Merge pull request #157 in DNS/adguard-dns from feature/600 to master
* commit '6b7a8078b0155ba81678e71fe53f447f444dce8b': * control: use single line comment * disable config saving if invalid pair * control: TLS: don't return empty error messages * control: move TLS handlers to a separate file * helper functions return 'error', not 'int' * tlsConfigStatus.usable is public, renamed ("ValidPair") and is exported to json ("valid_pair") * validateCertificates(): split the function's code * validateCertificates(): change input parameters; added short description + add tests for validateCertificates()
This commit is contained in:
commit
c443672e35
6
app.go
6
app.go
|
@ -176,13 +176,13 @@ func run(args options) {
|
||||||
}
|
}
|
||||||
address := net.JoinHostPort(config.BindHost, strconv.Itoa(config.TLS.PortHTTPS))
|
address := net.JoinHostPort(config.BindHost, strconv.Itoa(config.TLS.PortHTTPS))
|
||||||
// validate current TLS config and update warnings (it could have been loaded from file)
|
// validate current TLS config and update warnings (it could have been loaded from file)
|
||||||
data := validateCertificates(config.TLS)
|
data := validateCertificates(config.TLS.CertificateChain, config.TLS.PrivateKey, config.TLS.ServerName)
|
||||||
if !data.usable {
|
if !data.ValidPair {
|
||||||
log.Fatal(data.WarningValidation)
|
log.Fatal(data.WarningValidation)
|
||||||
os.Exit(1)
|
os.Exit(1)
|
||||||
}
|
}
|
||||||
config.Lock()
|
config.Lock()
|
||||||
config.TLS = data // update warnings
|
config.TLS.tlsConfigStatus = data // update warnings
|
||||||
config.Unlock()
|
config.Unlock()
|
||||||
|
|
||||||
// prepare certs for HTTPS server
|
// prepare certs for HTTPS server
|
||||||
|
|
|
@ -57,6 +57,7 @@ let Form = (props) => {
|
||||||
valid_chain,
|
valid_chain,
|
||||||
valid_key,
|
valid_key,
|
||||||
valid_cert,
|
valid_cert,
|
||||||
|
valid_pair,
|
||||||
dns_names,
|
dns_names,
|
||||||
key_type,
|
key_type,
|
||||||
issuer,
|
issuer,
|
||||||
|
@ -65,6 +66,15 @@ let Form = (props) => {
|
||||||
setTlsConfig,
|
setTlsConfig,
|
||||||
} = props;
|
} = props;
|
||||||
|
|
||||||
|
const isSavingDisabled = invalid
|
||||||
|
|| submitting
|
||||||
|
|| processingConfig
|
||||||
|
|| processingValidate
|
||||||
|
|| (isEnabled && (!privateKey || !certificateChain))
|
||||||
|
|| (privateKey && !valid_key)
|
||||||
|
|| (certificateChain && !valid_cert)
|
||||||
|
|| (privateKey && certificateChain && !valid_pair);
|
||||||
|
|
||||||
return (
|
return (
|
||||||
<form onSubmit={handleSubmit}>
|
<form onSubmit={handleSubmit}>
|
||||||
<div className="row">
|
<div className="row">
|
||||||
|
@ -291,15 +301,7 @@ let Form = (props) => {
|
||||||
<button
|
<button
|
||||||
type="submit"
|
type="submit"
|
||||||
className="btn btn-success btn-standart"
|
className="btn btn-success btn-standart"
|
||||||
disabled={
|
disabled={isSavingDisabled}
|
||||||
invalid
|
|
||||||
|| submitting
|
|
||||||
|| processingConfig
|
|
||||||
|| processingValidate
|
|
||||||
|| (isEnabled && (!privateKey || !certificateChain))
|
|
||||||
|| (privateKey && !valid_key)
|
|
||||||
|| (certificateChain && !valid_cert)
|
|
||||||
}
|
|
||||||
>
|
>
|
||||||
<Trans>save_config</Trans>
|
<Trans>save_config</Trans>
|
||||||
</button>
|
</button>
|
||||||
|
@ -334,6 +336,7 @@ Form.propTypes = {
|
||||||
valid_chain: PropTypes.bool,
|
valid_chain: PropTypes.bool,
|
||||||
valid_key: PropTypes.bool,
|
valid_key: PropTypes.bool,
|
||||||
valid_cert: PropTypes.bool,
|
valid_cert: PropTypes.bool,
|
||||||
|
valid_pair: PropTypes.bool,
|
||||||
dns_names: PropTypes.string,
|
dns_names: PropTypes.string,
|
||||||
key_type: PropTypes.string,
|
key_type: PropTypes.string,
|
||||||
issuer: PropTypes.string,
|
issuer: PropTypes.string,
|
||||||
|
|
|
@ -70,6 +70,7 @@ const encryption = handleActions({
|
||||||
valid_chain: false,
|
valid_chain: false,
|
||||||
valid_key: false,
|
valid_key: false,
|
||||||
valid_cert: false,
|
valid_cert: false,
|
||||||
|
valid_pair: false,
|
||||||
status_cert: '',
|
status_cert: '',
|
||||||
status_key: '',
|
status_key: '',
|
||||||
certificate_chain: '',
|
certificate_chain: '',
|
||||||
|
|
|
@ -87,7 +87,7 @@ type tlsConfigStatus struct {
|
||||||
KeyType string `yaml:"-" json:"key_type,omitempty"` // KeyType is one of RSA or ECDSA
|
KeyType string `yaml:"-" json:"key_type,omitempty"` // KeyType is one of RSA or ECDSA
|
||||||
|
|
||||||
// is usable? set by validator
|
// is usable? set by validator
|
||||||
usable bool
|
ValidPair bool `yaml:"-" json:"valid_pair"` // ValidPair is true if both certificate and private key are correct
|
||||||
|
|
||||||
// warnings
|
// warnings
|
||||||
WarningValidation string `yaml:"-" json:"warning_validation,omitempty"` // WarningValidation is a validation warning message with the issue description
|
