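// Copyright 2022-2023 The NATS Authors
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Package certstore turns the cert_store / cert_match_by configuration
// strings into typed values, checks that the selected store is usable on
// the current OS, and holds the small helpers shared by the
// platform-specific store implementations.
package certstore

import (
	"crypto"
	"crypto/x509"
	"io"
	"runtime"
	"strings"
)

// StoreType identifies an OS-backed certificate store.
type StoreType int

// MATCHBYEMPTY and STOREEMPTY are the zero values of MatchByType and
// StoreType and denote "not configured".
const MATCHBYEMPTY = 0
const STOREEMPTY = 0

// Known stores; values start at 1 so the zero value stays STOREEMPTY.
const (
	windowsCurrentUser StoreType = iota + 1
	windowsLocalMachine
)

// StoreMap maps the lower-cased cert_store configuration value to its
// StoreType. Lookups must lower-case the key first (see ParseCertStore).
var StoreMap = map[string]StoreType{
	"windowscurrentuser":  windowsCurrentUser,
	"windowslocalmachine": windowsLocalMachine,
}

// StoreOSMap records the runtime.GOOS value on which each StoreType can be
// used; ParseCertStore rejects a store whose entry does not match the
// running OS.
var StoreOSMap = map[StoreType]string{
	windowsCurrentUser:  "windows",
	windowsLocalMachine: "windows",
}

// MatchByType selects which certificate field cert_match is compared against.
type MatchByType int

// Known match modes; values start at 1 so the zero value stays MATCHBYEMPTY.
const (
	matchByIssuer MatchByType = iota + 1
	matchBySubject
)

// MatchByMap maps the lower-cased cert_match_by configuration value to its
// MatchByType. Lookups must lower-case the key first (see ParseCertMatchBy).
var MatchByMap = map[string]MatchByType{
	"issuer":  matchByIssuer,
	"subject": matchBySubject,
}

// Usage is the help text describing the certificate-store alternative to
// cert_file / key_file in the tls configuration block.
var Usage = `
In place of cert_file and key_file you may use the windows certificate store:

    tls {
        cert_store: "WindowsCurrentUser"
        cert_match_by: "Subject"
        cert_match: "MyServer123"
    }
`

// ParseCertStore resolves a cert_store configuration value to its StoreType.
// The comparison is case-insensitive. It returns ErrBadCertStore when the
// name is unknown and ErrOSNotCompatCertStore when the store is known but
// not usable on the current runtime.GOOS.
func ParseCertStore(certStore string) (StoreType, error) {
	certStoreType, exists := StoreMap[strings.ToLower(certStore)]
	if !exists {
		return STOREEMPTY, ErrBadCertStore
	}
	// A store that is defined but has no OS entry is treated as unusable
	// rather than silently accepted.
	validOS, exists := StoreOSMap[certStoreType]
	if !exists || validOS != runtime.GOOS {
		return STOREEMPTY, ErrOSNotCompatCertStore
	}
	return certStoreType, nil
}

// ParseCertMatchBy resolves a cert_match_by configuration value to its
// MatchByType. The comparison is case-insensitive. It returns
// ErrBadMatchByType when the value is not "issuer" or "subject".
func ParseCertMatchBy(certMatchBy string) (MatchByType, error) {
	certMatchByType, exists := MatchByMap[strings.ToLower(certMatchBy)]
	if !exists {
		return MATCHBYEMPTY, ErrBadMatchByType
	}
	return certMatchByType, nil
}

// GetLeafIssuer returns the certificate that directly issued leaf, taken
// from the first chain that leaf.Verify(vOpts) builds. It returns nil when
// leaf is nil, verification fails, no chain is produced, or the first chain
// contains only the leaf itself (a self-signed certificate that is also
// present in vOpts.Roots verifies to a one-element chain, and indexing
// element 1 of it would otherwise panic).
func GetLeafIssuer(leaf *x509.Certificate, vOpts x509.VerifyOptions) *x509.Certificate {
	if leaf == nil {
		return nil
	}
	chains, err := leaf.Verify(vOpts)
	if err != nil || len(chains) == 0 || len(chains[0]) < 2 {
		return nil
	}
	// chains[0][0] is the leaf; the next element is its issuer.
	return chains[0][1]
}

// credential provides access to a public key and is a crypto.Signer.
type credential interface {
	// Public returns the public key corresponding to the leaf certificate.
	Public() crypto.PublicKey
	// Sign signs digest with the private key.
	Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error)
}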