Merge pull request #5 from quix-labs/dev

Automatically fetch missing certificates to complete the certificate chain.

Author: alancolant

README.md

@@ -70,6 +70,10 @@ https://your-domain {
         get_certificate pfx {
             path test.pfx
             password password
+            
+            # If set to false, only the certificates from the .pfx file will be sent. 
+            # If set to true (default), all the intermediate certificates will be downloaded, including those up to the root CA.
+            fetch_full_chain true 
         }
         
         # Or shortcut -> get_certificate pfx test.pfx password

certificates.go

@@ -0,0 +1,133 @@
+package CADDY_PFX_CERTIFICATES
+
+import (
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+)
+
+func getCertificateChain(initialCerts []*x509.Certificate) ([]*x509.Certificate, error) {
+	certsState := &certState{}
+	var fullChain []*x509.Certificate
+
+	// Add initial certificates to the state
+	for _, cert := range initialCerts {
+		addOrUpdateState(certsState, cert)
+		fullChain = append(fullChain, cert)
+	}
+
+	// Resolve the full chain, including downloading missing certificates
+	resolvedCerts, err := getUnresolvedCertificates(certsState)
+	if err != nil {
+		return nil, err
+	}
+
+	// Append resolved certificates to the PEM data
+	for _, cert := range resolvedCerts {
+		fullChain = append(fullChain, cert)
+	}
+
+	return fullChain, nil
+}
+
+type CertificateState struct {
+	SubjectKeyId           string
+	AuthorityKeyId         string
+	Resolved               bool
+	IssuingCertificateURLs []string
+}
+
+type certState []CertificateState
+
+func addOrUpdateState(certsState *certState, cert *x509.Certificate) {
+	for i := range *certsState {
+		if (*certsState)[i].SubjectKeyId == string(cert.SubjectKeyId) {
+			return
+		}
+	}
+
+	*certsState = append(*certsState, CertificateState{
+		SubjectKeyId:           string(cert.SubjectKeyId),
+		AuthorityKeyId:         string(cert.AuthorityKeyId),
+		IssuingCertificateURLs: cert.IssuingCertificateURL,
+	})
+
+	var unresolvedCerts []CertificateState
+	for _, state := range *certsState {
+		if state.AuthorityKeyId != string(cert.SubjectKeyId) {
+			unresolvedCerts = append(unresolvedCerts, state)
+		}
+	}
+	*certsState = unresolvedCerts
+}
+
+func getUnresolvedCertificates(certsState *certState) ([]*x509.Certificate, error) {
+	var resolvedCerts []*x509.Certificate
+	if len(*certsState) == 0 {
+		return resolvedCerts, nil
+	}
+
+	state := (*certsState)[0]
+	*certsState = (*certsState)[1:] // Shift
+
+	for _, url := range state.IssuingCertificateURLs {
+		cert, err := fetchCertificateFromURL(url)
+		if err != nil {
+			continue // Skip on error but continue processing
+		}
+		resolvedCerts = append(resolvedCerts, cert)
+		addOrUpdateState(certsState, cert) // Recursively append remaining certificates
+	}
+
+	// Recur for the remaining unresolved certificates
+	moreResolved, err := getUnresolvedCertificates(certsState)
+	if err != nil {
+		return nil, err
+	}
+
+	// Combine resolved certificates
+	resolvedCerts = append(resolvedCerts, moreResolved...)
+	return resolvedCerts, nil
+}
+
+func fetchCertificateFromURL(url string) (cert *x509.Certificate, err error) {
+	resp, err := http.Get(url)
+	if err != nil {
+		return nil, fmt.Errorf("failed to fetch certificate from URL %s: %v", url, err)
+	}
+	defer func() {
+		if closeErr := resp.Body.Close(); closeErr != nil {
+			err = errors.Join(err, closeErr)
+		}
+	}()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("received non-OK HTTP status: %s", resp.Status)
+	}
+
+	certData, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read certificate data: %v", err)
+	}
+
+	// Try to decode in PEM
+	block, _ := pem.Decode(certData)
+	if block != nil && block.Type == "CERTIFICATE" {
+		cert, err := x509.ParseCertificate(block.Bytes)
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse PEM certificate: %v", err)
+		}
+		return cert, nil
+	}
+
+	// Try to decode in DER
+	cert, err = x509.ParseCertificate(certData)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse DER certificate: %v", err)
+	}
+
+	return cert, nil
+}

module.go

@@ -23,10 +23,12 @@ func init() {
 
 // PfxCertGetter allow user to set path to .pfx file to load TLS certificate
 type PfxCertGetter struct {
-	// The path to file with domain-certificate dictionary. Required.
+	// Path to your .pfx file.
 	Path string `json:"path,omitempty"`
-	// The password used to decode pfx file. Required.
+	// Password used to decode pfx file. Required.
 	Password string `json:"password,omitempty"`
+	// FetchFullChain allows Caddy server to automatically download the certificate chain.
+	FetchFullChain *bool `json:"fetch_full_chain,omitempty"`
 
 	CacheCertName string
 
@@ -49,14 +51,23 @@ func (getter *PfxCertGetter) Provision(ctx caddy.Context) error {
 		return fmt.Errorf("path is required")
 	}
 
