Checkpoint

2025-10-01 15:37:55 +02:00
parent 4a60059ff2
commit 03352e3312
31 changed files with 2611 additions and 384 deletions
--- a/internal/cryptutil/tls.go
+++ b/internal/cryptutil/tls.go
@@ -0,0 +1,168 @@
+package cryptutil
+
+import (
+	"bufio"
+	"bytes"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/pem"
+	"io"
+	"net"
+	"os"
+	"slices"
+	"strings"
+
+	"git.maze.io/maze/styx/internal/netutil"
+	"git.maze.io/maze/styx/internal/sliceutil"
+	"git.maze.io/maze/styx/logger"
+)
+
+var (
+	supportedCipherSuites = tls.CipherSuites()
+	supportedCipherSuite  = make(map[uint16]bool)
+	supportedVersions     = []uint16{
+		tls.VersionTLS13,
+		tls.VersionTLS12,
+		tls.VersionTLS11,
+		tls.VersionTLS10,
+	}
+)
+
+func init() {
+	for _, suite := range supportedCipherSuites {
+		supportedCipherSuite[suite.ID] = true
+	}
+}
+
+func DecodeTLSCertificate(b []byte) (tls.Certificate, error) {
+	var (
+		cert  tls.Certificate
+		chain []*x509.Certificate
+		rest  = b
+		block *pem.Block
+		err   error
+	)
+	for {
+		if block, rest = pem.Decode(rest); block == nil {
+			break
+		}
+		switch block.Type {
+		case "CERTIFICATE":
+			cert.Certificate = append(cert.Certificate, block.Bytes)
+			if x509Cert, err := x509.ParseCertificate(block.Bytes); err != nil {
+				return tls.Certificate{}, err
+			} else {
+				chain = append(chain, x509Cert)
+				cert.Leaf = x509Cert
+			}
+		case "PRIVATE KEY":
+			if cert.PrivateKey, err = x509.ParsePKCS8PrivateKey(block.Bytes); err != nil {
+				return tls.Certificate{}, err
+			}
+		case "RSA PRIVATE KEY":
+			if cert.PrivateKey, err = x509.ParsePKCS1PrivateKey(block.Bytes); err != nil {
+				return tls.Certificate{}, err
+			}
+		case "EC PRIVATE KEY":
+			if cert.PrivateKey, err = x509.ParseECPrivateKey(block.Bytes); err != nil {
+				return tls.Certificate{}, err
+			}
+		}
+	}
+
+	return cert, nil
+}
+
+func LoadTLSCertificate(certFile, keyFile string) (tls.Certificate, error) {
+	var (
+		b   []byte
+		err error
+	)
+	if strings.Contains(certFile, "-----BEGIN") {
+		logger.StandardLog.Trace("Loading X.509 certificate")
+		b = []byte(certFile)
+	} else {
+		logger.StandardLog.Value("name", certFile).Trace("Loading X.509 certificate")
+		if b, err = os.ReadFile(certFile); err != nil {
+			return tls.Certificate{}, err
+		}
+	}
+	if strings.Contains(keyFile, "-----BEGIN") {
+		logger.StandardLog.Trace("Loading private key")
+		b = append(b, []byte(keyFile)...)
+	} else if keyFile != "" {
+		logger.StandardLog.Value("name", keyFile).Trace("Loading private key")
+		var k []byte
+		if k, err = os.ReadFile(keyFile); err != nil {
+			return tls.Certificate{}, err
+		}
+		b = append(b, k...)
+	}
+	return DecodeTLSCertificate(b)
+}
+
+// CheckTLSBuffer is like [CheckTLSHandshake] but restores the original buffered reader.
+func CheckTLSBuffer(r *bufio.Reader) (bool, error) {
+	b, err := r.ReadByte()
+	if err != nil {
+		return false, err
+	}
+	if err = r.UnreadByte(); err != nil {
+		return false, err
+	}
+	return b == 0x16, nil
+}
+
+// CheckTLSHandshake checks if the next byte available in r looks like a TLS handshake.
+func CheckTLSHandshake(r io.Reader) (bool, error) {
+	// Peek first byte received in tunneled connection, client initiates the TLS connection or plain HTTP request
+	b := make([]byte, 1)
+	if _, err := io.ReadFull(r, b); err != nil {
+		return false, err
+	}
+
+	// TLS handshake: https://tools.ietf.org/html/rfc5246#section-6.2.1
+	return b[0] == 0x16, nil
+}
+
+// SniffClientHello uses ReadClientHello to sniff the TLS handshake and returns a new [net.Conn] that
+// contains the original byte sequences.
+func SniffClientHello(c net.Conn) (net.Conn, *tls.ClientHelloInfo, error) {
+	b := new(bytes.Buffer)
+	h, err := ReadClientHello(io.TeeReader(c, b))
+	return netutil.ReaderConn{
+		Conn:   c,
+		Reader: io.MultiReader(b, c),
+	}, h, err
+}
+
+// ReadClientHello reads a TLS client hello message from the TLS handshake.
+func ReadClientHello(r io.Reader) (*tls.ClientHelloInfo, error) {
+	var hello *tls.ClientHelloInfo
+	err := tls.Server(netutil.ReadOnlyConn{Reader: r}, &tls.Config{
+		GetConfigForClient: func(clientHello *tls.ClientHelloInfo) (*tls.Config, error) {
+			hello = new(tls.ClientHelloInfo)
+			*hello = *clientHello
+			return nil, nil
+		},
+	}).Handshake()
+	if hello == nil {
+		return nil, err
+	}
+	return hello, nil
+}
+
+// IsSupportedCipherSuite checks if Go can support the cipher suite.
+func IsSupportedCipherSuite(id uint16) bool {
+	return supportedCipherSuite[id]
+}
+
+// IsSupportedVersion checks if Go can support the TLS version.
+func IsSupportedVersion(version uint16) bool {
+	return slices.Contains(supportedVersions, version)
+}
+
+// OnlySecureCipherSuites removes any cipher suite that isn't supported by Go.
+func OnlySecureCipherSuites(ids []uint16) []uint16 {
+	return sliceutil.Filter(ids, IsSupportedCipherSuite)
+}
--- a/internal/cryptutil/x509.go
+++ b/internal/cryptutil/x509.go
@@ -18,7 +18,8 @@ import (
 	"strings"
 	"time"