WarningValidation string `yaml:"-" json:"warning_validation,omitempty"` // WarningValidation is a validation warning message with the issue description
|
||||||
|
|
303
control.go
303
control.go
|
@ -3,21 +3,12 @@ package main
|
||||||
import (
|
import (
|
||||||
"bytes"
|
"bytes"
|
||||||
"context"
|
"context"
|
||||||
"crypto"
|
|
||||||
"crypto/ecdsa"
|
|
||||||
"crypto/rsa"
|
|
||||||
"crypto/tls"
|
|
||||||
"crypto/x509"
|
|
||||||
"encoding/base64"
|
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"encoding/pem"
|
|
||||||
"errors"
|
|
||||||
"fmt"
|
"fmt"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"net"
|
"net"
|
||||||
"net/http"
|
"net/http"
|
||||||
"os"
|
"os"
|
||||||
"reflect"
|
|
||||||
"sort"
|
"sort"
|
||||||
"strconv"
|
"strconv"
|
||||||
"strings"
|
"strings"
|
||||||
|
@ -26,7 +17,6 @@ import (
|
||||||
"github.com/AdguardTeam/AdGuardHome/dnsforward"
|
"github.com/AdguardTeam/AdGuardHome/dnsforward"
|
||||||
"github.com/AdguardTeam/dnsproxy/upstream"
|
"github.com/AdguardTeam/dnsproxy/upstream"
|
||||||
"github.com/AdguardTeam/golibs/log"
|
"github.com/AdguardTeam/golibs/log"
|
||||||
"github.com/joomcode/errorx"
|
|
||||||
"github.com/miekg/dns"
|
"github.com/miekg/dns"
|
||||||
govalidator "gopkg.in/asaskevich/govalidator.v4"
|
govalidator "gopkg.in/asaskevich/govalidator.v4"
|
||||||
)
|
)
|
||||||
|
@ -1030,295 +1020,6 @@ func handleInstallConfigure(w http.ResponseWriter, r *http.Request) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// ---
|
|
||||||
// TLS
|
|
||||||
// ---
|
|
||||||
func handleTLSStatus(w http.ResponseWriter, r *http.Request) {
|
|
||||||
log.Tracef("%s %v", r.Method, r.URL)
|
|
||||||
marshalTLS(w, config.TLS)
|
|
||||||
}
|
|
||||||
|
|
||||||
func handleTLSValidate(w http.ResponseWriter, r *http.Request) {
|
|
||||||
log.Tracef("%s %v", r.Method, r.URL)
|
|
||||||
data, err := unmarshalTLS(r)
|
|
||||||
if err != nil {
|
|
||||||
httpError(w, http.StatusBadRequest, "Failed to unmarshal TLS config: %s", err)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// check if port is available
|
|
||||||
// BUT: if we are already using this port, no need
|
|
||||||
alreadyRunning := false
|
|
||||||
if httpsServer.server != nil {
|
|
||||||
alreadyRunning = true
|
|
||||||
}
|
|
||||||
if !alreadyRunning {
|
|
||||||
err = checkPortAvailable(config.BindHost, data.PortHTTPS)
|
|
||||||
if err != nil {
|
|
||||||
httpError(w, http.StatusBadRequest, "port %d is not available, cannot enable HTTPS on it", data.PortHTTPS)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
data = validateCertificates(data)
|
|
||||||
marshalTLS(w, data)
|
|
||||||
}
|
|
||||||
|
|
||||||
func handleTLSConfigure(w http.ResponseWriter, r *http.Request) {
|
|
||||||
log.Tracef("%s %v", r.Method, r.URL)
|
|
||||||
data, err := unmarshalTLS(r)
|
|
||||||
if err != nil {
|
|
||||||
httpError(w, http.StatusBadRequest, "Failed to unmarshal TLS config: %s", err)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// check if port is available
|
|
||||||
// BUT: if we are already using this port, no need
|
|
||||||
alreadyRunning := false
|
|
||||||
if httpsServer.server != nil {
|
|
||||||
alreadyRunning = true
|
|
||||||
}
|
|
||||||
if !alreadyRunning {
|
|
||||||
err = checkPortAvailable(config.BindHost, data.PortHTTPS)
|
|
||||||
if err != nil {
|
|
||||||
httpError(w, http.StatusBadRequest, "port %d is not available, cannot enable HTTPS on it", data.PortHTTPS)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
restartHTTPS := false
|
|
||||||
data = validateCertificates(data)
|
|
||||||
if !reflect.DeepEqual(config.TLS.tlsConfigSettings, data.tlsConfigSettings) {
|
|
||||||
log.Printf("tls config settings have changed, will restart HTTPS server")
|
|
||||||
restartHTTPS = true
|
|
||||||
}
|
|
||||||
config.TLS = data
|
|
||||||
err = writeAllConfigsAndReloadDNS()
|
|
||||||
if err != nil {
|
|
||||||
httpError(w, http.StatusInternalServerError, "Couldn't write config file: %s", err)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
marshalTLS(w, data)
|
|
||||||
// this needs to be done in a goroutine because Shutdown() is a blocking call, and it will block
|
|
||||||
// until all requests are finished, and _we_ are inside a request right now, so it will block indefinitely
|
|
||||||
if restartHTTPS {
|
|
||||||
go func() {
|
|
||||||
time.Sleep(time.Second) // TODO: could not find a way to reliably know that data was fully sent to client by https server, so we wait a bit to let response through before closing the server
|
|
||||||
httpsServer.cond.L.Lock()
|
|
||||||
httpsServer.cond.Broadcast()
|
|
||||||
if httpsServer.server != nil {
|
|
||||||
httpsServer.server.Shutdown(context.TODO())
|
|
||||||
}
|
|
||||||
httpsServer.cond.L.Unlock()
|
|
||||||
}()
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func validateCertificates(data tlsConfig) tlsConfig {
|
|
||||||
var err error
