plane-watch · mikenye · May 10, 2024 · May 10, 2024 · May 10, 2024 · May 10, 2024
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -16,6 +16,10 @@ jobs:
  run: |
  cd pw-feeder
  go mod tidy
+ - name: "go generate"
+ run: |
+ cd pw-feeder
+ go generate ./...
  - name: "go test"
  run: |
  cd pw-feeder
@@ -40,6 +44,10 @@ jobs:
  run: |
  cd pw-feeder
  go mod tidy
+ - name: "go generate"
+ run: |
+ cd pw-feeder
+ go generate ./...
  - name: "go build"
  run: |
  cd pw-feeder

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -39,6 +39,10 @@ jobs:
  run: |
  cd pw-feeder
  go mod tidy
+ - name: "go generate"
+ run: |
+ cd pw-feeder
+ go generate ./...
  - name: "go test"
  run: |
  cd pw-feeder

diff --git a/.gitignore b/.gitignore
@@ -1 +1,2 @@
 pw-feeder/pw-feeder
+pw-feeder/lib/stunnel/*.pem
diff --git a/README.md b/README.md
@@ -25,5 +25,6 @@ Tunnels BEAST and MLAT data from your client to plane.watch over a TLS tunnel.
 * Clone the repo
 * Change into the `pw-feeder` directory
 * Run `go mod tidy` to download required modules
+* Run `go generate ./...` to download required CA certs
 * Test: `go test ./...`
 * Build & Install: `go build -o /usr/local/bin/pw-feeder ./cmd/pw-feeder`
diff --git a/pw-feeder/cmd/pw-feeder/main.go b/pw-feeder/cmd/pw-feeder/main.go
@@ -23,8 +23,9 @@ import (
 var (
  app = &cli.App{
  Name: "pw-feeder",
+ Usage: "feed ADS-B data to plane.watch",
  Description: `Plane Watch Feeder Client`,
- Version: "0.0.2",
+ Version: "0.0.3",
  Flags: []cli.Flag{
  &cli.StringFlag{
  Name: "apikey",

diff --git a/pw-feeder/lib/stunnel/cacerts.go b/pw-feeder/lib/stunnel/cacerts.go
@@ -0,0 +1,27 @@
+package stunnel
+
+import (
+ "embed"
+)
+
+// Let's Encrypt CAs
+
+//go:generate curl --progress-bar -w %{filename_effective}\n -O https://letsencrypt.org/certs/isrgrootx1.pem
+//go:generate curl --progress-bar -w %{filename_effective}\n -O https://letsencrypt.org/certs/isrg-root-x2.pem
+//go:generate curl --progress-bar -w %{filename_effective}\n -O https://letsencrypt.org/certs/2024/e5.pem
+//go:generate curl --progress-bar -w %{filename_effective}\n -O https://letsencrypt.org/certs/2024/e6.pem
+//go:generate curl --progress-bar -w %{filename_effective}\n -O https://letsencrypt.org/certs/2024/e7.pem
+//go:generate curl --progress-bar -w %{filename_effective}\n -O https://letsencrypt.org/certs/2024/e8.pem
+//go:generate curl --progress-bar -w %{filename_effective}\n -O https://letsencrypt.org/certs/2024/e9.pem
+//go:generate curl --progress-bar -w %{filename_effective}\n -O https://letsencrypt.org/certs/2024/r10.pem
+//go:generate curl --progress-bar -w %{filename_effective}\n -O https://letsencrypt.org/certs/2024/r11.pem
+//go:generate curl --progress-bar -w %{filename_effective}\n -O https://letsencrypt.org/certs/2024/r12.pem
+//go:generate curl --progress-bar -w %{filename_effective}\n -O https://letsencrypt.org/certs/2024/r13.pem
+//go:generate curl --progress-bar -w %{filename_effective}\n -O https://letsencrypt.org/certs/2024/r14.pem
+//go:generate curl --progress-bar -w %{filename_effective}\n -O https://letsencrypt.org/certs/lets-encrypt-e1.pem
+//go:generate curl --progress-bar -w %{filename_effective}\n -O https://letsencrypt.org/certs/lets-encrypt-e2.pem
+//go:generate curl --progress-bar -w %{filename_effective}\n -O https://letsencrypt.org/certs/lets-encrypt-r3.pem
+//go:generate curl --progress-bar -w %{filename_effective}\n -O https://letsencrypt.org/certs/lets-encrypt-r4.pem
+
+//go:embed *.pem
+var caCertPEMs embed.FS
diff --git a/pw-feeder/lib/stunnel/stunnel.go b/pw-feeder/lib/stunnel/stunnel.go
@@ -3,13 +3,63 @@ package stunnel
 import (
  "crypto/tls"
  "crypto/x509"
+ "encoding/pem"
  "net"
  "strings"
  "time"
 
  "github.com/rs/zerolog/log"
 )
 
