v2 init commit

src/mod/tlscert/helper.go

@@ -0,0 +1,60 @@
+package tlscert
+
+import (
+	"path/filepath"
+	"strings"
+)
+
+//This remove the certificates in the list where either the
+//public key or the private key is missing
+func getCertPairs(certFiles []string) []string {
+	crtMap := make(map[string]bool)
+	keyMap := make(map[string]bool)
+
+	for _, filename := range certFiles {
+		if filepath.Ext(filename) == ".crt" {
+			crtMap[strings.TrimSuffix(filename, ".crt")] = true
+		} else if filepath.Ext(filename) == ".key" {
+			keyMap[strings.TrimSuffix(filename, ".key")] = true
+		}
+	}
+
+	var result []string
+	for domain := range crtMap {
+		if keyMap[domain] {
+			result = append(result, domain)
+		}
+	}
+
+	return result
+}
+
+//Get the cloest subdomain certificate from a list of domains
+func matchClosestDomainCertificate(subdomain string, domains []string) string {
+	var matchingDomain string = ""
+	maxLength := 0
+
+	for _, domain := range domains {
+		if strings.HasSuffix(subdomain, "."+domain) && len(domain) > maxLength {
+			matchingDomain = domain
+			maxLength = len(domain)
+		}
+	}
+
+	return matchingDomain
+}
+
+//Check if a requesting domain is a subdomain of a given domain
+func isSubdomain(subdomain, domain string) bool {
+	subdomainParts := strings.Split(subdomain, ".")
+	domainParts := strings.Split(domain, ".")
+	if len(subdomainParts) < len(domainParts) {
+		return false
+	}
+	for i := range domainParts {
+		if subdomainParts[len(subdomainParts)-1-i] != domainParts[len(domainParts)-1-i] {
+			return false
+		}
+	}
+	return true
+}

src/mod/tlscert/localhost.crt

@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF8TCCA9mgAwIBAgIUavNWjB6rlfRLpeXJ9TXb2FVrENYwDQYJKoZIhvcNAQEL
+BQAwbjELMAkGA1UEBhMCR0wxEjAQBgNVBAgMCU1pbGt5IFdheTEOMAwGA1UEBwwF
+RWFydGgxEDAOBgNVBAoMB2ltdXNsYWIxDzANBgNVBAsMBkFyb3pPUzEYMBYGA1UE
+AwwPd3d3LmltdXNsYWIuY29tMB4XDTIxMDkxNzA4NTkyNFoXDTQ5MDIwMTA4NTky
+NFowbjELMAkGA1UEBhMCR0wxEjAQBgNVBAgMCU1pbGt5IFdheTEOMAwGA1UEBwwF
+RWFydGgxEDAOBgNVBAoMB2ltdXNsYWIxDzANBgNVBAsMBkFyb3pPUzEYMBYGA1UE
+AwwPd3d3LmltdXNsYWIuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC
+AgEAsBpf9ufRYOfdKft+51EibpqhA9yw6YstxL5BNselx3ETVnu7vYRIlH0ypgPN
+nKguZ+BcN4mJFjQ36N4VpN7ySVfOCSCZz7lPvPfLib9iukBodBYQNAzMkKcLjyoY
+gS8MD99cqe7s48k4JKp6b2WOmn2OtVZIS7AKZvVsRJNblhy7C3LkLnASKF0jb/ia
+MGRAE+QV/zznvGg9FhNgQWWUil2Oesx3elj4KwlcHNX+c9pZz6yVgJrerj0s94OD
