package acme
import (
"crypto/ecdsa"
"crypto/x509"
"encoding/json"
"encoding/pem"
"fmt"
"strings"
"github.com/go-acme/lego/certificate"
"github.com/hashicorp/vault/api"
)
// vaultStorage implements Storage on top of HashiCorp Vault's logical API.
// Certificates live directly beneath path; ACME accounts beneath
// path + ".letsencrypt/".
type vaultStorage struct {
	// path is the Vault path prefix every secret is written under.
	// makeVaultStorage normalises it to end with "/", so names are appended
	// to it directly.
	path string
	// client is the Vault logical (Read/Write) API used by every method.
	client *api.Logical
}
// makeVaultStorage builds a Storage backed by Vault. All secrets are written
// beneath vaultPath, which is normalised to end with "/" so that certificate
// and account names can be appended to it directly. The Vault client is
// created from api.DefaultConfig (which the vault api package fills from its
// VAULT_* environment variables); a client construction error is returned
// unchanged.
func makeVaultStorage(vaultPath string) (Storage, error) {
	prefix := vaultPath
	if !strings.HasSuffix(prefix, "/") {
		prefix += "/"
	}

	c, err := api.NewClient(api.DefaultConfig())
	if err != nil {
		return nil, err
	}

	return &vaultStorage{path: prefix, client: c.Logical()}, nil
}
// GetCertificate loads the certificate stored under name. It returns
// (nil, nil) when Vault holds no secret at that path, so callers must check
// for a nil Resource as well as for an error. The "meta" field carries the
// JSON encoding of the certificate.Resource; the certificate and private-key
// bytes are stored as the separate "tls.cert" and "tls.key" fields and are
// reassigned onto the Resource here. Every field is mandatory: a missing or
// non-string field is an error.
func (v *vaultStorage) GetCertificate(name string) (*certificate.Resource, error) {
	path := v.certPath(name)
	secret, err := v.client.Read(path)
	if err != nil {
		return nil, err
	}
	if secret == nil {
		// An absent secret is reported as (nil, nil), not as an error.
		return nil, nil
	}

	meta, err := v.getString("meta", secret.Data, path)
	if err != nil {
		return nil, err
	}
	res := &certificate.Resource{}
	if err := json.Unmarshal(meta, res); err != nil {
		return nil, err
	}

	if res.Certificate, err = v.getString("tls.cert", secret.Data, path); err != nil {
		return nil, err
	}
	if res.PrivateKey, err = v.getString("tls.key", secret.Data, path); err != nil {
		return nil, err
	}
	return res, nil
}
// getString fetches data[key] and returns it as bytes. Vault hands secret
// values back as interface{}; this storage only ever writes string values
// (see StoreCertificate and StoreAccount), so any other dynamic type is
// rejected. path appears only in the error messages so that a failure
// names the offending secret. The receiver is not used. A nil data map
// simply reports the key as missing.
func (v *vaultStorage) getString(key string, data map[string]interface{}, path string) ([]byte, error) {
	raw, present := data[key]
	if !present {
		return nil, fmt.Errorf("secret at %s does not have key %s", path, key)
	}

	switch s := raw.(type) {
	case string:
		return []byte(s), nil
	default:
		return nil, fmt.Errorf("secret at %s is not string", path)
	}
}
// StoreCertificate writes cert to Vault under certPath(name) as four string
// fields: "tls.cert" and "tls.key" hold the Resource's certificate and
// private-key bytes, "tls.combined" concatenates them (certificate, newline,
// key) for consumers that want a single bundle, and "meta" holds the
// indented JSON encoding of the whole Resource. Only the error from the
// Vault write is returned; the secret value it returns is discarded.
func (v *vaultStorage) StoreCertificate(name string, cert *certificate.Resource) error {
	meta, err := json.MarshalIndent(cert, "", " ")
	if err != nil {
		return err
	}

	certPEM, keyPEM := string(cert.Certificate), string(cert.PrivateKey)
	fields := map[string]interface{}{
		"tls.cert":     certPEM,
		"tls.key":      keyPEM,
		"tls.combined": certPEM + "\n" + keyPEM,
		"meta":         string(meta),
	}

	_, err = v.client.Write(v.certPath(name), fields)
	return err
}
// registrationPath is the Vault path holding the ACME account (the
// "registration" JSON and the account key) for the given ACME server host:
// the storage prefix, a ".letsencrypt/" segment, then the host.
func (v *vaultStorage) registrationPath(acmeHost string) string {
	return fmt.Sprintf("%s.letsencrypt/%s", v.path, acmeHost)
}
// certPath is the Vault path for the certificate called name: the storage
// prefix (normalised by makeVaultStorage to end in "/") followed directly
// by name. name is neither validated nor escaped here; since Vault paths
// are "/"-separated, a name containing "/" addresses a nested path beneath
// the prefix, so callers are expected to pass plain certificate names
// (TODO confirm at the call sites, which are outside this file).
func (v *vaultStorage) certPath(name string) string {
	return strings.Join([]string{v.path, name}, "")
}
// GetAccount loads the ACME account registered with acmeHost. It returns
// (nil, nil) when no secret exists at registrationPath(acmeHost). The
// "registration" field is the JSON encoding of the Account; the account's
// private key — an unexported field, which encoding/json skips — is restored
// from the PEM-encoded EC key in "tls.key". Only the first PEM block is
// considered; any trailing data is ignored.
func (v *vaultStorage) GetAccount(acmeHost string) (*Account, error) {
	path := v.registrationPath(acmeHost)
	secret, err := v.client.Read(path)
	if err != nil {
		return nil, err
	}
	if secret == nil {
		return nil, nil
	}

	reg, err := v.getString("registration", secret.Data, path)
	if err != nil {
		return nil, err
	}
	acct := &Account{}
	if err := json.Unmarshal(reg, acct); err != nil {
		return nil, err
	}

	keyPEM, err := v.getString("tls.key", secret.Data, path)
	if err != nil {
		return nil, err
	}
	block, _ := pem.Decode(keyPEM)
	if block == nil {
		return nil, fmt.Errorf("error decoding account private key")
	}

	var key *ecdsa.PrivateKey
	if key, err = x509.ParseECPrivateKey(block.Bytes); err != nil {
		return nil, err
	}
	acct.key = key
	return acct, nil
}
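// StoreAccount persists account under registrationPath(acmeHost) as two
// string fields: "registration", the indented JSON encoding of the Account
// (exported fields only), and "tls.key", the account's EC private key as a
// PEM "EC PRIVATE KEY" block — the key field is unexported, so it would be
// lost from the JSON otherwise. A nil account, or one without a key, is
// rejected with an error instead of a nil-pointer panic inside
// x509.MarshalECPrivateKey. Only the error of the Vault write is returned.
func (v *vaultStorage) StoreAccount(acmeHost string, account *Account) error {
	if account == nil || account.key == nil {
		return fmt.Errorf("account for %s has no private key to store", acmeHost)
	}

	acctJSON, err := json.MarshalIndent(account, "", " ")
	if err != nil {
		return err
	}

	der, err := x509.MarshalECPrivateKey(account.key)
	if err != nil {
		return err
	}
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der})

	_, err = v.client.Write(v.registrationPath(acmeHost), map[string]interface{}{
		"registration": string(acctJSON),
		"tls.key":      string(keyPEM),
	})
	return err
}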