/*

* MinIO Cloud Storage, (C) 2018 MinIO, Inc.

*

* Licensed under the Apache License, Version 2.0 (the "License");

* you may not use this file except in compliance with the License.

* You may obtain a copy of the License at

*

* http://www.apache.org/licenses/LICENSE-2.0

*

* Unless required by applicable law or agreed to in writing, software

* distributed under the License is distributed on an "AS IS" BASIS,

* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

* See the License for the specific language governing permissions and

* limitations under the License.

*/

package certs

import (

"context"

"crypto/tls"

"crypto/x509"

"errors"

"fmt"

"os"

"path/filepath"

"sync"

"time"

"github.com/rjeczalik/notify"

)

// LoadX509KeyPairFunc is a function that parses a private key and

// certificate file and returns a TLS certificate on success.

type LoadX509KeyPairFunc func(certFile, keyFile string) (tls.Certificate, error)

// GetCertificateFunc is a callback that allows a TLS stack deliver different

// certificates based on the client trying to establish a TLS connection.

//

// For example, a GetCertificateFunc can return different TLS certificates depending

// upon the TLS SNI sent by the client.

type GetCertificateFunc func(hello *tls.ClientHelloInfo) (*tls.Certificate, error)

// Manager is a TLS certificate manager that can handle multiple certificates.

// When a client tries to establish a TLS connection, Manager will try to

// pick a certificate that can be validated by the client.

//

// For instance, if the client specifies a TLS SNI then Manager will try to

// find the corresponding certificate. If there is no such certificate it

// will fallback to the certificate named public.crt.

//

// Manager will automatically reload certificates if the corresponding file changes.

type Manager struct {

lock sync.RWMutex

certificates map[pair]*tls.Certificate // Mapping: certificate file name => TLS certificates

defaultCert pair

loadX509KeyPair LoadX509KeyPairFunc

events chan notify.EventInfo

ctx context.Context

}

// pair represents a certificate and private key file tuple.

type pair struct {

KeyFile string

CertFile string

}

// NewManager returns a new Manager that handles one certificate specified via

// the certFile and keyFile. It will use the loadX509KeyPair function to (re)load

// certificates.

//

// The certificate loaded from certFile is considered the default certificate.

// If a client does not send the TLS SNI extension then Manager will return

// this certificate.

func NewManager(ctx context.Context, certFile, keyFile string, loadX509KeyPair LoadX509KeyPairFunc) (manager *Manager, err error) {

certFile, err = filepath.Abs(certFile)

if err != nil {

return nil, err

}

keyFile, err = filepath.Abs(keyFile)

if err != nil {

return nil, err

}

manager = &Manager{

certificates: map[pair]*tls.Certificate{},

defaultCert: pair{

KeyFile: keyFile,

CertFile: certFile,

},

loadX509KeyPair: loadX509KeyPair,

events: make(chan notify.EventInfo, 1),

ctx: ctx,

}

if err := manager.AddCertificate(certFile, keyFile); err != nil {

return nil, err

}

go manager.watchFileEvents()

return manager, nil

}

// AddCertificate adds the TLS certificate in certFile resp. keyFile

// to the Manager.

//

// If there is already a certificate with the same base name it will be

// replaced by the newly added one.

func (m *Manager) AddCertificate(certFile, keyFile string) (err error) {

certFile, err = filepath.Abs(certFile)

if err != nil {

return err

}

keyFile, err = filepath.Abs(keyFile)

if err != nil {

return err

}

certFileIsLink, err := isSymlink(certFile)

if err != nil {

return err

}

keyFileIsLink, err := isSymlink(keyFile)

if err != nil {

return err

}

if certFileIsLink && !keyFileIsLink {

return fmt.Errorf("certs: '%s' is a symlink but '%s' is a regular file", certFile, keyFile)

}

if keyFileIsLink && !certFileIsLink {

return fmt.Errorf("certs: '%s' is a symlink but '%s' is a regular file", keyFile, certFile)

}

certificate, err := m.loadX509KeyPair(certFile, keyFile)

if err != nil {

return err

}

// We set the certificate leaf to the actual certificate such that

// we don't have to do the parsing (multiple times) when matching the

// certificate to the client hello. This a performance optimisation.

if certificate.Leaf == nil {

certificate.Leaf, err = x509.ParseCertificate(certificate.Certificate[0])

if err != nil {

return err

}

}

p := pair{

CertFile: certFile,

KeyFile: keyFile,

}

m.lock.Lock()

defer m.lock.Unlock()

// We don't allow IP SANs in certificates - except for the "default" certificate

// which is, by convention, the first certificate added to the manager. The problem

// with allowing IP SANs in more than one certificate is that the manager usually can't

// match the client SNI to a SAN since the SNI is meant to communicate the destination

// host name and clients will not set the SNI to an IP address.

