2021-02-28 18:09:06 +00:00
|
|
|
package nosql
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
"crypto/x509"
|
|
|
|
"encoding/json"
|
|
|
|
"encoding/pem"
|
|
|
|
"time"
|
|
|
|
|
|
|
|
"github.com/pkg/errors"
|
2021-03-01 06:49:20 +00:00
|
|
|
"github.com/smallstep/certificates/acme"
|
2021-02-28 18:09:06 +00:00
|
|
|
"github.com/smallstep/nosql"
|
|
|
|
)
|
|
|
|
|
|
|
|
type dbCert struct {
|
|
|
|
ID string `json:"id"`
|
|
|
|
Created time.Time `json:"created"`
|
|
|
|
AccountID string `json:"accountID"`
|
|
|
|
OrderID string `json:"orderID"`
|
|
|
|
Leaf []byte `json:"leaf"`
|
|
|
|
Intermediates []byte `json:"intermediates"`
|
|
|
|
}
|
|
|
|
|
|
|
|
// CreateCertificate creates and stores an ACME certificate type.
|
2021-03-01 06:49:20 +00:00
|
|
|
func (db *DB) CreateCertificate(ctx context.Context, cert *acme.Certificate) error {
|
|
|
|
var err error
|
|
|
|
cert.ID, err = randID()
|
2021-02-28 18:09:06 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
leaf := pem.EncodeToMemory(&pem.Block{
|
|
|
|
Type: "CERTIFICATE",
|
2021-03-01 06:49:20 +00:00
|
|
|
Bytes: cert.Leaf.Raw,
|
2021-02-28 18:09:06 +00:00
|
|
|
})
|
|
|
|
var intermediates []byte
|
2021-03-01 06:49:20 +00:00
|
|
|
for _, cert := range cert.Intermediates {
|
2021-02-28 18:09:06 +00:00
|
|
|
intermediates = append(intermediates, pem.EncodeToMemory(&pem.Block{
|
|
|
|
Type: "CERTIFICATE",
|
|
|
|
Bytes: cert.Raw,
|
|
|
|
})...)
|
|
|
|
}
|
|
|
|
|
2021-03-01 06:49:20 +00:00
|
|
|
dbch := &dbCert{
|
2021-02-28 18:09:06 +00:00
|
|
|
ID: cert.ID,
|
|
|
|
AccountID: cert.AccountID,
|
|
|
|
OrderID: cert.OrderID,
|
|
|
|
Leaf: leaf,
|
|
|
|
Intermediates: intermediates,
|
|
|
|
Created: time.Now().UTC(),
|
|
|
|
}
|
2021-03-01 06:49:20 +00:00
|
|
|
return db.save(ctx, cert.ID, dbch, nil, "certificate", certTable)
|
2021-02-28 18:09:06 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// GetCertificate retrieves and unmarshals an ACME certificate type from the
|
|
|
|
// datastore.
