func TestTLSConnection(t *testing.T) {
reactor := NewReactor()
client := reactor.CreateServer("local")
initialiseServerConnection(client)
// generate a test certificate to use
priv, _ := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
duration30Days, _ := time.ParseDuration("-30h")
notBefore := time.Now().Add(duration30Days) // valid 30 hours ago
duration1Year, _ := time.ParseDuration("90h")
notAfter := notBefore.Add(duration1Year) // for 90 hours
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, _ := rand.Int(rand.Reader, serialNumberLimit)
template := x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{
Organization: []string{"gIRC-Go Co"},
},
NotBefore: notBefore,
NotAfter: notAfter,
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
IsCA: true,
}
template.IPAddresses = append(template.IPAddresses, net.ParseIP("127.0.0.1"))
template.IPAddresses = append(template.IPAddresses, net.ParseIP("::"))
template.DNSNames = append(template.DNSNames, "localhost")
derBytes, _ := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
c := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
b, _ := x509.MarshalECPrivateKey(priv)
k := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: b})
// we mock up a server connection to test the client
listenerKeyPair, _ := tls.X509KeyPair(c, k)
var listenerTLSConfig tls.Config
listenerTLSConfig.Certificates = make([]tls.Certificate, 0)
listenerTLSConfig.Certificates = append(listenerTLSConfig.Certificates, listenerKeyPair)
listener, _ := tls.Listen("tcp", ":0", &listenerTLSConfig)
// mock up the client side too
clientTLSCertPool := x509.NewCertPool()
clientTLSCertPool.AppendCertsFromPEM(c)
var clientTLSConfig tls.Config
clientTLSConfig.RootCAs = clientTLSCertPool
clientTLSConfig.ServerName = "localhost"
go client.Connect(listener.Addr().String(), true, &clientTLSConfig)
go client.ReceiveLoop()
testServerConnection(t, reactor, client, listener)
}
func GenerateCertificateForTest() *v2tls.Certificate {
priv, err := rsa.GenerateKey(rand.Reader, 2048)
common.Must(err)
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
if err != nil {
log.Fatalf("failed to generate serial number: %s", err)
}
template := x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{
Organization: []string{"V2Ray Inc"},
},
NotBefore: time.Now(),
NotAfter: time.Now().Add(time.Hour),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
DNSNames: []string{"www.v2ray.com"},
}
derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
common.Must(err)
certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
return &v2tls.Certificate{
Certificate: certPEM,
Key: keyPEM,
}
}
func GenerateKey() (pkPem []byte, pubkPem []byte, pubSSHAK []byte, err error) {
pk, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
return
}
pkDer := x509.MarshalPKCS1PrivateKey(pk)
pkBlock := pem.Block{
Type: "RSA PRIVATE KEY",
Headers: nil,
Bytes: pkDer,
}
pkPem = pem.EncodeToMemory(&pkBlock)
pubk := pk.PublicKey
pubkDer, err := x509.MarshalPKIXPublicKey(&pubk)
if err != nil {
return
}
pubkBlock := pem.Block{
Type: "PUBLIC KEY",
Headers: nil,
Bytes: pubkDer,
}
pubkPem = pem.EncodeToMemory(&pubkBlock)
pubSSH, err := ssh.NewPublicKey(&pubk)
if err != nil {
return
}
pubSSHAK = ssh.MarshalAuthorizedKey(pubSSH)
return
}
func (crtkit *CertKit) GenerateServer(subject pkix.Name, host, email string, NotBefore ...time.Time) error {
var e error
var derBytes []byte
var notBefore time.Time
priv, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
return errors.New(fmt.Sprintf("failed to generate private key: %s", err))
}
if len(NotBefore) > 0 {
notBefore = NotBefore[0]
} else {
notBefore = time.Now()
}
serialNumber, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
if err != nil {
return errors.New(fmt.Sprintf("failed to generate serial number: %s", err))
}
if host == "" {
host, _ = os.Hostname()
}
