From d40414b40f441d6a077083247316ed031129ff7a Mon Sep 17 00:00:00 2001
From: Cadey Dodrill
Date: Wed, 25 Jan 2017 20:22:27 -0800
Subject: [PATCH] encrypt inserted SSL certificates

---
 database/certcache.go | 7 +++++++
 lib/routecrypto/secretbox.go | 35 +++++++++++++++++++++++++++++++++++
 main.go | 6 ++++++
 server/server.go | 6 ++++++
 4 files changed, 54 insertions(+)
 create mode 100644 lib/routecrypto/secretbox.go

diff --git a/database/certcache.go b/database/certcache.go
index 392b6b2..5cc5057 100644
--- a/database/certcache.go
+++ b/database/certcache.go
@@ -4,6 +4,7 @@ import (
 	"log"
 
 	r "github.com/GoRethink/gorethink"
+	"github.com/brandur/simplebox"
 	"golang.org/x/crypto/acme/autocert"
 	"golang.org/x/net/context"
 )
@@ -12,6 +13,7 @@ import (
 // https://godoc.org/golang.org/x/crypto/acme/autocert#Cache
 type CertCache struct {
 	*DB
+	SimpleBox *simplebox.SimpleBox
 }
 
 // CryptoLevel indicates what form of cryptography the certificate is stored
@@ -72,6 +74,11 @@ func (c *CertCache) Put(ctx context.Context, key string, data []byte) error {
 		Body: data,
 	}
 
+	if c.SimpleBox != nil {
+		cert.CryptoLevel = CryptoLevelSecretbox
+		cert.Body = c.SimpleBox.Encrypt(data)
+	}
+
 	log.Printf("certcache: added: %s", key)
 	_, err := r.Table("certs").Insert(cert).RunWrite(c.s)
 
diff --git a/lib/routecrypto/secretbox.go b/lib/routecrypto/secretbox.go
new file mode 100644
index 0000000..871f0df
--- /dev/null
+++ b/lib/routecrypto/secretbox.go
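Review bot: Put now writes secretbox ciphertext into `cert.Body` when `c.SimpleBox` is set, but nothing in this patch shows the read path decrypting, so a `Get` that still returns `cert.Body` as-is would hand autocert ciphertext where it expects the raw certificate bytes. Worth confirming that `Get` switches on `cert.CryptoLevel`, calls `c.SimpleBox.Decrypt` for `CryptoLevelSecretbox`, and returns an explicit error rather than the raw bytes when the level is `CryptoLevelSecretbox` but `c.SimpleBox` is nil (for example a process restarted without the key). Records stored before this change keep their previous level, so the table holds a mix until they are re-issued; a comment on the new branch such as `// Body is ciphertext when CryptoLevel == CryptoLevelSecretbox; Get must decrypt before returning it.` would make that contract visible. Put's body starts before and continues after this hunk.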
@@ -0,0 +1,35 @@
+package routecrypto
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+	"errors"
+)
+
+// GenerateKey creates a new key full of random data.
+func GenerateKey() (*[32]byte, error) {
+	var k [32]byte
+	_, err := rand.Read(k[:])
+	if err != nil {
+		return nil, err
+	}
+	return &k, nil
+}
+
+// ShowKey makes a string out of an encryption key.
+func ShowKey(key *[32]byte) string {
+	return base64.URLEncoding.EncodeToString(key[:])
+}
+
+// ParseKey decodes a key from a string.
+func ParseKey(s string) (*[32]byte, error) {
+	k := &[32]byte{}
+	raw, err := base64.URLEncoding.DecodeString(s)
+	if err != nil {
+		return nil, err
+	}
+	if n := copy(k[:], raw); n < len(k) {
+		return nil, errors.New("not valid")
+	}
+	return k, nil
+}
diff --git a/main.go b/main.go
index 8eb6bf2..4ee60f1 100644
--- a/main.go
+++ b/main.go
@@ -9,6 +9,7 @@ import (
 	"net/http"
 	"time"
 
+	"git.xeserv.us/xena/route/lib/routecrypto"
 	"git.xeserv.us/xena/route/server"
 	"github.com/facebookgo/flagenv"
 	_ "github.com/joho/godotenv/autoload"
@@ -26,6 +27,8 @@ var (
 	webPort = flag.String("web-port", "9234", "HTTP ingress port for backends and users")
 	sslPort = flag.String("ssl-port", "", "if set use this port for SSL HTTP requests (certs via LE, you agree to follow their TOS)")
 	domainSuffix = flag.String("domain-suffix", ".apps.xeserv.us", "Domain name suffix associated with the load balancer")
+
+	sslCertKey = flag.String("ssl-cert-key", "", "if set encrypt SSL certs with this key")
 )
 
 func main() {
@@ -33,6 +36,8 @@ func main() {
 	flagenv.Parse()
 	rand.Seed(time.Now().Unix())
 
+	certKey, _ := routecrypto.ParseKey(*sslCertKey)
+
 	s, err := server.New(server.Config{
 		ControlHost: *controlHost,
 		ControlKeyFile: *controlKeyFile,
@@ -44,6 +49,7 @@ func main() {
 		WebPort: *webPort,
 		SSLPort: *sslPort,
 		DomainSuffix: *domainSuffix,
+		CertKey: certKey,
 	})
 	if err != nil {
 		log.Fatal(err)
diff --git a/server/server.go b/server/server.go
index 5f96c78..3a50a43 100644
--- a/server/server.go
+++ b/server/server.go
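Review bot: ParseKey rejects a decoded key shorter than 32 bytes but silently accepts a longer one, because `copy` stops at `len(k)` and only `n < len(k)` is checked, so a value with trailing bytes is truncated to its first 32 bytes instead of being refused. Check the decoded length exactly before copying: `if len(raw) != len(k) {`, `	return nil, errors.New("routecrypto: key must be exactly 32 bytes")`, `}` followed by `copy(k[:], raw)`. Naming the expected length in the error also separates a bad-base64 failure from a wrong-length one, which the current `"not valid"` message conflates; GenerateKey and ShowKey read correctly as written.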
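Review bot: `certKey, _ := routecrypto.ParseKey(*sslCertKey)` in the second main() hunk discards the parse error, so a mistyped or truncated `--ssl-cert-key` value produces a nil key and, via the `cfg.CertKey != nil` guard in server.New, the server quietly falls back to storing certificates unencrypted with no log line. Since the flag's empty default is the only value that legitimately means "no encryption", parse only when the flag is set and treat any failure as fatal, as below. Because `flagenv.Parse()` is called, the key can presumably also be supplied through the environment rather than the command line, which keeps it out of process listings; the flag help text could say so. main()'s body starts before and continues after this hunk.

```go
	rand.Seed(time.Now().Unix())

	// Only an explicitly set key can be malformed; the empty default means
	// "store certificates unencrypted", so never silently downgrade on error.
	var certKey *[32]byte
	if *sslCertKey != "" {
		var err error
		certKey, err = routecrypto.ParseKey(*sslCertKey)
		if err != nil {
			log.Fatalf("ssl-cert-key: %v", err)
		}
	}

	// … unchanged: server.New(server.Config{…}) and the remainder of main …
```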
@@ -22,6 +22,7 @@ import (
 	"git.xeserv.us/xena/route/utils"
 	"github.com/Xe/uuid"
 	"github.com/Yawning/bulb"
+	"github.com/brandur/simplebox"
 )
 
 // RPC constants
@@ -50,6 +51,7 @@ type Config struct {
 	RethinkDBHost, RethinkDBDatabase string
 	TorDataDir, TorHashedPassword, TorPassword string
 	WebPort, DomainSuffix, SSLPort string
+	CertKey *[32]byte
 }
 
 // New creates a new Server
@@ -118,6 +120,10 @@ func New(cfg Config) (*Server, error) {
 		},
 	}
 
+	if cfg.CertKey != nil {
+		s.CertCache.SimpleBox = simplebox.NewFromSecretKey(cfg.CertKey)
+	}
+
 	rpcs.RegisterName("Urls", &RPCServer{Server: s})
 	go rpcs.Accept(l)
 