|
2021-03-01 06:49:20 +00:00
|
|
|
func (db *DB) GetCertificate(ctx context.Context, id string) (*acme.Certificate, error) {
|
2021-02-28 18:09:06 +00:00
|
|
|
b, err := db.db.Get(certTable, []byte(id))
|
|
|
|
if nosql.IsErrNotFound(err) {
|
2021-03-01 06:49:20 +00:00
|
|
|
return nil, errors.Wrapf(err, "certificate %s not found", id)
|
2021-02-28 18:09:06 +00:00
|
|
|
} else if err != nil {
|
2021-03-01 06:49:20 +00:00
|
|
|
return nil, errors.Wrap(err, "error loading certificate")
|
2021-02-28 18:09:06 +00:00
|
|
|
}
|
2021-03-01 06:49:20 +00:00
|
|
|
dbC := new(dbCert)
|
|
|
|
if err := json.Unmarshal(b, dbC); err != nil {
|
|
|
|
return nil, errors.Wrap(err, "error unmarshaling certificate")
|
2021-02-28 18:09:06 +00:00
|
|
|
}
|
|
|
|
|
2021-03-01 06:49:20 +00:00
|
|
|
leaf, err := parseCert(dbC.Leaf)
|
2021-02-28 18:09:06 +00:00
|
|
|
if err != nil {
|
2021-03-01 06:49:20 +00:00
|
|
|
return nil, errors.Wrapf(err, "error parsing leaf of ACME Certificate with ID '%s'", id)
|
2021-02-28 18:09:06 +00:00
|
|
|
}
|
|
|
|
|
2021-03-01 06:49:20 +00:00
|
|
|
intermediates, err := parseBundle(dbC.Intermediates)
|
2021-02-28 18:09:06 +00:00
|
|
|
if err != nil {
|
2021-03-01 06:49:20 +00:00
|
|
|
return nil, errors.Wrapf(err, "error parsing intermediate bundle of ACME Certificate with ID '%s'", id)
|
2021-02-28 18:09:06 +00:00
|
|
|
}
|
|
|
|
|
2021-03-01 06:49:20 +00:00
|
|
|
return &acme.Certificate{
|
|
|
|
ID: dbC.ID,
|
|
|
|
AccountID: dbC.AccountID,
|
|
|
|
OrderID: dbC.OrderID,
|
2021-02-28 18:09:06 +00:00
|
|
|
Leaf: leaf,
|
2021-03-01 06:49:20 +00:00
|
|
|
Intermediates: intermediates,
|
|
|
|
}, nil
|
2021-02-28 18:09:06 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func parseCert(b []byte) (*x509.Certificate, error) {
|
2021-03-01 06:49:20 +00:00
|
|
|
block, rest := pem.Decode(b)
|
2021-02-28 18:09:06 +00:00
|
|
|
if block == nil || len(rest) > 0 {
|
|
|
|
return nil, errors.New("error decoding PEM block: contains unexpected data")
|
|
|
|
}
|
|
|
|
if block.Type != "CERTIFICATE" {
|
|
|
|
return nil, errors.New("error decoding PEM: block is not a certificate bundle")
|
|
|
|
}
|
2021-03-01 06:49:20 +00:00
|
|
|
cert, err := x509.ParseCertificate(block.Bytes)
|
|
|
|
if err != nil {
|
|
|
|
return nil, errors.Wrap(err, "error parsing x509 certificate")
|
|
|
|
}
|
|
|
|
return cert, nil
|
2021-02-28 18:09:06 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func parseBundle(b []byte) ([]*x509.Certificate, error) {
|
2021-03-01 06:49:20 +00:00
|
|
|
var (
|
|
|
|
err error
|
|
|
|
block *pem.Block
|
|
|
|
bundle []*x509.Certificate
|
|
|
|
)
|
2021-02-28 18:09:06 +00:00
|
|
|
for len(b) > 0 {
|
|
|
|
block, b = pem.Decode(b)
|
|
|
|
if block == nil {
|
|
|
|
break
|
|
|
|
}
|
|
|
|
if block.Type != "CERTIFICATE" {
|
2021-03-01 06:49:20 +00:00
|
|
|
return nil, errors.New("error decoding PEM: data contains block that is not a certificate")
|
2021-02-28 18:09:06 +00:00
|
|
|
}
|
|
|
|
var crt *x509.Certificate
|
|
|
|
crt, err = x509.ParseCertificate(block.Bytes)
|
|
|
|
if err != nil {
|
2021-03-01 06:49:20 +00:00
|
|
|
return nil, errors.Wrapf(err, "error parsing x509 certificate")
|
2021-02-28 18:09:06 +00:00
|
|
|
}
|
|
|
|
bundle = append(bundle, crt)
|
|
|
|
}
|
|
|
|
if len(b) > 0 {
|
2021-03-01 06:49:20 +00:00
|
|
|
return nil, errors.New("error decoding PEM: unexpected data")
|
2021-02-28 18:09:06 +00:00
|
|
|
}
|
|
|
|
return bundle, nil
|
|
|
|
|
|
|
|
}
|