15 "github.com/mjl-/bstore"
17 "github.com/mjl-/mox/smtp"
20// TLSPublicKey is a public key for use with TLS client authentication based on the
21// public key of the certificate.
22type TLSPublicKey struct {
23 // Raw-url-base64-encoded Subject Public Key Info of certificate.
25 Created time.Time `bstore:"nonzero,default now"`
26 Type string // E.g. "rsa-2048", "ecdsa-p256", "ed25519"
28 // Descriptive name to identify the key, e.g. the device where key is used.
29 Name string `bstore:"nonzero"`
31 // If set, new immediate authenticated TLS connections are not moved to
32 // "authenticated" state. For clients that don't understand it, and will try an
33 // authenticate command anyway.
36 CertDER []byte `bstore:"nonzero"`
37 Account string `bstore:"nonzero"` // Key authenticates this account.
38 LoginAddress string `bstore:"nonzero"` // Must belong to account.
41// ParseTLSPublicKeyCert parses a certificate, preparing a TLSPublicKey for
42// insertion into the database. Caller must set fields that are not in the
43// certificat, such as Account and LoginAddress.
44func ParseTLSPublicKeyCert(certDER []byte) (TLSPublicKey, error) {
45 cert, err := x509.ParseCertificate(certDER)
47 return TLSPublicKey{}, fmt.Errorf("parsing certificate: %v", err)
49 name := cert.Subject.CommonName
50 if name == "" && cert.SerialNumber != nil {
51 name = fmt.Sprintf("serial %x", cert.SerialNumber.Bytes())
54 buf := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
55 fp := base64.RawURLEncoding.EncodeToString(buf[:])
57 switch k := cert.PublicKey.(type) {
61 return TLSPublicKey{}, fmt.Errorf("rsa keys smaller than 2048 bits not accepted")
63 typ = "rsa-" + fmt.Sprintf("%d", bits)
64 case *ecdsa.PublicKey:
65 typ = "ecdsa-" + strings.ReplaceAll(strings.ToLower(k.Params().Name), "-", "")
66 case ed25519.PublicKey:
69 return TLSPublicKey{}, fmt.Errorf("public key type %T not implemented", cert.PublicKey)
72 return TLSPublicKey{Fingerprint: fp, Type: typ, Name: name, CertDER: certDER}, nil
75// TLSPublicKeyList returns tls public keys. If accountOpt is empty, keys for all
76// accounts are returned.
77func TLSPublicKeyList(ctx context.Context, accountOpt string) ([]TLSPublicKey, error) {
78 q := bstore.QueryDB[TLSPublicKey](ctx, AuthDB)
80 q.FilterNonzero(TLSPublicKey{Account: accountOpt})
85// TLSPublicKeyGet retrieves a single tls public key by fingerprint.
86// If absent, bstore.ErrAbsent is returned.
87func TLSPublicKeyGet(ctx context.Context, fingerprint string) (TLSPublicKey, error) {
88 pubKey := TLSPublicKey{Fingerprint: fingerprint}
89 err := AuthDB.Get(ctx, &pubKey)
93// TLSPublicKeyAdd adds a new tls public key.
95// Caller is responsible for checking the account and email address are valid.
96func TLSPublicKeyAdd(ctx context.Context, pubKey *TLSPublicKey) error {
97 if err := checkTLSPublicKeyAddress(pubKey.LoginAddress); err != nil {
100 return AuthDB.Insert(ctx, pubKey)
103// TLSPublicKeyUpdate updates an existing tls public key.
105// Caller is responsible for checking the account and email address are valid.
106func TLSPublicKeyUpdate(ctx context.Context, pubKey *TLSPublicKey) error {
107 if err := checkTLSPublicKeyAddress(pubKey.LoginAddress); err != nil {
110 return AuthDB.Update(ctx, pubKey)
113func checkTLSPublicKeyAddress(addr string) error {
114 a, err := smtp.ParseAddress(addr)
116 return fmt.Errorf("parsing login address %q: %v", addr, err)
118 if a.String() != addr {
119 return fmt.Errorf("login address %q must be specified in canonical form %q", addr, a.String())
124// TLSPublicKeyRemove removes a tls public key.
125func TLSPublicKeyRemove(ctx context.Context, fingerprint string) error {
126 k := TLSPublicKey{Fingerprint: fingerprint}
127 return AuthDB.Delete(ctx, &k)
130// TLSPublicKeyRemoveForAccount removes all tls public keys for an account.
131func TLSPublicKeyRemoveForAccount(ctx context.Context, account string) error {
132 q := bstore.QueryDB[TLSPublicKey](ctx, AuthDB)
133 q.FilterNonzero(TLSPublicKey{Account: account})