sftpgo-mirror/common/tlsutils.go

package common

import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"os"
	"path/filepath"
	"sync"
	"time"

	"github.com/drakkan/sftpgo/v2/logger"
	"github.com/drakkan/sftpgo/v2/util"
)

// CertManager defines a TLS certificate manager
type CertManager struct {
	certPath  string
	keyPath   string
	configDir string
	logSender string
	sync.RWMutex
	caCertificates    []string
	caRevocationLists []string
	cert              *tls.Certificate
	rootCAs           *x509.CertPool
	crls              []*pkix.CertificateList
}

// Reload tries to reload certificate and CRLs
func (m *CertManager) Reload() error {
	errCrt := m.loadCertificate()
	errCRLs := m.LoadCRLs()

	if errCrt != nil {
		return errCrt
	}
	return errCRLs
}

// LoadCertificate loads the configured x509 key pair
func (m *CertManager) loadCertificate() error {
	newCert, err := tls.LoadX509KeyPair(m.certPath, m.keyPath)
	if err != nil {
		logger.Warn(m.logSender, "", "unable to load X509 key pair, cert file %#v key file %#v error: %v",
			m.certPath, m.keyPath, err)
		return err
	}
	logger.Debug(m.logSender, "", "TLS certificate %#v successfully loaded", m.certPath)

	m.Lock()
	defer m.Unlock()

	m.cert = &newCert
	return nil
}

// GetCertificateFunc returns the loaded certificate
func (m *CertManager) GetCertificateFunc() func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	return func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
		m.RLock()
		defer m.RUnlock()

		return m.cert, nil
	}
}

// IsRevoked returns true if the specified certificate has been revoked
func (m *CertManager) IsRevoked(crt *x509.Certificate, caCrt *x509.Certificate) bool {
	m.RLock()
	defer m.RUnlock()

	if crt == nil || caCrt == nil {
		logger.Warn(m.logSender, "", "unable to verify crt %v ca crt %v", crt, caCrt)
		return len(m.crls) > 0
	}

	for _, crl := range m.crls {
		if !crl.HasExpired(time.Now()) && caCrt.CheckCRLSignature(crl) == nil {
			for _, rc := range crl.TBSCertList.RevokedCertificates {
				if rc.SerialNumber.Cmp(crt.SerialNumber) == 0 {
					return true
				}
			}
		}
	}

	return false
}

// LoadCRLs tries to load certificate revocation lists from the given paths
func (m *CertManager) LoadCRLs() error {
	if len(m.caRevocationLists) == 0 {
		return nil
	}

	var crls []*pkix.CertificateList

	for _, revocationList := range m.caRevocationLists {
		if !util.IsFileInputValid(revocationList) {
			return fmt.Errorf("invalid root CA revocation list %#v", revocationList)
		}
		if revocationList != "" && !filepath.IsAbs(revocationList) {
			revocationList = filepath.Join(m.configDir, revocationList)
		}
		crlBytes, err := os.ReadFile(revocationList)
		if err != nil {
			logger.Warn(m.logSender, "unable to read revocation list %#v", revocationList)
			return err
		}
		crl, err := x509.ParseCRL(crlBytes)
		if err != nil {
			logger.Warn(m.logSender, "unable to parse revocation list %#v", revocationList)
			return err
		}

		logger.Debug(m.logSender, "", "CRL %#v successfully loaded", revocationList)
		crls = append(crls, crl)
	}

	m.Lock()
	defer m.Unlock()

	m.crls = crls

	return nil
}

// GetRootCAs returns the set of root certificate authorities that servers
// use if required to verify a client certificate
func (m *CertManager) GetRootCAs() *x509.CertPool {
	m.RLock()
	defer m.RUnlock()

	return m.rootCAs
}

// LoadRootCAs tries to load root CA certificate authorities from the given paths
func (m *CertManager) LoadRootCAs() error {
	if len(m.caCertificates) == 0 {
		return nil
	}

	rootCAs := x509.NewCertPool()

