// bundlerMain is the main CLI of bundler functionality.
func bundlerMain(args []string, c cli.Config) (err error) {
bundler.IntermediateStash = c.IntDir
ubiquity.LoadPlatforms(c.Metadata)
flavor := bundler.BundleFlavor(c.Flavor)
var b *bundler.Bundler
// If it is a force bundle, don't require ca bundle and intermediate bundle
// Otherwise, initialize a bundler with CA bundle and intermediate bundle.
if flavor == bundler.Force {
b = &bundler.Bundler{}
} else {
b, err = bundler.NewBundler(c.CABundleFile, c.IntBundleFile)
if err != nil {
return
}
}
var bundle *bundler.Bundle
if c.CertFile != "" {
if c.CertFile == "-" {
var certPEM, keyPEM []byte
certPEM, err = cli.ReadStdin(c.CertFile)
if err != nil {
return
}
if c.KeyFile != "" {
keyPEM, err = cli.ReadStdin(c.KeyFile)
if err != nil {
return
}
}
bundle, err = b.BundleFromPEMorDER(certPEM, keyPEM, flavor, "")
if err != nil {
return
}
} else {
// Bundle the client cert
bundle, err = b.BundleFromFile(c.CertFile, c.KeyFile, flavor, c.Password)
if err != nil {
return
}
}
} else if c.Domain != "" {
bundle, err = b.BundleFromRemote(c.Domain, c.IP, flavor)
if err != nil {
return
}
} else {
return errors.New("Must specify bundle target through -cert or -domain")
}
marshaled, err := bundle.MarshalJSON()
if err != nil {
return
}
fmt.Printf("%s", marshaled)
return
}
// NewHandler creates a new bundler that uses the root bundle and
// intermediate bundle in the trust chain.
func NewHandler(caBundleFile, intBundleFile string) (http.Handler, error) {
var err error
b := new(Handler)
if b.bundler, err = bundler.NewBundler(caBundleFile, intBundleFile); err != nil {
return nil, err
}
log.Info("bundler API ready")
return api.HTTPHandler{Handler: b, Methods: []string{"POST"}}, nil
}
// intermediateCAScan scans for new intermediate CAs not in the trust store.
func intermediateCAScan(addr, hostname string) (grade Grade, output Output, err error) {
cidr, port, _ := net.SplitHostPort(addr)
_, ipnet, err := net.ParseCIDR(cidr)
if err != nil {
return Skipped, nil, nil
}
b, err := bundler.NewBundler(caBundleFile, intBundleFile)
if err != nil {
return
}
var wg sync.WaitGroup
wg.Add(numWorkers)
dialer := &net.Dialer{Timeout: timeout}
config := &tls.Config{InsecureSkipVerify: true}
addrs := make(chan string)
chains := make(chan []*x509.Certificate, numWorkers)
go func() {
for chain := range chains {
b.Bundle(chain, nil, bundler.Force)
}
}()
for i := 0; i < numWorkers; i++ {
go func() {
for addr := range addrs {
conn, err := tls.DialWithDialer(dialer, Network, addr, config)
if err != nil {
continue
}
conn.Close()
if conn.ConnectionState().HandshakeComplete {
chains <- conn.ConnectionState().PeerCertificates
}
}
wg.Done()
}()
}
for ip := ipnet.IP.To16(); ipnet.Contains(ip); incrementBytes(ip) {
addrs <- net.JoinHostPort(ip.String(), port)
}
close(addrs)
wg.Wait()
close(chains)
grade = Good
return
}