Beispiel #1
0
func (cont *CSRController) GetCSR(id string) (*x509.CSR, error) {
	logger.Debug("getting CSR")
	logger.Tracef("received CSR id '%s'", id)

	logger.Debug("getting CSR from org")
	csrContainerJson, err := cont.env.api.GetPrivate(cont.env.controllers.org.OrgId(), id)
	if err != nil {
		return nil, err
	}

	logger.Debug("creating new container")
	csrContainer, err := document.NewContainer(csrContainerJson)
	if err != nil {
		return nil, err
	}

	logger.Debug("decrypting container")
	csrJson, err := cont.env.controllers.org.org.VerifyThenDecrypt(csrContainer)
	if err != nil {
		return nil, err
	}

	logger.Debug("loading CSR json")
	csr, err := x509.NewCSR(csrJson)
	if err != nil {
		return nil, err
	}

	logger.Trace("returning CSR")
	return csr, nil
}
Beispiel #2
0
func (app *NodeApp) NewCSR() {
	logger.Info("Creating new CSR")
	csr, err := x509.NewCSR(nil)
	checkAppFatal("Could not generate CSR: %s", err)

	csr.Data.Body.Id = NewID()
	csr.Data.Body.Name = app.entities.node.Data.Body.Name
	csr.Generate()

	logger.Info("Saving local CSR")

	csrContainer, err := app.entities.node.EncryptThenSignString(csr.Dump(), nil)
	checkAppFatal("Could not encrypt CSR: %s", err)

	err = app.fs.api.SendPrivate(app.entities.node.Data.Body.Id, csr.Data.Body.Id, csrContainer.Dump())
	checkAppFatal("Could not save CSR: %s", err)

	logger.Info("Pushing public CSR")
	csrPublic, err := csr.Public()
	checkAppFatal("Could not get public CSR: %s", err)

	csrPublicContainer, err := app.entities.node.SignString(csrPublic.Dump())
	checkAppFatal("Could not sign public CSR: %s", err)

	err = app.fs.api.PushOutgoing("csrs", csrPublicContainer.Dump())
	checkAppFatal("Could not send public CSR: %s", err)
}
Beispiel #3
0
func (cont *NodeController) NewCSR() error {
	logger.Debug("creating new CSR")

	csr, err := x509.NewCSR(nil)
	if err != nil {
		return err
	}

	csr.Data.Body.Id = x509.NewID()
	csr.Data.Body.Name = cont.node.Data.Body.Name
	subject := pkix.Name{CommonName: csr.Data.Body.Name}
	csr.Generate(&subject)

	logger.Debug("creating encrypted CSR container")
	csrContainer, err := cont.node.EncryptThenSignString(csr.Dump(), nil)
	if err != nil {
		return err
	}

	logger.Debug("saving node CSR")
	if err := cont.env.api.SendPrivate(cont.node.Data.Body.Id, csr.Data.Body.Id, csrContainer.Dump()); err != nil {
		return err
	}

	logger.Debug("getting public CSR")
	csrPublic, err := csr.Public()
	if err != nil {
		return err
	}

	logger.Debug("signing public CSR as node")
	csrPublicContainer, err := cont.node.SignString(csrPublic.Dump())
	if err != nil {
		return err
	}

	logger.Debug("putting public CSR in outgoing queue")
	if err := cont.env.api.PushOutgoing(cont.node.Data.Body.Id, "csrs", csrPublicContainer.Dump()); err != nil {
		return err
	}

	logger.Trace("returning nil error")
	return nil
}
Beispiel #4
0
func (app *AdminApp) SignCSRForNode(node *node.Node, caId, tag string) {
	logger.Info("Getting CSR for node")
	csrContainerJson, err := app.fs.api.PopOutgoing(node.Data.Body.Id, "csrs")
	checkAppFatal("Couldn't get a csr: %s", err)

	csrContainer, err := document.NewContainer(csrContainerJson)
	checkAppFatal("Couldn't create container from json: %s", err)

	err = node.Verify(csrContainer)
	checkAppFatal("Couldn't verify CSR: %s", err)

	csrJson := csrContainer.Data.Body
	csr, err := x509.NewCSR(csrJson)
	checkAppFatal("Couldn't create csr from json: %s", err)

	logger.Info("Setting CSR name from node")
	csr.Data.Body.Name = node.Data.Body.Name

	ca := app.GetCA(caId)

	logger.Info("Creating certificate")
	cert, err := ca.Sign(csr)
	checkAppFatal("Couldn't sign csr: %s", err)

	logger.Info("Tagging cert")
	cert.Data.Body.Tags = append(cert.Data.Body.Tags, tag)

	logger.Info("Signing cert")
	certContainer, err := document.NewContainer(nil)
	checkAppFatal("Couldn't create cert container: %s", err)

	certContainer.Data.Options.Source = app.entities.org.Data.Body.Id
	certContainer.Data.Body = cert.Dump()
	err = app.entities.org.Sign(certContainer)
	checkAppFatal("Couldn't sign cert container: %s", err)

