Beispiel #1
0
// Save set options to a configuration file. If categories are given, only those
// options in one of the categories is saved.
func Save(path, comment string, category ...string) error {
	file, err := util.CreatePath(path, 0777, 0777)
	if err != nil {
		return err
	}
	defer file.Close()

	set := make(map[string]bool)
	flag.Visit(func(f *flag.Flag) {
		set[f.Name] = true
	})

	for _, s := range strings.Split(comment, "\n") {
		fmt.Fprintf(file, "# %s\n", s)
	}
	fmt.Fprintf(file, "# Generated on %s\n", time.Now())

	for _, opt := range Options {
		f := flag.Lookup(opt.Name)
		if !opt.Relevant(category...) || f == nil {
			continue
		}
		fmt.Fprintf(file, "\n# %s\n", opt.Help)
		if set[opt.Name] {
			fmt.Fprintf(file, "%s = %v\n", opt.Name, f.Value)
		} else {
			fmt.Fprintf(file, "# %s = %v\n", opt.Name, f.Value)
		}
	}
	return nil
}
Beispiel #2
0
// Save writes all domain configuration and policy data.
func (d *Domain) Save() error {
	file, err := util.CreatePath(d.ConfigPath, 0777, 0666)
	if err != nil {
		return err
	}
	ds := proto.MarshalTextString(&d.Config)
	fmt.Fprint(file, ds)
	file.Close()
	return d.Guard.Save(d.Keys.SigningKey)
}
Beispiel #3
0
func initHost(domain *tao.Domain) {
	var cfg tao.LinuxHostConfig

	configureFromOptions(&cfg)
	_, err := loadHost(domain, &cfg)
	options.FailIf(err, "Can't create host")

	// If we get here, keys were created and flags must be ok.

	file, err := util.CreatePath(hostConfigPath(), 0777, 0666)
	options.FailIf(err, "Can't create host configuration")
	cs := proto.MarshalTextString(&cfg)
	fmt.Fprint(file, cs)
	file.Close()
}
Beispiel #4
0
// NewOnDiskPBEKeys creates a new Keys structure with the specified key types
// store under PBE on disk. If keys are generated and name is not nil, then a
// self-signed x509 certificate will be generated and saved as well.
func NewOnDiskPBEKeys(keyTypes KeyType, password []byte, path string, name *pkix.Name) (*Keys, error) {
	if keyTypes == 0 || (keyTypes & ^Signing & ^Crypting & ^Deriving != 0) {
		return nil, newError("bad key type")
	}

	if path == "" {
		return nil, newError("bad init call: no path for keys")
	}

	k := &Keys{
		keyTypes: keyTypes,
		dir:      path,
	}

	if len(password) == 0 {
		// This means there's no secret information: just load a public
		// verifying key.
		if k.keyTypes & ^Signing != 0 {
			return nil, newError("without a password, only a verifying key can be loaded")
		}

		err := k.loadCert()
		if err != nil {
			return nil, err
		}
		if k.Cert == nil {
			return nil, newError("no password and can't load cert: %s", k.X509Path())
		}

		if k.VerifyingKey, err = FromX509(k.Cert); err != nil {
			return nil, err
		}
	} else {
		// There are two different types of keysets: in one there's
		// just a Signer, so we use an encrypted PEM format. In the
		// other, there are multiple keys, so we use a custom protobuf
		// format.
		if k.keyTypes & ^Signing != 0 {
			// Check to see if there are already keys.
			f, err := os.Open(k.PBEKeysetPath())
			if err == nil {
				defer f.Close()
				ks, err := ioutil.ReadAll(f)
				if err != nil {
					return nil, err
				}

				data, err := PBEDecrypt(ks, password)
				if err != nil {
					return nil, err
				}
				defer ZeroBytes(data)

				var cks CryptoKeyset
				if err = proto.Unmarshal(data, &cks); err != nil {
					return nil, err
				}

				// TODO(tmroeder): defer zeroKeyset(&cks)

				ktemp, err := UnmarshalKeyset(&cks)
				if err != nil {
					return nil, err
				}

				// Note that this loads the certificate if it's
				// present, and it returns nil otherwise.
				err = k.loadCert()
				if err != nil {
					return nil, err
				}

				k.SigningKey = ktemp.SigningKey
				k.VerifyingKey = ktemp.VerifyingKey
				k.CryptingKey = ktemp.CryptingKey
				k.DerivingKey = ktemp.DerivingKey
			} else {
				// Create and store a new set of keys.
				k, err = NewTemporaryKeys(keyTypes)
				if err != nil {
					return nil, err
				}

				k.dir = path

				cks, err := MarshalKeyset(k)
				if err != nil {
					return nil, err
				}

				// TODO(tmroeder): defer zeroKeyset(cks)

				m, err := proto.Marshal(cks)
				if err != nil {
					return nil, err
				}
				defer ZeroBytes(m)