	for _, rootCA := range m.caCertificates {
		if !util.IsFileInputValid(rootCA) {
			return fmt.Errorf("invalid root CA certificate %#v", rootCA)
		}
		if rootCA != "" && !filepath.IsAbs(rootCA) {
			rootCA = filepath.Join(m.configDir, rootCA)
		}
		crt, err := os.ReadFile(rootCA)
		if err != nil {
			return err
		}
		if rootCAs.AppendCertsFromPEM(crt) {
			logger.Debug(m.logSender, "", "TLS certificate authority %#v successfully loaded", rootCA)
		} else {
			err := fmt.Errorf("unable to load TLS certificate authority %#v", rootCA)
			logger.Warn(m.logSender, "", "%v", err)
			return err
		}
	}

	m.Lock()
	defer m.Unlock()

	m.rootCAs = rootCAs
	return nil
}

// SetCACertificates sets the root CA authorities file paths.
// This should not be changed at runtime
func (m *CertManager) SetCACertificates(caCertificates []string) {
	m.caCertificates = caCertificates
}

// SetCARevocationLists sets the CA revocation lists file paths.
// This should not be changed at runtime
func (m *CertManager) SetCARevocationLists(caRevocationLists []string) {
	m.caRevocationLists = caRevocationLists
}

// NewCertManager creates a new certificate manager
func NewCertManager(certificateFile, certificateKeyFile, configDir, logSender string) (*CertManager, error) {
	manager := &CertManager{
		cert:      nil,
		certPath:  certificateFile,
		keyPath:   certificateKeyFile,
		configDir: configDir,
		logSender: logSender,
	}
	err := manager.loadCertificate()
	if err != nil {
		return nil, err
	}
	return manager, nil
}
refactoring: add common package The common package defines the interfaces that a protocol must implement and contain code that can be shared among supported protocols. This way should be easier to support new protocols 2020-07-24 21:39:38 +00:00			`package common`

			`import (`
			`"crypto/tls"`
webdav: add support for client certificate authentication Fixes #263 2020-12-28 18:48:23 +00:00			`"crypto/x509"`
mutal TLS: add support for revocation lists 2021-01-03 16:03:04 +00:00			`"crypto/x509/pkix"`
webdav: add support for client certificate authentication Fixes #263 2020-12-28 18:48:23 +00:00			`"fmt"`
Use new methods in the io and os packages instead of ioutil ones ioutil is deprecated in Go 1.16 and SFTPGo is an application, not a library, we have no reason to keep compatibility with old Go versions. Go 1.16 fix some cifs related issues too. 2021-02-25 20:53:04 +00:00			`"os"`
webdav: add support for client certificate authentication Fixes #263 2020-12-28 18:48:23 +00:00			`"path/filepath"`
refactoring: add common package The common package defines the interfaces that a protocol must implement and contain code that can be shared among supported protocols. This way should be easier to support new protocols 2020-07-24 21:39:38 +00:00			`"sync"`
mutal TLS: add support for revocation lists 2021-01-03 16:03:04 +00:00			`"time"`
refactoring: add common package The common package defines the interfaces that a protocol must implement and contain code that can be shared among supported protocols. This way should be easier to support new protocols 2020-07-24 21:39:38 +00:00
modules: add v2 support 2021-06-26 05:31:41 +00:00			`"github.com/drakkan/sftpgo/v2/logger"`
add experimental plugin system 2021-07-11 13:26:51 +00:00			`"github.com/drakkan/sftpgo/v2/util"`
refactoring: add common package The common package defines the interfaces that a protocol must implement and contain code that can be shared among supported protocols. This way should be easier to support new protocols 2020-07-24 21:39:38 +00:00			`)`

			`// CertManager defines a TLS certificate manager`
			`type CertManager struct {`
mutal TLS: add support for revocation lists 2021-01-03 16:03:04 +00:00			`certPath string`
			`keyPath string`
			`configDir string`
			`logSender string`
refactoring: add common package The common package defines the interfaces that a protocol must implement and contain code that can be shared among supported protocols. This way should be easier to support new protocols 2020-07-24 21:39:38 +00:00			`sync.RWMutex`
mutal TLS: add support for revocation lists 2021-01-03 16:03:04 +00:00			`caCertificates []string`
			`caRevocationLists []string`
			`cert *tls.Certificate`
			`rootCAs *x509.CertPool`
			`crls []*pkix.CertificateList`
			`}`