|
|
||||||
|
|
||||||
// clear out status for certificates
|
|
||||||
data.tlsConfigStatus = tlsConfigStatus{}
|
|
||||||
|
|
||||||
// check only public certificate separately from the key
|
|
||||||
if data.CertificateChain != "" {
|
|
||||||
log.Tracef("got certificate: %s", data.CertificateChain)
|
|
||||||
|
|
||||||
// now do a more extended validation
|
|
||||||
var certs []*pem.Block // PEM-encoded certificates
|
|
||||||
var skippedBytes []string // skipped bytes
|
|
||||||
|
|
||||||
pemblock := []byte(data.CertificateChain)
|
|
||||||
for {
|
|
||||||
var decoded *pem.Block
|
|
||||||
decoded, pemblock = pem.Decode(pemblock)
|
|
||||||
if decoded == nil {
|
|
||||||
break
|
|
||||||
}
|
|
||||||
if decoded.Type == "CERTIFICATE" {
|
|
||||||
certs = append(certs, decoded)
|
|
||||||
} else {
|
|
||||||
skippedBytes = append(skippedBytes, decoded.Type)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
var parsedCerts []*x509.Certificate
|
|
||||||
|
|
||||||
for _, cert := range certs {
|
|
||||||
parsed, err := x509.ParseCertificate(cert.Bytes)
|
|
||||||
if err != nil {
|
|
||||||
data.WarningValidation = fmt.Sprintf("Failed to parse certificate: %s", err)
|
|
||||||
return data
|
|
||||||
}
|
|
||||||
parsedCerts = append(parsedCerts, parsed)
|
|
||||||
}
|
|
||||||
|
|
||||||
if len(parsedCerts) == 0 {
|
|
||||||
data.WarningValidation = fmt.Sprintf("You have specified an empty certificate")
|
|
||||||
return data
|
|
||||||
}
|
|
||||||
|
|
||||||
data.ValidCert = true
|
|
||||||
|
|
||||||
// spew.Dump(parsedCerts)
|
|
||||||
|
|
||||||
opts := x509.VerifyOptions{
|
|
||||||
DNSName: data.ServerName,
|
|
||||||
}
|
|
||||||
|
|
||||||
log.Printf("number of certs - %d", len(parsedCerts))
|
|
||||||
if len(parsedCerts) > 1 {
|
|
||||||
// set up an intermediate
|
|
||||||
pool := x509.NewCertPool()
|
|
||||||
for _, cert := range parsedCerts[1:] {
|
|
||||||
log.Printf("got an intermediate cert")
|
|
||||||
pool.AddCert(cert)
|
|
||||||
}
|
|
||||||
opts.Intermediates = pool
|
|
||||||
}
|
|
||||||
|
|
||||||
// TODO: save it as a warning rather than error it out -- shouldn't be a big problem
|
|
||||||
mainCert := parsedCerts[0]
|
|
||||||
_, err := mainCert.Verify(opts)
|
|
||||||
if err != nil {
|
|
||||||
// let self-signed certs through
|
|
||||||
data.WarningValidation = fmt.Sprintf("Your certificate does not verify: %s", err)
|
|
||||||
} else {
|
|
||||||
data.ValidChain = true
|
|
||||||
}
|
|
||||||
// spew.Dump(chains)
|
|
||||||
|
|
||||||
// update status
|
|
||||||
if mainCert != nil {
|
|
||||||
notAfter := mainCert.NotAfter
|
|
||||||
data.Subject = mainCert.Subject.String()
|
|
||||||
data.Issuer = mainCert.Issuer.String()
|
|
||||||
data.NotAfter = notAfter
|
|
||||||
data.NotBefore = mainCert.NotBefore
|
|
||||||
data.DNSNames = mainCert.DNSNames
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// validate private key (right now the only validation possible is just parsing it)
|
|
||||||
if data.PrivateKey != "" {
|
|
||||||
// now do a more extended validation
|
|
||||||
var key *pem.Block // PEM-encoded certificates
|
|
||||||
var skippedBytes []string // skipped bytes
|
|
||||||
|
|
||||||
// go through all pem blocks, but take first valid pem block and drop the rest
|
|
||||||
pemblock := []byte(data.PrivateKey)
|
|
||||||
for {
|
|
||||||
var decoded *pem.Block
|
|
||||||
decoded, pemblock = pem.Decode(pemblock)
|
|
||||||
if decoded == nil {
|
|
||||||
break
|
|
||||||
}
|
|
||||||
if decoded.Type == "PRIVATE KEY" || strings.HasSuffix(decoded.Type, " PRIVATE KEY") {
|
|
||||||
key = decoded
|
|
||||||
break
|
|
||||||
} else {
|
|
||||||
skippedBytes = append(skippedBytes, decoded.Type)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if key == nil {
|
|
||||||
data.WarningValidation = "No valid keys were found"
|
|
||||||
return data
|
|
||||||
}
|
|
||||||
|
|
||||||
// parse the decoded key
|
|
||||||
_, keytype, err := parsePrivateKey(key.Bytes)
|
|
||||||
if err != nil {
|
|
||||||
data.WarningValidation = fmt.Sprintf("Failed to parse private key: %s", err)
|
|
||||||
return data
|
|
||||||
}
|
|
||||||
|
|
||||||
data.ValidKey = true
|
|
||||||
data.KeyType = keytype
|
|
||||||
}
|
|
||||||
|
|
||||||
// if both are set, validate both in unison
|
|
||||||
if data.PrivateKey != "" && data.CertificateChain != "" {
|
|
||||||
_, err = tls.X509KeyPair([]byte(data.CertificateChain), []byte(data.PrivateKey))
|
|
||||||
if err != nil {
|
|
||||||
data.WarningValidation = fmt.Sprintf("Invalid certificate or key: %s", err)
|
|
||||||
return data
|
|
||||||
}
|
|
||||||
data.usable = true
|
|
||||||
}
|
|
||||||
|
|
||||||
return data
|
|
||||||
}
|
|
||||||
|
|
||||||
// Attempt to parse the given private key DER block. OpenSSL 0.9.8 generates
|
|
||||||
// PKCS#1 private keys by default, while OpenSSL 1.0.0 generates PKCS#8 keys.
