonMail Bridge is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with ProtonMail Bridge. If not, see <https://www.gnu.org/licenses/>.
package tls
func (t *TLS) InstallCerts() error {
return nil // NOTE(GODT-986): Install certs to root cert store?
}
func (t *TLS) UninstallCerts() error {
return nil // NOTE(GODT-986): Uninstall certs from root cert store?
}

155
pkg/config/tls/tls.go
Unescape View File

@ -1,155 +0,0 @@
// Copyright (c) 2022 Proton Technologies AG
//
// This file is part of ProtonMail Bridge.
//
// ProtonMail Bridge is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// ProtonMail Bridge is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with ProtonMail Bridge. If not, see <https://www.gnu.org/licenses/>.
package tls
import (
"crypto/rand"
"crypto/rsa"
"crypto/tls"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"fmt"
"math/big"
"net"
"os"
"path/filepath"
"time"
"github.com/pkg/errors"
)
type TLS struct {
settingsPath string
}
func New(settingsPath string) *TLS {
return &TLS{
settingsPath: settingsPath,
}
}
// NewTLSTemplate creates a new TLS template certificate with a random serial number.
func NewTLSTemplate() (*x509.Certificate, error) {
serialNumber, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
if err != nil {
return nil, errors.Wrap(err, "failed to generate serial number")
}
return &x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{
Country: []string{"CH"},
Organization: []string{"Proton Technologies AG"},
OrganizationalUnit: []string{"ProtonMail"},
CommonName: "127.0.0.1",
},
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
BasicConstraintsValid: true,
IsCA: true,
IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
NotBefore: time.Now(),
NotAfter: time.Now().Add(20 * 365 * 24 * time.Hour),
}, nil
}
var ErrTLSCertExpiresSoon = fmt.Errorf("TLS certificate will expire soon")
// getTLSCertPath returns path to certificate; used for TLS servers (IMAP, SMTP).
func (t *TLS) getTLSCertPath() string {
return filepath.Join(t.settingsPath, "cert.pem")
}
// getTLSKeyPath returns path to private key; used for TLS servers (IMAP, SMTP).
func (t *TLS) getTLSKeyPath() string {
return filepath.Join(t.settingsPath, "key.pem")
}
// HasCerts returns whether TLS certs have been generated.
func (t *TLS) HasCerts() bool {
if _, err := os.Stat(t.getTLSCertPath()); err != nil {
return false
}
if _, err := os.Stat(t.getTLSKeyPath()); err != nil {
return false
}
return true
}
// GenerateCerts generates certs from the given template.
func (t *TLS) GenerateCerts(template *x509.Certificate) error {
priv, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
return errors.Wrap(err, "failed to generate private key")
}
derBytes, err := x509.CreateCertificate(rand.Reader, template, template, &priv.PublicKey, priv)
if err != nil {
return errors.Wrap(err, "failed to create certificate")
}
certOut, err := os.Create(t.getTLSCertPath())
if err != nil {
return err
}
defer certOut.Close() // nolint[errcheck]
if err := pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}); err != nil {
return err
}
keyOut, err := os.OpenFile(t.getTLSKeyPath(), os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
if err != nil {
return err
}
defer keyOut.Close() // nolint[errcheck]
return pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
}
// GetConfig tries to load TLS config or generate new one which is then returned.
func (t *TLS) GetConfig() (*tls.Config, error) {
c, err := tls.LoadX509KeyPair(t.getTLSCertPath(), t.getTLSKeyPath())
if err != nil {
return nil, errors.Wrap(err, "failed to load keypair")
}
c.Leaf, err = x509.ParseCertificate(c.Certificate[0])
if err != nil {
return nil, errors.Wrap(err, "failed to parse certificate")
}
if time.Now().Add(31 * 24 * time.Hour).After(c.Leaf.NotAfter) {
return nil, ErrTLSCertExpiresSoon
}
caCertPool := x509.NewCertPool()
caCertPool.AddCert(c.Leaf)
// nolint[gosec]: We need to support older TLS versions for AppleMail and Outlook.
return &tls.Config{
Certificates: []tls.Certificate{c},
ServerName: "127.0.0.1",
ClientAuth: tls.VerifyClientCertIfGiven,
RootCAs: caCertPool,
ClientCAs: caCertPool,
}, nil
}

77
pkg/config/tls/tls_test.go
Unescape View File

@ -1,77 +0,0 @@
// Copyright (c) 2022 Proton Technologies AG
//
// This file is part of ProtonMail Bridge.
//
// ProtonMail Bridge is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// ProtonMail Bridge is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with ProtonMail Bridge. If not, see <https://www.gnu.org/licenses/>.
package tls
import (
"io/ioutil"
"testing"
"time"
"github.com/stretchr/testify/require"
)
func TestGetOldConfig(t *testing.T) {
dir, err := ioutil.TempDir("", "test-tls")
require.NoError(t, err)
// Create new tls object.
tls := New(dir)
// Create new TLS template.
tlsTemplate, err := NewTLSTemplate()
require.NoError(t, err)
// Make the template be an old key.
tlsTemplate.NotBefore = time.Now().Add(-365 * 24 * time.Hour)
tlsTemplate.NotAfter = time.Now()
// Generate the certs from the template.
require.NoError(t, tls.GenerateCerts(tlsTemplate))
// Generate the config from the certs -- it's going to expire soon so we don't want to use it.
_, err = tls.GetConfig()
require.Equal(t, err, ErrTLSCertExpiresSoon)
}
func TestGetValidConfig(t *testing.T) {
dir, err := ioutil.TempDir("", "test-tls")
require.NoError(t, err)
// Create new tls object.
tls := New(dir)
// Create new TLS template.
tlsTemplate, err := NewTLSTemplate()
require.NoError(t, err)
// Make the template be a new key.
tlsTemplate.NotBefore = time.Now()
tlsTemplate.NotAfter = time.Now().Add(2 * 365 * 24 * time.Hour)
// Generate the certs from the template.
require.NoError(t, tls.GenerateCerts(tlsTemplate))
// Generate the config from the certs -- it's not going to expire soon so we want to use it.
config, err := tls.GetConfig()
require.NoError(t, err)
require.Equal(t, len(config.Certificates), 1)
// Check the cert is valid.
now, notValidAfter := time.Now(), config.Certificates[0].Leaf.NotAfter
require.False(t, now.After(notValidAfter), "new certificate expected to be valid at %v but have valid until %v", now, notValidAfter)
}
Write Preview
Loading…
Cancel
Save