			`// Reload tries to reload certificate and CRLs`
			`func (m *CertManager) Reload() error {`
			`errCrt := m.loadCertificate()`
			`errCRLs := m.LoadCRLs()`

			`if errCrt != nil {`
			`return errCrt`
			`}`
			`return errCRLs`
refactoring: add common package The common package defines the interfaces that a protocol must implement and contain code that can be shared among supported protocols. This way should be easier to support new protocols 2020-07-24 21:39:38 +00:00			`}`

			`// LoadCertificate loads the configured x509 key pair`
mutal TLS: add support for revocation lists 2021-01-03 16:03:04 +00:00			`func (m *CertManager) loadCertificate() error {`
refactoring: add common package The common package defines the interfaces that a protocol must implement and contain code that can be shared among supported protocols. This way should be easier to support new protocols 2020-07-24 21:39:38 +00:00			`newCert, err := tls.LoadX509KeyPair(m.certPath, m.keyPath)`
			`if err != nil {`
mutal TLS: add support for revocation lists 2021-01-03 16:03:04 +00:00			`logger.Warn(m.logSender, "", "unable to load X509 key pair, cert file %#v key file %#v error: %v",`
refactoring: add common package The common package defines the interfaces that a protocol must implement and contain code that can be shared among supported protocols. This way should be easier to support new protocols 2020-07-24 21:39:38 +00:00			`m.certPath, m.keyPath, err)`
			`return err`
			`}`
mutal TLS: add support for revocation lists 2021-01-03 16:03:04 +00:00			`logger.Debug(m.logSender, "", "TLS certificate %#v successfully loaded", m.certPath)`

refactoring: add common package The common package defines the interfaces that a protocol must implement and contain code that can be shared among supported protocols. This way should be easier to support new protocols 2020-07-24 21:39:38 +00:00			`m.Lock()`
			`defer m.Unlock()`
mutal TLS: add support for revocation lists 2021-01-03 16:03:04 +00:00
refactoring: add common package The common package defines the interfaces that a protocol must implement and contain code that can be shared among supported protocols. This way should be easier to support new protocols 2020-07-24 21:39:38 +00:00			`m.cert = &newCert`
			`return nil`
			`}`

			`// GetCertificateFunc returns the loaded certificate`
			`func (m CertManager) GetCertificateFunc() func(tls.ClientHelloInfo) (*tls.Certificate, error) {`
			`return func(clientHello tls.ClientHelloInfo) (tls.Certificate, error) {`
			`m.RLock()`
			`defer m.RUnlock()`
mutal TLS: add support for revocation lists 2021-01-03 16:03:04 +00:00
refactoring: add common package The common package defines the interfaces that a protocol must implement and contain code that can be shared among supported protocols. This way should be easier to support new protocols 2020-07-24 21:39:38 +00:00			`return m.cert, nil`
			`}`
			`}`

mutal TLS: add support for revocation lists 2021-01-03 16:03:04 +00:00			`// IsRevoked returns true if the specified certificate has been revoked`
			`func (m CertManager) IsRevoked(crt x509.Certificate, caCrt *x509.Certificate) bool {`
			`m.RLock()`
			`defer m.RUnlock()`

			`if crt == nil \|\| caCrt == nil {`
			`logger.Warn(m.logSender, "", "unable to verify crt %v ca crt %v", crt, caCrt)`
			`return len(m.crls) > 0`
			`}`

			`for _, crl := range m.crls {`
			`if !crl.HasExpired(time.Now()) && caCrt.CheckCRLSignature(crl) == nil {`
			`for _, rc := range crl.TBSCertList.RevokedCertificates {`
			`if rc.SerialNumber.Cmp(crt.SerialNumber) == 0 {`
			`return true`
			`}`
			`}`
			`}`
			`}`