Goose.Generator.Logf(6, "Certificate authority used: %#v", crtkit.CACert)
template := x509.Certificate{
SerialNumber: serialNumber,
Subject: subject,
IsCA: false,
NotBefore: notBefore,
NotAfter: notBefore.Add(365 * 24 * time.Hour),
DNSNames: []string{host, strings.Split(host, ".")[0]},
AuthorityKeyId: crtkit.CACert.SubjectKeyId,
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
BasicConstraintsValid: true,
}
Goose.Generator.Logf(4, "X509 Template: %#v", template)
if crtkit.CACert.CRLDistributionPoints != nil {
template.CRLDistributionPoints = crtkit.CACert.CRLDistributionPoints
} else {
Goose.Generator.Logf(1, "Certificate authority without CRL distribution points")
}
crtkit.ServerKey = priv
crtkit.ServerCert = &template
derBytes, e = x509.CreateCertificate(rand.Reader, &template, crtkit.CACert, &priv.PublicKey, crtkit.CAKey)
if e != nil {
return errors.New(fmt.Sprintf("Failed to create certificate: %s", e))
}
Goose.Generator.Logf(4, "DER Certificate: %s", derBytes)
crtkit.ServerCertPem = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
crtkit.ServerKeyPem = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
Goose.Generator.Logf(4, "PEM Certificate: %s", crtkit.ServerCertPem)
return nil
}
func generateSshKeyUsingGo() (string, string, error) {
privateKey, err := rsa.GenerateKey(rand.Reader, 2014)
if err != nil {
return "", "", err
}
fmt.Printf("----> creating ssh private key using Golang\n")
privateKeyDer := x509.MarshalPKCS1PrivateKey(privateKey)
privateKeyBlock := pem.Block{
Type: "RSA PRIVATE KEY",
Headers: nil,
Bytes: privateKeyDer,
}
privateKeyPem := string(pem.EncodeToMemory(&privateKeyBlock))
fmt.Printf("----> creating ssh public key using Golang\n")
publicKey := privateKey.PublicKey
publicKeyDer, err := x509.MarshalPKIXPublicKey(&publicKey)
if err != nil {
return "", "", err
}
publicKeyBlock := pem.Block{
Type: "PUBLIC KEY",
Headers: nil,
Bytes: publicKeyDer,
}
publicKeyPem := string(pem.EncodeToMemory(&publicKeyBlock))
return privateKeyPem, publicKeyPem, nil
}
func (reg Registration) Export(password string) (*RegistrationExport, error) {
keyBlock, err := reg.SigningKey.EncryptPrivateKey(password, utils.PemDefaultCipher)
if nil != err {
return nil, err
}
jsonBytes, err := json.Marshal(rawRegistrationExportJson{
Resource: reg.Resource,
LinkTermsOfService: reg.LinkTermsOfService,
RecoveryToken: reg.RecoveryToken,
})
if nil != err {
return nil, err
}
jsonBlock := &pem.Block{
Type: pemTypeAcmeJsonRegistration,
Bytes: jsonBytes,
}
if err := utils.EncryptPemBlock(jsonBlock, password, utils.PemDefaultCipher); nil != err {
return nil, err
}
return &RegistrationExport{
JsonPem: pem.EncodeToMemory(jsonBlock),
SigningKeyPem: pem.EncodeToMemory(keyBlock),
Location: reg.Location,
Name: reg.Name,
}, nil
}
// newLeaf generates a certificate/key pair suitable for use by a leaf node.
func newLeaf(caCertPEM, caKeyPEM string, expiry time.Time, hostnames []string, extKeyUsage []x509.ExtKeyUsage) (certPEM, keyPEM string, err error) {
tlsCert, err := tls.X509KeyPair([]byte(caCertPEM), []byte(caKeyPEM))
if err != nil {
return "", "", err
}
if len(tlsCert.Certificate) != 1 {
return "", "", fmt.Errorf("more than one certificate for CA")
}
caCert, err := x509.ParseCertificate(tlsCert.Certificate[0])
if err != nil {
return "", "", err
}
if !caCert.BasicConstraintsValid || !caCert.IsCA {
return "", "", fmt.Errorf("CA certificate is not a valid CA")
}
caKey, ok := tlsCert.PrivateKey.(*rsa.PrivateKey)
if !ok {
return "", "", fmt.Errorf("CA private key has unexpected type %T", tlsCert.PrivateKey)
}
key, err := rsa.GenerateKey(rand.Reader, KeyBits)
if err != nil {
return "", "", fmt.Errorf("cannot generate key: %v", err)
}
now := time.Now()
template := &x509.Certificate{
SerialNumber: new(big.Int),
Subject: pkix.Name{
// This won't match host names with dots. The hostname
// is hardcoded when connecting to avoid the issue.
