From db3534211bd03b95aa08505c051735861655347f Mon Sep 17 00:00:00 2001
From: Eugene Medvedev
Date: Thu, 22 Jun 2023 11:24:45 +0300
Subject: [PATCH] =?UTF-8?q?=E2=AD=90=20Allows=20use=20of=20on-site=20roots?= =?UTF-8?q?.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 main.go | 28 +++++++++++++++++++++++-----
 1 file changed, 23 insertions(+), 5 deletions(-)
diff --git a/main.go b/main.go
index a90177a..d6b6d58 100644
--- a/main.go
+++ b/main.go
@@ -52,6 +52,7 @@ var outputFile string
 var sigFile string
 var dataDir string
+var chainCacheDir string
 var rootsCacheDir string
 // SigBlock is a struct containing the signature and associated data.
@@ -114,9 +115,10 @@ Released under the terms of MIT license.`
 flaggy.Parse()
 // This needs to be done here, after we've parsed the flags.
+ chainCacheDir = filepath.Join(dataDir, "chain")
 rootsCacheDir = filepath.Join(dataDir, "roots")
 // Yeah, that is a pythonism.
- for _, d := range []string{dataDir, rootsCacheDir} {
+ for _, d := range []string{dataDir, chainCacheDir, rootsCacheDir} {
 if _, err := os.Stat(d); os.IsNotExist(err) {
 err := os.MkdirAll(d, os.ModeDir|0o755)
 check(err, "Could not create or open "+d)
@@ -259,6 +261,22 @@ func main() {
 rootCerts = append(rootCerts, crt)
 }
+ // If our cache includes any extra trusted roots --
+ // which would have to be placed there manually, we never save them --
+ // slurp them in as well.
+ // This is also what lets us use a complete dummy hierarchy of certificates for testing.
+ rootFiles, _ = os.ReadDir(rootsCacheDir)
+ for _, f := range rootFiles {
+ if strings.HasSuffix(strings.ToLower(f.Name()), ".der") {
+ der, err := dataFiles.ReadFile(filepath.Join(rootsCacheDir, f.Name()))
+ check(err, "Failed to read a root certificate from cache.")
+ crt, err := x509.ParseCertificate(der)
+ check(err, "Failed to parse a root certificate from cache.")
+ roots.AddCert(crt)
+ rootCerts = append(rootCerts, crt)
+ }
+ }
+
 if signCmd.Used {
 // Signing a file
 keyData, err := os.ReadFile(keyFile)
@@ -480,10 +498,10 @@ func main() {
 extraCerts.AddCert(crt)
 }
 // If we have any intermediate certificates in the cache, dump them into the pool too.
- cachedRootFiles, _ := os.ReadDir(rootsCacheDir)
+ cachedRootFiles, _ := os.ReadDir(chainCacheDir)
 for _, f := range cachedRootFiles {
- if strings.HasSuffix(f.Name(), ".der") {
- der, err := os.ReadFile(filepath.Join(rootsCacheDir, f.Name()))
+ if strings.HasSuffix(strings.ToLower(f.Name()), ".der") {
+ der, err := os.ReadFile(filepath.Join(chainCacheDir, f.Name()))
 check(err, "Could not read file from intermediary certificate cache.")
 crt, err := x509.ParseCertificate(der)
 check(err, "Could not parse intermediary certificate cache file "+f.Name())
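Review bot: The extra roots are read with `der, err := dataFiles.ReadFile(filepath.Join(rootsCacheDir, f.Name()))`, but rootsCacheDir is an on-disk path built from dataDir, and the chain-cache loop in the next hunk reads the same kind of file with os.ReadFile; if dataFiles is the embedded bundle that supplies the built-in roots (as its name suggests), that lookup cannot resolve a filesystem path and check() will abort on the first .der file, so the line should read `der, err := os.ReadFile(filepath.Join(rootsCacheDir, f.Name()))`. The new comment states these files are never written by the program, yet the version being replaced cached intermediate CA certificates into rootsCacheDir (the removed line in the last hunk), so an existing data directory will now load those previously cached intermediates as trusted roots unless they are moved or deleted on upgrade; a one-time migration of .der files from roots/ to chain/, or at least a comment warning about it, would close that gap. Entries are also not filtered with f.IsDir(), and the ReadDir error is discarded, so an unreadable roots/ directory is indistinguishable from an empty one. The enclosing main() begins before and ends after this hunk.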
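Review bot: `cachedRootFiles` now iterates the chain cache, so the name no longer describes what it holds; `cachedChainFiles, _ := os.ReadDir(chainCacheDir)` with the matching `for _, f := range cachedChainFiles {` would read better. The ReadDir error is still dropped with `_`, which leaves an unreadable chain/ directory indistinguishable from an empty one, and directory entries are not skipped before os.ReadFile is called on them. main() starts and ends outside this hunk.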
@@ -536,7 +554,7 @@ func main() {
 for _, chain := range chains {
 for _, c := range chain {
 if !certInList(rootCerts, c) && c.IsCA {
- cacheRootFile := filepath.Join(rootsCacheDir, hex.EncodeToString(c.SubjectKeyId)+".der")
+ cacheRootFile := filepath.Join(chainCacheDir, hex.EncodeToString(c.SubjectKeyId)+".der")
 if _, err := os.Stat(cacheRootFile); errors.Is(err, os.ErrNotExist) {
 err = os.WriteFile(cacheRootFile, c.Raw, 0666)
 check(err, "Could not save intermediate root certificate to cache.")
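Review bot: The cache file name is still derived solely from `hex.EncodeToString(c.SubjectKeyId)`, so an intermediate that carries no Subject Key Identifier extension is written as a bare `.der`, and because of the os.Stat guard every later such certificate is silently shadowed by the first one rather than cached; falling back to a digest of c.Raw when len(c.SubjectKeyId) == 0 would give each certificate a distinct name. The `0666` mode on the os.WriteFile line is also inconsistent with the `0o755` style used for the directories and is wider than a cache of certificate material needs; `0o644` would be the conventional choice. The surrounding loops and main() continue outside this hunk.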