			`return false`
			`}`

			`// LoadCRLs tries to load certificate revocation lists from the given paths`
			`func (m *CertManager) LoadCRLs() error {`
			`if len(m.caRevocationLists) == 0 {`
			`return nil`
			`}`

			`var crls []*pkix.CertificateList`

			`for _, revocationList := range m.caRevocationLists {`
add experimental plugin system 2021-07-11 13:26:51 +00:00			`if !util.IsFileInputValid(revocationList) {`
mutal TLS: add support for revocation lists 2021-01-03 16:03:04 +00:00			`return fmt.Errorf("invalid root CA revocation list %#v", revocationList)`
			`}`
			`if revocationList != "" && !filepath.IsAbs(revocationList) {`
			`revocationList = filepath.Join(m.configDir, revocationList)`
			`}`
Use new methods in the io and os packages instead of ioutil ones ioutil is deprecated in Go 1.16 and SFTPGo is an application, not a library, we have no reason to keep compatibility with old Go versions. Go 1.16 fix some cifs related issues too. 2021-02-25 20:53:04 +00:00			`crlBytes, err := os.ReadFile(revocationList)`
mutal TLS: add support for revocation lists 2021-01-03 16:03:04 +00:00			`if err != nil {`
			`logger.Warn(m.logSender, "unable to read revocation list %#v", revocationList)`
			`return err`
			`}`
			`crl, err := x509.ParseCRL(crlBytes)`
			`if err != nil {`
			`logger.Warn(m.logSender, "unable to parse revocation list %#v", revocationList)`
			`return err`
			`}`

			`logger.Debug(m.logSender, "", "CRL %#v successfully loaded", revocationList)`
			`crls = append(crls, crl)`
			`}`

			`m.Lock()`
			`defer m.Unlock()`

			`m.crls = crls`

			`return nil`
			`}`

webdav: add support for client certificate authentication Fixes #263 2020-12-28 18:48:23 +00:00			`// GetRootCAs returns the set of root certificate authorities that servers`
			`// use if required to verify a client certificate`
			`func (m CertManager) GetRootCAs() x509.CertPool {`
mutal TLS: add support for revocation lists 2021-01-03 16:03:04 +00:00			`m.RLock()`
			`defer m.RUnlock()`

webdav: add support for client certificate authentication Fixes #263 2020-12-28 18:48:23 +00:00			`return m.rootCAs`
			`}`

			`// LoadRootCAs tries to load root CA certificate authorities from the given paths`
mutal TLS: add support for revocation lists 2021-01-03 16:03:04 +00:00			`func (m *CertManager) LoadRootCAs() error {`
			`if len(m.caCertificates) == 0 {`
webdav: add support for client certificate authentication Fixes #263 2020-12-28 18:48:23 +00:00			`return nil`
			`}`

			`rootCAs := x509.NewCertPool()`

mutal TLS: add support for revocation lists 2021-01-03 16:03:04 +00:00			`for _, rootCA := range m.caCertificates {`
add experimental plugin system 2021-07-11 13:26:51 +00:00			`if !util.IsFileInputValid(rootCA) {`
webdav: add support for client certificate authentication Fixes #263 2020-12-28 18:48:23 +00:00			`return fmt.Errorf("invalid root CA certificate %#v", rootCA)`
			`}`
			`if rootCA != "" && !filepath.IsAbs(rootCA) {`
mutal TLS: add support for revocation lists 2021-01-03 16:03:04 +00:00			`rootCA = filepath.Join(m.configDir, rootCA)`
webdav: add support for client certificate authentication Fixes #263 2020-12-28 18:48:23 +00:00			`}`
Use new methods in the io and os packages instead of ioutil ones ioutil is deprecated in Go 1.16 and SFTPGo is an application, not a library, we have no reason to keep compatibility with old Go versions. Go 1.16 fix some cifs related issues too. 2021-02-25 20:53:04 +00:00			`crt, err := os.ReadFile(rootCA)`
webdav: add support for client certificate authentication Fixes #263 2020-12-28 18:48:23 +00:00			`if err != nil {`
			`return err`
			`}`
			`if rootCAs.AppendCertsFromPEM(crt) {`
mutal TLS: add support for revocation lists 2021-01-03 16:03:04 +00:00			`logger.Debug(m.logSender, "", "TLS certificate authority %#v successfully loaded", rootCA)`
webdav: add support for client certificate authentication Fixes #263 2020-12-28 18:48:23 +00:00			`} else {`
			`err := fmt.Errorf("unable to load TLS certificate authority %#v", rootCA)`
mutal TLS: add support for revocation lists 2021-01-03 16:03:04 +00:00			`logger.Warn(m.logSender, "", "%v", err)`
webdav: add support for client certificate authentication Fixes #263 2020-12-28 18:48:23 +00:00			`return err`
			`}`
			`}`

