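package main

import (
	"encoding/json"
	"errors"
	"io/ioutil"
	"os"
	"path/filepath"
	"runtime"
	"time"

	"github.com/cloudflare/cfssl/certinfo"
	"github.com/cloudflare/cfssl/config"
	"github.com/cloudflare/cfssl/log"
)

// SecretData is the in-memory view of the on-disk secret store: one
// ClusterSecrets entry per cluster name, plus the cfssl configuration the
// store was loaded with.
type SecretData struct {
	clusters map[string]*ClusterSecrets
	config   *config.Config
}

// ClusterSecrets holds every long-lived secret belonging to one cluster.
// All of it is sensitive (private keys, bearer tokens, passwords); callers
// must not log or serialise it anywhere other than the secret-data file.
type ClusterSecrets struct {
	CAs         map[string]*CA
	Tokens      map[string]string
	Passwords   map[string]string
	SSHKeyPairs map[string][]SSHKeyPair
}

// KeyCert is a PEM-encoded private key and its certificate, together with a
// hash of the request that produced them (used to detect a changed request).
type KeyCert struct {
	Key     []byte
	Cert    []byte
	ReqHash string
}

// secretDataPath returns the location of the JSON secret store inside the
// configured data directory (*dataDir is a flag defined elsewhere).
func secretDataPath() string {
	return filepath.Join(*dataDir, "secret-data.json")
}

// loadSecretData reads the secret store from disk.
//
// A missing file is not an error: an empty SecretData is returned so a fresh
// deployment can start populating it. Any other read error, or malformed
// JSON, is returned to the caller unchanged.
//
// Because the file holds private keys, tokens and passwords, a warning is
// logged when it is readable by group or others. This is a warning rather
// than a hard failure so existing deployments keep working; tighten to an
// error once all stores have been re-permissioned.
func loadSecretData(config *config.Config) (*SecretData, error) {
	log.Info("Loading secret data")

	sd := &SecretData{
		clusters: make(map[string]*ClusterSecrets),
		config:   config,
	}

	path := secretDataPath()

	// Permission bits are meaningless on Windows, so only check on POSIX.
	if runtime.GOOS != "windows" {
		if fi, statErr := os.Stat(path); statErr == nil && fi.Mode().Perm()&0077 != 0 {
			log.Warningf("%s is readable by group/others (mode %04o); it should be 0600", path, fi.Mode().Perm())
		}
	}

	raw, err := ioutil.ReadFile(path)
	if err != nil {
		if os.IsNotExist(err) {
			// First run: nothing stored yet.
			return sd, nil
		}
		return nil, err
	}

	if err := json.Unmarshal(raw, &sd.clusters); err != nil {
		return nil, err
	}
	return sd, nil
}

// checkCertUsable reports whether a PEM certificate still has enough of its
// validity window left to be handed out. A certificate is considered too old
// once less than one third of its total lifetime remains, so that renewal
// happens well before expiry.
//
// Only the NotBefore/NotAfter window is inspected: this performs no chain,
// key-usage or revocation checks. A certificate whose NotAfter is not after
// its NotBefore has no usable window and is rejected outright.
func checkCertUsable(certPEM []byte) error {
	cert, err := certinfo.ParseCertificatePEM(certPEM)
	if err != nil {
		return err
	}

	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	if lifetime <= 0 {
		return errors.New("invalid validity window")
	}

	// Regenerate once the remaining lifetime drops below a third of the total.
	renewWhenRemaining := lifetime / 3 // TODO allow configuration
	if time.Until(cert.NotAfter) < renewWhenRemaining {
		return errors.New("too old")
	}
	return nil
}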