CommonName: "*",
Organization: []string{"juju"},
},
NotBefore: now.UTC().AddDate(0, 0, -7),
NotAfter: expiry.UTC(),
SubjectKeyId: bigIntHash(key.N),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageKeyAgreement,
ExtKeyUsage: extKeyUsage,
}
for _, hostname := range hostnames {
if ip := net.ParseIP(hostname); ip != nil {
template.IPAddresses = append(template.IPAddresses, ip)
} else {
template.DNSNames = append(template.DNSNames, hostname)
}
}
certDER, err := x509.CreateCertificate(rand.Reader, template, caCert, &key.PublicKey, caKey)
if err != nil {
return "", "", err
}
certPEMData := pem.EncodeToMemory(&pem.Block{
Type: "CERTIFICATE",
Bytes: certDER,
})
keyPEMData := pem.EncodeToMemory(&pem.Block{
Type: "RSA PRIVATE KEY",
Bytes: x509.MarshalPKCS1PrivateKey(key),
})
return string(certPEMData), string(keyPEMData), nil
}
func CreatePrivateKey(d *schema.ResourceData, meta interface{}) error {
keyAlgoName := d.Get("algorithm").(string)
var keyFunc keyAlgo
var ok bool
if keyFunc, ok = keyAlgos[keyAlgoName]; !ok {
return fmt.Errorf("invalid key_algorithm %#v", keyAlgoName)
}
key, err := keyFunc(d)
if err != nil {
return err
}
var keyPemBlock *pem.Block
switch k := key.(type) {
case *rsa.PrivateKey:
keyPemBlock = &pem.Block{
Type: "RSA PRIVATE KEY",
Bytes: x509.MarshalPKCS1PrivateKey(k),
}
case *ecdsa.PrivateKey:
keyBytes, err := x509.MarshalECPrivateKey(k)
if err != nil {
return fmt.Errorf("error encoding key to PEM: %s", err)
}
keyPemBlock = &pem.Block{
Type: "EC PRIVATE KEY",
Bytes: keyBytes,
}
default:
return fmt.Errorf("unsupported private key type")
}
keyPem := string(pem.EncodeToMemory(keyPemBlock))
pubKey := publicKey(key)
pubKeyBytes, err := x509.MarshalPKIXPublicKey(pubKey)
if err != nil {
return fmt.Errorf("failed to marshal public key: %s", err)
}
pubKeyPemBlock := &pem.Block{
Type: "PUBLIC KEY",
Bytes: pubKeyBytes,
}
d.SetId(hashForState(string((pubKeyBytes))))
d.Set("private_key_pem", keyPem)
d.Set("public_key_pem", string(pem.EncodeToMemory(pubKeyPemBlock)))
sshPubKey, err := ssh.NewPublicKey(pubKey)
if err == nil {
// Not all EC types can be SSH keys, so we'll produce this only
// if an appropriate type was selected.
sshPubKeyBytes := ssh.MarshalAuthorizedKey(sshPubKey)
d.Set("public_key_openssh", string(sshPubKeyBytes))
} else {
d.Set("public_key_openssh", "")
}
return nil
}
func TestExportKeysByID(t *testing.T) {
s := NewTestExportStore()
b := &pem.Block{}
b.Bytes = make([]byte, 1000)
rand.Read(b.Bytes)
c := &pem.Block{}
c.Bytes = make([]byte, 1000)
rand.Read(c.Bytes)
bBytes := pem.EncodeToMemory(b)
cBytes := pem.EncodeToMemory(c)
s.data["ankh"] = bBytes
s.data["morpork/identifier"] = cBytes
buf := bytes.NewBuffer(nil)
err := ExportKeysByID(buf, s, []string{"identifier"})
require.NoError(t, err)
out, err := ioutil.ReadAll(buf)
require.NoError(t, err)
cFinal, rest := pem.Decode(out)
require.Equal(t, c.Bytes, cFinal.Bytes)
require.Equal(t, "morpork/identifier", cFinal.Headers["path"])
require.Len(t, rest, 0)
}
func newConfig() (client, server *tls.Config) {
now := time.Now()
tpl := x509.Certificate{
SerialNumber: new(big.Int).SetInt64(42),
Subject: pkix.Name{CommonName: ServerName},
NotBefore: now.Add(-2 * time.Hour).UTC(),
NotAfter: now.Add(2 * time.Hour).UTC(),
BasicConstraintsValid: true,
IsCA: true,
}
priv, err := rsa.GenerateKey(rand.Reader, 512)
if err != nil {
panic(err)
}
crt, err := x509.CreateCertificate(rand.Reader, &tpl, &tpl, &priv.PublicKey, priv)
if err != nil {
panic(err)
}
key := x509.MarshalPKCS1PrivateKey(priv)
pair, err := tls.X509KeyPair(
pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: crt}),
pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: key}),
)
if err != nil {
panic(err)
}
root, err := x509.ParseCertificate(crt)
if err != nil {
panic(err)
}
server = &tls.Config{Certificates: []tls.Certificate{pair}}
client = &tls.Config{RootCAs: x509.NewCertPool(), ServerName: ServerName}
client.RootCAs.AddCert(root)
return
}
func jwsTestKey(notBefore, notAfter time.Time) (pemKey []byte, pemCert []byte) {
key, err := rsa.GenerateKey(rand.Reader, 1024)
if err != nil {
panic(fmt.Sprintf("rsa.GenerateKey: %v", err))
}
pemKey = pem.EncodeToMemory(&pem.Block{
Type: "RSA PRIVATE KEY",
Bytes: x509.MarshalPKCS1PrivateKey(key),
})
tcert := x509.Certificate{
SerialNumber: big.NewInt(1),
Subject: pkix.Name{CommonName: "www.example.org"},
Issuer: pkix.Name{CommonName: "www.example.org"},
NotBefore: notBefore,
NotAfter: notAfter,
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
BasicConstraintsValid: true,
}
var cert []byte
cert, err = x509.CreateCertificate(rand.Reader, &tcert, &tcert, &key.PublicKey, key)
if err != nil {
panic(fmt.Sprintf("x509.CreateCertificate: %v", err))
}
pemCert = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert})
return pemKey, pemCert
}
// newKey realiza la generación y codificación de las claves RSA en codificación PEM.
