| 
									
										
										
										
											2016-08-10 20:37:03 -04:00
										 |  |  | 'use strict'; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | // autoSni = { notBefore, notAfter, getCertificates, httpsOptions, _dbg_now }
 | 
					
						
							|  |  |  | module.exports.create = function (autoSni) { | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   var DAY = 24 * 60 * 60 * 1000; | 
					
						
							|  |  |  |   var MIN = 60 * 1000; | 
					
						
							|  |  |  |   if (!autoSni.getCertificatesAsync) { autoSni.getCertificatesAsync = require('bluebird').promisify(autoSni.getCertificates); } | 
					
						
							|  |  |  |   if (!autoSni.notBefore) { throw new Error("must supply options.notBefore (and options.notAfter)"); } | 
					
						
							|  |  |  |   if (!autoSni.notAfter) { autoSni.notAfter = autoSni.notBefore - (3 * DAY); } | 
					
						
							| 
									
										
										
										
											2016-08-11 02:46:53 -04:00
										 |  |  |   if (!autoSni.httpsOptions) { autoSni.httpsOptions = {}; } | 
					
						
							| 
									
										
										
										
											2016-08-10 20:37:03 -04:00
										 |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   //autoSni.renewWithin = autoSni.notBefore;                    // i.e. 15 days
 | 
					
						
							|  |  |  |   autoSni.renewWindow = autoSni.notBefore - autoSni.notAfter;      // i.e. 1 day
 | 
					
						
							|  |  |  |   //autoSni.renewRatio = autoSni.notBefore = autoSni.renewWindow;  // i.e. 1/15 (6.67%)
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   var tls = require('tls'); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   var _autoSni = { | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     // in-process cache
 | 
					
						
							|  |  |  |     _ipc: {} | 
					
						
							|  |  |  |     // just to account for clock skew
 | 
					
						
							|  |  |  |   , _fiveMin: 5 * MIN | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     // cache and format incoming certs
 | 
					
						
							|  |  |  |   , _cacheCerts: function (certs) { | 
					
						
							|  |  |  |       var meta = { | 
					
						
							|  |  |  |         certs: certs | 
					
						
							| 
									
										
										
										
											2016-08-11 02:46:53 -04:00
										 |  |  |       , tlsContext: 'string' === typeof certs.cert && tls.createSecureContext({ | 
					
						
							| 
									
										
										
										
											2016-08-10 20:37:03 -04:00
										 |  |  |           key: certs.privkey | 
					
						
							|  |  |  |         , cert: certs.cert + certs.chain | 
					
						
							|  |  |  |         , rejectUnauthorized: autoSni.httpsOptions.rejectUnauthorized | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |         , requestCert: autoSni.httpsOptions.requestCert  // request peer verification
 | 
					
						
							|  |  |  |         , ca: autoSni.httpsOptions.ca                    // this chain is for incoming peer connctions
 | 
					
						
							|  |  |  |         , crl: autoSni.httpsOptions.crl                  // this crl is for incoming peer connections
 | 
					
						
							|  |  |  |         }) || { '_fake_tls_context_': true } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |       , subject: certs.subject | 
					
						
							|  |  |  |         // stagger renewal time by a little bit of randomness
 | 
					
						
							|  |  |  |       , renewAt: (certs.expiresAt - (autoSni.notBefore - (autoSni.renewWindow * Math.random()))) | 
					
						
							|  |  |  |         // err just barely on the side of safety
 | 
					
						
							|  |  |  |       , expiresNear: certs.expiresAt - autoSni._fiveMin | 
					
						
							|  |  |  |       }; | 
					
						
							|  |  |  |       var link = { subject: certs.subject }; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |       certs.altnames.forEach(function (domain) { | 
					
						
							|  |  |  |         autoSni._ipc[domain] = link; | 
					
						
							|  |  |  |       }); | 
					
						
							|  |  |  |       autoSni._ipc[certs.subject] = meta; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |       return meta; | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     // automate certificate registration on request
 | 
					
						
							|  |  |  |   , sniCallback: function (domain, cb) { | 
					
						
							|  |  |  |       var certMeta = autoSni._ipc[domain]; | 
					
						
							|  |  |  |       var promise; | 
					
						
							|  |  |  |       var now = (autoSni._dbg_now || Date.now()); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |       if (certMeta && certMeta.subject !== domain) { | 
					
						
							| 
									
										
										
