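// initializeServer bootstraps a keyserver that has no certificate yet.
//
// It generates an ECDSA P-384 key and a CSR for the hostnames typed on stdin,
// writes the key to keyFile, starts the server in its activation state using
// the bootstrap initCertFile/initKeyFile pair, has the init API sign the CSR,
// stores the issued certificate in certFile and finally swaps that certificate
// into the running server's TLS config before returning the server.
//
// Every failure is fatal: the process cannot serve without a key and
// certificate, so errors are logged and the process exits.
func initializeServer() *server.Server {
	hostnames := promptHostnames()

	// The CSR bytes are named csrPEM so the local does not shadow the csr
	// package that is used on the same line.
	csrPEM, key, err := csr.ParseRequest(&csr.CertificateRequest{
		CN:    "Keyless Server Authentication Certificate",
		Hosts: hostnames,
		KeyRequest: &csr.BasicKeyRequest{
			A: "ecdsa",
			S: 384,
		},
	})
	if err != nil {
		log.Fatal(err)
	}

	// The private key is owner-read-only; the certificate written further
	// down is public material and may stay world-readable.
	if err := ioutil.WriteFile(keyFile, key, 0400); err != nil {
		log.Fatal(err)
	}
	log.Infof("Key generated and saved to %s\n", keyFile)

	log.Info("Server entering initialization state")
	s, err := server.NewServerFromFile(initCertFile, initKeyFile, caFile,
		net.JoinHostPort("", port), net.JoinHostPort("", metricsPort))
	if err != nil {
		log.Fatal(err)
	}
	s.ActivationToken = []byte(initToken)
	go func() {
		log.Fatal(s.ListenAndServe())
	}()

	cert, err := initAPICall(hostnames, string(csrPEM))
	if err != nil {
		log.Fatal(err)
	}

	if err := ioutil.WriteFile(certFile, cert, 0644); err != nil {
		log.Fatal(err)
	}
	log.Infof("Cert saved to %s\n", certFile)

	// Remove server from activation state and initialize issued certificate.
	// NOTE(review): ActivationToken and Config are presumably read by the
	// serving goroutine started above, and nothing here synchronizes these
	// writes with it; re-slicing to [:0] also leaves the token bytes in the
	// backing array. Confirm the server type guards these fields, or restart
	// the listener with the issued certificate instead.
	s.ActivationToken = s.ActivationToken[:0]
	tlsCert, err := tls.LoadX509KeyPair(certFile, keyFile)
	if err != nil {
		log.Fatal(err)
	}

	s.Config.Certificates = []tls.Certificate{tlsCert}
	return s
}

// promptHostnames reads one comma-separated list of hostnames/IPs from stdin
// and returns the entries trimmed of surrounding whitespace with empty
// entries dropped, so input like "a,b," does not put an empty SAN into the
// CSR. It exits the process when no hostname at all was given.
func promptHostnames() []string {
	var hosts string
	fmt.Print("Keyserver Hostnames/IPs (comma-seperated): ")
	// Scanln reads a single whitespace-delimited token, so the list has to be
	// typed without spaces. Its error is left unchecked on purpose: an empty
	// line is reported as an error by Scanln but is handled by the length
	// check below.
	fmt.Scanln(&hosts)

	var hostnames []string
	for _, h := range strings.Split(hosts, ",") {
		if h = strings.TrimSpace(h); h != "" {
			hostnames = append(hostnames, h)
		}
	}
	if len(hostnames) == 0 {
		log.Fatal("no keyserver hostnames/IPs given")
	}
	return hostnames
}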
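// main runs the keyless server.
//
// With -init-token set the server bootstraps its own key and certificate via
// initializeServer; otherwise it is built from the existing certFile/keyFile,
// every key under keyDir is registered, and the server is started in the
// background. main then optionally writes a pid file and blocks forever,
// reloading the keys from keyDir on each SIGHUP.
func main() {
	var s *server.Server
	if initToken != "" {
		s = initializeServer()
	} else {
		// Assign with '=' rather than ':=': a short declaration here would
		// shadow the outer s and leave the SIGHUP loop below calling
		// LoadKeysFromDir on a nil server.
		var err error
		s, err = server.NewServerFromFile(certFile, keyFile, caFile,
			net.JoinHostPort("", port), net.JoinHostPort("", metricsPort))
		if err != nil {
			log.Warningf("Could not create server. Run with `gokeyless -init-token=XXX` to get %s and %s", keyFile, certFile)
			log.Fatal(err)
		}

		if err := s.LoadKeysFromDir(keyDir, LoadKey); err != nil {
			log.Fatal(err)
		}

		// Start server in background, then listen for SIGHUPs to reload keys.
		go func() {
			log.Fatal(s.ListenAndServe())
		}()
	}

	if pidFile != "" {
		writePIDFile(pidFile)
	}

	c := make(chan os.Signal, 1)
	signal.Notify(c, syscall.SIGHUP)
	for range c {
		log.Info("Received SIGHUP, reloading keys...")
		if err := s.LoadKeysFromDir(keyDir, LoadKey); err != nil {
			log.Fatal(err)
		}
	}
}

// writePIDFile writes the current process id to path. Failures are logged
// rather than fatal: the pid file is a convenience for init scripts and the
// server runs fine without it. Write and close errors are reported too, so a
// truncated or unflushed pid file does not go unnoticed.
func writePIDFile(path string) {
	f, err := os.Create(path)
	if err != nil {
		log.Errorf("error creating pid file: %v", err)
		return
	}
	if _, err := fmt.Fprintf(f, "%d", os.Getpid()); err != nil {
		log.Errorf("error writing pid file: %v", err)
	}
	if err := f.Close(); err != nil {
		log.Errorf("error closing pid file: %v", err)
	}
}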
// main builds the server from certFile/keyFile/caFile, registers every key
// found under keyDir and serves until ListenAndServe returns, which is
// treated as fatal. Server output goes to stdout unless silent is set, in
// which case it is discarded.
func main() {
	logOut := io.Writer(os.Stdout)
	if silent {
		logOut = ioutil.Discard
	}

	srv, err := server.NewServerFromFile(certFile, keyFile, caFile, net.JoinHostPort("", port), logOut)
	if err != nil {
		log.Fatal(err)
	}

	loaded, err := LoadKeysFromDir(keyDir)
	if err != nil {
		log.Fatal(err)
	}
	for _, k := range loaded {
		srv.RegisterKey(k)
	}

	log.Fatal(srv.ListenAndServe())
}
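// Set up compatible server and client for use by tests.
//
// The package-level server s and client c are built from the certificate and
// key paths declared elsewhere in the package; the RSA and ECDSA test private
// keys are added to the server, and their public halves are registered with
// the client as rsaKey and ecdsaKey. Any failure aborts the test binary.
func init() {
	var err error
	var priv crypto.Signer
	var pub crypto.PublicKey

	log.Level = log.LevelFatal

	s, err = server.NewServerFromFile(serverCert, serverKey, keylessCA, serverAddr, "")
	if err != nil {
		log.Fatal(err)
	}

	// Server side: the private keys the keyserver will sign with.
	if priv, err = x509.ParsePKCS1PrivateKey(decodePEMFile(rsaPrivKey).Bytes); err != nil {
		log.Fatal(err)
	}
	if err = s.Keys.Add(nil, priv); err != nil {
		log.Fatal(err)
	}

	if priv, err = x509.ParseECPrivateKey(decodePEMFile(ecdsaPrivKey).Bytes); err != nil {
		log.Fatal(err)
	}
	if err = s.Keys.Add(nil, priv); err != nil {
		log.Fatal(err)
	}

	// NOTE(review): the send on listening happens before ListenAndServe is
	// called, so it only proves the goroutine started, not that the socket is
	// bound; a client connecting immediately may still be refused. Confirm
	// whether the server exposes a readiness signal to wait on instead.
	listening := make(chan bool)
	go func() {
		listening <- true
		if err := s.ListenAndServe(); err != nil {
			log.Fatal(err)
		}
	}()
	<-listening

	if c, err = client.NewClientFromFile(clientCert, clientKey, keyserverCA); err != nil {
		log.Fatal(err)
	}

	// Client side: the public keys that map requests to the server's signers.
	if pub, err = x509.ParsePKIXPublicKey(decodePEMFile(rsaPubKey).Bytes); err != nil {
		log.Fatal(err)
	}
	if rsaKey, err = c.RegisterPublicKey(serverAddr, pub); err != nil {
		log.Fatal(err)
	}

	if pub, err = x509.ParsePKIXPublicKey(decodePEMFile(ecdsaPubKey).Bytes); err != nil {
		log.Fatal(err)
	}
	if ecdsaKey, err = c.RegisterPublicKey(serverAddr, pub); err != nil {
		log.Fatal(err)
	}
}

// decodePEMFile reads path and returns its first PEM block, aborting the test
// binary if the file cannot be read or contains no PEM data. The nil check
// matters: pem.Decode returns nil for non-PEM input, and dereferencing
// p.Bytes on it would panic with a far less helpful message.
func decodePEMFile(path string) *pem.Block {
	pemBytes, err := ioutil.ReadFile(path)
	if err != nil {
		log.Fatal(err)
	}
	p, _ := pem.Decode(pemBytes)
	if p == nil {
		log.Fatalf("no PEM block found in %s", path)
	}
	return p
}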
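// main either prepares a new keyserver or runs one.
//
// With -init it generates an ECDSA P-384 key for the hostnames typed on
// stdin, stores the key in keyFile and prints the CSR for manual signing,
// then exits. Otherwise it builds the server from certFile/keyFile/caFile,
// registers every key under keyDir, serves in the background, optionally
// writes a pid file and blocks forever, reloading keys on every SIGHUP.
func main() {
	if initCert {
		var hosts string
		fmt.Print("Keyserver Hostnames/IPs (comma-seperated): ")
		// Scanln reads a single whitespace-delimited token, so the list has to
		// be typed without spaces; its error is left unchecked because an
		// empty line is caught by the length check below.
		fmt.Scanln(&hosts)

		// Trim entries and drop empties so "a,b," does not yield an empty SAN.
		var hostnames []string
		for _, h := range strings.Split(hosts, ",") {
			if h = strings.TrimSpace(h); h != "" {
				hostnames = append(hostnames, h)
			}
		}
		if len(hostnames) == 0 {
			log.Fatal("no keyserver hostnames/IPs given")
		}

		// csrPEM rather than csr, so the local does not shadow the csr package.
		csrPEM, key, err := csr.ParseRequest(&csr.CertificateRequest{
			CN:         "Keyless Server Authentication Certificate",
			Hosts:      hostnames,
			KeyRequest: &csr.KeyRequest{Algo: "ecdsa", Size: 384},
		})
		if err != nil {
			log.Fatal(err)
		}

		// Owner-read-only: this is the server's long-term private key.
		if err := ioutil.WriteFile(keyFile, key, 0400); err != nil {
			log.Fatal(err)
		}
		fmt.Printf("Key generated and saved to %s\n", keyFile)

		fmt.Printf("Email this CSR to [email protected] for signing and save the resulting certificate to %s:\n", certFile)
		fmt.Print(string(csrPEM))
		return
	}

	s, err := server.NewServerFromFile(certFile, keyFile, caFile,
		net.JoinHostPort("", port), net.JoinHostPort("", metricsPort))
	if err != nil {
		log.Warningf("Could not create server. Run `gokeyless -init` to get %s and %s", keyFile, certFile)
		log.Fatal(err)
	}

	if err := s.LoadKeysFromDir(keyDir, LoadKey); err != nil {
		log.Fatal(err)
	}

	// Start server in background, then listen for SIGHUPs to reload keys.
	go func() {
		log.Fatal(s.ListenAndServe())
	}()

	// The pid file is a convenience for init scripts, so its failures are
	// logged rather than fatal; write and close errors are reported too so a
	// truncated pid file does not go unnoticed.
	if pidFile != "" {
		if f, err := os.Create(pidFile); err != nil {
			log.Errorf("error creating pid file: %v", err)
		} else {
			if _, err := fmt.Fprintf(f, "%d", os.Getpid()); err != nil {
				log.Errorf("error writing pid file: %v", err)
			}
			if err := f.Close(); err != nil {
				log.Errorf("error closing pid file: %v", err)
			}
		}
	}

	c := make(chan os.Signal, 1)
	signal.Notify(c, syscall.SIGHUP)
	for range c {
		log.Info("Received SIGHUP, reloading keys...")
		if err := s.LoadKeysFromDir(keyDir, LoadKey); err != nil {
			log.Fatal(err)
		}
	}
}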