func newKey() *Key {
privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
log.LogE("failed to generate private key", "pkg", "try6", "func", "NewKey(string) *Key", "error", err.Error())
return nil
}
privPEM := pem.EncodeToMemory(
&pem.Block{
Type: "RSA PRIVATE KEY",
Bytes: x509.MarshalPKCS1PrivateKey(privateKey),
},
)
pubKeyPKIX, err := x509.MarshalPKIXPublicKey(&privateKey.PublicKey)
if err != nil {
log.LogE("failed to generate DER public key", "pkg", "try6", "func", "NewKey(string) *Key", "error", err.Error())
return nil
}
pubPEM := pem.EncodeToMemory(&pem.Block{
Type: "RSA PUBLIC KEY",
Bytes: pubKeyPKIX,
})
return &Key{
PubKey: pubPEM,
PrivKey: privPEM,
}
}
func genKey() (private, public []byte) {
priKey, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
fmt.Println(err)
return
}
priDer := x509.MarshalPKCS1PrivateKey(priKey)
private = pem.EncodeToMemory(
&pem.Block{
Type: "RSA PRIVATE KEY",
Bytes: priDer,
},
)
pub := priKey.PublicKey
pubDer, err := x509.MarshalPKIXPublicKey(&pub)
if err != nil {
fmt.Println(err)
return
}
public = pem.EncodeToMemory(
&pem.Block{
Type: "PUBLIC KEY",
Headers: nil,
Bytes: pubDer,
},
)
ioutil.WriteFile("public.pem", public, 0644)
ioutil.WriteFile("private.pem", private, 0644)
return
}
func generateRSAKeys(bits int) (string, string, error) {
if err := validateRSABits(bits); err != nil {
return "", "", err
}
privateKey, err := rsa.GenerateKey(rand.Reader, bits)
if err != nil {
return "", "", err
}
pubASN1, err := x509.MarshalPKIXPublicKey(&privateKey.PublicKey)
if err != nil {
return "", "", err
}
publicKeyBytes := pem.EncodeToMemory(
&pem.Block{
Type: rsaPublicBlockType,
Bytes: pubASN1,
},
)
privateKeyBytes := pem.EncodeToMemory(
&pem.Block{
Type: rsaPrivateBlockType,
Bytes: x509.MarshalPKCS1PrivateKey(privateKey),
},
)
return string(publicKeyBytes), string(privateKeyBytes), nil
}
func getCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
fmt.Printf("getCertificate(%#v)", clientHello)
// name := clientHello.ServerName
name := "www.gov.cn"
glog.Infof("Generating RootCA for %s", name)
template := x509.Certificate{
IsCA: true,
SerialNumber: big.NewInt(1),
Subject: pkix.Name{
Organization: []string{name},
},
NotBefore: time.Now().Add(-time.Duration(5 * time.Minute)),
NotAfter: time.Now().Add(180 * 24 * time.Hour),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
}
priv, err := rsa.GenerateKey(rand.Reader, 1024)
if err != nil {
return nil, err
}
derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
if err != nil {
return nil, err
}
certPEMBlock := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
keyPEMBlock := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
cert, err := tls.X509KeyPair(certPEMBlock, keyPEMBlock)
return &cert, err
}
func CreateTLS() *tls.Config {
priv, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
log.Fatal("failed to generate private key:", err)
}
var notBefore time.Time
notBefore = time.Now()
notAfter := notBefore.Add(365 * 24 * time.Hour)
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
if err != nil {
log.Fatal("failed to generate serial number:", err)
}
template := x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{
Organization: []string{"Wago"},
},
NotBefore: notBefore,
NotAfter: notAfter,
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
}
hosts := []string{"127.0.0.1", "::1", "localhost"}
for _, h := range hosts {
if ip := net.ParseIP(h); ip != nil {
template.IPAddresses = append(template.IPAddresses, ip)