	logger.Info("Pushing certificate to node")
	err = app.fs.api.PushIncoming(node.Data.Body.Id, "certs", certContainer.Dump())
	checkAppFatal("Couldn't push cert to node: %s", err)
}
Beispiel #5
0
func (app *NodeApp) ProcessNextCert() {
	certContainerJson, err := app.fs.api.PopIncoming("certs")
	checkAppFatal("Can't pop cert: %s", err)

	certContainer, err := document.NewContainer(certContainerJson)
	checkAppFatal("Can't create cert container: %s", err)

	err = app.entities.org.Verify(certContainer)
	checkAppFatal("Cert didn't verify: %s", err)

	cert, err := x509.NewCertificate(certContainer.Data.Body)
	checkAppFatal("Can't load certificate: %s", err)

	csrContainerJson, err := app.fs.api.GetPrivate(app.entities.node.Data.Body.Id, cert.Data.Body.Id)
	checkAppFatal("Couldn't load csr file: %s", err)

	csrContainer, err := document.NewContainer(csrContainerJson)
	checkAppFatal("Couldn't load CSR container: %s", err)

	csrJson, err := app.entities.node.VerifyThenDecrypt(csrContainer)
	checkAppFatal("Couldn't verify and decrypt container: %s", err)

	csr, err := x509.NewCSR(csrJson)
	checkAppFatal("Couldn't load csr: %s", err)

	// Set the private key from the csr
	cert.Data.Body.PrivateKey = csr.Data.Body.PrivateKey

	updatedCertContainer, err := app.entities.node.EncryptThenSignString(cert.Dump(), nil)
	checkAppFatal("Could not encrypt then sign cert: %s", err)

	err = app.fs.api.SendPrivate(app.entities.node.Data.Body.Id, cert.Data.Body.Id, updatedCertContainer.Dump())
	checkAppFatal("Could save cert: %s", err)

	err = app.index.node.AddCertTags(cert.Data.Body.Id, cert.Data.Body.Tags)
	checkAppFatal("Could not add cert tags: %s", err)
}
Beispiel #6
0
func (cont *OrgController) SignCSR(node *node.Node, caId, tag string) error {
	logger.Debug("signing CSR for node")
	logger.Tracef("received node with id '%s', ca id '%s' and tag '%s'", node.Id(), caId, tag)

	logger.Debugf("popping outgoing CSr from node '%s'", node.Id())
	csrContainerJson, err := cont.env.api.PopOutgoing(node.Data.Body.Id, "csrs")
	if err != nil {
		return err
	}

	logger.Debug("creating new CSR container")
	csrContainer, err := document.NewContainer(csrContainerJson)
	if err != nil {
		return err
	}

	logger.Debug("verifying CSR container with node")
	if err := node.Verify(csrContainer); err != nil {
		return err
	}

	logger.Debug("creating CSR from JSON")
	csrJson := csrContainer.Data.Body
	csr, err := x509.NewCSR(csrJson)
	if err != nil {
		return err
	}

	csr.Data.Body.Name = node.Data.Body.Name

	ca, err := cont.GetCA(caId)
	if err != nil {
		return err
	}

	logger.Debugf("Signing CSR with ca '%s'", caId)
	cert, err := ca.Sign(csr, false)
	if err != nil {
		return err
	}

	logger.Debug("tagging certificate")
	cert.Data.Body.Tags = append(cert.Data.Body.Tags, tag)

	logger.Debug("creating certificate container")
	certContainer, err := document.NewContainer(nil)
	if err != nil {
		return err
	}

	org := cont.env.controllers.org.org
	certContainer.Data.Options.Source = org.Id()
	certContainer.Data.Body = cert.Dump()

	logger.Debug("signing certificate container with org")
	if err := org.Sign(certContainer); err != nil {
		return err
	}

	logger.Debug("pushing certificate to node")
	if err := cont.env.api.PushIncoming(node.Data.Body.Id, "certs", certContainer.Dump()); err != nil {
		return err
	}

	index, err := cont.GetIndex()
	if err != nil {
		return err
	}

	if err := index.AddCertTags(cert.Data.Body.Id, cert.Data.Body.Tags); err != nil {
		return err
	}

	if err := cont.SaveIndex(index); err != nil {
		return err
	}

	logger.Trace("returning nil error")
	return nil
}
Beispiel #7
0
func (cont *NodeController) ProcessNextCert() error {
	logger.Debug("processing next certificate")

	logger.Debug("getting next incoming certificate JSON")
	certContainerJson, err := cont.env.api.PopIncoming(cont.node.Data.Body.Id, "certs")
	if err != nil {
		return err
	}

	logger.Debug("creating certificate container from JSON")
	certContainer, err := document.NewContainer(certContainerJson)
	if err != nil {
		return err
	}

	logger.Debug("verifying container is signed by org")
	if err := cont.env.controllers.org.org.Verify(certContainer); err != nil {
		return err
	}

	logger.Debug("creating new certificate struct")
	cert, err := x509.NewCertificate(certContainer.Data.Body)
	if err != nil {
		return err
	}