|
|
||||||
// OpenSSL ecparam generates SEC1 EC private keys for ECDSA. We try all three.
|
|
||||||
func parsePrivateKey(der []byte) (crypto.PrivateKey, string, error) {
|
|
||||||
if key, err := x509.ParsePKCS1PrivateKey(der); err == nil {
|
|
||||||
return key, "RSA", nil
|
|
||||||
}
|
|
||||||
if key, err := x509.ParsePKCS8PrivateKey(der); err == nil {
|
|
||||||
switch key := key.(type) {
|
|
||||||
case *rsa.PrivateKey:
|
|
||||||
return key, "RSA", nil
|
|
||||||
case *ecdsa.PrivateKey:
|
|
||||||
return key, "ECDSA", nil
|
|
||||||
default:
|
|
||||||
return nil, "", errors.New("tls: found unknown private key type in PKCS#8 wrapping")
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if key, err := x509.ParseECPrivateKey(der); err == nil {
|
|
||||||
return key, "ECDSA", nil
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil, "", errors.New("tls: failed to parse private key")
|
|
||||||
}
|
|
||||||
|
|
||||||
// unmarshalTLS handles base64-encoded certificates transparently
|
|
||||||
func unmarshalTLS(r *http.Request) (tlsConfig, error) {
|
|
||||||
data := tlsConfig{}
|
|
||||||
err := json.NewDecoder(r.Body).Decode(&data)
|
|
||||||
if err != nil {
|
|
||||||
return data, errorx.Decorate(err, "Failed to parse new TLS config json")
|
|
||||||
}
|
|
||||||
|
|
||||||
if data.CertificateChain != "" {
|
|
||||||
certPEM, err := base64.StdEncoding.DecodeString(data.CertificateChain)
|
|
||||||
if err != nil {
|
|
||||||
return data, errorx.Decorate(err, "Failed to base64-decode certificate chain")
|
|
||||||
}
|
|
||||||
data.CertificateChain = string(certPEM)
|
|
||||||
}
|
|
||||||
|
|
||||||
if data.PrivateKey != "" {
|
|
||||||
keyPEM, err := base64.StdEncoding.DecodeString(data.PrivateKey)
|
|
||||||
if err != nil {
|
|
||||||
return data, errorx.Decorate(err, "Failed to base64-decode private key")
|
|
||||||
}
|
|
||||||
|
|
||||||
data.PrivateKey = string(keyPEM)
|
|
||||||
}
|
|
||||||
|
|
||||||
return data, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func marshalTLS(w http.ResponseWriter, data tlsConfig) {
|
|
||||||
w.Header().Set("Content-Type", "application/json")
|
|
||||||
if data.CertificateChain != "" {
|
|
||||||
encoded := base64.StdEncoding.EncodeToString([]byte(data.CertificateChain))
|
|
||||||
data.CertificateChain = encoded
|
|
||||||
}
|
|
||||||
if data.PrivateKey != "" {
|
|
||||||
encoded := base64.StdEncoding.EncodeToString([]byte(data.PrivateKey))
|
|
||||||
data.PrivateKey = encoded
|
|
||||||
}
|
|
||||||
err := json.NewEncoder(w).Encode(data)
|
|
||||||
if err != nil {
|
|
||||||
httpError(w, http.StatusInternalServerError, "Failed to marshal json with TLS status: %s", err)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// --------------
|
// --------------
|
||||||
// DNS-over-HTTPS
|
// DNS-over-HTTPS
|
||||||
// --------------
|
// --------------
|
||||||
|
@ -1384,9 +1085,7 @@ func registerControlHandlers() {
|
||||||
http.HandleFunc("/control/dhcp/set_config", postInstall(optionalAuth(ensurePOST(handleDHCPSetConfig))))
|
http.HandleFunc("/control/dhcp/set_config", postInstall(optionalAuth(ensurePOST(handleDHCPSetConfig))))
|
||||||
http.HandleFunc("/control/dhcp/find_active_dhcp", postInstall(optionalAuth(ensurePOST(handleDHCPFindActiveServer))))
|
http.HandleFunc("/control/dhcp/find_active_dhcp", postInstall(optionalAuth(ensurePOST(handleDHCPFindActiveServer))))
|
||||||
|
|
||||||
http.HandleFunc("/control/tls/status", postInstall(optionalAuth(ensureGET(handleTLSStatus))))
|
RegisterTLSHandlers()
|
||||||
http.HandleFunc("/control/tls/configure", postInstall(optionalAuth(ensurePOST(handleTLSConfigure))))
|
|
||||||
http.HandleFunc("/control/tls/validate", postInstall(optionalAuth(ensurePOST(handleTLSValidate))))
|
|
||||||
|
|
||||||
http.HandleFunc("/dns-query", postInstall(handleDOH))
|
http.HandleFunc("/dns-query", postInstall(handleDOH))
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,77 @@
|
||||||
|
package main
|
||||||
|
|
||||||
|
import (
|
||||||
|
"testing"
|
||||||
|
"time"
|
||||||
|
)
|
||||||
|
|
||||||
|
/* Tests performed:
|
||||||
|
. Bad certificate
|
||||||
