fleet/server/service/service_certificate.go

package service

import (
	"bytes"
	"context"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"io"
	"net"
	"net/url"

	"github.com/pkg/errors"
)

// Certificate returns the PEM encoded certificate chain for osqueryd TLS termination.
func (svc *Service) CertificateChain(ctx context.Context) ([]byte, error) {
	config, err := svc.AppConfig(ctx)
	if err != nil {
		return nil, err
	}

	u, err := url.Parse(config.ServerSettings.ServerURL)
	if err != nil {
		return nil, errors.Wrap(err, "parsing serverURL")
	}

	conn, err := connectTLS(u)
	if err != nil {
		return nil, err
	}

	return chain(conn.ConnectionState(), u.Hostname())
}

func connectTLS(serverURL *url.URL) (*tls.Conn, error) {
	var hostport string
	if serverURL.Port() == "" {
		hostport = net.JoinHostPort(serverURL.Host, "443")
	} else {
		hostport = serverURL.Host
	}

	// attempt dialing twice, first with a secure conn, and then
	// if that fails, use insecure
	dial := func(insecure bool) (*tls.Conn, error) {
		conn, err := tls.Dial("tcp", hostport, &tls.Config{
			InsecureSkipVerify: insecure})
		if err != nil {
			return nil, errors.Wrap(err, "dial tls")
		}
		defer conn.Close()
		return conn, nil
	}

	var (
		conn *tls.Conn
		err  error
	)

	conn, err = dial(false)
	if err == nil {
		return conn, nil
	}
	conn, err = dial(true)
	return conn, err
}

// chain builds a PEM encoded certificate chain using the PeerCertificates
// in tls.ConnectionState. chain uses the hostname to omit the Leaf certificate
// from the chain.
func chain(cs tls.ConnectionState, hostname string) ([]byte, error) {
	buf := bytes.NewBuffer([]byte(""))

	verifyEncode := func(chain []*x509.Certificate) error {
		for _, cert := range chain {
			if len(chain) > 1 {
				// drop the leaf certificate from the chain. osqueryd does not
				// need it to establish a secure connection
				if err := cert.VerifyHostname(hostname); err == nil {
					continue
				}
			}
			if err := encodePEMCertificate(buf, cert); err != nil {
				return err
			}
		}
		return nil
	}

	// use verified chains if available(which adds the root CA), otherwise
	// use the certificate chain offered by the server (if terminated with
	// self-signed certs)
	if len(cs.VerifiedChains) != 0 {
		for _, chain := range cs.VerifiedChains {
			if err := verifyEncode(chain); err != nil {
				return nil, errors.Wrap(err, "encode verified chains pem")
			}
		}
	} else {
		if err := verifyEncode(cs.PeerCertificates); err != nil {
			return nil, errors.Wrap(err, "encode peer certificates pem")
		}
	}
	return buf.Bytes(), nil
}

func encodePEMCertificate(buf io.Writer, cert *x509.Certificate) error {
	block := &pem.Block{
		Type:  "CERTIFICATE",
		Bytes: cert.Raw,
	}
	return pem.Encode(buf, block)
}
add endpoint to serve the kolide certificate back to the user (#1025) add endpoint to serve the kolide certificate back to the user The API will attempt to establish a TLS connection and fetch the certificate from the TLS ConnectionState. The PEM encoded certificate will be served to the client in a JSON response as a base64 encoded string. Closes #1012 2017-01-20 19:32:10 +00:00			`package service`

			`import (`
			`"bytes"`
Update go-kit to 0.4.0 (#1411) Notable refactoring: - Use stdlib "context" in place of "golang.org/x/net/context" - Go-kit no longer wraps errors, so we remove the unwrap in transport_error.go - Use MakeHandler when setting up endpoint tests (fixes test bug caught during this refactoring) Closes #1411. 2017-03-15 15:55:30 +00:00			`"context"`
add endpoint to serve the kolide certificate back to the user (#1025) add endpoint to serve the kolide certificate back to the user The API will attempt to establish a TLS connection and fetch the certificate from the TLS ConnectionState. The PEM encoded certificate will be served to the client in a JSON response as a base64 encoded string. Closes #1012 2017-01-20 19:32:10 +00:00			`"crypto/tls"`
			`"crypto/x509"`
			`"encoding/pem"`
			`"io"`
			`"net"`
			`"net/url"`

