Merge pull request #63 from harshavardhana/pr_out_implement_tls_server

2025-11-07 04:42:56 -05:00 · 2015-01-25 17:23:21 -08:00
parent 18ffa44c52 063832baaf
commit 9e6eedfbbc
23 changed files with 3435 additions and 10 deletions
--- a/pkg/httpserver/httpserver.go
+++ b/pkg/httpserver/httpserver.go
@@ -22,24 +22,39 @@ import (
 	"time"
 )

-func Start(handler http.Handler, address string) (chan<- string, <-chan error) {
+type HttpServer struct {
+	Address  string
+	TLS      bool
+	CertFile string
+	KeyFile  string
+}
+
+func Start(handler http.Handler, srv HttpServer) (chan<- string, <-chan error) {
 	ctrlChannel := make(chan string)
 	errorChannel := make(chan error)
-	go start(ctrlChannel, errorChannel, handler, address)
+	go start(ctrlChannel, errorChannel, handler, srv)
 	return ctrlChannel, errorChannel
 }

-func start(ctrlChannel <-chan string, errorChannel chan<- error, router http.Handler, address string) {
-	log.Println("Starting HTTP Server on " + address)
+func start(ctrlChannel <-chan string, errorChannel chan<- error, router http.Handler, srv HttpServer) {
+	var err error
+
 	// Minio server config
 	server := &http.Server{
-		Addr:           address,
+		Addr:           srv.Address,
 		Handler:        router,
 		ReadTimeout:    10 * time.Second,
 		WriteTimeout:   10 * time.Second,
 		MaxHeaderBytes: 1 << 20,
 	}
-	err := server.ListenAndServe()
+	log.Println("Starting HTTP Server on " + srv.Address)
+
+	if srv.TLS {
+		server.TLSConfig = getDefaultTLSConfig()
+		err = server.ListenAndServeTLS(srv.CertFile, srv.KeyFile)
+	} else {
+		err = server.ListenAndServe()
+	}
 	errorChannel <- err
 	close(errorChannel)
 }
--- a/pkg/httpserver/tlshelpers.go
+++ b/pkg/httpserver/tlshelpers.go
@@ -0,0 +1,29 @@
+package httpserver
+
+import "crypto/tls"
+
+func getDefaultTLSConfig() *tls.Config {
+	config := &tls.Config{}
+
+	//Use only modern ciphers
+	config.CipherSuites = []uint16{
+		tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+		tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+		tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+	}
+
+	//Use only TLS v1.2
+	config.MinVersion = tls.VersionTLS12
+
+	// Ignore client auth for now
+	config.ClientAuth = tls.NoClientCert
+
+	//Don't allow session resumption
+	config.SessionTicketsDisabled = true
+	return config
+}
--- a/pkg/server/server.go
+++ b/pkg/server/server.go
@@ -26,19 +26,29 @@ import (
 	"github.com/minio-io/minio/pkg/webapi/minioapi"
 )

-func Start() {
+func Start(hostname string, tls bool, certFile, keyFile string) {
 	var ctrlChans []chan<- string
 	var statusChans []<-chan error

 	var ctrlChan chan<- string
 	var statusChan <-chan error
 	var storage mstorage.Storage
+	var srv = httpserver.HttpServer{}
+	srv.Address = hostname
+	srv.TLS = tls
+
+	if certFile != "" {
+		srv.CertFile = certFile
+	}
+	if keyFile != "" {
+		srv.KeyFile = keyFile
+	}

 	ctrlChan, statusChan, storage = inmemory.Start()
 	ctrlChans = append(ctrlChans, ctrlChan)
 	statusChans = append(statusChans, statusChan)

-	ctrlChan, statusChan = httpserver.Start(minioapi.HttpHandler(storage), ":8080")
+	ctrlChan, statusChan = httpserver.Start(minioapi.HttpHandler(storage), srv)
 	ctrlChans = append(ctrlChans, ctrlChan)
 	statusChans = append(statusChans, statusChan)

--- a/pkg/utils/crypto/x509/generator.go
+++ b/pkg/utils/crypto/x509/generator.go
@@ -0,0 +1,132 @@
+package x509
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"fmt"
+	"math/big"
+	"net"
+	"os"
+	"time"
+)
+
+// Based on http://golang.org/src/crypto/tls/generate_cert.go
+type Certificates struct {
+	CertPemBlock []byte
+	CertKeyBlock []byte
+}
+
+type X509Params struct {
+	Hostname   string
+	IsCA       bool
+	EcdsaCurve string
+	ValidFrom  string // Date formatted as Jan 1 15:04:05 2011
+	ValidFor   time.Duration
+}
+
+func publicKey(priv interface{}) interface{} {
+	switch k := priv.(type) {
+	case *rsa.PrivateKey:
+		return k.Public()
+	case *ecdsa.PrivateKey:
+		return k.Public()
+	default:
+		return nil
+	}
+}
+
+func pemBlockForKey(priv interface{}) *pem.Block {
+	switch k := priv.(type) {
+	case *rsa.PrivateKey:
+		return &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)}
+	case *ecdsa.PrivateKey:
+		b, err := x509.MarshalECPrivateKey(k)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Unable to marshal ECDSA private key: %v", err)
+			os.Exit(2)
+		}
+		return &pem.Block{Type: "EC PRIVATE KEY", Bytes: b}
+	default:
+		return nil
+	}
+}
+
+func (tls *Certificates) GenerateCertificates(params X509Params) error {
+	var rsaBits int = 2048
+	var priv interface{}
+	var err error
+
+	switch params.EcdsaCurve {
+	case "":
+		priv, err = rsa.GenerateKey(rand.Reader, rsaBits)
+	case "P224":
+		priv, err = ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
+	case "P256":
+		priv, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	case "P384":
+		priv, err = ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
+	case "P521":
+		priv, err = ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
+	default:
+		return fmt.Errorf("Unrecognized elliptic curve: %q", params.EcdsaCurve)
+	}
+
+	if err != nil {
+		return fmt.Errorf("failed to generate private key: %s", err)
+	}
+
+	var notBefore time.Time
+	if len(params.ValidFrom) == 0 {
+		notBefore = time.Now()
+	} else {
+		notBefore, err = time.Parse("Jan 2 15:04:05 2006", params.ValidFrom)
+		if err != nil {
+			return fmt.Errorf("Failed to parse creation date: %s", err)
+		}
+	}
+	notAfter := notBefore.Add(time.Duration(params.ValidFor))
+
+	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+	if err != nil {
+		return fmt.Errorf("failed to generate serial number: %s", err)
+	}
+	orgName := pkix.Name{
+		Organization: []string{"Minio"},
+	}
+	template := x509.Certificate{
+		SerialNumber:          serialNumber,
+		Subject:               orgName,
+		NotBefore:             notBefore,
+		NotAfter:              notAfter,
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+	}
+
+	if ip := net.ParseIP(params.Hostname); ip != nil {
+		template.IPAddresses = append(template.IPAddresses, ip)
+	} else {
+		template.DNSNames = append(template.DNSNames, params.Hostname)
+	}
+
+	if params.IsCA {
+		template.IsCA = true
+		template.KeyUsage |= x509.KeyUsageCertSign
+	}
+
+	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, publicKey(priv), priv)
+	if err != nil {
+		return fmt.Errorf("Failed to create certificate: %s", err)
+	}
+
+	tls.CertPemBlock = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
+	tls.CertKeyBlock = pem.EncodeToMemory(pemBlockForKey(priv))
+
+	return nil
+}