|
. Bad private key
|
||||||
|
. Valid certificate & private key */
|
||||||
|
func TestValidateCertificates(t *testing.T) {
|
||||||
|
var data tlsConfigStatus
|
||||||
|
|
||||||
|
// bad cert
|
||||||
|
data = validateCertificates("bad cert", "", "")
|
||||||
|
if !(data.WarningValidation != "" &&
|
||||||
|
!data.ValidCert &&
|
||||||
|
!data.ValidChain) {
|
||||||
|
t.Fatalf("bad cert: validateCertificates(): %v", data)
|
||||||
|
}
|
||||||
|
|
||||||
|
// bad priv key
|
||||||
|
data = validateCertificates("", "bad priv key", "")
|
||||||
|
if !(data.WarningValidation != "" &&
|
||||||
|
!data.ValidKey) {
|
||||||
|
t.Fatalf("bad priv key: validateCertificates(): %v", data)
|
||||||
|
}
|
||||||
|
|
||||||
|
// valid cert & priv key
|
||||||
|
CertificateChain := `-----BEGIN CERTIFICATE-----
|
||||||
|
MIICKzCCAZSgAwIBAgIJAMT9kPVJdM7LMA0GCSqGSIb3DQEBCwUAMC0xFDASBgNV
|
||||||
|
BAoMC0FkR3VhcmQgTHRkMRUwEwYDVQQDDAxBZEd1YXJkIEhvbWUwHhcNMTkwMjI3
|
||||||
|
MDkyNDIzWhcNNDYwNzE0MDkyNDIzWjAtMRQwEgYDVQQKDAtBZEd1YXJkIEx0ZDEV
|
||||||
|
MBMGA1UEAwwMQWRHdWFyZCBIb21lMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
|
||||||
|
gQCwvwUnPJiOvLcOaWmGu6Y68ksFr13nrXBcsDlhxlXy8PaohVi3XxEmt2OrVjKW
|
||||||
|
QFw/bdV4fZ9tdWFAVRRkgeGbIZzP7YBD1Ore/O5SQ+DbCCEafvjJCcXQIrTeKFE6
|
||||||
|
i9G3aSMHs0Pwq2LgV8U5mYotLrvyFiE8QPInJbDDMpaFYwIDAQABo1MwUTAdBgNV
|
||||||
|
HQ4EFgQUdLUmQpEqrhn4eKO029jYd2AAZEQwHwYDVR0jBBgwFoAUdLUmQpEqrhn4
|
||||||
|
eKO029jYd2AAZEQwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOBgQB8
|
||||||
|
LwlXfbakf7qkVTlCNXgoY7RaJ8rJdPgOZPoCTVToEhT6u/cb1c2qp8QB0dNExDna
|
||||||
|
b0Z+dnODTZqQOJo6z/wIXlcUrnR4cQVvytXt8lFn+26l6Y6EMI26twC/xWr+1swq
|
||||||
|
Muj4FeWHVDerquH4yMr1jsYLD3ci+kc5sbIX6TfVxQ==
|
||||||
|
-----END CERTIFICATE-----`
|
||||||
|
PrivateKey := `-----BEGIN PRIVATE KEY-----
|
||||||
|
MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBALC/BSc8mI68tw5p
|
||||||
|
aYa7pjrySwWvXeetcFywOWHGVfLw9qiFWLdfESa3Y6tWMpZAXD9t1Xh9n211YUBV
|
||||||
|
FGSB4ZshnM/tgEPU6t787lJD4NsIIRp++MkJxdAitN4oUTqL0bdpIwezQ/CrYuBX
|
||||||
|
xTmZii0uu/IWITxA8iclsMMyloVjAgMBAAECgYEAmjzoG1h27UDkIlB9BVWl95TP
|
||||||
|
QVPLB81D267xNFDnWk1Lgr5zL/pnNjkdYjyjgpkBp1yKyE4gHV4skv5sAFWTcOCU
|
||||||
|
QCgfPfUn/rDFcxVzAdJVWAa/CpJNaZgjTPR8NTGU+Ztod+wfBESNCP5tbnuw0GbL
|
||||||
|
MuwdLQJGbzeJYpsNysECQQDfFHYoRNfgxHwMbX24GCoNZIgk12uDmGTA9CS5E+72
|
||||||
|
9t3V1y4CfXxSkfhqNbd5RWrUBRLEw9BKofBS7L9NMDKDAkEAytQoIueE1vqEAaRg
|
||||||
|
a3A1YDUekKesU5wKfKfKlXvNgB7Hwh4HuvoQS9RCvVhf/60Dvq8KSu6hSjkFRquj
|
||||||
|
FQ5roQJBAMwKwyiCD5MfJPeZDmzcbVpiocRQ5Z4wPbffl9dRTDnIA5AciZDthlFg
|
||||||
|
An/jMjZSMCxNl6UyFcqt5Et1EGVhuFECQQCZLXxaT+qcyHjlHJTMzuMgkz1QFbEp
|
||||||
|
O5EX70gpeGQMPDK0QSWpaazg956njJSDbNCFM4BccrdQbJu1cW4qOsfBAkAMgZuG
|
||||||
|
O88slmgTRHX4JGFmy3rrLiHNI2BbJSuJ++Yllz8beVzh6NfvuY+HKRCmPqoBPATU
|
||||||
|
kXS9jgARhhiWXJrk
|
||||||
|
-----END PRIVATE KEY-----`
|
||||||
|
data = validateCertificates(CertificateChain, PrivateKey, "")
|
||||||
|
notBefore, _ := time.Parse(time.RFC3339, "2019-02-27T09:24:23Z")
|
||||||
|
notAfter, _ := time.Parse(time.RFC3339, "2046-07-14T09:24:23Z")
|
||||||
|
if !(data.WarningValidation != "" /* self signed */ &&
|
||||||
|
data.ValidCert &&
|
||||||
|
!data.ValidChain &&
|
||||||
|
data.ValidKey &&
|
||||||
|
data.KeyType == "RSA" &&
|
||||||
|
data.Subject == "CN=AdGuard Home,O=AdGuard Ltd" &&
|
||||||
|
data.Issuer == "CN=AdGuard Home,O=AdGuard Ltd" &&
|
||||||
|
data.NotBefore == notBefore &&
|
||||||
|
data.NotAfter == notAfter &&
|
||||||
|
// data.DNSNames[0] == &&
|
||||||
|
data.ValidPair) {
|
||||||
|
t.Fatalf("valid cert & priv key: validateCertificates(): %v", data)
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,338 @@
|
||||||
|
// Control: TLS configuring handlers
|
||||||
|
|
||||||
|
package main
|
||||||
|
|
||||||
|
import (
|
||||||
|
"context"
|
||||||
|
"crypto"
|
||||||
|
"crypto/ecdsa"
|
||||||
|
"crypto/rsa"
|
||||||
|
"crypto/tls"
|
||||||
|
"crypto/x509"
|
||||||
|
"encoding/base64"
|
||||||
|
"encoding/json"
|
||||||
|
"encoding/pem"
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
"net/http"
|
||||||
|