+EuueiqAFOWsZrpp754ffC45PbeTNiflQ1B3aqkTtl5bL88ESgwMdtb1JGWN5HIS1
+Tq2d/3PgqbtvUEhggaFDbe0OxG2V33HqEfeG3BpZpYhCB3I7FPpRC/Tp8PACY13N
+HYB9P5hRU/DnINhHjMCLKxHsolhiphWuxSuNIIojRL62zj7JwjnBgcghQzVFJ4O4
+TBfeMDadLII3ndDtsmR1dIba7fg+CWWdv4Zs0XGqHOaiHNclc7BhJF8SgiQxjxjm
+Fh1ZsJm3LxPsw/iCl7ILE7+1aBQlBjEj0yBvMttkEDhRbILxXFPMALG/qakPvW9O
+7WWClAc03ei/JFdq2camuY62/Tf1HB+TSpGWYH+cSIqsu3V5u29jmdZjrjnuM7Fz
+GEjNSCsrMhSLYLkMJmrDGdFQBB31x24o9IXtyrfKZiwxMlUCAwEAAaOBhjCBgzAL
+BgNVHQ8EBAMCBeAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwQAYDVR0RBDkwN4IBKoIQ
+aW11c2xhYi5pbnRlcm5hbIISbm90LmZvci5wcm9kdWN0aW9uggxkZXYudXNlLm9u
+bHkwHQYDVR0OBBYEFISIH/rn8RX1hcNf4rQajJR7FEdMMA0GCSqGSIb3DQEBCwUA
+A4ICAQBVldF/qjWyGJ5TiZMiXly/So9zR3Xq7O1qayqYxb5SxvhZYCtsFVrAl6Ux
+5bTZ0XQagjck2VouHOG6s98DpaslWFw9N8ADAmljQ8WL1hT5Ij1LXs2sF0FqttFf
+YgoT5BOjnHZGlN+FgzAkdF91cYrfZwLm63jvAQtIHwjMSeymy2Fq8gdEZxagYuwG
+gLkZxw1YG+gP778CKHT2Ff232kH+5up460aGLHLvg+xHQIWBt2FNGdv68u57hWxh
+XXji4/DewQ0RdJW1JdpSg4npebDNiXpo9pKY/SxU056raOtPA94U/h12cHVkszT7
+IxdFC2PszAblbSZhHKGE0C6SbATsqvK4gz6e4h7HWVuPPNWpPW2BNjvyenpijV/E
+YsSe6F7uQE/I/iHp9VMcjWuwItqed9yKDeOfDH4+pidowbSJQ97xYfZge36ZEUHC
+2ZdQsR0qS+t2h0KlEDN7FNxai3ikSB1bs2AjtU67ofGtoIz/HD70TT6zHKhISZgI
+w/4/SY7Hd+P+AWSdJwo+ycZYZlXajqh/cxVJ0zVBr5vKC9KnJ+IjnQ/q7CLcxM4W
+aAFC1jakdPz7qO+xNVLQRf8lVnPJNtI88OrlL4n02JlLS/QUSwELXFW0bOKP33jm
+PIbPdeP8k0XVe9wlI7MzUQC8pCt+gQ77awTt83Nxp9Xdn1Zbqw==
+-----END CERTIFICATE-----

src/mod/tlscert/localhost.key

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCwGl/259Fg590p
++37nUSJumqED3LDpiy3EvkE2x6XHcRNWe7u9hEiUfTKmA82cqC5n4Fw3iYkWNDfo
+3hWk3vJJV84JIJnPuU+898uJv2K6QGh0FhA0DMyQpwuPKhiBLwwP31yp7uzjyTgk
+qnpvZY6afY61VkhLsApm9WxEk1uWHLsLcuQucBIoXSNv+JowZEAT5BX/POe8aD0W
+E2BBZZSKXY56zHd6WPgrCVwc1f5z2lnPrJWAmt6uPSz3g4MS656KoAU5axmumnvn
+h98Ljk9t5M2J+VDUHdqqRO2XlsvzwRKDAx21vUkZY3kchLVOrZ3/c+Cpu29QSGCB
+oUNt7Q7EbZXfceoR94bcGlmliEIHcjsU+lEL9Onw8AJjXc0dgH0/mFFT8Ocg2EeM
+wIsrEeyiWGKmFa7FK40giiNEvrbOPsnCOcGByCFDNUUng7hMF94wNp0sgjed0O2y
+ZHV0htrt+D4JZZ2/hmzRcaoc5qIc1yVzsGEkXxKCJDGPGOYWHVmwmbcvE+zD+IKX
+sgsTv7VoFCUGMSPTIG8y22QQOFFsgvFcU8wAsb+pqQ+9b07tZYKUBzTd6L8kV2rZ
+xqa5jrb9N/UcH5NKkZZgf5xIiqy7dXm7b2OZ1mOuOe4zsXMYSM1IKysyFItguQwm
+asMZ0VAEHfXHbij0he3Kt8pmLDEyVQIDAQABAoICAATmtwUILqujyGQCu+V0PKEX
+bKPO4J2fYga3xNjhdZu3afJePztnEx4O3foA4RgbFi+N7wMcsNQNYAD7LV8JVXT1
+HKbkYWOGpNF9lAyhZv4IDOAuPQU11fuwqoGxij0OMie+77VLEQzF7OoYVJAFI5Lp
