// SPDX-License-Identifier: GPL-3.0-or-later
package x509check
import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net"
	"net/smtp"
	"net/url"
	"os"
	"time"

	"github.com/netdata/netdata/go/go.d.plugin/pkg/tlscfg"
)
// provider is a source of X.509 certificates to check. Each implementation
// (file, raw TLS endpoint, SMTP with STARTTLS) returns the certificates it
// obtained, or an error if the source could not be read or contacted.
type provider interface {
	certificates() ([]*x509.Certificate, error)
}
// fromFile provides certificates read from a PEM-encoded file on disk.
type fromFile struct {
	path string // filesystem path taken from the "file" source URL
}
// fromNet provides the certificate chain presented by a TLS server reached
// over a plain network connection (scheme and host:port taken from url).
type fromNet struct {
	url       *url.URL      // dial target; Scheme is the network ("tcp", "udp", ...), Host is host:port
	tlsConfig *tls.Config   // handshake settings; ServerName is set to the URL hostname by newProvider
	timeout   time.Duration // bound passed to net.DialTimeout for the connection attempt
}
// fromSMTP provides the certificate chain presented by an SMTP server after
// upgrading a plaintext session with STARTTLS.
type fromSMTP struct {
	url       *url.URL      // dial target; Scheme is rewritten to "tcp" by newProvider, Host is host:port
	tlsConfig *tls.Config   // settings for the STARTTLS handshake; ServerName is set by newProvider
	timeout   time.Duration // bound passed to net.DialTimeout for the connection attempt
}
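// newProvider selects the certificate source for config.Source by URL scheme:
// "file" reads a PEM file at the URL path; "https", "tcp*" and "udp*" perform
// a TLS handshake against the host; "smtp" upgrades a plaintext SMTP session
// with STARTTLS. Network sources expect host:port in the URL. The URL hostname
// becomes the TLS ServerName, so it drives both SNI and hostname verification
// of the presented chain (unless the TLS settings disable verification).
//
// It returns an error if the source URL cannot be parsed, the TLS settings
// cannot be turned into a tls.Config, or the scheme is not supported.
func newProvider(config Config) (provider, error) {
	sourceURL, err := url.Parse(config.Source)
	if err != nil {
		return nil, fmt.Errorf("source parse: %w", err)
	}

	tlsCfg, err := tlscfg.NewTLSConfig(config.TLSConfig)
	if err != nil {
		return nil, fmt.Errorf("create tls config: %w", err)
	}
	if tlsCfg == nil {
		// NewTLSConfig presumably returns nil when no TLS options are configured;
		// fall back to the library defaults (full verification against system roots).
		tlsCfg = &tls.Config{}
	}
	tlsCfg.ServerName = sourceURL.Hostname()

	timeout := config.Timeout.Duration()

	switch sourceURL.Scheme {
	case "file":
		return &fromFile{path: sourceURL.Path}, nil
	case "https", "udp", "udp4", "udp6", "tcp", "tcp4", "tcp6":
		// "https" only says that TLS is expected; the dial itself is plain TCP
		// and the scheme is handed to net.DialTimeout as the network name.
		if sourceURL.Scheme == "https" {
			sourceURL.Scheme = "tcp"
		}
		return &fromNet{url: sourceURL, tlsConfig: tlsCfg, timeout: timeout}, nil
	case "smtp":
		sourceURL.Scheme = "tcp"
		return &fromSMTP{url: sourceURL, tlsConfig: tlsCfg, timeout: timeout}, nil
	default:
		// Report the scheme itself; the original message printed the whole URL
		// under the label "scheme", which was misleading.
		return nil, fmt.Errorf("unsupported scheme %q in source '%s'", sourceURL.Scheme, sourceURL)
	}
}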
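// certificates reads the PEM file at f.path and returns every CERTIFICATE
// block it contains, in file order. Bundled files (leaf followed by
// intermediates) therefore yield the whole chain, matching what the network
// providers return; PEM blocks of other types (keys, parameters) are skipped.
//
// It returns an error if the file cannot be read, if it contains no
// CERTIFICATE block, or if any certificate block fails to parse.
func (f fromFile) certificates() ([]*x509.Certificate, error) {
	content, err := os.ReadFile(f.path)
	if err != nil {
		return nil, fmt.Errorf("error on reading '%s': %w", f.path, err)
	}

	var certs []*x509.Certificate
	for rest := content; len(rest) > 0; {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			// No further PEM block in the remaining bytes.
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("error on parsing certificate '%s': %w", f.path, err)
		}
		certs = append(certs, cert)
	}

	if len(certs) == 0 {
		// The previous message formatted err here, which is always nil at this
		// point (ReadFile succeeded); say what is actually wrong instead.
		return nil, fmt.Errorf("error on decoding '%s': no PEM CERTIFICATE block found", f.path)
	}
	return certs, nil
}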
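// certificates dials f.url.Host over the network named by f.url.Scheme, runs a
// TLS handshake with f.tlsConfig and returns the peer chain the server
// presented, leaf first. Whether that chain was verified depends on
// f.tlsConfig (InsecureSkipVerify, RootCAs, ServerName); a failed verification
// surfaces as a handshake error.
//
// f.timeout bounds the connection attempt and, when positive, the handshake as
// well (a read/write deadline on the raw connection). Zero means no limit.
//
// NOTE(review): crypto/tls only implements stream TLS, not DTLS, so a handshake
// over a "udp*" scheme is unlikely to succeed — confirm those schemes are used.
func (f fromNet) certificates() ([]*x509.Certificate, error) {
	rawConn, err := net.DialTimeout(f.url.Scheme, f.url.Host, f.timeout)
	if err != nil {
		return nil, fmt.Errorf("error on dial to '%s': %w", f.url, err)
	}
	defer func() { _ = rawConn.Close() }()

	if f.timeout > 0 {
		// DialTimeout only bounds the connect; without a deadline a peer that
		// accepts the connection and then stalls would block the handshake
		// (and this collector) indefinitely.
		if err := rawConn.SetDeadline(time.Now().Add(f.timeout)); err != nil {
			return nil, fmt.Errorf("error on setting deadline for '%s': %w", f.url, err)
		}
	}

	// Clone: the config is shared between calls and the handshake may mutate it.
	conn := tls.Client(rawConn, f.tlsConfig.Clone())
	defer func() { _ = conn.Close() }()

	if err := conn.Handshake(); err != nil {
		return nil, fmt.Errorf("error on SSL handshake with '%s': %w", f.url, err)
	}
	return conn.ConnectionState().PeerCertificates, nil
}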
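// certificates dials f.url.Host, opens an SMTP session, upgrades it with
// STARTTLS using f.tlsConfig and returns the peer chain the server presented,
// leaf first. Verification of that chain is governed by f.tlsConfig; a failed
// verification surfaces as a STARTTLS error.
//
// f.timeout bounds the connection attempt and, when positive, the whole SMTP
// exchange (greeting, EHLO, STARTTLS, handshake) via a deadline on the raw
// connection. Zero means no limit.
func (f fromSMTP) certificates() ([]*x509.Certificate, error) {
	rawConn, err := net.DialTimeout(f.url.Scheme, f.url.Host, f.timeout)
	if err != nil {
		return nil, fmt.Errorf("error on dial to '%s': %w", f.url, err)
	}
	defer func() { _ = rawConn.Close() }()

	if f.timeout > 0 {
		// DialTimeout only bounds the connect; reading the greeting or waiting
		// for the STARTTLS reply would otherwise hang on a stalled server.
		if err := rawConn.SetDeadline(time.Now().Add(f.timeout)); err != nil {
			return nil, fmt.Errorf("error on setting deadline for '%s': %w", f.url, err)
		}
	}

	// Hostname() handles a bracketed IPv6 literal and a missing port, where
	// net.SplitHostPort would fail and, with its error ignored, leave an empty host.
	smtpClient, err := smtp.NewClient(rawConn, f.url.Hostname())
	if err != nil {
		return nil, fmt.Errorf("error on creating SMTP client: %w", err)
	}
	defer func() { _ = smtpClient.Quit() }()

	// Clone: the config is shared between calls and the handshake may mutate it.
	if err := smtpClient.StartTLS(f.tlsConfig.Clone()); err != nil {
		return nil, fmt.Errorf("error on startTLS with '%s': %w", f.url, err)
	}

	state, ok := smtpClient.TLSConnectionState()
	if !ok {
		return nil, errors.New("startTLS didn't succeed")
	}
	return state.PeerCertificates, nil
}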