
Source file src/github.com/Azure/go-autorest/autorest/adal/persist.go


     1  package adal
     2  
     3  // Copyright 2017 Microsoft Corporation
     4  //
     5  //  Licensed under the Apache License, Version 2.0 (the "License");
     6  //  you may not use this file except in compliance with the License.
     7  //  You may obtain a copy of the License at
     8  //
     9  //      http://www.apache.org/licenses/LICENSE-2.0
    10  //
    11  //  Unless required by applicable law or agreed to in writing, software
    12  //  distributed under the License is distributed on an "AS IS" BASIS,
    13  //  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    14  //  See the License for the specific language governing permissions and
    15  //  limitations under the License.
    16  
    17  import (
    18  	"crypto/rsa"
    19  	"crypto/x509"
    20  	"encoding/json"
    21  	"errors"
    22  	"fmt"
    23  	"io/ioutil"
    24  	"os"
    25  	"path/filepath"
    26  
    27  	"golang.org/x/crypto/pkcs12"
    28  )
    29  
var (
	// ErrMissingCertificate is returned by DecodePfxCertificateData when the PFX data holds
	// no "CERTIFICATE" block whose RSA public key matches the private key found in it.
	ErrMissingCertificate = errors.New("adal: certificate missing")

	// ErrMissingPrivateKey is returned by DecodePfxCertificateData when the PFX data
	// contains no "PRIVATE KEY" block.
	ErrMissingPrivateKey = errors.New("adal: private key missing")
)
    37  
// LoadToken restores a Token object from a file located at 'path'.
// The file is expected to hold the JSON form of a Token; it is opened read-only,
// decoded directly from the stream and closed before returning. Both the open
// and the decode error are returned annotated with the path.
func LoadToken(path string) (*Token, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, fmt.Errorf("failed to open file (%s) while loading token: %v", path, err)
	}
	defer f.Close()

	tok := new(Token)
	// Decode straight from the file so the body never has to be buffered in memory.
	if err := json.NewDecoder(f).Decode(tok); err != nil {
		return nil, fmt.Errorf("failed to decode contents of file (%s) into Token representation: %v", path, err)
	}
	return tok, nil
}
    54  
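// SaveToken persists an oauth token at the given location on disk.
// It moves the new file into place so it can safely be used to replace an existing file
// that maybe accessed by multiple processes.
//
// The token is first written to a temporary file in the destination directory, the
// requested mode is applied to that temporary file, and only then is it renamed over
// 'path'. If any step fails the temporary file is removed, so a failed save never leaves
// a partial copy of the token on disk and an existing token file at 'path' stays untouched.
func SaveToken(path string, mode os.FileMode, token Token) error {
	dir := filepath.Dir(path)
	// NOTE(review): os.ModePerm (0777, subject to umask) is permissive for a directory that
	// holds credentials. It is kept for backward compatibility with callers that share the
	// directory; it only affects directories this call creates, never existing ones.
	err := os.MkdirAll(dir, os.ModePerm)
	if err != nil {
		return fmt.Errorf("failed to create directory (%s) to store token in: %v", dir, err)
	}

	newFile, err := ioutil.TempFile(dir, "token")
	if err != nil {
		return fmt.Errorf("failed to create the temp file to write the token: %v", err)
	}
	tempPath := newFile.Name()

	// Undo partial work on any failure below: close the handle if it is still open and
	// delete the temporary file unless the rename has already consumed it.
	closed := false
	committed := false
	defer func() {
		if !closed {
			newFile.Close() // best effort; the write has already failed at this point
		}
		if !committed {
			os.Remove(tempPath) // best effort; never leave a stray token file behind
		}
	}()

	if err := json.NewEncoder(newFile).Encode(token); err != nil {
		return fmt.Errorf("failed to encode token to file (%s) while saving token: %v", tempPath, err)
	}
	closed = true
	if err := newFile.Close(); err != nil {
		return fmt.Errorf("failed to close temp file %s: %v", tempPath, err)
	}
	// Apply the caller's mode before the file becomes visible at 'path', so the published
	// file never carries a mode other than the requested one and a chmod failure does not
	// replace the existing token.
	if err := os.Chmod(tempPath, mode); err != nil {
		return fmt.Errorf("failed to chmod the token file %s: %v", tempPath, err)
	}

	// Atomic replace to avoid multi-writer file corruptions
	if err := os.Rename(tempPath, path); err != nil {
		return fmt.Errorf("failed to move temporary token to desired output location. src=%s dst=%s: %v", tempPath, path, err)
	}
	committed = true
	return nil
}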
    87  
// DecodePfxCertificateData extracts the x509 certificate and RSA private key from the provided PFX data.
// The PFX data must contain a private key along with a certificate whose public key matches that of the
// private key or an error is returned.
// If the private key is not password protected pass the empty string for password.
//
// Only the first "PRIVATE KEY" block is used and it is parsed as a PKCS#1 RSA key, so a key in any
// other encoding is reported as a parse error rather than ErrMissingPrivateKey. "CERTIFICATE" blocks
// are scanned in order; ones with a non-RSA public key are skipped, a malformed one aborts with its
// parse error, and the first whose (N, E) equals the private key's is returned.
func DecodePfxCertificateData(pfxData []byte, password string) (*x509.Certificate, *rsa.PrivateKey, error) {
	pemBlocks, err := pkcs12.ToPEM(pfxData, password)
	if err != nil {
		return nil, nil, err
	}

	// Pass 1: locate and parse the private key.
	var key *rsa.PrivateKey
	for _, b := range pemBlocks {
		if b.Type != "PRIVATE KEY" {
			continue
		}
		if key, err = x509.ParsePKCS1PrivateKey(b.Bytes); err != nil {
			return nil, nil, err
		}
		break
	}
	if key == nil {
		return nil, nil, ErrMissingPrivateKey
	}

	// Pass 2: find the certificate that carries this key's public half.
	belongsToKey := func(pub *rsa.PublicKey) bool {
		return pub.E == key.E && pub.N.Cmp(key.N) == 0
	}
	for _, b := range pemBlocks {
		if b.Type != "CERTIFICATE" {
			continue
		}
		c, perr := x509.ParseCertificate(b.Bytes)
		if perr != nil {
			return nil, nil, perr
		}
		if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && belongsToKey(pub) {
			return c, key, nil
		}
	}
	return nil, nil, ErrMissingCertificate
}
   136  