+func addEmbeddedCertsToCertPool(scp *x509.CertPool) error {
+ // load embedded Let's Encrypt CAs
+ // get list of files in caCertPEMs embed.FS
+ pemFiles, err := caCertPEMs.ReadDir(".")
+ if err != nil {
+ return err
+ }
+
+ // for each file...
+ for _, pemFile := range pemFiles {
+
+ func() {
+
+ log := log.With().Str("cafile", pemFile.Name()).Logger()
+
+ // open file
+ f, err := caCertPEMs.Open(pemFile.Name())
+ if err != nil {
+ log.Err(err).Msg("could not open embedded CA cert")
+ }
+ defer f.Close()
+
+ // get file stat (for size)
+ s, err := f.Stat()
+ if err != nil {
+ log.Err(err).Msg("could not stat embedded CA cert")
+ }
+
+ // read bytes from file
+ b := make([]byte, s.Size())
+ n, err := f.Read(b)
+ if err != nil {
+ log.Err(err).Msg("could not read embedded CA cert")
+ }
+
+ // parse cert
+ p, _ := pem.Decode(b[:n])
+ c, err := x509.ParseCertificate(p.Bytes)
+ if err != nil {
+ log.Err(err).Msg("could not parse embedded CA cert")
+ }
+
+ // add cert to system cert pool
+ scp.AddCert(c)
+ }()
+ }
+ return nil
+}
+
 func StunnelConnect(name, addr, sni string) (c *tls.Conn, err error) {
 
  log := log.With().Str("name", name).Str("addr", addr).Logger()
@@ -40,12 +90,16 @@ func StunnelConnect(name, addr, sni string) (c *tls.Conn, err error) {
  return err
  }
 
- // load root CAs
+ // load system cert pool CAs
  scp, err := x509.SystemCertPool()
  if err != nil {
  log.Err(err).Caller().Msg("could not use system cert pool")
  return err
  }
+ err = addEmbeddedCertsToCertPool(scp)
+ if err != nil {
+ return err
+ }
 
  // TODO: fix this
  // verify server cert
@@ -55,7 +109,6 @@ func StunnelConnect(name, addr, sni string) (c *tls.Conn, err error) {
  vo.DNSName = remoteHost
  _, err = cert.Verify(vo)
  if err != nil {
- log.Err(err).Caller().Msg("could not verify server cert")
  return err
  }
  }
@@ -66,7 +119,11 @@ func StunnelConnect(name, addr, sni string) (c *tls.Conn, err error) {
  // load root CAs
  scp, err := x509.SystemCertPool()
  if err != nil {
- log.Err(err).Caller().Msg("could not use system cert pool")
+ // log.Err(err).Caller().Msg("could not use system cert pool")
+ return c, err
+ }
+ err = addEmbeddedCertsToCertPool(scp)
+ if err != nil {
  return c, err
  }
 
@@ -85,18 +142,18 @@ func StunnelConnect(name, addr, sni string) (c *tls.Conn, err error) {
  // dial remote
  c, err = tls.DialWithDialer(&d, "tcp", addr, &tlsConfig)
  if err != nil {
- log.Err(err).Caller().Msg("could not connect")
+ // log.Err(err).Caller().Msg("could not connect")
  return c, err
  }
 
  // perform handshake
  err = c.Handshake()
  if err != nil {
- log.Err(err).Caller().Msg("handshake error")
+ // log.Err(err).Caller().Msg("handshake error")
  return c, err
  }
 
- log.Debug().Msg("endpoint connected")
+ // log.Debug().Msg("endpoint connected")
  return c, err
 
 }
diff --git a/pw-feeder/lib/stunnel/stunnel_test.go b/pw-feeder/lib/stunnel/stunnel_test.go
@@ -33,6 +33,45 @@ func init() {
  log.Logger = log.Output(zerolog.ConsoleWriter{Out: os.Stderr, TimeFormat: time.UnixDate})
 }
 
+func TestCACerts(t *testing.T) {
+
+ // get list of files in caCertPEMs embed.FS
+ pemFiles, err := caCertPEMs.ReadDir(".")
+ require.NoError(t, err)
+
+ // for each file...
+ for _, pemFile := range pemFiles {
+ t.Run(pemFile.Name(), func(t *testing.T) {
+
+ // open file
+ f, err := caCertPEMs.Open(pemFile.Name())
+ require.NoError(t, err)
+ defer f.Close()
+
+ // get file stat (for size)
+ s, err := f.Stat()
+ require.NoError(t, err)
+
+ // read bytes from file
+ b := make([]byte, s.Size())
+ n, err := f.Read(b)
+ require.NoError(t, err)
+
+ // parse cert
+ p, _ := pem.Decode(b[:n])
+ c, err := x509.ParseCertificate(p.Bytes)
+ require.NoError(t, err)
+
+ // check validity
+ assert.True(t, c.NotBefore.Before(time.Now()), "Certificate not yet valid")
+ assert.False(t, c.NotAfter.Before(time.Now()), "Certificate expired")
+
+ // check if certs are due to expire within 90 days
+ assert.True(t, c.NotAfter.After(time.Now().Add(time.Hour*24*90)), "Certificate expires within 90 days")
+ })
+ }
+}
+
 func GenerateSelfSignedTLSCertAndKey(keyFile, certFile *os.File) error {
  // Thanks to: https://go.dev/src/crypto/tls/generate_cert.go