108 lines
2.9 KiB
Go
108 lines
2.9 KiB
Go
//////////////////////////////////////////////////////////////////////////
|
|
|
|
package libvault
|
|
|
|
//////////////////////////////////////////////////////////////////////////
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
log "github.com/sirupsen/logrus"
|
|
"time"
|
|
)
|
|
|
|
//////////////////////////////////////////////////////////////////////////
|
|
|
|
type TLSRequest struct {
|
|
CommonName string `json:"common_name"`
|
|
AltNames string `json:"alt_names"`
|
|
IPSANs string `json:"ip_sans"`
|
|
URISANs string `json:"uri_sans"`
|
|
OtherSANs string `json:"other_sans"`
|
|
TTL time.Duration `json:"ttl"`
|
|
}
|
|
|
|
//////////////////////////////////////////////////////////////////////////
|
|
|
|
func (req *TLSRequest) Renew(t *Token, config *tls.Config) (bool, error) {
|
|
|
|
if len(config.Certificates) > 0 {
|
|
cert, err := x509.ParseCertificate(config.Certificates[0].Certificate[0])
|
|
if err != nil {
|
|
log.WithFields(log.Fields{
|
|
"error": err,
|
|
}).Error("libvault: failed to parse existing tls certificate")
|
|
}
|
|
|
|
ttl := cert.NotAfter.Sub(time.Now())
|
|
if ttl.Seconds() > VAULT_RENEW_PERIOD.Seconds() {
|
|
// nothing to see here, move along
|
|
log.WithFields(log.Fields{
|
|
"CommonName": req.CommonName,
|
|
"ttl": ttl.String(),
|
|
}).Info("libvault: TLS certificate renewal not required")
|
|
return false, nil
|
|
}
|
|
}
|
|
|
|
// default the TTL if it wasn't previously set
|
|
if req.TTL == 0 {
|
|
req.TTL = VAULT_TTL
|
|
}
|
|
|
|
// issue a new key pair
|
|
log.WithFields(log.Fields{
|
|
"CommonName": req.CommonName,
|
|
}).Debug("libvault: renewing TLS certificate")
|
|
|
|
response := &struct {
|
|
Data struct {
|
|
Certificate string `json:"certificate"`
|
|
IssuingCA string `json:"issuing_ca"`
|
|
CAChain []string `json:"ca_chain"`
|
|
PrivateKey string `json:"private_key"`
|
|
} `json:"data"`
|
|
}{}
|
|
|
|
if err := vault.POST(t, "/burble.dn42/pki/sites/issue/tls", req, response); err != nil {
|
|
log.WithFields(log.Fields{
|
|
"token": t,
|
|
"request": req,
|
|
"error": err,
|
|
}).Error("libvault: vault failed to renew certificate")
|
|
return false, err
|
|
}
|
|
|
|
// update the tls.Config structure
|
|
config.ServerName = req.CommonName
|
|
|
|
config.RootCAs = x509.NewCertPool()
|
|
config.RootCAs.AppendCertsFromPEM([]byte(response.Data.IssuingCA))
|
|
for _, ca := range response.Data.CAChain {
|
|
config.RootCAs.AppendCertsFromPEM([]byte(ca))
|
|
}
|
|
|
|
cert, err := tls.X509KeyPair(
|
|
[]byte(response.Data.Certificate),
|
|
[]byte(response.Data.PrivateKey),
|
|
)
|
|
if err != nil {
|
|
log.WithFields(log.Fields{
|
|
"cert": response.Data.Certificate,
|
|
"key": response.Data.PrivateKey,
|
|
"error": err,
|
|
}).Error("libvault: unable to load x509 cert pair")
|
|
return false, err
|
|
}
|
|
config.Certificates = []tls.Certificate{cert}
|
|
|
|
log.WithFields(log.Fields{
|
|
"CommonName": req.CommonName,
|
|
}).Debug("libvault: issued TLS certificate")
|
|
|
|
return true, nil
|
|
}
|
|
|
|
//////////////////////////////////////////////////////////////////////////
|
|
// end of file
|