+K6+gVyLEI4X6DqlZ8JKc+he3euJP/DFjZjkXkjMGl0H2dyZDa6+ytwCGSYeIbDnt
+oKmKR0kAcOfBuu6ShiJzUUyWYRLTPJ9c1IOPBXbhV+hDy+FtOanCYvBut6Z6r3s/
+gvj0F2vP6OYURQiTCdoe5YT/8TO9sOsj+Zrxlpo5+svBTd9reA2j9gulkVrd3itN
+c2Ee7fyuyrCRnEcKoT6BI8/LqH5eWGQKKS9WhOz26VkrorcYYZN3g4ayv+MiiSIm
+jeo/kAWCqT5ylvlw2gaCbPjB4kbx7yMI/myjgF0R4+aNQaHpXa2qqEORitGx40M7
+T1V2JIxnsa83TBwumunkYC2pX7bNS0a1VuCNxUafJRKEcvKhWmiRHaWddZn46G8N
+E56qFzSaLbkd+J71jso9llK5joGIQTt2pbKUdV9LIm5Nsbtp2VgF9URIw5RZFftx
+PfSm9XM9DtWuxheO4gNwAuOvtaOxztNMvSkQzhTOggSRpt15hFd7CeBrpK43feAH
+b2pMequB8MHpUieyxlwBAoIBAQC5IRbaKx+fSEbYeIySUwbN8GCJQl+wmvc1gqCC
+DflEQqxTvCGBB5SLHHurTT0ubhXkvbrtuS5f4IC+htzKSuwlqn3lS0aOXtFP2tT6
+D9iiMxLxIId5l6dD+PjMWtQcWc8wUQ7+ieRgxybDqiCWMyTbvNgwlkcIbRxmcqyN
+4/LmmgzTnr5CH0DC/J7xpUJuX9LPVb4ZvBYjz5X++Yb7pCa+kXp0Z6yU48bG3sRe
+yiUKp3Z4vDoOkMLHTPvTQLG81rQuJnBUw2uLWM0kg1AwteZcQ/gH1ilVbJzMBnKm
+mtuJWtoPnM2zIhCsURngmBN+qxOb5kchMSvPzAQBCw7HBjWpAoIBAQDzhLQO434G
+XhyDcdkdMRbDZ8Q8PqtOloAbczMuPGgwHV7rVe/BvnJS7HDDebwlJBD8nhGvgBrp
+CsjNGHjSQC7ydUa8dP4Aw/46izdR8DsAwqGZq+tZhkY5CS88QpflUT5rftW0RObn
+Cb/gDzdxHy35/scSICxa2HwcZnqXqfEwnbjkxFwBYFSt6hRiwNhDhd6ZxKa6gt56
+DS9uIxt1IhKgXZfIw1Vo0mHHFLsB7czGZ0O24ya31Es0bUWGgWIcxvKw6MqKhFWw
+ncCakVg278UYUm/zt6Dcrn3XYnK7Pr944AiKO21PMQhG7Rb+OVwxgjMhk7/BCt+k
+sPR1Dct5pqrNAoIBAAl2jYp9ZdJoiWaLUvQv1ks0nFqnz+hhI33SvY2oVTOODO0C
+0tubnZY20IODITt8WRYmNKXuL1arTSlwD10v0z5hpqnP3T1tz1k7oGNf5/zyi2dT
++FjYza4FzgH0Kp+AX7zih9evCMOBqpOZ4KyM1Ld+wbZKGDtwCGGcPwHJwyLSgRFY
+LfWHT3IoI5/KiMjHkSkUAvGh0afm9o3gB2xZibl4CkBlBEdgFUsZHASUZKxUvxOQ
+247fC3XQk5bK2csDVpZ9VISgsKCg22ugYrr6sVnKB6Wu5tH9CU7MjZPCmrI8uKTP
+qRwdA6krRB1c6LIy4H+5l600rD6k+Rdsj0bRJHECggEAeBXSrRzmAsHaEb/MryaL
+8SR0krjcxU5WMjMm5AAJ6OAy9J5WMxZ1TgsmuF6Jt08HyWsxkXf8zTryNqGAwz2/
+aPUIQtr2fu4nqjsItrFeh0tzYVJ0JpueeXXcAz1bpkvgGiZbwB/SNdCK/DTExFX5
+2DQZewi+lrX2zhKDFdNKCw1cJgPm0w7r8y9hiilK/FFBqlZdWdA7Ybiq0Qci/Som
+QUqmFOyua5iDeybv6U2ZE6XMsJ1ndHON+naAOIoJFePNvguuBYyorQW9+vr9o2mt
+qgbNCkRdYTXy/ImhxlB1H2hrDa+sgcbOLBuyoP8sRYXNLRutDccM7iwNAMQiuQTF
+aQKCAQEAiKPwUodT6LNu4lrSbsDAYIqWwlfM0wwUhudT5UTVHSYI3ap0QOiEuzOl
+IJVdx+vx7rQW7l+JIL6s4shA7mzpzuTVlhRuDuGZx0qQLP7INVpCLzIEbYGI2dL7
+WLhJd4eYKltJ+BG7S51tq9/6rVcUDn5DKzyGNyeGhOnaYkk+eTm483+vpOP2/ITi
+cbVv3mx4qE7zMPIxIufm+c8RonadJzYiq1uMk8t0TrcW/B9RTly/Y96kamjyU5b0
+OcLdRcx3ppKAxHD9AvwAR6SiuNLfNjM9KZM40zM5goMrCJJzwgb7UGeMuw2z7L9F
++iSj2pW0Rbdy7oOcFRF/iM2GwFYc1Q==
