Rename check_cert

cert_checker.go

@@ -0,0 +1,147 @@
+package xmpp
+
+import (
+	"crypto/tls"
+	"encoding/xml"
+	"errors"
+	"fmt"
+	"net"
+	"strings"
+	"time"
+
+	"gosrc.io/xmpp/stanza"
+)
+
+// TODO: Should I move this as an extension of the client?
+//    I should probably make the code more modular, but keep concern separated to keep it simple.
+type ServerCheck struct {
+	address string
+	domain  string
+}
+
+func NewChecker(address, domain string) (*ServerCheck, error) {
+	client := ServerCheck{}
+
+	var err error
+	var host string
+	if client.address, host, err = extractParams(address); err != nil {
+		return &client, err
+	}
+
+	if domain != "" {
+		client.domain = domain
+	} else {
+		client.domain = host
+	}
+
+	return &client, nil
+}
+
+// Check triggers actual TCP connection, based on previously defined parameters.
+func (c *ServerCheck) Check() error {
+	var tcpconn net.Conn
+	var err error
+
+	timeout := 15 * time.Second
+	tcpconn, err = net.DialTimeout("tcp", c.address, timeout)
+	if err != nil {
+		return err
+	}
+
+	decoder := xml.NewDecoder(tcpconn)
+
+	// Send stream open tag
+	if _, err = fmt.Fprintf(tcpconn, xmppStreamOpen, c.domain, stanza.NSClient, stanza.NSStream); err != nil {
+		return err
+	}
+
+	// Set xml decoder and extract streamID from reply (not used for now)
+	_, err = stanza.InitStream(decoder)
+	if err != nil {
+		return err
+	}
+
+	// extract stream features
+	var f stanza.StreamFeatures
+	packet, err := stanza.NextPacket(decoder)
+	if err != nil {
+		err = fmt.Errorf("stream open decode features: %s", err)
+		return err
+	}
+
+	switch p := packet.(type) {
+	case stanza.StreamFeatures:
+		f = p
+	case stanza.StreamError:
+		return errors.New("open stream error: " + p.Error.Local)
+	default:
+		return errors.New("expected packet received while expecting features, got " + p.Name())
+	}
+
+	if _, ok := f.DoesStartTLS(); ok {
+		fmt.Fprintf(tcpconn, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>")
+
+		var k stanza.TLSProceed
+		if err = decoder.DecodeElement(&k, nil); err != nil {
+			return fmt.Errorf("expecting starttls proceed: %s", err)
+		}
+
+		stanza.DefaultTlsConfig.ServerName = c.domain
+		tlsConn := tls.Client(tcpconn, &stanza.DefaultTlsConfig)
+		// We convert existing connection to TLS
+		if err = tlsConn.Handshake(); err != nil {
+			return err
+		}
+
+		// We check that cert matches hostname
+		if err = tlsConn.VerifyHostname(c.domain); err != nil {
+			return err
+		}
+
+		if err = checkExpiration(tlsConn); err != nil {
+			return err
+		}
+		return nil
+	}
+	return errors.New("TLS not supported on server")
+}
+
+// Check expiration date for the whole certificate chain and returns an error
+// if the expiration date is in less than 48 hours.
+func checkExpiration(tlsConn *tls.Conn) error {
+	checkedCerts := make(map[string]struct{})
+	for _, chain := range tlsConn.ConnectionState().VerifiedChains {
+		for _, cert := range chain {
+			if _, checked := checkedCerts[string(cert.Signature)]; checked {
+				continue
+			}
+			checkedCerts[string(cert.Signature)] = struct{}{}
+
+			// Check the expiration.
+			timeNow := time.Now()
+			expiresInHours := int64(cert.NotAfter.Sub(timeNow).Hours())
+			// fmt.Printf("Cert '%s' expires in %d days\n", cert.Subject.CommonName, expiresInHours/24)
+			if expiresInHours <= 48 {
+				return fmt.Errorf("certificate '%s' will expire on %s", cert.Subject.CommonName, cert.NotAfter)
+			}
+		}
+	}
+	return nil
+}
+
+func extractParams(addr string) (string, string, error) {
+	var err error
+	hostport := strings.Split(addr, ":")
+	if len(hostport) > 2 {
+		err = errors.New("too many colons in xmpp server address")
+		return addr, hostport[0], err
+	}
+
+	// Address is composed of two parts, we are good
+	if len(hostport) == 2 && hostport[1] != "" {
+		return addr, hostport[0], err
+	}
+
+	// Port was not passed, we append XMPP default port:
+	return strings.Join([]string{hostport[0], "5222"}, ":"), hostport[0], err
+}