+	if getter.FetchFullChain == nil {
+		tmp := true
+		getter.FetchFullChain = &tmp
+	}
+
 	// Get the modification time of the file
 	fileInfo, err := os.Stat(getter.Path)
 	if err != nil {
 		return err
 	}
 	modTime := fileInfo.ModTime()
 
-	getter.CacheCertName = getter.Path + "." + modTime.Format(time.RFC3339) + "-chain+pkey.pem"
+	if *getter.FetchFullChain {
+		getter.CacheCertName = getter.Path + "." + modTime.Format(time.RFC3339) + "-fullchain+pkey.pem"
+	} else {
+		getter.CacheCertName = getter.Path + "." + modTime.Format(time.RFC3339) + "-chain+pkey.pem"
+	}
 
 	return nil
 }
@@ -86,23 +97,14 @@ func (getter *PfxCertGetter) GetCertificate(ctx context.Context, hello *tls.Clie
 		}
 
 		switch block.Type {
-		case "CERTIFICATE":
-			cert.Certificate = append(cert.Certificate, block.Bytes)
-
-			// If leaf already defined, skip
-			if cert.Leaf != nil {
-				break
-			}
-
-			// Mark first certificate as leaf
-			if cert.Leaf, err = x509.ParseCertificate(block.Bytes); err != nil {
-				return nil, err
-			}
-
 		case "RSA PRIVATE KEY":
 			if cert.PrivateKey, err = x509.ParsePKCS1PrivateKey(block.Bytes); err != nil {
 				return nil, err
 			}
+			break
+		case "CERTIFICATE":
+			cert.Certificate = append(cert.Certificate, block.Bytes)
+			break
 		}
 
 		pemData = rest
@@ -126,11 +128,35 @@ func (getter *PfxCertGetter) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 					return d.ArgErr()
 				}
 				getter.Path = d.Val()
-			} else if key == "password" {
+				continue
+			}
+			if key == "password" {
 				if !d.NextArg() {
 					return d.ArgErr()
 				}
 				getter.Password = d.Val()
+				continue
+			}
+			if key == "fetch_full_chain" {
+				if !d.NextArg() {
+					return d.ArgErr()
+				}
+
+				if d.Val() == "true" {
+					tmp := true
+					getter.FetchFullChain = &tmp
+				} else if d.Val() == "false" {
+					tmp := false
+					getter.FetchFullChain = &tmp
+				} else {
+					return d.Err(d.Val() + " is not a valid value for fetch_full_chain")
+				}
+
+				// Ensure no more arguments
+				if d.NextArg() {
+					return d.ArgErr()
+				}
+				continue
 			} else {
 				return d.Err(key + " not allowed here")
 			}
@@ -178,8 +204,14 @@ func (getter *PfxCertGetter) GenerateParsedKeys(ctx context.Context) error {
 		Bytes: x509.MarshalPKCS1PrivateKey(privateKey.(*rsa.PrivateKey)),
 	})...)
 
-	// Append leaf + intermediates certificate
-	for _, caCert := range append([]*x509.Certificate{certificate}, caCerts...) {
+	// Combine leaf and intermediates from PFX and fetch the full chain automatically
+	chain, err := getCertificateChain(append([]*x509.Certificate{certificate}, caCerts...))
+	if err != nil {
+		return err
+	}
+
+	// Append all certificates
+	for _, caCert := range chain {
 		pemData = append(pemData, pem.EncodeToMemory(&pem.Block{
 			Type:  "CERTIFICATE",
 			Bytes: caCert.Raw,

scripts/transform_certs.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+IN=./path/to/your.pfx
+PASS=pfx_password
+OUT_PATH=./your_output
+
+mkdir -p $OUT_PATH
+
+function openssl-pass {
+  openssl pkcs12 -in "$IN" -password "pass:$PASS" "$@"
+}
+
+# Extract the RSA Key from the PFX file:
+openssl-pass -nocerts -nodes -out "$OUT_PATH/rsa-key-pfx.pem"
+
+# Extract the Public Certificate from the PFX file:
+openssl-pass -clcerts -nokeys -out "$OUT_PATH/public-cert-pfx.pem"
+
+# Extract the CA Chain from the PFX file:
+openssl-pass -cacerts -nokeys -chain -out "$OUT_PATH/ca-pfx.pem"
+
+# Convert the RSA Key from PFX format to PEM:
+openssl rsa -in $OUT_PATH/rsa-key-pfx.pem -out "$OUT_PATH/rsa-key.pem"
+
+# Convert the x509 Public Certificate and CA Chain from PFX to PEM format:
+openssl x509 -in "$OUT_PATH/public-cert-pfx.pem" -out "$OUT_PATH/cert.pem"
+openssl x509 -in "$OUT_PATH/ca-pfx.pem" -out "$OUT_PATH/ca.pem"
+
+# Combine certs to generate chain
+cat "$OUT_PATH/cert.pem" "$OUT_PATH/ca.pem" > "$OUT_PATH/chain.pem"
+
+# Remove unused/unnecessary files
+rm "$OUT_PATH/ca-pfx.pem" "$OUT_PATH/public-cert-pfx.pem" "$OUT_PATH/rsa-key-pfx.pem"
+
+# Run openssl to verify certificate
+openssl verify -CAfile "$OUT_PATH/chain.pem" "$OUT_PATH/ca.pem"