										
											2016-08-11 02:46:53 -04:00
										 |  |  |         //log(autoSni.debug, "LINK CERT", domain);
 | 
					
						
							|  |  |  |         certMeta = autoSni._ipc[certMeta.subject]; | 
					
						
							| 
									
										
										
										
											2016-08-10 20:37:03 -04:00
										 |  |  |       } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |       if (!certMeta) { | 
					
						
							| 
									
										
										
										
											2016-08-11 02:46:53 -04:00
										 |  |  |         //log(autoSni.debug, "NO CERT", domain);
 | 
					
						
							| 
									
										
										
										
											2016-08-10 20:37:03 -04:00
										 |  |  |         // we don't have a cert and must get one
 | 
					
						
							|  |  |  |         promise = autoSni.getCertificatesAsync(domain, null); | 
					
						
							|  |  |  |       } | 
					
						
							|  |  |  |       else if (now >= certMeta.expiresNear) { | 
					
						
							| 
									
										
										
										
											2016-08-11 02:46:53 -04:00
										 |  |  |         //log(autoSni.debug, "EXPIRED CERT");
 | 
					
						
							| 
									
										
										
										
											2016-08-10 20:37:03 -04:00
										 |  |  |         // we have a cert, but it's no good for the average user
 | 
					
						
							|  |  |  |         promise = autoSni.getCertificatesAsync(domain, certMeta.certs); | 
					
						
							|  |  |  |       } else { | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |         // it's time to renew the cert
 | 
					
						
							|  |  |  |         if (now >= certMeta.renewAt) { | 
					
						
							| 
									
										
										
										
											2016-08-11 02:46:53 -04:00
										 |  |  |           //log(autoSni.debug, "RENEWABLE CERT");
 | 
					
						
							| 
									
										
										
										
											2016-08-10 20:37:03 -04:00
										 |  |  |           // give the cert some time (2-5 min) to be validated and replaced before trying again
 | 
					
						
							|  |  |  |           certMeta.renewAt = (autoSni._dbg_now || Date.now()) + (2 * MIN) + (3 * MIN * Math.random()); | 
					
						
							|  |  |  |           // let the update happen in the background
 | 
					
						
							|  |  |  |           autoSni.getCertificatesAsync(domain, certMeta.certs).then(autoSni._cacheCerts); | 
					
						
							|  |  |  |         } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |         // return the valid cert right away
 | 
					
						
							|  |  |  |         cb(null, certMeta.tlsContext); | 
					
						
							|  |  |  |         return; | 
					
						
							|  |  |  |       } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |       // promise the non-existent or expired cert
 | 
					
						
							|  |  |  |       promise.then(autoSni._cacheCerts).then(function (certMeta) { | 
					
						
							|  |  |  |         cb(null, certMeta.tlsContext); | 
					
						
							| 
									
										
										
										
											2016-08-11 02:46:53 -04:00
										 |  |  |       }, function (err) { | 
					
						
							|  |  |  |         console.error('ERROR in le-sni-auto:'); | 
					
						
							|  |  |  |         console.error(err.stack || err); | 
					
						
							|  |  |  |         cb(err); | 
					
						
							|  |  |  |       }); | 
					
						
							| 
									
										
										
										
											2016-08-10 20:37:03 -04:00
										 |  |  |     } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   }; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   Object.keys(_autoSni).forEach(function (key) { | 
					
						
							|  |  |  |     autoSni[key] = _autoSni[key]; | 
					
						
							|  |  |  |   }); | 
					
						
							|  |  |  |   _autoSni = null; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   return autoSni; | 
					
						
							|  |  |  | }; |