local-server/cmd/dkl-local-server/secrets.go

package main

import (
	"encoding/json"
	"errors"
	"io/ioutil"
	"os"
	"path/filepath"
	"time"

	"github.com/cloudflare/cfssl/certinfo"
	"github.com/cloudflare/cfssl/config"
	"github.com/cloudflare/cfssl/log"
)

type SecretData struct {
	clusters map[string]*ClusterSecrets
	config   *config.Config
}

type ClusterSecrets struct {
	CAs         map[string]*CA
	Tokens      map[string]string
	Passwords   map[string]string
	SSHKeyPairs map[string][]SSHKeyPair
}

type KeyCert struct {
	Key     []byte
	Cert    []byte
	ReqHash string
}

func secretDataPath() string {
	return filepath.Join(*dataDir, "secret-data.json")
}

func loadSecretData(config *config.Config) (sd *SecretData, err error) {
	log.Info("Loading secret data")

	sd = &SecretData{
		clusters: make(map[string]*ClusterSecrets),
		config:   config,
	}

	ba, err := ioutil.ReadFile(secretDataPath())
	if err != nil {
		if os.IsNotExist(err) {
			err = nil
			return
		}
		return
	}

	if err = json.Unmarshal(ba, &sd.clusters); err != nil {
		return
	}

	return
}

func checkCertUsable(certPEM []byte) error {
	cert, err := certinfo.ParseCertificatePEM(certPEM)
	if err != nil {
		return err
	}

	certDuration := cert.NotAfter.Sub(cert.NotBefore)
	delayBeforeRegen := certDuration / 3 // TODO allow configuration

	if cert.NotAfter.Sub(time.Now()) < delayBeforeRegen {
		return errors.New("too old")
	}

	return nil
}