-	"git.maze.io/maze/styx/internal/log"
+	"git.maze.io/maze/styx/logger"
+	"github.com/rs/zerolog/log"
 )

 // Supported key types.
@@ -36,6 +37,62 @@ const (
 	pemTypeAny   = "PRIVATE KEY"
 )

+// DecodeRoots loads all PEM encoded certificates from b.
+func DecodeRoots(b []byte) (*x509.CertPool, error) {
+	var (
+		pool  = x509.NewCertPool()
+		rest  = b
+		block *pem.Block
+	)
+	for {
+		if block, rest = pem.Decode(rest); block == nil {
+			break
+		} else if block.Type == pemTypeCert {
+			cert, err := x509.ParseCertificate(block.Bytes)
+			if err != nil {
+				return nil, err
+			} else if cert.IsCA {
+				pool.AddCert(cert)
+			}
+		}
+	}
+	return pool, nil
+}
+
+// LoadRoots loads a certificate authority bundle.
+func LoadRoots(roots string) (*x509.CertPool, error) {
+	if strings.Contains(roots, "-----BEGIN CERTIFICATE") {
+		logger.StandardLog.Trace("Parsing X.509 certificates")
+		return DecodeRoots([]byte(roots))
+	}
+	var b []byte
+	i, err := os.Stat(roots)
+	if err != nil {
+		return nil, err
+	} else if i.IsDir() {
+		logger.StandardLog.Value("path", roots).Trace("Loading X.509 certificates from *.crt *.pem")
+		for _, ext := range []string{"*.crt", "*.pem"} {
+			var files []string
+			if files, err = filepath.Glob(filepath.Join(roots, ext)); err != nil {
+				return nil, err
+			}
+			for _, file := range files {
+				var v []byte
+				if v, err = os.ReadFile(file); err != nil {
+					return nil, err
+				}
+				b = append(b, v...)
+			}
+		}
+	} else {
+		logger.StandardLog.Value("path", roots).Trace("Loading X.509 certificates")
+		if b, err = os.ReadFile(roots); err != nil {
+			return nil, err
+		}
+	}
+	return DecodeRoots(b)
+}
+
 // LoadKeyPair loads a certificate and private key, certdata and keydata can be a PEM encoded block or a file.
 //
 // If [keydata] is empty, then the private key is assumed to be contained in [certdata].
@@ -44,23 +101,23 @@ func LoadKeyPair(certdata, keydata string) (cert *x509.Certificate, key crypto.P
 		keydata = certdata
 	}
 	if strings.Contains(certdata, "-----BEGIN "+pemTypeCert) {
-		log.Trace().Msg("parsing X.509 certificate")
+		logger.StandardLog.Trace("Parsing X.509 certificate")
 		if cert, err = decodePEMBCertificate([]byte(certdata)); err != nil {
 			return
 		}
 	} else {
-		log.Trace().Str("name", certdata).Msg("loading X.509 certificate")
+		logger.StandardLog.Value("name", certdata).Trace("Loading X.509 certificate")
 		if cert, err = LoadCertificate(certdata); err != nil {
 			return
 		}
 	}
 	if strings.Contains(keydata, pemTypeAny+"-----") {
-		log.Trace().Msg("parsing private key")
+		logger.StandardLog.Trace("Parsing private key")
 		if key, err = decodePEMPrivateKey([]byte(keydata)); err != nil {
 			return
 		}
 	} else if key, err = LoadPrivateKey(keydata); err != nil {
-		log.Trace().Str("name", keydata).Msg("loading private key")
+		logger.StandardLog.Value("name", keydata).Trace("Loading private key")
 		return
 	}
 	return