encrypt inserted SSL certificates

2017-01-25 20:22:27 -08:00 · 2017-01-25 20:22:27 -08:00 · d40414b40f
parent 385d340027
commit d40414b40f
4 changed files with 54 additions and 0 deletions
--- a/database/certcache.go
+++ b/database/certcache.go
@ -4,6 +4,7 @@ import (
 	"log"

 	r "github.com/GoRethink/gorethink"
+	"github.com/brandur/simplebox"
 	"golang.org/x/crypto/acme/autocert"
 	"golang.org/x/net/context"
 )
@ -12,6 +13,7 @@ import (
 // https://godoc.org/golang.org/x/crypto/acme/autocert#Cache
 type CertCache struct {
 	*DB
+	SimpleBox *simplebox.SimpleBox
 }

 // CryptoLevel indicates what form of cryptography the certificate is stored
@ -72,6 +74,11 @@ func (c *CertCache) Put(ctx context.Context, key string, data []byte) error {
 		Body:        data,
 	}

+	if c.SimpleBox != nil {
+		cert.CryptoLevel = CryptoLevelSecretbox
+		cert.Body = c.SimpleBox.Encrypt(data)
+	}
+
 	log.Printf("certcache: added: %s", key)

 	_, err := r.Table("certs").Insert(cert).RunWrite(c.s)
--- a/lib/routecrypto/secretbox.go
+++ b/lib/routecrypto/secretbox.go
@ -0,0 +1,35 @@
+package routecrypto
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+	"errors"
+)
+
+// GenerateKey creates a new key full of random data.
+func GenerateKey() (*[32]byte, error) {
+	var k [32]byte
+	_, err := rand.Read(k[:])
+	if err != nil {
+		return nil, err
+	}
+	return &k, nil
+}
+
+// ShowKey makes a string out of an encryption key.
+func ShowKey(key *[32]byte) string {
+	return base64.URLEncoding.EncodeToString(key[:])
+}
+
+// ParseKey decodes a key from a string.
+func ParseKey(s string) (*[32]byte, error) {
+	k := &[32]byte{}
+	raw, err := base64.URLEncoding.DecodeString(s)
+	if err != nil {
+		return nil, err
+	}
+	if n := copy(k[:], raw); n < len(k) {
+		return nil, errors.New("not valid")
+	}
+	return k, nil
+}
--- a/main.go
+++ b/main.go
@ -9,6 +9,7 @@ import (
 	"net/http"
 	"time"

+	"git.xeserv.us/xena/route/lib/routecrypto"
 	"git.xeserv.us/xena/route/server"
 	"github.com/facebookgo/flagenv"
 	_ "github.com/joho/godotenv/autoload"
@ -26,6 +27,8 @@ var (
 	webPort           = flag.String("web-port", "9234", "HTTP ingress port for backends and users")
 	sslPort           = flag.String("ssl-port", "", "if set use this port for SSL HTTP requests (certs via LE, you agree to follow their TOS)")
 	domainSuffix      = flag.String("domain-suffix", ".apps.xeserv.us", "Domain name suffix associated with the load balancer")
+
+	sslCertKey = flag.String("ssl-cert-key", "", "if set encrypt SSL certs with this key")
 )

 func main() {
@ -33,6 +36,8 @@ func main() {
 	flagenv.Parse()
 	rand.Seed(time.Now().Unix())

+	certKey, _ := routecrypto.ParseKey(*sslCertKey)
+
 	s, err := server.New(server.Config{
 		ControlHost:       *controlHost,
 		ControlKeyFile:    *controlKeyFile,
@ -44,6 +49,7 @@ func main() {
 		WebPort:           *webPort,
 		SSLPort:           *sslPort,
 		DomainSuffix:      *domainSuffix,
+		CertKey:           certKey,
 	})
 	if err != nil {
 		log.Fatal(err)
--- a/server/server.go
+++ b/server/server.go
@ -22,6 +22,7 @@ import (
 	"git.xeserv.us/xena/route/utils"
 	"github.com/Xe/uuid"
 	"github.com/Yawning/bulb"
+	"github.com/brandur/simplebox"
 )

 // RPC constants
@ -50,6 +51,7 @@ type Config struct {
 	RethinkDBHost, RethinkDBDatabase           string
 	TorDataDir, TorHashedPassword, TorPassword string
 	WebPort, DomainSuffix, SSLPort             string
+	CertKey                                    *[32]byte
 }

 // New creates a new Server
@ -118,6 +120,10 @@ func New(cfg Config) (*Server, error) {
 		},
 	}

+	if cfg.CertKey != nil {
+		s.CertCache.SimpleBox = simplebox.NewFromSecretKey(cfg.CertKey)
+	}
+
 	rpcs.RegisterName("Urls", &RPCServer{Server: s})
 	go rpcs.Accept(l)