Files
wehub-resource-sync 1b8708893a
Security Scan / tests (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:12:26 +08:00

178 lines
4.9 KiB
Go

// Package mitm implements a TLS man-in-the-middle proxy that
// applies per-request PII redaction to allowlisted LLM API hosts
// while tunnelling everything else byte-for-byte.
package mitm
import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"fmt"
"math/big"
"os"
"path/filepath"
"sync"
"time"
)
type CA struct {
cert *x509.Certificate
key *ecdsa.PrivateKey
publicPEM []byte
mu sync.Mutex
leaves map[string]*leafEntry
}
// LoadOrCreateCA loads the CA from dir if both files exist, or
// generates a new ECDSA-P256 CA and persists it. The key file is
// mode 0600.
func LoadOrCreateCA(dir string) (*CA, error) {
if err := os.MkdirAll(dir, 0o700); err != nil {
return nil, fmt.Errorf("mitm: create ca dir %q: %w", dir, err)
}
certPath := filepath.Join(dir, "ca.crt")
keyPath := filepath.Join(dir, "ca.key")
certPEM, err1 := os.ReadFile(certPath)
keyPEM, err2 := os.ReadFile(keyPath)
if err1 == nil && err2 == nil {
ca, err := parseCA(certPEM, keyPEM)
if err == nil {
return ca, nil
}
// Fall through and regenerate. We don't auto-delete the
// existing files — the operator might have hand-edited
// them. Surface the parse error instead.
return nil, fmt.Errorf("mitm: parse existing CA at %s: %w (delete to regenerate)", dir, err)
}
ca, certPEMOut, keyPEMOut, err := generateCA()
if err != nil {
return nil, err
}
if err := os.WriteFile(certPath, certPEMOut, 0o644); err != nil {
return nil, fmt.Errorf("mitm: write ca cert %q: %w", certPath, err)
}
if err := os.WriteFile(keyPath, keyPEMOut, 0o600); err != nil {
return nil, fmt.Errorf("mitm: write ca key %q: %w", keyPath, err)
}
return ca, nil
}
func generateCA() (*CA, []byte, []byte, error) {
key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
return nil, nil, nil, fmt.Errorf("mitm: generate ca key: %w", err)
}
serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
if err != nil {
return nil, nil, nil, fmt.Errorf("mitm: serial: %w", err)
}
now := time.Now().UTC()
tmpl := &x509.Certificate{
SerialNumber: serial,
Subject: pkix.Name{
CommonName: "LocalAI MITM Proxy CA",
Organization: []string{"LocalAI"},
},
NotBefore: now.Add(-1 * time.Hour),
NotAfter: now.Add(10 * 365 * 24 * time.Hour),
KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature,
BasicConstraintsValid: true,
IsCA: true,
MaxPathLenZero: true,
}
der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
if err != nil {
return nil, nil, nil, fmt.Errorf("mitm: create ca cert: %w", err)
}
cert, err := x509.ParseCertificate(der)
if err != nil {
return nil, nil, nil, fmt.Errorf("mitm: re-parse ca cert: %w", err)
}
certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
keyDER, err := x509.MarshalECPrivateKey(key)
if err != nil {
return nil, nil, nil, fmt.Errorf("mitm: marshal ca key: %w", err)
}
keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
return &CA{
cert: cert,
key: key,
publicPEM: certPEM,
leaves: make(map[string]*leafEntry),
}, certPEM, keyPEM, nil
}
// NewInMemoryCA mints an ephemeral CA for tests.
func NewInMemoryCA() (*CA, error) {
ca, _, _, err := generateCA()
return ca, err
}
func parseCA(certPEM, keyPEM []byte) (*CA, error) {
certBlock, _ := pem.Decode(certPEM)
if certBlock == nil || certBlock.Type != "CERTIFICATE" {
return nil, fmt.Errorf("mitm: ca cert PEM block missing or wrong type")
}
cert, err := x509.ParseCertificate(certBlock.Bytes)
if err != nil {
return nil, fmt.Errorf("mitm: parse ca cert: %w", err)
}
if !cert.IsCA {
return nil, fmt.Errorf("mitm: stored cert at is not a CA")
}
keyBlock, _ := pem.Decode(keyPEM)
if keyBlock == nil {
return nil, fmt.Errorf("mitm: ca key PEM block missing")
}
var key *ecdsa.PrivateKey
switch keyBlock.Type {
case "EC PRIVATE KEY":
k, err := x509.ParseECPrivateKey(keyBlock.Bytes)
if err != nil {
return nil, fmt.Errorf("mitm: parse ec ca key: %w", err)
}
key = k
case "PRIVATE KEY":
k, err := x509.ParsePKCS8PrivateKey(keyBlock.Bytes)
if err != nil {
return nil, fmt.Errorf("mitm: parse pkcs8 ca key: %w", err)
}
ecKey, ok := k.(*ecdsa.PrivateKey)
if !ok {
return nil, fmt.Errorf("mitm: pkcs8 key is not ECDSA")
}
key = ecKey
default:
return nil, fmt.Errorf("mitm: unsupported ca key PEM type %q", keyBlock.Type)
}
return &CA{
cert: cert,
key: key,
publicPEM: certPEM,
leaves: make(map[string]*leafEntry),
}, nil
}
// PublicCertPEM returns a copy of the PEM-encoded CA certificate.
func (c *CA) PublicCertPEM() []byte {
out := make([]byte, len(c.publicPEM))
copy(out, c.publicPEM)
return out
}
func (c *CA) Cert() *x509.Certificate { return c.cert }