			`"github.com/pkg/errors"`
			`)`

			`// Certificate returns the PEM encoded certificate chain for osqueryd TLS termination.`
Refactor teams service methods (#910) - Move team-related service methods to `ee/server/service`. - Instantiate different service on startup based on license key. - Refactor service errors into separate package. - Add support for running E2E tests in both Core and Basic tiers. 2021-06-01 00:07:51 +00:00			`func (svc *Service) CertificateChain(ctx context.Context) ([]byte, error) {`
add endpoint to serve the kolide certificate back to the user (#1025) add endpoint to serve the kolide certificate back to the user The API will attempt to establish a TLS connection and fetch the certificate from the TLS ConnectionState. The PEM encoded certificate will be served to the client in a JSON response as a base64 encoded string. Closes #1012 2017-01-20 19:32:10 +00:00			`config, err := svc.AppConfig(ctx)`
			`if err != nil {`
			`return nil, err`
			`}`

Refactor app config (POC, for now) (#1685) 2021-08-20 15:27:41 +00:00			`u, err := url.Parse(config.ServerSettings.ServerURL)`
add endpoint to serve the kolide certificate back to the user (#1025) add endpoint to serve the kolide certificate back to the user The API will attempt to establish a TLS connection and fetch the certificate from the TLS ConnectionState. The PEM encoded certificate will be served to the client in a JSON response as a base64 encoded string. Closes #1012 2017-01-20 19:32:10 +00:00			`if err != nil {`
			`return nil, errors.Wrap(err, "parsing serverURL")`
			`}`

			`conn, err := connectTLS(u)`
			`if err != nil {`
			`return nil, err`
			`}`

			`return chain(conn.ConnectionState(), u.Hostname())`
			`}`

			`func connectTLS(serverURL url.URL) (tls.Conn, error) {`
			`var hostport string`
			`if serverURL.Port() == "" {`
			`hostport = net.JoinHostPort(serverURL.Host, "443")`
			`} else {`
			`hostport = serverURL.Host`
			`}`

			`// attempt dialing twice, first with a secure conn, and then`
			`// if that fails, use insecure`
			`dial := func(insecure bool) (*tls.Conn, error) {`
			`conn, err := tls.Dial("tcp", hostport, &tls.Config{`
			`InsecureSkipVerify: insecure})`
			`if err != nil {`
			`return nil, errors.Wrap(err, "dial tls")`
			`}`
			`defer conn.Close()`
			`return conn, nil`
			`}`

			`var (`
			`conn *tls.Conn`
			`err error`
			`)`

			`conn, err = dial(false)`
			`if err == nil {`
			`return conn, nil`
			`}`
			`conn, err = dial(true)`
			`return conn, err`
			`}`

			`// chain builds a PEM encoded certificate chain using the PeerCertificates`
			`// in tls.ConnectionState. chain uses the hostname to omit the Leaf certificate`
			`// from the chain.`
			`func chain(cs tls.ConnectionState, hostname string) ([]byte, error) {`
			`buf := bytes.NewBuffer([]byte(""))`

			`verifyEncode := func(chain []*x509.Certificate) error {`
			`for _, cert := range chain {`
			`if len(chain) > 1 {`
			`// drop the leaf certificate from the chain. osqueryd does not`
			`// need it to establish a secure connection`
			`if err := cert.VerifyHostname(hostname); err == nil {`
			`continue`
			`}`
			`}`
			`if err := encodePEMCertificate(buf, cert); err != nil {`
			`return err`
			`}`
			`}`
			`return nil`
			`}`

			`// use verified chains if available(which adds the root CA), otherwise`
			`// use the certificate chain offered by the server (if terminated with`
			`// self-signed certs)`
			`if len(cs.VerifiedChains) != 0 {`
			`for _, chain := range cs.VerifiedChains {`
			`if err := verifyEncode(chain); err != nil {`
			`return nil, errors.Wrap(err, "encode verified chains pem")`
			`}`
			`}`
			`} else {`
			`if err := verifyEncode(cs.PeerCertificates); err != nil {`
			`return nil, errors.Wrap(err, "encode peer certificates pem")`
			`}`
			`}`
			`return buf.Bytes(), nil`
			`}`

			`func encodePEMCertificate(buf io.Writer, cert *x509.Certificate) error {`
			`block := &pem.Block{`
			`Type: "CERTIFICATE",`
			`Bytes: cert.Raw,`
			`}`
			`return pem.Encode(buf, block)`
			`}`