196 lines
5.4 KiB
JavaScript
196 lines
5.4 KiB
JavaScript
"use strict";
|
|
|
|
var sni = module.exports;
|
|
var tls = require("tls");
|
|
var servernameRe = /^[a-z0-9\.\-]+$/i;
|
|
|
|
// a nice, round, irrational number - about every 6¼ hours
|
|
var refreshOffset = Math.round(Math.PI * 2 * (60 * 60 * 1000));
|
|
// and another, about 15 minutes
|
|
var refreshStagger = Math.round(Math.PI * 5 * (60 * 1000));
|
|
// and another, about 30 seconds
|
|
var smallStagger = Math.round(Math.PI * (30 * 1000));
|
|
|
|
//secureOpts.SNICallback = sni.create(greenlock, secureOpts);
|
|
sni.create = function(greenlock, secureOpts) {
|
|
var _cache = {};
|
|
var defaultServername = greenlock.servername || "";
|
|
|
|
if (secureOpts.cert) {
|
|
// Note: it's fine if greenlock.servername is undefined,
|
|
// but if the caller wants this to auto-renew, they should define it
|
|
_cache[defaultServername] = {
|
|
refreshAt: 0,
|
|
secureContext: tls.createSecureContext(secureOpts)
|
|
};
|
|
}
|
|
|
|
return getSecureContext;
|
|
|
|
function notify(ev, args) {
|
|
try {
|
|
// TODO _notify() or notify()?
|
|
(greenlock.notify || greenlock._notify)(ev, args);
|
|
} catch (e) {
|
|
console.error(e);
|
|
console.error(ev, args);
|
|
}
|
|
}
|
|
|
|
function getSecureContext(servername, cb) {
|
|
//console.log("debug sni", servername);
|
|
if ("string" !== typeof servername) {
|
|
// this will never happen... right? but stranger things have...
|
|
console.error("[sanity fail] non-string servername:", servername);
|
|
cb(new Error("invalid servername"), null);
|
|
return;
|
|
}
|
|
|
|
var secureContext = getCachedContext(servername);
|
|
if (secureContext) {
|
|
//console.log("debug sni got cached context", servername, getCachedMeta(servername));
|
|
cb(null, secureContext);
|
|
return;
|
|
}
|
|
|
|
getFreshContext(servername)
|
|
.then(function(secureContext) {
|
|
if (secureContext) {
|
|
//console.log("debug sni got fresh context", servername, getCachedMeta(servername));
|
|
cb(null, secureContext);
|
|
return;
|
|
}
|
|
// Note: this does not replace tlsSocket.setSecureContext()
|
|
// as it only works when SNI has been sent
|
|
//console.log("debug sni got default context", servername, getCachedMeta(servername));
|
|
cb(null, getDefaultContext());
|
|
})
|
|
.catch(function(err) {
|
|
if (!err.context) {
|
|
err.context = "sni_callback";
|
|
}
|
|
notify("error", err);
|
|
//console.log("debug sni error", servername, err);
|
|
cb(err);
|
|
});
|
|
}
|
|
|
|
function getCachedMeta(servername) {
|
|
var meta = _cache[servername];
|
|
if (!meta) {
|
|
if (!_cache[wildname(servername)]) {
|
|
return null;
|
|
}
|
|
}
|
|
return meta;
|
|
}
|
|
|
|
function getCachedContext(servername) {
|
|
var meta = getCachedMeta(servername);
|
|
if (!meta) {
|
|
return null;
|
|
}
|
|
|
|
// always renew in background
|
|
if (!meta.refreshAt || Date.now() >= meta.refreshAt) {
|
|
getFreshContext(servername).catch(function(e) {
|
|
if (!e.context) {
|
|
e.context = "sni_background_refresh";
|
|
}
|
|
notify("error", e);
|
|
});
|
|
}
|
|
|
|
// under normal circumstances this would never be expired
|
|
// and, if it is expired, something is so wrong it's probably
|
|
// not worth wating for the renewal - it has probably failed
|
|
return meta.secureContext;
|
|
}
|
|
|
|
function getFreshContext(servername) {
|
|
var meta = getCachedMeta(servername);
|
|
if (!meta && !validServername(servername)) {
|
|
return Promise.resolve(null);
|
|
}
|
|
|
|
if (meta) {
|
|
// prevent stampedes
|
|
meta.refreshAt = Date.now() + randomRefreshOffset();
|
|
}
|
|
|
|
// TODO greenlock.get({ servername: servername })
|
|
// TODO don't get unknown certs at all, rely on auto-updates from greenlock
|
|
// Note: greenlock.renew() will return an existing fresh cert or issue a new one
|
|
return greenlock.renew({ servername: servername }).then(function(matches) {
|
|
var meta = getCachedMeta(servername);
|
|
if (!meta) {
|
|
meta = _cache[servername] = { secureContext: {} };
|
|
}
|
|
// prevent from being punked by bot trolls
|
|
meta.refreshAt = Date.now() + smallStagger;
|
|
|
|
// nothing to do
|
|
if (!matches.length) {
|
|
return null;
|
|
}
|
|
|
|
// we only care about the first one
|
|
var pems = matches[0].pems;
|
|
var site = matches[0].site;
|
|
var match = matches[0];
|
|
if (!pems || !pems.cert) {
|
|
// nothing to do
|
|
// (and the error should have been reported already)
|
|
return null;
|
|
}
|
|
|
|
meta = {
|
|
refreshAt: Date.now() + randomRefreshOffset(),
|
|
secureContext: tls.createSecureContext({
|
|
// TODO support passphrase-protected privkeys
|
|
key: pems.privkey,
|
|
cert: pems.cert + "\n" + pems.chain + "\n"
|
|
})
|
|
};
|
|
|
|
// copy this same object into every place
|
|
[match.altnames || site.altnames || [match.subject || site.subject]].forEach(function(altname) {
|
|
_cache[altname] = meta;
|
|
});
|
|
|
|
return meta.secureContext;
|
|
});
|
|
}
|
|
|
|
function getDefaultContext() {
|
|
return getCachedContext(defaultServername);
|
|
}
|
|
};
|
|
|
|
// whenever we need to know when to refresh next
|
|
function randomRefreshOffset() {
|
|
var stagger = Math.round(refreshStagger / 2) - Math.round(Math.random() * refreshStagger);
|
|
return refreshOffset + stagger;
|
|
}
|
|
|
|
function validServername(servername) {
|
|
// format and (lightly) sanitize sni so that users can be naive
|
|
// and not have to worry about SQL injection or fs discovery
|
|
|
|
servername = (servername || "").toLowerCase();
|
|
// hostname labels allow a-z, 0-9, -, and are separated by dots
|
|
// _ is sometimes allowed, but not as a "hostname", and not by Let's Encrypt ACME
|
|
// REGEX // https://www.codeproject.com/Questions/1063023/alphanumeric-validation-javascript-without-regex
|
|
return servernameRe.test(servername) && -1 === servername.indexOf("..");
|
|
}
|
|
|
|
function wildname(servername) {
|
|
return (
|
|
"*." +
|
|
servername
|
|
.split(".")
|
|
.slice(1)
|
|
.join(".")
|
|
);
|
|
}
|