traefik/pkg/tls/certificate.go

277 lines
7.5 KiB
Go
Raw Normal View History

package tls
import (
"crypto/tls"
"crypto/x509"
"fmt"
"io/ioutil"
"os"
"sort"
"strings"
"github.com/traefik/traefik/v2/pkg/log"
"github.com/traefik/traefik/v2/pkg/tls/generate"
)
var (
2020-05-11 12:06:07 +02:00
// MinVersion Map of allowed TLS minimum versions.
MinVersion = map[string]uint16{
`VersionTLS10`: tls.VersionTLS10,
`VersionTLS11`: tls.VersionTLS11,
`VersionTLS12`: tls.VersionTLS12,
`VersionTLS13`: tls.VersionTLS13,
}
2020-05-11 12:06:07 +02:00
// MaxVersion Map of allowed TLS maximum versions.
MaxVersion = map[string]uint16{
`VersionTLS10`: tls.VersionTLS10,
`VersionTLS11`: tls.VersionTLS11,
`VersionTLS12`: tls.VersionTLS12,
`VersionTLS13`: tls.VersionTLS13,
}
// CurveIDs is a Map of TLS elliptic curves from crypto/tls
// Available CurveIDs defined at https://godoc.org/crypto/tls#CurveID,
// also allowing rfc names defined at https://tools.ietf.org/html/rfc8446#section-4.2.7
CurveIDs = map[string]tls.CurveID{
`secp256r1`: tls.CurveP256,
`CurveP256`: tls.CurveP256,
`secp384r1`: tls.CurveP384,
`CurveP384`: tls.CurveP384,
`secp521r1`: tls.CurveP521,
`CurveP521`: tls.CurveP521,
`x25519`: tls.X25519,
`X25519`: tls.X25519,
}
)
// Certificate holds a SSL cert/key pair
2020-05-11 12:06:07 +02:00
// Certs and Key could be either a file path, or the file content itself.
type Certificate struct {
2019-07-01 11:30:05 +02:00
CertFile FileOrContent `json:"certFile,omitempty" toml:"certFile,omitempty" yaml:"certFile,omitempty"`
KeyFile FileOrContent `json:"keyFile,omitempty" toml:"keyFile,omitempty" yaml:"keyFile,omitempty"`
}
// Certificates defines traefik certificates type
2020-05-11 12:06:07 +02:00
// Certs and Keys could be either a file path, or the file content itself.
type Certificates []Certificate
2020-09-11 15:40:03 +02:00
// GetCertificates retrieves the certificates as slice of tls.Certificate.
func (c Certificates) GetCertificates() []tls.Certificate {
var certs []tls.Certificate
for _, certificate := range c {
cert, err := certificate.GetCertificate()
if err != nil {
log.WithoutContext().Debugf("Error while getting certificate: %v", err)
continue
}
certs = append(certs, cert)
}
return certs
}
2020-05-11 12:06:07 +02:00
// FileOrContent hold a file path or content.
type FileOrContent string
func (f FileOrContent) String() string {
return string(f)
}
2020-05-11 12:06:07 +02:00
// IsPath returns true if the FileOrContent is a file path, otherwise returns false.
func (f FileOrContent) IsPath() bool {
_, err := os.Stat(f.String())
return err == nil
}
func (f FileOrContent) Read() ([]byte, error) {
var content []byte
if f.IsPath() {
var err error
content, err = ioutil.ReadFile(f.String())
if err != nil {
return nil, err
}
} else {
content = []byte(f)
}
return content, nil
}
2020-05-11 12:06:07 +02:00
// CreateTLSConfig creates a TLS config from Certificate structures.
2018-03-05 20:54:04 +01:00
func (c *Certificates) CreateTLSConfig(entryPointName string) (*tls.Config, error) {
config := &tls.Config{}
domainsCertificates := make(map[string]map[string]*tls.Certificate)
2018-04-23 10:54:03 +02:00
if c.isEmpty() {
2018-03-05 20:54:04 +01:00
config.Certificates = []tls.Certificate{}
2018-04-23 10:54:03 +02:00
cert, err := generate.DefaultCertificate()
if err != nil {
2018-03-05 20:54:04 +01:00
return nil, err
}
2018-04-23 10:54:03 +02:00
config.Certificates = append(config.Certificates, *cert)
} else {
for _, certificate := range *c {
err := certificate.AppendCertificate(domainsCertificates, entryPointName)
if err != nil {
log.Errorf("Unable to add a certificate to the entryPoint %q : %v", entryPointName, err)
continue
}
2018-04-23 10:54:03 +02:00
for _, certDom := range domainsCertificates {
2018-04-23 10:54:03 +02:00
for _, cert := range certDom {
config.Certificates = append(config.Certificates, *cert)
}
}
}
}
2018-03-05 20:54:04 +01:00
return config, nil
}
2020-05-11 12:06:07 +02:00
// isEmpty checks if the certificates list is empty.
