From 010e8c0e5880a22632156d47eb76c101c7c27dfa Mon Sep 17 00:00:00 2001
From: Adam Cooke
Date: Fri, 5 May 2017 09:57:39 +0100
Subject: [PATCH] add a default certificate for the fast server

---
 .gitignore                        |  2 ++
 config/postal.defaults.yml        |  2 ++
 lib/postal/config.rb              | 33 +++++++++++++++++++++++++++----
 lib/postal/fast_server/client.rb  |  6 +++---
 script/generate_initial_config.rb | 19 ++++++++++++++++++
 5 files changed, 55 insertions(+), 7 deletions(-)

diff --git a/.gitignore b/.gitignore
index c80c54e..9ddce22 100644
--- a/.gitignore
+++ b/.gitignore
@@ -21,6 +21,8 @@ config/smtp.cert config/smtp.key config/lets_encrypt.pem config/signing.key +config/fast_server.cert +config/fast_server.key public/assets vendor/bundle
diff --git a/config/postal.defaults.yml b/config/postal.defaults.yml
index 939269d..a0bd18a 100644
--- a/config/postal.defaults.yml
+++ b/config/postal.defaults.yml
@@ -25,6 +25,8 @@ fast_server:
   port: 5010
   ssl_port: 5011
   proxy_protocol: false
+  default_private_key_path: # Defaults to config/fast_server.key
+  default_tls_certificate_path: # Defaults to config/fast_server.cert
 
 main_db:
   host: 127.0.0.1
diff --git a/lib/postal/config.rb b/lib/postal/config.rb
index 06d0066..d18a359 100644
--- a/lib/postal/config.rb
+++ b/lib/postal/config.rb
@@ -103,14 +103,14 @@ module Postal
     config.smtp&.from_address || "postal@example.com"
   end
 
-  def self.smtp_private_key
-    @smtp_private_key ||= OpenSSL::PKey::RSA.new(File.read(smtp_private_key_path))
-  end
-
   def self.smtp_private_key_path
     config.smtp_server.tls_private_key_path || config_root.join('smtp.key')
   end
 
+  def self.smtp_private_key
+    @smtp_private_key ||= OpenSSL::PKey::RSA.new(File.read(smtp_private_key_path))
+  end
+
   def self.smtp_certificate_path
     config.smtp_server.tls_certificate_path || config_root.join('smtp.cert')
   end
@@ -128,6 +128,31 @@ module Postal
     end
   end
 
+  def self.fast_server_default_private_key_path
+    config.fast_server.default_private_key_path || config_root.join('fast_server.key')
+  end
+
+  def self.fast_server_default_private_key
+    @fast_server_default_private_key ||= OpenSSL::PKey::RSA.new(File.read(fast_server_default_private_key_path))
+  end
+
+  def self.fast_server_default_certificate_path
+    config.fast_server.default_tls_certificate_path || config_root.join('fast_server.cert')
+  end
+
+  def self.fast_server_default_certificate_data
+    @fast_server_default_certificate_data ||= File.read(fast_server_default_certificate_path)
+  end
+
+  def self.fast_server_default_certificates
+    @fast_server_default_certificates ||= begin
+      certs = self.fast_server_default_certificate_data.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
+      certs.map do |c|
+        OpenSSL::X509::Certificate.new(c)
+      end.freeze
+    end
+  end
+
   def self.lets_encrypt_private_key_path
     @lets_encrypt_private_key_path ||= Postal.config_root.join('lets_encrypt.pem')
   end
diff --git a/lib/postal/fast_server/client.rb b/lib/postal/fast_server/client.rb
index e146346..270c594 100644
--- a/lib/postal/fast_server/client.rb
+++ b/lib/postal/fast_server/client.rb
@@ -140,9 +140,9 @@ module Postal
         end
 
         if ssl_context.cert.nil?
-          ssl_context.cert = Postal.smtp_certificates[0]
-          ssl_context.extra_chain_cert = Postal.smtp_certificates[1..-1]
-          ssl_context.key = Postal.smtp_private_key
+          ssl_context.cert = Postal.fast_server_default_certificates[0]
+          ssl_context.extra_chain_cert = Postal.fast_server_default_certificates[1..-1]
+          ssl_context.key = Postal.fast_server_default_private_key
         end
 
         ssl_context.ssl_version = "SSLv23"
diff --git a/script/generate_initial_config.rb b/script/generate_initial_config.rb
index 56d5154..f255116 100755
--- a/script/generate_initial_config.rb
+++ b/script/generate_initial_config.rb
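Review bot: `fast_server_default_certificates` returns an empty frozen array when the file at `fast_server_default_certificate_path` contains no PEM certificate block, so the fallback in lib/postal/fast_server/client.rb (the other hunk in this commit) assigns `ssl_context.cert = nil` and `extra_chain_cert = nil`, and the misconfiguration only surfaces later as a failed TLS handshake with no mention of the file. Failing at load time with the path is clearer: after the `scan`, add `raise ArgumentError, "no PEM certificates found in #{fast_server_default_certificate_path}" if certs.empty?`. Since the key and the chain are loaded independently, it may also be worth checking `certs.first.check_private_key(fast_server_default_private_key)` in the same block so a key/certificate mismatch is reported at startup rather than per connection. Minor style: the explicit `self.` in `self.fast_server_default_certificate_data` is unnecessary inside a class method and none of the sibling accessors use it.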
@@ -26,3 +26,22 @@ unless File.exists?(Postal.signing_key_path)
   File.open(Postal.signing_key_path, 'w') { |f| f.write(key) }
   puts "Created new signing key for DKIM & HTTP requests"
 end
+
+unless File.exists?(Postal.fast_server_default_private_key_path)
+  key = OpenSSL::PKey::RSA.new(2048).to_s
+  File.open(Postal.fast_server_default_private_key_path, 'w') { |f| f.write(key) }
+  puts "Created new private key for default fast server TLS connections"
+end
+
+unless File.exist?(Postal.fast_server_default_certificate_path)
+  cert = OpenSSL::X509::Certificate.new
+  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/C=GB/O=Default/OU=Default/CN=default")
+  cert.not_before = Time.now
+  cert.not_after = Time.now + (365 * 24 * 60 * 60) * 10
+  cert.public_key = Postal.fast_server_default_private_key.public_key
+  cert.serial = 0x0
+  cert.version = 2
+  cert.sign Postal.fast_server_default_private_key, OpenSSL::Digest::SHA256.new
+  File.open(Postal.fast_server_default_certificate_path, 'w') { |f| f.write(cert.to_pem) }
+  puts "Created new self signed certificate for default fast server TLS connections"
+end
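Review bot: The new TLS private key is written with `File.open(path, 'w')`, which creates the file with the process umask (typically mode 0644), so `config/fast_server.key` ends up readable by every local account; pass an explicit mode instead, `File.open(Postal.fast_server_default_private_key_path, 'w', 0600) { |f| f.write(key) }`. The signing-key write in the context lines above has the same pattern but is outside this change. The key block uses the deprecated alias `File.exists?` while the certificate block below it uses `File.exist?`; use `File.exist?` in both. The generated certificate sets `serial = 0x0` and adds no X.509v3 extensions, which OpenSSL accepts for a self-signed default, but a positive serial (RFC 5280 requires one) and at least `basicConstraints` and `subjectKeyIdentifier` would avoid complaints from stricter validators.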