	logger.Debugf("getting matching CSR for id '%s'", cert.Data.Body.Id)
	csrContainerJson, err := cont.env.api.GetPrivate(cont.node.Data.Body.Id, cert.Data.Body.Id)
	if err != nil {
		return err
	}

	logger.Debug("creating CSR container")
	csrContainer, err := document.NewContainer(csrContainerJson)
	if err != nil {
		return err
	}

	logger.Debug("verifying and decryping CSR container")
	csrJson, err := cont.node.VerifyThenDecrypt(csrContainer)
	if err != nil {
		return err
	}

	logger.Debug("creating CSR struct from JSON")
	csr, err := x509.NewCSR(csrJson)
	if err != nil {
		return err
	}

	logger.Debug("setting new ID for certificate")
	cert.Data.Body.Id = x509.NewID()

	logger.Debug("setting certificate private key from CSR")
	cert.Data.Body.PrivateKey = csr.Data.Body.PrivateKey

	logger.Debug("encrypting and signing certificate for node")
	updatedCertContainer, err := cont.node.EncryptThenSignString(cert.Dump(), nil)
	if err != nil {
		return err
	}

	logger.Debug("saving encrypted certificate for node")
	if err := cont.env.api.SendPrivate(cont.node.Data.Body.Id, cert.Data.Body.Id, updatedCertContainer.Dump()); err != nil {
		return err
	}

	logger.Trace("returning nil error")
	return nil
}
Beispiel #8
0
func (cont *CSRController) New(params *CSRParams) (*x509.CSR, error) {
	logger.Debug("creating new CSR")
	logger.Tracef("received params: %s", params)

	if err := params.ValidateName(true); err != nil {
		return nil, err
	}

	if err := cont.env.LoadAdminEnv(); err != nil {
		return nil, err
	}

	// TODO - This should really be in a CSR function
	subject := pkix.Name{CommonName: *params.Name}

	if *params.DnLocality != "" {
		subject.Locality = []string{*params.DnLocality}
	}
	if *params.DnState != "" {
		subject.Province = []string{*params.DnState}
	}
	if *params.DnOrg != "" {
		subject.Organization = []string{*params.DnOrg}
	}
	if *params.DnOrgUnit != "" {
		subject.OrganizationalUnit = []string{*params.DnOrgUnit}
	}
	if *params.DnCountry != "" {
		subject.Country = []string{*params.DnCountry}
	}
	if *params.DnStreet != "" {
		subject.StreetAddress = []string{*params.DnStreet}
	}
	if *params.DnPostal != "" {
		subject.PostalCode = []string{*params.DnPostal}
	}

	logger.Debug("creating CSR struct")
	csr, err := x509.NewCSR(nil)
	if err != nil {
		return nil, err
	}

	csr.Data.Body.Id = x509.NewID()
	csr.Data.Body.Name = *params.Name

	if *params.CsrFile == "" && *params.KeyFile == "" {
		csr.Data.Body.KeyType = *params.KeyType
		logger.Debug("generating CSR and key")
		csr.Generate(&subject)
	} else {
		if *params.CsrFile == "" {
			return nil, fmt.Errorf("CSR PEM file must be provided if importing")
		}

		logger.Debugf("importing CSR from '%s'", *params.CsrFile)
		ok, err := fs.Exists(*params.CsrFile)
		if err != nil {
			return nil, err
		}

		if !ok {
			logger.Warnf("CSR file '%s' does not exist", *params.CsrFile)
			logger.Tracef("returning nil error")
			return nil, nil
		}

		logger.Debug("reading file")
		csrPem, err := fs.ReadFile(*params.CsrFile)
		if err != nil {
			return nil, err
		}

		logger.Debug("decoding CSR PEM")
		_, err = x509.PemDecodeX509CSR([]byte(csrPem))
		if err != nil {
			return nil, err
		}

		csr.Data.Body.CSR = csrPem

		if *params.KeyFile != "" {
			logger.Debugf("importing private key file from '%s'", *params.KeyFile)
			ok, err := fs.Exists(*params.KeyFile)
			if err != nil {
				return nil, err
			}

			if !ok {
				logger.Warnf("key file '%s' does not exist", *params.KeyFile)
				logger.Trace("returning nil error")
				return nil, nil
			}

			logger.Debugf("reading key file")
			keyPem, err := fs.ReadFile(*params.KeyFile)
			if err != nil {
				return nil, err
			}

			logger.Debug("decoding private key PEM")
			key, err := crypto.PemDecodePrivate([]byte(keyPem))
			if err != nil {
				return nil, err
			}

			keyType, err := crypto.GetKeyType(key)
			if err != nil {
				return nil, err
			}

			csr.Data.Body.KeyType = string(keyType)
			csr.Data.Body.PrivateKey = keyPem
		}
	}

	if *params.StandaloneFile == "" {
		err = cont.SaveCSR(csr)
		if err != nil {
			return nil, err
		}

		var tags string
		if *params.Tags == "NAME" {
			tags = *params.Name
		} else {
			tags = *params.Tags
		}

		err = cont.AddCSRToOrgIndex(csr, tags)
		if err != nil {
			return nil, err
		}
	}

	return csr, nil
}