"reflect"
|
||||||
|
"strings"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/AdguardTeam/golibs/log"
|
||||||
|
"github.com/joomcode/errorx"
|
||||||
|
)
|
||||||
|
|
||||||
|
// RegisterTLSHandlers registers HTTP handlers for TLS configuration
|
||||||
|
func RegisterTLSHandlers() {
|
||||||
|
http.HandleFunc("/control/tls/status", postInstall(optionalAuth(ensureGET(handleTLSStatus))))
|
||||||
|
http.HandleFunc("/control/tls/configure", postInstall(optionalAuth(ensurePOST(handleTLSConfigure))))
|
||||||
|
http.HandleFunc("/control/tls/validate", postInstall(optionalAuth(ensurePOST(handleTLSValidate))))
|
||||||
|
}
|
||||||
|
|
||||||
|
func handleTLSStatus(w http.ResponseWriter, r *http.Request) {
|
||||||
|
log.Tracef("%s %v", r.Method, r.URL)
|
||||||
|
marshalTLS(w, config.TLS)
|
||||||
|
}
|
||||||
|
|
||||||
|
func handleTLSValidate(w http.ResponseWriter, r *http.Request) {
|
||||||
|
log.Tracef("%s %v", r.Method, r.URL)
|
||||||
|
data, err := unmarshalTLS(r)
|
||||||
|
if err != nil {
|
||||||
|
httpError(w, http.StatusBadRequest, "Failed to unmarshal TLS config: %s", err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// check if port is available
|
||||||
|
// BUT: if we are already using this port, no need
|
||||||
|
alreadyRunning := false
|
||||||
|
if httpsServer.server != nil {
|
||||||
|
alreadyRunning = true
|
||||||
|
}
|
||||||
|
if !alreadyRunning {
|
||||||
|
err = checkPortAvailable(config.BindHost, data.PortHTTPS)
|
||||||
|
if err != nil {
|
||||||
|
httpError(w, http.StatusBadRequest, "port %d is not available, cannot enable HTTPS on it", data.PortHTTPS)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
data.tlsConfigStatus = validateCertificates(data.CertificateChain, data.PrivateKey, data.ServerName)
|
||||||
|
marshalTLS(w, data)
|
||||||
|
}
|
||||||
|
|
||||||
|
func handleTLSConfigure(w http.ResponseWriter, r *http.Request) {
|
||||||
|
log.Tracef("%s %v", r.Method, r.URL)
|
||||||
|
data, err := unmarshalTLS(r)
|
||||||
|
if err != nil {
|
||||||
|
httpError(w, http.StatusBadRequest, "Failed to unmarshal TLS config: %s", err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// check if port is available
|
||||||
|
// BUT: if we are already using this port, no need
|
||||||
|
alreadyRunning := false
|
||||||
|
if httpsServer.server != nil {
|
||||||
|
alreadyRunning = true
|
||||||
|
}
|
||||||
|
if !alreadyRunning {
|
||||||
|
err = checkPortAvailable(config.BindHost, data.PortHTTPS)
|
||||||
|
if err != nil {
|
||||||
|
httpError(w, http.StatusBadRequest, "port %d is not available, cannot enable HTTPS on it", data.PortHTTPS)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
restartHTTPS := false
|
||||||
|
data.tlsConfigStatus = validateCertificates(data.CertificateChain, data.PrivateKey, data.ServerName)
|
||||||
|
if !reflect.DeepEqual(config.TLS.tlsConfigSettings, data.tlsConfigSettings) {
|
||||||
|
log.Printf("tls config settings have changed, will restart HTTPS server")
|
||||||
|
restartHTTPS = true
|
||||||
|
}
|
||||||
|
config.TLS = data
|
||||||
|
err = writeAllConfigsAndReloadDNS()
|
||||||
|
if err != nil {
|
||||||
|
httpError(w, http.StatusInternalServerError, "Couldn't write config file: %s", err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
marshalTLS(w, data)
|
||||||
|
// this needs to be done in a goroutine because Shutdown() is a blocking call, and it will block
|
||||||
|
// until all requests are finished, and _we_ are inside a request right now, so it will block indefinitely
|
||||||
|
if restartHTTPS {
|
||||||
|
go func() {
|
||||||
|
time.Sleep(time.Second) // TODO: could not find a way to reliably know that data was fully sent to client by https server, so we wait a bit to let response through before closing the server
|
||||||
|
httpsServer.cond.L.Lock()
|
||||||
|
httpsServer.cond.Broadcast()
|
||||||
|
if httpsServer.server != nil {
|
||||||
|
httpsServer.server.Shutdown(context.TODO())
|
||||||
|
}
|
||||||
|
httpsServer.cond.L.Unlock()
|
||||||
|
}()
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func verifyCertChain(data *tlsConfigStatus, certChain string, serverName string) error {
