minio/cmd/certs.go

139 lines
3.7 KiB
Go

/*
* Minio Cloud Storage, (C) 2015, 2016 Minio, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package cmd
import (
"crypto/x509"
"encoding/pem"
"errors"
"io/ioutil"
"path/filepath"
)
// getCertsPath get certs path.
func getCertsPath() string {
return filepath.Join(getConfigDir(), globalMinioCertsDir)
}
// getCertFile must get cert file.
func getCertFile() string {
return filepath.Join(getCertsPath(), globalMinioCertFile)
}
// getKeyFile must get key file.
func getKeyFile() string {
return filepath.Join(getCertsPath(), globalMinioKeyFile)
}
// createCertsPath create certs path.
func createCertsPath() error {
rootCAsPath := filepath.Join(getCertsPath(), globalMinioCertsCADir)
return mkdirAll(rootCAsPath, 0700)
}
// getCAFiles must get the list of the CA certificates stored in minio config dir
func getCAFiles() (caCerts []string) {
CAsDir := filepath.Join(getCertsPath(), globalMinioCertsCADir)
if caFiles, err := ioutil.ReadDir(CAsDir); err == nil {
// Ignore any error.
for _, cert := range caFiles {
caCerts = append(caCerts, filepath.Join(CAsDir, cert.Name()))
}
}
return caCerts
}
// getSystemCertPool returns empty cert pool in case of error (windows)
func getSystemCertPool() *x509.CertPool {
pool, err := x509.SystemCertPool()
if err != nil {
pool = x509.NewCertPool()
}
return pool
}
// isCertFileExists verifies if cert file exists, returns true if
// found, false otherwise.
func isCertFileExists() bool {
return isFile(getCertFile())
}
// isKeyFileExists verifies if key file exists, returns true if found,
// false otherwise.
func isKeyFileExists() bool {
return isFile(getKeyFile())
}
// isSSL - returns true with both cert and key exists.
func isSSL() bool {
return isCertFileExists() && isKeyFileExists()
}
// Reads certificated file and returns a list of parsed certificates.
func readCertificateChain() ([]*x509.Certificate, error) {
bytes, err := ioutil.ReadFile(getCertFile())
if err != nil {
return nil, err
}
// Proceed to parse the certificates.
return parseCertificateChain(bytes)
}
// Parses certificate chain, returns a list of parsed certificates.
func parseCertificateChain(bytes []byte) ([]*x509.Certificate, error) {
var certs []*x509.Certificate
var block *pem.Block
current := bytes
// Parse all certs in the chain.
for len(current) > 0 {
block, current = pem.Decode(current)
if block == nil {
return nil, errors.New("Could not PEM block")
}
// Parse the decoded certificate.
cert, err := x509.ParseCertificate(block.Bytes)
if err != nil {
return nil, err
}
certs = append(certs, cert)
}
return certs, nil
}
// loadRootCAs fetches CA files provided in minio config and adds them to globalRootCAs
// Currently under Windows, there is no way to load system + user CAs at the same time
func loadRootCAs() {
caFiles := getCAFiles()
if len(caFiles) == 0 {
return
}
// Get system cert pool, and empty cert pool under Windows because it is not supported
globalRootCAs = getSystemCertPool()
// Load custom root CAs for client requests
for _, caFile := range caFiles {
caCert, err := ioutil.ReadFile(caFile)
if err != nil {
fatalIf(err, "Unable to load a CA file")
}
globalRootCAs.AppendCertsFromPEM(caCert)
}
}