encrypt inserted SSL certificates

Cadey Ratio 2017-01-25 20:22:27 -08:00
parent 385d340027
commit d40414b40f
4 changed files with 54 additions and 0 deletions


@ -4,6 +4,7 @@ import (
"log"
r "github.com/GoRethink/gorethink"
"github.com/brandur/simplebox"
"golang.org/x/crypto/acme/autocert"
"golang.org/x/net/context"
)
@ -12,6 +13,7 @@ import (
// https://godoc.org/golang.org/x/crypto/acme/autocert#Cache
type CertCache struct {
*DB
SimpleBox *simplebox.SimpleBox
}
// CryptoLevel indicates what form of cryptography the certificate is stored
@ -72,6 +74,11 @@ func (c *CertCache) Put(ctx context.Context, key string, data []byte) error {
Body: data,
}
if c.SimpleBox != nil {
cert.CryptoLevel = CryptoLevelSecretbox
cert.Body = c.SimpleBox.Encrypt(data)
}
log.Printf("certcache: added: %s", key)
_, err := r.Table("certs").Insert(cert).RunWrite(c.s)
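Review bot: The encrypt branch in Put stamps the record with CryptoLevelSecretbox, but none of the four files in this commit changes the Get side of CertCache, so unless Get already dispatches on CryptoLevel a record written through this branch presumably comes back as secretbox ciphertext and serving that host's certificate would likely fail; worth confirming before running with a key configured. The new `SimpleBox` field on CertCache also has no doc comment; suggest `// SimpleBox, when non-nil, encrypts certificate bodies before they are inserted; nil stores them as given.` Put starts before this hunk.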


@ -0,0 +1,35 @@
package routecrypto
import (
"crypto/rand"
"encoding/base64"
"errors"
)
// GenerateKey creates a new key full of random data.
func GenerateKey() (*[32]byte, error) {
var k [32]byte
_, err := rand.Read(k[:])
if err != nil {
return nil, err
}
return &k, nil
}
// ShowKey makes a string out of an encryption key.
func ShowKey(key *[32]byte) string {
return base64.URLEncoding.EncodeToString(key[:])
}
// ParseKey decodes a key from a string.
func ParseKey(s string) (*[32]byte, error) {
k := &[32]byte{}
raw, err := base64.URLEncoding.DecodeString(s)
if err != nil {
return nil, err
}
if n := copy(k[:], raw); n < len(k) {
return nil, errors.New("not valid")
}
return k, nil
}
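Review bot: ParseKey only rejects input that is too short: `copy` truncates a string that decodes to more than 32 bytes and n equals len(k), so an over-long or concatenated key is accepted with its tail silently dropped. Replace the copy check with `if len(raw) != len(k) { return nil, errors.New("key must decode to exactly 32 bytes") }` followed by `copy(k[:], raw)`, which also gives the caller a message that says what was wrong. ShowKey slices `key[:]` without a nil check, so a nil pointer there would panic rather than return an empty string; document that callers must pass a non-nil key or guard it.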


@ -9,6 +9,7 @@ import (
"net/http"
"time"
"git.xeserv.us/xena/route/lib/routecrypto"
"git.xeserv.us/xena/route/server"
"github.com/facebookgo/flagenv"
_ "github.com/joho/godotenv/autoload"
@ -26,6 +27,8 @@ var (
webPort = flag.String("web-port", "9234", "HTTP ingress port for backends and users")
sslPort = flag.String("ssl-port", "", "if set use this port for SSL HTTP requests (certs via LE, you agree to follow their TOS)")
domainSuffix = flag.String("domain-suffix", ".apps.xeserv.us", "Domain name suffix associated with the load balancer")
sslCertKey = flag.String("ssl-cert-key", "", "if set encrypt SSL certs with this key")
)
func main() {
@ -33,6 +36,8 @@ func main() {
flagenv.Parse()
rand.Seed(time.Now().Unix())
certKey, _ := routecrypto.ParseKey(*sslCertKey)
s, err := server.New(server.Config{
ControlHost: *controlHost,
ControlKeyFile: *controlKeyFile,
@ -44,6 +49,7 @@ func main() {
WebPort: *webPort,
SSLPort: *sslPort,
DomainSuffix: *domainSuffix,
CertKey: certKey,
})
if err != nil {
log.Fatal(err)
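Review bot: `certKey, _ := routecrypto.ParseKey(*sslCertKey)` discards the parse error, so a mistyped or truncated key yields a nil certKey and the server silently falls back to storing certificates unencrypted, which defeats the purpose of the flag without any log line. Parse only when the flag is set and fail hard on a bad value; the empty-string case is then handled explicitly instead of relying on ParseKey rejecting zero bytes. Since flagenv.Parse is called here, it may be worth noting in the flag's help text that the key can be supplied through the environment rather than on the command line, where it would be visible in the process list. main continues outside this hunk.
```go
	var certKey *[32]byte
	if *sslCertKey != "" {
		var err error
		certKey, err = routecrypto.ParseKey(*sslCertKey)
		if err != nil {
			log.Fatalf("ssl-cert-key: %v", err)
		}
	}
	// … unchanged: server.New call with CertKey: certKey …
```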


@ -22,6 +22,7 @@ import (
"git.xeserv.us/xena/route/utils"
"github.com/Xe/uuid"
"github.com/Yawning/bulb"
"github.com/brandur/simplebox"
)
// RPC constants
@ -50,6 +51,7 @@ type Config struct {
RethinkDBHost, RethinkDBDatabase string
TorDataDir, TorHashedPassword, TorPassword string
WebPort, DomainSuffix, SSLPort string
CertKey *[32]byte
}
// New creates a new Server
@ -118,6 +120,10 @@ func New(cfg Config) (*Server, error) {
},
}
if cfg.CertKey != nil {
s.CertCache.SimpleBox = simplebox.NewFromSecretKey(cfg.CertKey)
}
rpcs.RegisterName("Urls", &RPCServer{Server: s})
go rpcs.Accept(l)
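Review bot: The new `CertKey *[32]byte` field in Config is undocumented, and its nil-means-plaintext semantics are only discoverable by reading New; suggest `// CertKey, when non-nil, is the secretbox key used to encrypt cached certificates at rest; nil leaves them unencrypted.` The assignment `s.CertCache.SimpleBox = simplebox.NewFromSecretKey(cfg.CertKey)` presumably relies on s.CertCache being initialised by the literal closed just above the hunk; if that field can be nil for some configurations, the guard should check it too. New continues outside this hunk.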