-
Notifications
You must be signed in to change notification settings - Fork 228
/
shim.go
158 lines (136 loc) · 4.02 KB
/
shim.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
package keyvault
import (
"context"
"crypto"
"crypto/ecdsa"
"crypto/ed25519"
"crypto/rsa"
"crypto/tls"
"crypto/x509"
"encoding/base64"
"encoding/pem"
"strings"
"github.com/Azure/azure-sdk-for-go/sdk/azcore"
"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets"
"github.com/pkg/errors"
"golang.org/x/crypto/pkcs12"
)
const (
pemContentType = "application/x-pem-file"
pkcs12ContentType = "application/x-pkcs12"
)
type secretFetcher interface {
GetSecret(ctx context.Context, secretName, version string, opts *azsecrets.GetSecretOptions) (azsecrets.GetSecretResponse, error)
}
// Shim provides convenience methods for working with KeyVault.
type Shim struct {
sf secretFetcher
}
// NewShim constructs a Shim for a KeyVault instance located at the provided url. The azcore.TokenCredential will
// only be used during method calls, it is not verified at initialization.
func NewShim(vaultURL string, cred azcore.TokenCredential) (*Shim, error) {
c, err := azsecrets.NewClient(vaultURL, cred, nil)
if err != nil {
return nil, errors.Wrap(err, "could not create new azsecrets.Client")
}
return &Shim{sf: c}, nil
}
// GetLatestTLSCertificate fetches the latest version of a keyvault certificate and transforms it into a usable tls.Certificate.
func (s *Shim) GetLatestTLSCertificate(ctx context.Context, certName string) (tls.Certificate, error) {
resp, err := s.sf.GetSecret(ctx, certName, "", nil)
if err != nil {
return tls.Certificate{}, errors.Wrap(err, "could not get secret")
}
pemBlocks, err := getPEMBlocks(*resp.ContentType, *resp.Value)
if err != nil {
return tls.Certificate{}, errors.Wrap(err, "could not get pem blocks")
}
var (
key crypto.PrivateKey
leaf *x509.Certificate
leafBytes []byte
cas [][]byte
)
for _, v := range pemBlocks {
switch {
case strings.Contains(v.Type, "PRIVATE KEY"):
key, err = parsePrivateKey(v.Bytes)
if err != nil {
return tls.Certificate{}, errors.Wrap(err, "could not parse private key")
}
case strings.Contains(v.Type, "CERTIFICATE"):
c, err := x509.ParseCertificate(v.Bytes)
if err != nil {
return tls.Certificate{}, errors.Wrap(err, "could not parse certificate")
}
if !c.IsCA {
leaf = c
leafBytes = v.Bytes
continue
}
cas = append(cas, v.Bytes)
}
}
if leaf == nil {
return tls.Certificate{}, errors.New("could not find leaf certificate")
}
return tls.Certificate{
PrivateKey: key,
Certificate: append([][]byte{leafBytes}, cas...),
Leaf: leaf,
}, nil
}
func getPEMBlocks(contentType, payload string) ([]*pem.Block, error) {
switch contentType {
case pkcs12ContentType:
return handlePFXBytes(payload)
case pemContentType:
return handlePEMBytes(payload)
}
return nil, errors.Errorf("unsupported content type %s", contentType)
}
func handlePFXBytes(v string) ([]*pem.Block, error) {
pfxBytes, err := base64.StdEncoding.DecodeString(v)
if err != nil {
return nil, errors.Wrap(err, "could not base64 decode keyvault.SecretBundle.Value")
}
bl, err := pkcs12.ToPEM(pfxBytes, "")
if err != nil {
return nil, errors.Wrap(err, "could not convert pfx to pem")
}
return bl, nil
}
func handlePEMBytes(v string) ([]*pem.Block, error) {
pemData := []byte(v)
var pemBlocks []*pem.Block
for {
b, rest := pem.Decode(pemData)
if b == nil {
break
}
pemBlocks = append(pemBlocks, b)
pemData = rest
}
if len(pemBlocks) == 0 {
return nil, errors.New("no pem blocks in input bytes")
}
return pemBlocks, nil
}
// from crypto/tls/tls.go
func parsePrivateKey(der []byte) (crypto.PrivateKey, error) {
if key, err := x509.ParsePKCS1PrivateKey(der); err == nil {
return key, nil
}
if key, err := x509.ParsePKCS8PrivateKey(der); err == nil {
switch key := key.(type) {
case *rsa.PrivateKey, *ecdsa.PrivateKey, ed25519.PrivateKey:
return key, nil
default:
return nil, errors.New("tls: found unknown private key type in PKCS#8 wrapping")
}
}
if key, err := x509.ParseECPrivateKey(der); err == nil {
return key, nil
}
return nil, errors.New("tls: failed to parse private key")
}