				enc, err := PBEEncrypt(m, password)
				if err != nil {
					return nil, err
				}

				if err = util.WritePath(k.PBEKeysetPath(), enc, 0777, 0600); err != nil {
					return nil, err
				}

				if k.SigningKey != nil && name != nil {
					err = k.newCert(name)
					if err != nil {
						return nil, err
					}
				}
			}
		} else {
			// There's just a signer, so do PEM encryption of the encoded key.
			f, err := os.Open(k.PBESignerPath())
			if err == nil {
				defer f.Close()
				// Read the signer.
				ss, err := ioutil.ReadAll(f)
				if err != nil {
					return nil, err
				}

				pb, rest := pem.Decode(ss)
				if pb == nil || len(rest) > 0 {
					return nil, newError("decoding failure")
				}

				p, err := x509.DecryptPEMBlock(pb, password)
				if err != nil {
					return nil, err
				}
				defer ZeroBytes(p)

				err = k.loadCert()
				if err != nil {
					return nil, err
				}

				if k.SigningKey, err = UnmarshalSignerDER(p); err != nil {
					return nil, err
				}
				k.VerifyingKey = k.SigningKey.GetVerifier()
			} else {
				// Create a fresh key and store it to the PBESignerPath.
				if k.SigningKey, err = GenerateSigner(); err != nil {
					return nil, err
				}

				k.VerifyingKey = k.SigningKey.GetVerifier()
				p, err := MarshalSignerDER(k.SigningKey)
				if err != nil {
					return nil, err
				}
				defer ZeroBytes(p)

				pb, err := x509.EncryptPEMBlock(rand.Reader, "EC PRIVATE KEY", p, password, x509.PEMCipherAES128)
				if err != nil {
					return nil, err
				}

				pbes, err := util.CreatePath(k.PBESignerPath(), 0777, 0600)
				if err != nil {
					return nil, err
				}
				defer pbes.Close()

				if err = pem.Encode(pbes, pb); err != nil {
					return nil, err
				}

				if k.SigningKey != nil && name != nil {
					err = k.newCert(name)
					if err != nil {
						return nil, err
					}
				}
			}
		}
	}

	return k, nil
}
Beispiel #5
0
// InitOnDiskPBEKeys creates a new Keys structure with the specified key types
// stored under PBE on disk. If name is not nil, then a self-signed x509
// certificate will be generated and saved as well.
func InitOnDiskPBEKeys(keyTypes KeyType, password []byte, path string, name *pkix.Name) (*Keys, error) {
	if keyTypes == 0 || (keyTypes & ^Signing & ^Crypting & ^Deriving != 0) {
		return nil, newError("bad key type")
	}

	if path == "" {
		return nil, newError("bad init call: no path for keys")
	}

	if len(password) == 0 {
		return nil, newError("password may not be empty")
	}

	var k *Keys
	var err error

	if keyTypes & ^Signing != 0 {
		// There are are multiple keys, so use a custom protobuf format.
		k, err = NewTemporaryNamedKeys(keyTypes, name)
		if err != nil {
			return nil, err
		}
		k.dir = path

		cks, err := MarshalKeyset(k)
		if err != nil {
			return nil, err
		}

		// TODO(tmroeder): defer zeroKeyset(cks)

		m, err := proto.Marshal(cks)
		if err != nil {
			return nil, err
		}
		defer ZeroBytes(m)

		enc, err := PBEEncrypt(m, password)
		if err != nil {
			return nil, err
		}

		if err = util.WritePath(k.PBEKeysetPath(), enc, 0777, 0600); err != nil {
			return nil, err
		}
	} else {
		k = &Keys{
			keyTypes:        keyTypes,
			dir:             path,
			CertificatePool: NewCertificatePool(),
		}
		// Just a signer, so create fresh key and store it to PBESignerPath.
		if k.SigningKey, err = GenerateSigner(); err != nil {
			return nil, err
		}

		k.VerifyingKey = k.SigningKey.GetVerifier()
		p, err := MarshalSignerDER(k.SigningKey)
		if err != nil {
			return nil, err
		}
		defer ZeroBytes(p)

		pb, err := x509.EncryptPEMBlock(rand.Reader, "EC PRIVATE KEY", p, password, x509.PEMCipherAES128)
		if err != nil {
			return nil, err
		}

		pbes, err := util.CreatePath(k.PBESignerPath(), 0777, 0600)
		if err != nil {
			return nil, err
		}
		defer pbes.Close()

		if err = pem.Encode(pbes, pb); err != nil {
			return nil, err
		}

		if name == nil {
			name = DefaultEphemeralX509Name
		}
		template := k.SigningKey.X509Template(name)
		template.IsCA = true
		cert, err := k.SigningKey.CreateSelfSignedX509(template)
		if err != nil {
			return nil, err
		}
		k.Cert["self"] = cert
		k.Cert["default"] = cert
	}

	if err = k.SaveCerts(); err != nil {
		return nil, err
	}

	return k, nil
}