multi domain cert/key support

amppkg.example.toml

@@ -90,6 +90,12 @@ ForwardedRequestHeaders = []
     # certificate must cover this domain.
     Domain = "amppackageexample.com"
 
+    # The CertFile used, defaulting to the top level defined CertFile if not provided.
+    # CertFile = "./pems/amppackageexample.com/cert.pem"
+
+    # The KeyFile used, defaulting to the top level defined KeyFile if not provided.
+    # KeyFile = "./pems/amppackageexample.com/privkey.pem"
+
     # A full-match regexp on the path (not including the ?query). Defaults to
     # ".*".
     #

cmd/amppkg/main.go

@@ -18,6 +18,8 @@
 package main
 
 import (
+  "crypto"
+  "crypto/x509"
 	"flag"
 	"fmt"
 	"io/ioutil"
@@ -73,42 +75,37 @@ func main() {
 		die(errors.Wrapf(err, "parsing config at %s", *flagConfig))
 	}
 
-	// TODO(twifkak): Document what cert/key storage formats this accepts.
-	certPem, err := ioutil.ReadFile(config.CertFile)
-	if err != nil {
-		die(errors.Wrapf(err, "reading %s", config.CertFile))
-	}
-	keyPem, err := ioutil.ReadFile(config.KeyFile)
-	if err != nil {
-		die(errors.Wrapf(err, "reading %s", config.KeyFile))
-	}
-
-	certs, err := signedexchange.ParseCertificates(certPem)
-	if err != nil {
-		die(errors.Wrapf(err, "parsing %s", config.CertFile))
-	}
-	if certs == nil || len(certs) == 0 {
-		die(fmt.Sprintf("no cert found in %s", config.CertFile))
-	}
-	if err := util.CanSignHttpExchanges(certs[0], time.Now()); err != nil {
-		if *flagDevelopment || *flagInvalidCert {
-			log.Println("WARNING:", err)
-		} else {
-			die(err)
-		}
-	}
-
-	key, err := util.ParsePrivateKey(keyPem)
-	if err != nil {
-		die(errors.Wrapf(err, "parsing %s", config.KeyFile))
-	}
-
-	for _, urlSet := range config.URLSet {
-		domain := urlSet.Sign.Domain
-		if err := util.CertificateMatches(certs[0], key, domain); err != nil {
-			die(errors.Wrapf(err, "checking %s", config.CertFile))
-		}
-	}
+  // TODO(twifkak): Document what cert/key storage formats this accepts.
+  certPem := readFile(config.CertFile)
+  keyPem := readFile(config.KeyFile)
+  certs := parseCertificates(certPem, config.CertFile)
+  canSignHttpExchanges(certs[0], time.Now())
+  key := parsePrivateKey(keyPem, config.KeyFile)
+
+  for _, urlSet := range config.URLSet {
+    domain := urlSet.Sign.Domain
+    // Check for Sign level CertFile and/or KeyFile, otherwise use the one
+    // defined at the top level.
+    signCert := urlSet.Sign.CertFile
+    if signCert != "" {
+      fmt.Println("Using Cert: ", signCert, "for domain: ", domain)
+      certPem = readFile(signCert)
+      certs = parseCertificates(certPem, signCert)
+      canSignHttpExchanges(certs[0], time.Now())
+    } else {
+      fmt.Println("Using Cert: ", config.CertFile, "for domain: ", domain)
+    }
+    if urlSet.Sign.KeyFile != "" {
+      fmt.Println("Using key: ", urlSet.Sign.KeyFile, "for domain: ", domain)
+      keyPem = readFile(urlSet.Sign.KeyFile)
+      key = parsePrivateKey(keyPem, urlSet.Sign.KeyFile)
+    } else {
+      fmt.Println("Using Key: ", config.KeyFile, "for domain: ", domain)
+    }
+    if err := util.CertificateMatches(certs[0], key, domain); err != nil {
+      die(errors.Wrapf(err, "checking %s", config.CertFile))
+    }
+  }
 
 	validityMap, err := validitymap.New()
 	if err != nil {
@@ -180,3 +177,40 @@ func main() {
 		log.Fatal(server.ListenAndServe())
 	}
 }
+
+func canSignHttpExchanges(cert *x509.Certificate, now time.Time) {
+  if err := util.CanSignHttpExchanges(cert, time.Now()); err != nil {
+		if *flagDevelopment || *flagInvalidCert {
+			log.Println("WARNING:", err)
+		} else {
+			die(err)
+		}
+	}
+}
+
+func readFile(fileName string) []byte {
+  file, err := ioutil.ReadFile(fileName)
+  if err != nil {
+    die(errors.Wrapf(err, "reading %s", fileName))
+  }
+  return file
+}
+
+func parseCertificates(certPem []byte, certFileName string) []*x509.Certificate {
+  certs, err := signedexchange.ParseCertificates(certPem)
+  if err != nil {
+    die(errors.Wrapf(err, "parsing %s", certFileName))
+  }
+  if certs == nil || len(certs) == 0 {
+    die(fmt.Sprintf("no cert found in %s", certFileName))
+  }
+  return certs
+}
+
+func parsePrivateKey(keyPem []byte, keyFileName string) crypto.PrivateKey {
+  key, err := util.ParsePrivateKey(keyPem)
+  if err != nil {
+    die(errors.Wrapf(err, "parsing %s", keyFileName))
+  }
+  return key
+}