func main() {
// Generate client key.
clientKey, err := libtrust.GenerateECP256PrivateKey()
if err != nil {
log.Fatal(err)
}
// Add a comment for the client key.
clientKey.AddExtendedField("comment", "TLS Demo Client")
// Save the client key, public and private versions.
err = libtrust.SaveKey("client_data/private_key.pem", clientKey)
if err != nil {
log.Fatal(err)
}
err = libtrust.SavePublicKey("client_data/public_key.pem", clientKey.PublicKey())
if err != nil {
log.Fatal(err)
}
// Generate server key.
serverKey, err := libtrust.GenerateECP256PrivateKey()
if err != nil {
log.Fatal(err)
}
// Set the list of addresses to use for the server.
serverKey.AddExtendedField("hosts", []string{"localhost", "docker.example.com"})
// Save the server key, public and private versions.
err = libtrust.SaveKey("server_data/private_key.pem", serverKey)
if err != nil {
log.Fatal(err)
}
err = libtrust.SavePublicKey("server_data/public_key.pem", serverKey.PublicKey())
if err != nil {
log.Fatal(err)
}
// Generate Authorized Keys file for server.
err = libtrust.AddKeySetFile("server_data/trusted_clients.pem", clientKey.PublicKey())
if err != nil {
log.Fatal(err)
}
// Generate Known Host Keys file for client.
err = libtrust.AddKeySetFile("client_data/trusted_hosts.pem", serverKey.PublicKey())
if err != nil {
log.Fatal(err)
}
}
// NewIdentityAuthTLSConfig creates a tls.Config for the client to use for
// libtrust identity authentication
func NewIdentityAuthTLSConfig(trustKey libtrust.PrivateKey, knownHostsPath, proto, addr string) (*tls.Config, error) {
tlsConfig := createTLSConfig()
// Load known hosts
knownHosts, err := libtrust.LoadKeySetFile(knownHostsPath)
if err != nil {
return nil, fmt.Errorf("Could not load trusted hosts file: %s", err)
}
// Generate CA pool from known hosts
allowedHosts, err := libtrust.FilterByHosts(knownHosts, addr, false)
if err != nil {
return nil, fmt.Errorf("Error filtering hosts: %s", err)
}
certPool, err := libtrust.GenerateCACertPool(trustKey, allowedHosts)
if err != nil {
return nil, fmt.Errorf("Could not create CA pool: %s", err)
}
tlsConfig.ServerName = "docker"
tlsConfig.RootCAs = certPool
// Generate client cert from trust key
x509Cert, err := libtrust.GenerateSelfSignedClientCert(trustKey)
if err != nil {
return nil, fmt.Errorf("Certificate generation error: %s", err)
}
tlsConfig.Certificates = []tls.Certificate{{
Certificate: [][]byte{x509Cert.Raw},
PrivateKey: trustKey.CryptoPrivateKey(),
Leaf: x509Cert,
}}
// Connect to server to see if it is a known host
tlsConfig.InsecureSkipVerify = true
testConn, err := tls.Dial(proto, addr, tlsConfig)
if err != nil {
return nil, fmt.Errorf("TLS Handshake error: %s", err)
}
opts := x509.VerifyOptions{
Roots: tlsConfig.RootCAs,
CurrentTime: time.Now(),
DNSName: tlsConfig.ServerName,
Intermediates: x509.NewCertPool(),
}
certs := testConn.ConnectionState().PeerCertificates
for i, cert := range certs {
if i == 0 {
continue
}
opts.Intermediates.AddCert(cert)
}
_, err = certs[0].Verify(opts)
if err != nil {
if _, ok := err.(x509.UnknownAuthorityError); ok {
pubKey, err := libtrust.FromCryptoPublicKey(certs[0].PublicKey)
if err != nil {
return nil, fmt.Errorf("Error extracting public key from certificate: %s", err)
}
// If server is not a known host, prompt user to ask whether it should
// be trusted and add to the known hosts file
if promptUnknownKey(pubKey, addr) {
pubKey.AddExtendedField("hosts", []string{addr})
err = libtrust.AddKeySetFile(knownHostsPath, pubKey)
if err != nil {
return nil, fmt.Errorf("Error saving updated host keys file: %s", err)
}
ca, err := libtrust.GenerateCACert(trustKey, pubKey)
if err != nil {
return nil, fmt.Errorf("Error generating CA: %s", err)
}
tlsConfig.RootCAs.AddCert(ca)
} else {
return nil, fmt.Errorf("Cancelling request due to invalid certificate")
}
} else {
return nil, fmt.Errorf("TLS verification error: %s", err)
}
}
testConn.Close()
tlsConfig.InsecureSkipVerify = false
return tlsConfig, nil
}