// Allowing multiple certificates with IP SANs lead to errors that confuses users - like:

// "It works for `https://instance.minio.local` but not for `https://10.0.2.1`"

if len(m.certificates) > 0 && len(certificate.Leaf.IPAddresses) > 0 {

return errors.New("cert: certificate must not contain any IP SANs: only the default certificate may contain IP SANs")

}

m.certificates[p] = &certificate

if certFileIsLink && keyFileIsLink {

go m.watchSymlinks(certFile, keyFile)

} else {

// Windows doesn't allow for watching file changes but instead allows

// for directory changes only, while we can still watch for changes

// on files on other platforms. Watch parent directory on all platforms

// for simplicity.

if err = notify.Watch(filepath.Dir(certFile), m.events, eventWrite...); err != nil {

return err

}

if err = notify.Watch(filepath.Dir(keyFile), m.events, eventWrite...); err != nil {

return err

}

}

return nil

}

// watchSymlinks starts an endless loop reloading the

// certFile and keyFile periodically.

func (m *Manager) watchSymlinks(certFile, keyFile string) {

for {

select {

case <-m.ctx.Done():

return // Once stopped exits this routine.

case <-time.After(24 * time.Hour):

certificate, err := m.loadX509KeyPair(certFile, keyFile)

if err != nil {

continue

}

if certificate.Leaf == nil { // This is a performance optimisation

certificate.Leaf, err = x509.ParseCertificate(certificate.Certificate[0])

if err != nil {

continue

}

}

p := pair{

CertFile: certFile,

KeyFile: keyFile,

}

m.lock.Lock()

m.certificates[p] = &certificate

m.lock.Unlock()

}

}

}

// watchFileEvents starts an endless loop waiting for file systems events.

// Once an event occurs it reloads the private key and certificate that

// has changed, if any.

func (m *Manager) watchFileEvents() {

for {

select {

case <-m.ctx.Done():

return

case event := <-m.events:

if !isWriteEvent(event.Event()) {

continue

}

for pair := range m.certificates {

if p := event.Path(); pair.KeyFile == p || pair.CertFile == p {

certificate, err := m.loadX509KeyPair(pair.CertFile, pair.KeyFile)

if err != nil {

continue

}

if certificate.Leaf == nil { // This is performance optimisation

certificate.Leaf, err = x509.ParseCertificate(certificate.Certificate[0])

if err != nil {

continue

}

}

m.lock.Lock()

m.certificates[pair] = &certificate

m.lock.Unlock()

}

}

}

}

}

// GetCertificate returns a TLS certificate based on the client hello.

//

// It tries to find a certificate that would be accepted by the client

// according to the client hello. However, if no certificate can be

// found GetCertificate returns the certificate loaded from the

// Public file.

func (m *Manager) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {

m.lock.RLock()

defer m.lock.RUnlock()

// If the client does not send a SNI we return the "default"

// certificate. A client may not send a SNI - e.g. when trying

// to connect to an IP directly (https://<ip>:<port>).

//

// In this case we don't know which the certificate the client

// asks for. It may be a public-facing certificate issued by a

// public CA or an internal certificate containing internal domain

// names.

// Now, we should not serve "the first" certificate that would be

// accepted by the client based on the Client Hello. Otherwise, we

// may expose an internal certificate to the client that contains

// internal domain names. That way we would disclose internal

// infrastructure details.

//

// Therefore, we serve the "default" certificate - which by convention

// is the first certificate added to the Manager. It's the calling code's

// responsibility to ensure that the "public-facing" certificate is used

// when creating a Manager instance.

if hello.ServerName == "" {

certificate := m.certificates[m.defaultCert]

return certificate, nil

}

// Optimization: If there is just one certificate, always serve that one.

if len(m.certificates) == 1 {

for _, certificate := range m.certificates {

return certificate, nil

}

}

// Iterate over all certificates and return the first one that would

// be accepted by the peer (TLS client) based on the client hello.

// In particular, the client usually specifies the requested host/domain

// via SNI.

//

// Note: The certificate.Leaf should be non-nil and contain the actual

// client certificate of MinIO that should be presented to the peer (TLS client).

// Otherwise, the leaf certificate has to be parsed again - which is kind of

// expensive and may cause a performance issue. For more information, check the

// docs of tls.ClientHelloInfo.SupportsCertificate.

for _, certificate := range m.certificates {

if err := hello.SupportsCertificate(certificate); err == nil {

return certificate, nil

}

}

return nil, errors.New("certs: no server certificate is supported by peer")

}

// GetClientCertificate returns a TLS certificate for mTLS based on the

// certificate request.

//

// It tries to find a certificate that would be accepted by the server

// according to the certificate request. However, if no certificate can be

// found GetClientCertificate returns the certificate loaded from the

// Public file.

func (m *Manager) GetClientCertificate(reqInfo *tls.CertificateRequestInfo) (*tls.Certificate, error) {

m.lock.RLock()

defer m.lock.RUnlock()

// Optimization: If there is just one certificate, always serve that one.

if len(m.certificates) == 1 {

for _, certificate := range m.certificates {

return certificate, nil

}

}

// Iterate over all certificates and return the first one that would

// be accepted by the peer (TLS server) based on reqInfo.

//

// Note: The certificate.Leaf should be non-nil and contain the actual

// client certificate of MinIO that should be presented to the peer (TLS server).

// Otherwise, the leaf certificate has to be parsed again - which is kind of

// expensive and may cause a performance issue. For more information, check the

// docs of tls.CertificateRequestInfo.SupportsCertificate.

for _, certificate := range m.certificates {

if err := reqInfo.SupportsCertificate(certificate); err == nil {

return certificate, nil

}

}

return nil, errors.New("certs: no client certificate is supported by peer")

}

// isSymlink returns true if the given file

// is a symbolic link.

func isSymlink(file string) (bool, error) {

st, err := os.Lstat(file)

if err != nil {

return false, err

}

return st.Mode()&os.ModeSymlink == os.ModeSymlink, nil

}