rawlinp commented on a change in pull request #4625: updated to store Lets
Encrypt user account information
URL: https://github.com/apache/trafficcontrol/pull/4625#discussion_r410303966
##########
File path: traffic_ops/traffic_ops_golang/deliveryservice/letsencryptcert.go
##########
@@ -330,7 +374,86 @@ func GetLetsEncryptCertificates(cfg *config.Config, req
tc.DeliveryServiceLetsEn
}
tx2.Commit()
+ if !foundPreviousAccount {
+ userKeyDer := x509.MarshalPKCS1PrivateKey(userPrivateKey)
+ if userKeyDer == nil {
+ log.Errorf("marshalling private key: nil der")
+ api.CreateChangeLogRawTx(api.ApiChange, "DS:
"+*req.DeliveryService+", ID: "+strconv.Itoa(dsID)+", ACTION: FAILED to add SSL
keys with Lets Encrypt", currentUser, logTx)
+ return errors.New("marshalling private key: nil der")
+ }
+ userKeyBuf := bytes.Buffer{}
+ if err := pem.Encode(&userKeyBuf, &pem.Block{Type: "RSA PRIVATE
KEY", Bytes: userKeyDer}); err != nil {
+ log.Errorf("pem-encoding private key: " + err.Error())
+ api.CreateChangeLogRawTx(api.ApiChange, "DS:
"+*req.DeliveryService+", ID: "+strconv.Itoa(dsID)+", ACTION: FAILED to add SSL
keys with Lets Encrypt", currentUser, logTx)
+ return errors.New("pem-encoding private key: " +
err.Error())
+ }
+ userKeyPem := userKeyBuf.Bytes()
+ err = storeLEAccountInfo(userTx, myUser.Email,
string(userKeyPem), myUser.Registration.URI)
+ if err != nil {
+ log.Errorf("storing user account info: " + err.Error())
+ api.CreateChangeLogRawTx(api.ApiChange, "DS:
"+*req.DeliveryService+", ID: "+strconv.Itoa(dsID)+", ACTION: FAILED to add SSL
keys with Lets Encrypt", currentUser, logTx)
+ return errors.New("storing user account info: " +
err.Error())
+ }
+ }
+
api.CreateChangeLogRawTx(api.ApiChange, "DS: "+*req.DeliveryService+",
ID: "+strconv.Itoa(dsID)+", ACTION: Added SSL keys with Lets Encrypt",
currentUser, logTx)
return nil
}
+
+func getStoredLetsEncryptInfo(tx *sql.Tx, email string) (*LEInfo, error) {
+ leInfoList := []LEInfo{}
+ selectQuery := `SELECT email, private_key, uri FROM
lets_encrypt_account WHERE email = $1`
+ rows, err := tx.Query(selectQuery, email)
+ if err != nil {
+ return nil, errors.New("getting dns challenge records: " +
err.Error())
+ }
+ defer rows.Close()
+
+ for rows.Next() {
+ leInfo := LEInfo{}
+ if err := rows.Scan(&leInfo.Email, &leInfo.Key, &leInfo.URI);
err != nil {
+ return nil, errors.New("scanning : lets_encrypt_account
" + err.Error())
+ }
+
+ leInfoList = append(leInfoList, leInfo)
+ }
+
+ if len(leInfoList) == 0 {
+ return nil, nil
+ }
+
+ firstInfo := leInfoList[0]
+ decodedKeyBlock, _ := pem.Decode([]byte(*firstInfo.Key))
+ decodedKey, err := x509.ParsePKCS1PrivateKey(decodedKeyBlock.Bytes)
+ if err != nil {
+ return nil, errors.New("decoding private key for user account")
+ }
+ firstInfo.PrivateKey = decodedKey
+
+ return &firstInfo, nil
+}
+
+func storeLEAccountInfo(tx *sql.Tx, email string, privateKey string, uri
string) error {
+ q := `INSERT INTO lets_encrypt_account (email, private_key, uri) VALUES
($1, $2, $3)`
+ response, err := tx.Exec(q, email, privateKey, uri)
+ if err != nil {
+ return err
+ } else {
+ rows, err := response.RowsAffected()
+ if err != nil {
+ return err
+ }
+ if rows == 0 {
+ return errors.New("zero rows affected when inserting
Let's Encrypt account information")
+ }
+ }
+ return nil
+}
+
+type LEInfo struct {
+ Email *string `db:"email"`
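Review bot: `pem.Decode` in getStoredLetsEncryptInfo returns a nil block when the stored `private_key` value is not valid PEM, so `decodedKeyBlock.Bytes` on the next line panics on a malformed or tampered row instead of returning an error; guard it with `if decodedKeyBlock == nil { return nil, errors.New("decoding private key for user account: no PEM block") }` and append `err.Error()` to the ParsePKCS1PrivateKey error so the underlying cause is not dropped. The error message on the `tx.Query` branch reads "getting dns challenge records", which appears copied from another function and will mislead anyone reading the log; `"getting lets_encrypt_account row: " + err.Error()` matches the query actually run. Because storeLEAccountInfo writes the ACME account private key to the table as plaintext PEM, a doc comment on that function stating that `lets_encrypt_account.private_key` holds the unencrypted account key would let operators treat access to that table accordingly. The `LEInfo` struct definition continues past the end of the hunk.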
Review comment:
Do any of these fields actually have to be nullable? The DB fields are `NOT
NULL`, and it looks like `PrivateKey` could be set by dereferencing the
`decodedKey` pointer on L432.