+-----END PRIVATE KEY-----

src/mod/tlscert/tlscert.go

@@ -0,0 +1,187 @@
+package tlscert
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"embed"
+	"encoding/pem"
+	"io"
+	"io/ioutil"
+	"log"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"imuslab.com/zoraxy/mod/utils"
+)
+
+type Manager struct {
+	CertStore string
+	verbal    bool
+}
+
+//go:embed localhost.crt localhost.key
+var buildinCertStore embed.FS
+
+func NewManager(certStore string, verbal bool) (*Manager, error) {
+	if !utils.FileExists(certStore) {
+		os.MkdirAll(certStore, 0775)
+	}
+
+	thisManager := Manager{
+		CertStore: certStore,
+		verbal:    verbal,
+	}
+
+	return &thisManager, nil
+}
+
+func (m *Manager) ListCertDomains() ([]string, error) {
+	filenames, err := m.ListCerts()
+	if err != nil {
+		return []string{}, err
+	}
+
+	//Remove certificates where there are missing public key or private key
+	filenames = getCertPairs(filenames)
+
+	return filenames, nil
+}
+
+func (m *Manager) ListCerts() ([]string, error) {
+	certs, err := ioutil.ReadDir(m.CertStore)
+	if err != nil {
+		return []string{}, err
+	}
+
+	filenames := make([]string, 0, len(certs))
+	for _, cert := range certs {
+		if !cert.IsDir() {
+			filenames = append(filenames, cert.Name())
+		}
+	}
+
+	return filenames, nil
+}
+
+func (m *Manager) GetCert(helloInfo *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	//Check if the domain corrisponding cert exists
+	pubKey := "./tmp/localhost.crt"
+	priKey := "./tmp/localhost.key"
+
+	//Check if this is initial setup
+	if !utils.FileExists(pubKey) {
+		buildInPubKey, _ := buildinCertStore.ReadFile(filepath.Base(pubKey))
+		os.WriteFile(pubKey, buildInPubKey, 0775)
+	}
+
+	if !utils.FileExists(priKey) {
+		buildInPriKey, _ := buildinCertStore.ReadFile(filepath.Base(priKey))
+		os.WriteFile(priKey, buildInPriKey, 0775)
+	}
+
+	if utils.FileExists(filepath.Join(m.CertStore, helloInfo.ServerName+".crt")) && utils.FileExists(filepath.Join(m.CertStore, helloInfo.ServerName+".key")) {
+		pubKey = filepath.Join(m.CertStore, helloInfo.ServerName+".crt")
+		priKey = filepath.Join(m.CertStore, helloInfo.ServerName+".key")
+
+	} else {
+		domainCerts, _ := m.ListCertDomains()
+		cloestDomainCert := matchClosestDomainCertificate(helloInfo.ServerName, domainCerts)
+		if cloestDomainCert != "" {
+			//There is a matching parent domain for this subdomain. Use this instead.