|
||||||
|
log.Tracef("got certificate: %s", certChain)
|
||||||
|
|
||||||
|
// now do a more extended validation
|
||||||
|
var certs []*pem.Block // PEM-encoded certificates
|
||||||
|
var skippedBytes []string // skipped bytes
|
||||||
|
|
||||||
|
pemblock := []byte(certChain)
|
||||||
|
for {
|
||||||
|
var decoded *pem.Block
|
||||||
|
decoded, pemblock = pem.Decode(pemblock)
|
||||||
|
if decoded == nil {
|
||||||
|
break
|
||||||
|
}
|
||||||
|
if decoded.Type == "CERTIFICATE" {
|
||||||
|
certs = append(certs, decoded)
|
||||||
|
} else {
|
||||||
|
skippedBytes = append(skippedBytes, decoded.Type)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
var parsedCerts []*x509.Certificate
|
||||||
|
|
||||||
|
for _, cert := range certs {
|
||||||
|
parsed, err := x509.ParseCertificate(cert.Bytes)
|
||||||
|
if err != nil {
|
||||||
|
data.WarningValidation = fmt.Sprintf("Failed to parse certificate: %s", err)
|
||||||
|
return errors.New(data.WarningValidation)
|
||||||
|
}
|
||||||
|
parsedCerts = append(parsedCerts, parsed)
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(parsedCerts) == 0 {
|
||||||
|
data.WarningValidation = fmt.Sprintf("You have specified an empty certificate")
|
||||||
|
return errors.New(data.WarningValidation)
|
||||||
|
}
|
||||||
|
|
||||||
|
data.ValidCert = true
|
||||||
|
|
||||||
|
// spew.Dump(parsedCerts)
|
||||||
|
|
||||||
|
opts := x509.VerifyOptions{
|
||||||
|
DNSName: serverName,
|
||||||
|
}
|
||||||
|
|
||||||
|
log.Printf("number of certs - %d", len(parsedCerts))
|
||||||
|
if len(parsedCerts) > 1 {
|
||||||
|
// set up an intermediate
|
||||||
|
pool := x509.NewCertPool()
|
||||||
|
for _, cert := range parsedCerts[1:] {
|
||||||
|
log.Printf("got an intermediate cert")
|
||||||
|
pool.AddCert(cert)
|
||||||
|
}
|
||||||
|
opts.Intermediates = pool
|
||||||
|
}
|
||||||
|
|
||||||
|
// TODO: save it as a warning rather than error it out -- shouldn't be a big problem
|
||||||
|
mainCert := parsedCerts[0]
|
||||||
|
_, err := mainCert.Verify(opts)
|
||||||
|
if err != nil {
|
||||||
|
// let self-signed certs through
|
||||||
|
data.WarningValidation = fmt.Sprintf("Your certificate does not verify: %s", err)
|
||||||
|
} else {
|
||||||
|
data.ValidChain = true
|
||||||
|
}
|
||||||
|
// spew.Dump(chains)
|
||||||
|
|
||||||
|
// update status
|
||||||
|
if mainCert != nil {
|
||||||
|
notAfter := mainCert.NotAfter
|
||||||
|
data.Subject = mainCert.Subject.String()
|
||||||
|
data.Issuer = mainCert.Issuer.String()
|
||||||
|
data.NotAfter = notAfter
|
||||||
|
data.NotBefore = mainCert.NotBefore
|
||||||
|
data.DNSNames = mainCert.DNSNames
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func validatePkey(data *tlsConfigStatus, pkey string) error {
|
||||||
|
// now do a more extended validation
|
||||||
|
var key *pem.Block // PEM-encoded certificates
|
||||||
|
var skippedBytes []string // skipped bytes
|
||||||
|
|
||||||
|
// go through all pem blocks, but take first valid pem block and drop the rest
|
||||||
|
pemblock := []byte(pkey)
|
||||||
|
for {
|
||||||
|
var decoded *pem.Block
|
||||||
|
decoded, pemblock = pem.Decode(pemblock)
|
||||||
|
if decoded == nil {
|
||||||
|
break
|
||||||
|
}
|
||||||
|
if decoded.Type == "PRIVATE KEY" || strings.HasSuffix(decoded.Type, " PRIVATE KEY") {
|
||||||
|
key = decoded
|
||||||
|
break
|
||||||
|
} else {
|
||||||
|
skippedBytes = append(skippedBytes, decoded.Type)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if key == nil {
|
||||||
|
data.WarningValidation = "No valid keys were found"
|
||||||
|
return errors.New(data.WarningValidation)
|
||||||
|
}
|
||||||
|
|
||||||
|
// parse the decoded key
|
||||||
|
_, keytype, err := parsePrivateKey(key.Bytes)
|
||||||
|
if err != nil {
|
||||||
|
data.WarningValidation = fmt.Sprintf("Failed to parse private key: %s", err)
|
||||||
|
return errors.New(data.WarningValidation)
|
||||||
|
}
|
||||||
|
|
||||||
|
data.ValidKey = true
|
||||||
|
data.KeyType = keytype
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Process certificate data and its private key.