func (c *Certificates) isEmpty() bool {
if len(*c) == 0 {
return true
}
var key int
for _, cert := range *c {
if len(cert.CertFile.String()) != 0 && len(cert.KeyFile.String()) != 0 {
break
}
key++
}
return key == len(*c)
}
// AppendCertificate appends a Certificate to a certificates map keyed by entrypoint.
func (c *Certificate) AppendCertificate(certs map[string]map[string]*tls.Certificate, ep string) error {
certContent, err := c.CertFile.Read()
if err != nil {
2020-05-11 12:06:07 +02:00
return fmt.Errorf("unable to read CertFile : %w", err)
}
keyContent, err := c.KeyFile.Read()
if err != nil {
2020-05-11 12:06:07 +02:00
return fmt.Errorf("unable to read KeyFile : %w", err)
}
tlsCert, err := tls.X509KeyPair(certContent, keyContent)
if err != nil {
2020-05-11 12:06:07 +02:00
return fmt.Errorf("unable to generate TLS certificate : %w", err)
}
parsedCert, _ := x509.ParseCertificate(tlsCert.Certificate[0])
2018-07-06 02:30:03 -06:00
var SANs []string
if parsedCert.Subject.CommonName != "" {
SANs = append(SANs, strings.ToLower(parsedCert.Subject.CommonName))
2018-07-06 02:30:03 -06:00
}
if parsedCert.DNSNames != nil {
sort.Strings(parsedCert.DNSNames)
for _, dnsName := range parsedCert.DNSNames {
if dnsName != parsedCert.Subject.CommonName {
SANs = append(SANs, strings.ToLower(dnsName))
2018-07-06 02:30:03 -06:00
}
}
}
if parsedCert.IPAddresses != nil {
for _, ip := range parsedCert.IPAddresses {
if ip.String() != parsedCert.Subject.CommonName {
SANs = append(SANs, strings.ToLower(ip.String()))
}
}
}
2018-07-06 02:30:03 -06:00
certKey := strings.Join(SANs, ",")
certExists := false
if certs[ep] == nil {
certs[ep] = make(map[string]*tls.Certificate)
} else {
for domains := range certs[ep] {
if domains == certKey {
certExists = true
break
}
}
}
if certExists {
log.Debugf("Skipping addition of certificate for domain(s) %q, to EntryPoint %s, as it already exists for this Entrypoint.", certKey, ep)
} else {
log.Debugf("Adding certificate for domain(s) %s", certKey)
certs[ep][certKey] = &tlsCert
}
return err
}
2020-09-11 15:40:03 +02:00
// GetCertificate retrieves Certificate as tls.Certificate.
func (c *Certificate) GetCertificate() (tls.Certificate, error) {
certContent, err := c.CertFile.Read()
if err != nil {
return tls.Certificate{}, fmt.Errorf("unable to read CertFile : %w", err)
}
keyContent, err := c.KeyFile.Read()
if err != nil {
return tls.Certificate{}, fmt.Errorf("unable to read KeyFile : %w", err)
}
cert, err := tls.X509KeyPair(certContent, keyContent)
if err != nil {
return tls.Certificate{}, fmt.Errorf("unable to generate TLS certificate : %w", err)
}
return cert, nil
}
2020-05-11 12:06:07 +02:00
// GetTruncatedCertificateName truncates the certificate name.
func (c *Certificate) GetTruncatedCertificateName() string {
certName := c.CertFile.String()
// Truncate certificate information only if it's a well formed certificate content with more than 50 characters
if !c.CertFile.IsPath() && strings.HasPrefix(certName, certificateHeader) && len(certName) > len(certificateHeader)+50 {
certName = strings.TrimPrefix(c.CertFile.String(), certificateHeader)[:50]
}
return certName
}
// String is the method to format the flag's value, part of the flag.Value interface.
// The String method's output will be used in diagnostics.
func (c *Certificates) String() string {
if len(*c) == 0 {
return ""
}
var result []string
for _, certificate := range *c {
result = append(result, certificate.CertFile.String()+","+certificate.KeyFile.String())
}
return strings.Join(result, ";")
}
// Set is the method to set the flag value, part of the flag.Value interface.
// Set's argument is a string to be parsed to set the flag.
// It's a comma-separated list, so we split it.
func (c *Certificates) Set(value string) error {
certificates := strings.Split(value, ";")
for _, certificate := range certificates {
files := strings.Split(certificate, ",")
if len(files) != 2 {
return fmt.Errorf("bad certificates format: %s", value)
}
*c = append(*c, Certificate{
CertFile: FileOrContent(files[0]),
KeyFile: FileOrContent(files[1]),
})
}
return nil
}
2020-05-11 12:06:07 +02:00
// Type is type of the struct.
func (c *Certificates) Type() string {
return "certificates"
}