Exemple #1
0
// NewHandler creates a new bundler that uses the root bundle and
// intermediate bundle in the trust chain.
func NewHandler(caBundleFile, intBundleFile string) (http.Handler, error) {
	var err error

	b := new(Handler)
	if b.bundler, err = bundler.NewBundler(caBundleFile, intBundleFile); err != nil {
		return nil, err
	}

	log.Info("bundler API ready")
	return api.HTTPHandler{Handler: b, Method: "POST"}, nil
}
Exemple #2
0
// bundlerMain is the main CLI of bundler functionality.
func bundlerMain(args []string, c cli.Config) (err error) {
	ubiquity.LoadPlatforms(c.Metadata)
	flavor := bundler.BundleFlavor(c.Flavor)
	// Initialize a bundler with CA bundle and intermediate bundle.
	b, err := bundler.NewBundler(c.CABundleFile, c.IntBundleFile)
	if err != nil {
		return
	}

	var bundle *bundler.Bundle
	if c.CertFile != "" {
		if c.CertFile == "-" {
			var certPEM, keyPEM []byte
			certPEM, err = cli.ReadStdin(c.CertFile)
			if err != nil {
				return
			}
			if c.KeyFile != "" {
				keyPEM, err = cli.ReadStdin(c.KeyFile)
				if err != nil {
					return
				}
			}
			bundle, err = b.BundleFromPEM(certPEM, keyPEM, flavor)
			if err != nil {
				return
			}
		} else {
			// Bundle the client cert
			bundle, err = b.BundleFromFile(c.CertFile, c.KeyFile, flavor)
			if err != nil {
				return
			}
		}
	} else if c.Domain != "" {
		bundle, err = b.BundleFromRemote(c.Domain, c.IP, flavor)
		if err != nil {
			return
		}
	} else {
		return errors.New("Must specify bundle target through -cert or -domain")
	}

	marshaled, err := bundle.MarshalJSON()
	if err != nil {
		return
	}
	fmt.Printf("%s", marshaled)
	return
}
Exemple #3
0
// intermediateCAScan scans for new intermediate CAs not in the trust store.
func intermediateCAScan(host string) (grade Grade, output Output, err error) {
	cidr, port, _ := net.SplitHostPort(host)
	_, ipnet, err := net.ParseCIDR(cidr)
	if err != nil {
		return Skipped, nil, nil
	}
	b, err := bundler.NewBundler(caBundleFile, intBundleFile)
	if err != nil {
		return
	}
	var wg sync.WaitGroup
	wg.Add(numWorkers)
	dialer := &net.Dialer{Timeout: timeout}
	config := &tls.Config{InsecureSkipVerify: true}
	addrs := make(chan string)
	chains := make(chan []*x509.Certificate, numWorkers)
	go func() {
		for chain := range chains {
			b.Bundle(chain, nil, bundler.Force)
		}
	}()
	for i := 0; i < numWorkers; i++ {
		go func() {
			for addr := range addrs {
				conn, err := tls.DialWithDialer(dialer, Network, addr, config)
				if err != nil {
					continue
				}
				conn.Close()
				if conn.ConnectionState().HandshakeComplete {
					chains <- conn.ConnectionState().PeerCertificates
				}
			}
			wg.Done()
		}()
	}
	for ip := ipnet.IP.To16(); ipnet.Contains(ip); incrementBytes(ip) {
		addrs <- net.JoinHostPort(ip.String(), port)
	}
	close(addrs)
	wg.Wait()
	close(chains)
	grade = Good
	return
}