|
||||||
|
// All parameters are optional.
|
||||||
|
// On error, return partially set object
|
||||||
|
// with 'WarningValidation' field containing error description.
|
||||||
|
func validateCertificates(certChain, pkey, serverName string) tlsConfigStatus {
|
||||||
|
var data tlsConfigStatus
|
||||||
|
|
||||||
|
// check only public certificate separately from the key
|
||||||
|
if certChain != "" {
|
||||||
|
if verifyCertChain(&data, certChain, serverName) != nil {
|
||||||
|
return data
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// validate private key (right now the only validation possible is just parsing it)
|
||||||
|
if pkey != "" {
|
||||||
|
if validatePkey(&data, pkey) != nil {
|
||||||
|
return data
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// if both are set, validate both in unison
|
||||||
|
if pkey != "" && certChain != "" {
|
||||||
|
_, err := tls.X509KeyPair([]byte(certChain), []byte(pkey))
|
||||||
|
if err != nil {
|
||||||
|
data.WarningValidation = fmt.Sprintf("Invalid certificate or key: %s", err)
|
||||||
|
return data
|
||||||
|
}
|
||||||
|
data.ValidPair = true
|
||||||
|
}
|
||||||
|
|
||||||
|
return data
|
||||||
|
}
|
||||||
|
|
||||||
|
// Attempt to parse the given private key DER block. OpenSSL 0.9.8 generates
|
||||||
|
// PKCS#1 private keys by default, while OpenSSL 1.0.0 generates PKCS#8 keys.
|
||||||
|
// OpenSSL ecparam generates SEC1 EC private keys for ECDSA. We try all three.
|
||||||
|
func parsePrivateKey(der []byte) (crypto.PrivateKey, string, error) {
|
||||||
|
if key, err := x509.ParsePKCS1PrivateKey(der); err == nil {
|
||||||
|
return key, "RSA", nil
|
||||||
|
}
|
||||||
|
|
||||||
|
if key, err := x509.ParsePKCS8PrivateKey(der); err == nil {
|
||||||
|
switch key := key.(type) {
|
||||||
|
case *rsa.PrivateKey:
|
||||||
|
return key, "RSA", nil
|
||||||
|
case *ecdsa.PrivateKey:
|
||||||
|
return key, "ECDSA", nil
|
||||||
|
default:
|
||||||
|
return nil, "", errors.New("tls: found unknown private key type in PKCS#8 wrapping")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if key, err := x509.ParseECPrivateKey(der); err == nil {
|
||||||
|
return key, "ECDSA", nil
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil, "", errors.New("tls: failed to parse private key")
|
||||||
|
}
|
||||||
|
|
||||||
|
// unmarshalTLS handles base64-encoded certificates transparently
|
||||||
|
func unmarshalTLS(r *http.Request) (tlsConfig, error) {
|
||||||
|
data := tlsConfig{}
|
||||||
|
err := json.NewDecoder(r.Body).Decode(&data)
|
||||||
|
if err != nil {
|
||||||
|
return data, errorx.Decorate(err, "Failed to parse new TLS config json")
|
||||||
|
}
|
||||||
|
|
||||||
|
if data.CertificateChain != "" {
|
||||||
|
certPEM, err := base64.StdEncoding.DecodeString(data.CertificateChain)
|
||||||
|
if err != nil {
|
||||||
|
return data, errorx.Decorate(err, "Failed to base64-decode certificate chain")
|
||||||
|
}
|
||||||
|
data.CertificateChain = string(certPEM)
|
||||||
|
}
|
||||||
|
|
||||||
|
if data.PrivateKey != "" {
|
||||||
|
keyPEM, err := base64.StdEncoding.DecodeString(data.PrivateKey)
|
||||||
|
if err != nil {
|
||||||
|
return data, errorx.Decorate(err, "Failed to base64-decode private key")
|
||||||
|
}
|
||||||
|
|
||||||
|
data.PrivateKey = string(keyPEM)
|
||||||
|
}
|
||||||
|
|
||||||
|
return data, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func marshalTLS(w http.ResponseWriter, data tlsConfig) {
|
||||||
|
w.Header().Set("Content-Type", "application/json")
|
||||||
|
|
||||||
|
if data.CertificateChain != "" {
|
||||||
|
encoded := base64.StdEncoding.EncodeToString([]byte(data.CertificateChain))
|
||||||
|
data.CertificateChain = encoded
|
||||||
|
}
|
||||||
|
|
||||||
|
if data.PrivateKey != "" {
|
||||||
|
encoded := base64.StdEncoding.EncodeToString([]byte(data.PrivateKey))
|
||||||
|
data.PrivateKey = encoded
|
||||||
|
}
|
||||||
|
|
||||||
|
err := json.NewEncoder(w).Encode(data)
|
||||||
|
if err != nil {
|
||||||
|
httpError(w, http.StatusInternalServerError, "Failed to marshal json with TLS status: %s", err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
|
@ -1247,6 +1247,10 @@ definitions:
|
||||||
type: "string"
|
type: "string"
|
||||||
example: "You have specified an empty certificate"
|
example: "You have specified an empty certificate"
|
||||||
description: "warning_validation is a validation warning message with the issue description"
|
description: "warning_validation is a validation warning message with the issue description"
|
||||||
|
valid_pair:
|
||||||
|
type: "boolean"
|
||||||
|
example: "true"
|
||||||
|
description: "valid_pair is true if both certificate and private key are correct"
|
||||||
NetInterface:
|
NetInterface:
|
||||||
type: "object"
|
type: "object"
|
||||||
description: "Network interface info"
|
description: "Network interface info"
|
||||||
|
|
Loading…
Reference in New Issue