mutal TLS: add support for revocation lists 2021-01-03 16:03:04 +00:00			`m.Lock()`
			`defer m.Unlock()`

webdav: add support for client certificate authentication Fixes #263 2020-12-28 18:48:23 +00:00			`m.rootCAs = rootCAs`
			`return nil`
			`}`

fix a potential race condition for pre-login and ext auth hooks doing something like this: err = provider.updateUser(u) ... return provider.userExists(username) could be racy if another update happen before provider.userExists(username) also pass a pointer to updateUser so if the user is modified inside "validateUser" we can just return the modified user without do a new query 2021-01-05 08:50:22 +00:00			`// SetCACertificates sets the root CA authorities file paths.`
			`// This should not be changed at runtime`
mutal TLS: add support for revocation lists 2021-01-03 16:03:04 +00:00			`func (m *CertManager) SetCACertificates(caCertificates []string) {`
			`m.caCertificates = caCertificates`
			`}`

fix a potential race condition for pre-login and ext auth hooks doing something like this: err = provider.updateUser(u) ... return provider.userExists(username) could be racy if another update happen before provider.userExists(username) also pass a pointer to updateUser so if the user is modified inside "validateUser" we can just return the modified user without do a new query 2021-01-05 08:50:22 +00:00			`// SetCARevocationLists sets the CA revocation lists file paths.`
			`// This should not be changed at runtime`
mutal TLS: add support for revocation lists 2021-01-03 16:03:04 +00:00			`func (m *CertManager) SetCARevocationLists(caRevocationLists []string) {`
			`m.caRevocationLists = caRevocationLists`
			`}`

refactoring: add common package The common package defines the interfaces that a protocol must implement and contain code that can be shared among supported protocols. This way should be easier to support new protocols 2020-07-24 21:39:38 +00:00			`// NewCertManager creates a new certificate manager`
mutal TLS: add support for revocation lists 2021-01-03 16:03:04 +00:00			`func NewCertManager(certificateFile, certificateKeyFile, configDir, logSender string) (*CertManager, error) {`
refactoring: add common package The common package defines the interfaces that a protocol must implement and contain code that can be shared among supported protocols. This way should be easier to support new protocols 2020-07-24 21:39:38 +00:00			`manager := &CertManager{`
mutal TLS: add support for revocation lists 2021-01-03 16:03:04 +00:00			`cert: nil,`
			`certPath: certificateFile,`
			`keyPath: certificateKeyFile,`
			`configDir: configDir,`
			`logSender: logSender,`
refactoring: add common package The common package defines the interfaces that a protocol must implement and contain code that can be shared among supported protocols. This way should be easier to support new protocols 2020-07-24 21:39:38 +00:00			`}`
mutal TLS: add support for revocation lists 2021-01-03 16:03:04 +00:00			`err := manager.loadCertificate()`
refactoring: add common package The common package defines the interfaces that a protocol must implement and contain code that can be shared among supported protocols. This way should be easier to support new protocols 2020-07-24 21:39:38 +00:00			`if err != nil {`
			`return nil, err`
			`}`
			`return manager, nil`
			`}`