+			pubKey = filepath.Join(m.CertStore, cloestDomainCert+".crt")
+			priKey = filepath.Join(m.CertStore, cloestDomainCert+".key")
+		} else if m.DefaultCertExists() {
+			//Use default.crt and default.key
+			pubKey = filepath.Join(m.CertStore, "default.crt")
+			priKey = filepath.Join(m.CertStore, "default.key")
+			if m.verbal {
+				log.Println("No matching certificate found. Serving with default")
+			}
+		} else {
+			if m.verbal {
+				log.Println("Matching certificate not found. Serving with build-in certificate. Requesting server name: ", helloInfo.ServerName)
+			}
+		}
+	}
+
+	//Load the cert and serve it
+	cer, err := tls.LoadX509KeyPair(pubKey, priKey)
+	if err != nil {
+		log.Println(err)
+		return nil, nil
+	}
+
+	return &cer, nil
+}
+
+// Check if both the default cert public key and private key exists
+func (m *Manager) DefaultCertExists() bool {
+	return utils.FileExists(filepath.Join(m.CertStore, "default.crt")) && utils.FileExists(filepath.Join(m.CertStore, "default.key"))
+}
+
+// Check if the default cert exists returning seperate results for pubkey and prikey
+func (m *Manager) DefaultCertExistsSep() (bool, bool) {
+	return utils.FileExists(filepath.Join(m.CertStore, "default.crt")), utils.FileExists(filepath.Join(m.CertStore, "default.key"))
+}
+
+// Delete the cert if exists
+func (m *Manager) RemoveCert(domain string) error {
+	pubKey := filepath.Join(m.CertStore, domain+".crt")
+	priKey := filepath.Join(m.CertStore, domain+".key")
+	if utils.FileExists(pubKey) {
+		err := os.Remove(pubKey)
+		if err != nil {
+			return err
+		}
+	}
+
+	if utils.FileExists(priKey) {
+		err := os.Remove(priKey)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// Check if the given file is a valid TLS file
+func IsValidTLSFile(file io.Reader) bool {
+	// Read the contents of the uploaded file
+	contents, err := io.ReadAll(file)
+	if err != nil {
+		// Handle the error
+		return false
+	}
+
+	// Parse the contents of the file as a PEM-encoded certificate or key
+	block, _ := pem.Decode(contents)
+	if block == nil {
+		// The file is not a valid PEM-encoded certificate or key
+		return false
+	}
+
+	// Parse the certificate or key
+	if strings.Contains(block.Type, "CERTIFICATE") {
+		// The file contains a certificate
+		cert, err := x509.ParseCertificate(block.Bytes)
+		if err != nil {
+			// Handle the error
+			return false
+		}
+		// Check if the certificate is a valid TLS/SSL certificate
+		return cert.IsCA == false && cert.KeyUsage&x509.KeyUsageDigitalSignature != 0 && cert.KeyUsage&x509.KeyUsageKeyEncipherment != 0
+	} else if strings.Contains(block.Type, "PRIVATE KEY") {
+		// The file contains a private key
+		_, err := x509.ParsePKCS1PrivateKey(block.Bytes)
+		if err != nil {
+			// Handle the error
+			return false
+		}
+		return true
+	} else {
+		return false
+	}
+
+}