} else {
template.DNSNames = append(template.DNSNames, h)
}
}
template.IsCA = true
template.KeyUsage |= x509.KeyUsageCertSign
derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
if err != nil {
log.Fatal("Failed to create certificate:", err)
}
certPEMBlock := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
keyPEMBlock := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
cert, err := tls.X509KeyPair(certPEMBlock, keyPEMBlock)
if err != nil {
log.Fatal(err)
}
return &tls.Config{
Certificates: []tls.Certificate{cert},
}
}
func createTLSConfig(host string) (certPEMBlock, keyPEMBlock []byte, err error) {
now := time.Now()
tpl := x509.Certificate{
SerialNumber: new(big.Int).SetInt64(0),
Subject: pkix.Name{CommonName: host},
NotBefore: now.Add(-24 * time.Hour).UTC(),
NotAfter: now.AddDate(1, 0, 0).UTC(),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
BasicConstraintsValid: true,
MaxPathLen: 1,
IsCA: true,
SubjectKeyId: []byte{1, 2, 3, 4},
Version: 2,
}
key, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
return
}
der, err := x509.CreateCertificate(rand.Reader, &tpl, &tpl, &key.PublicKey, key)
if err != nil {
return
}
certPEMBlock = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
keyPEMBlock = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
return
}
// generate RSA key pair
func GenerateKeyPair() (map[string]string, error) {
kp := make(map[string]string)
privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
return kp, err
}
// calculations to speed up private key operations and
// some basic sanity checks
privateKey.Precompute()
if err = privateKey.Validate(); err != nil {
return kp, err
}
// convert private key to pem encode
privBlock := &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(privateKey)}
privPEMData := pem.EncodeToMemory(privBlock)
// convert public key to pem encode
PubASN1, err := x509.MarshalPKIXPublicKey(&privateKey.PublicKey)
if err != nil {
return kp, err
}
pubPEMData := pem.EncodeToMemory(&pem.Block{
Type: "PUBLIC KEY",
Bytes: PubASN1,
})
kp["private_key"] = string(privPEMData)
kp["public_key"] = string(pubPEMData)
return kp, nil
}
func (ca *CA) createCAKeyPair(name string) *ecdsa.PrivateKey {
caLogger.Debug("Creating CA key pair.")
curve := primitives.GetDefaultCurve()
priv, err := ecdsa.GenerateKey(curve, rand.Reader)
if err == nil {
raw, _ := x509.MarshalECPrivateKey(priv)
cooked := pem.EncodeToMemory(
&pem.Block{
Type: "ECDSA PRIVATE KEY",
Bytes: raw,
})
err = ioutil.WriteFile(ca.path+"/"+name+".priv", cooked, 0644)
if err != nil {
caLogger.Panic(err)
}
raw, _ = x509.MarshalPKIXPublicKey(&priv.PublicKey)
cooked = pem.EncodeToMemory(
&pem.Block{
Type: "ECDSA PUBLIC KEY",
Bytes: raw,
})
err = ioutil.WriteFile(ca.path+"/"+name+".pub", cooked, 0644)
if err != nil {
caLogger.Panic(err)
}
}
if err != nil {
caLogger.Panic(err)
}
return priv
}
func genKeyPair(keySize int) (string, string, error) {
prikey, err := rsa.GenerateKey(rand.Reader, keySize)
if err != nil {
return "", "", err
}
marshaled := x509.MarshalPKCS1PrivateKey(prikey)
marshaledPublic, errpk := x509.MarshalPKIXPublicKey(&prikey.PublicKey)
if errpk != nil {
return "", "", errpk
}
privateKeyPEM := pem.EncodeToMemory(&pem.Block{
Type: "RSA PRIVATE KEY",
Headers: nil,
Bytes: marshaled,
})
publicKeyPEM := pem.EncodeToMemory(&pem.Block{
Type: "RSA PUBLIC KEY",
Headers: nil,
Bytes: marshaledPublic,
})
return string(privateKeyPEM), string(publicKeyPEM), nil
}
// NewCA generates a CA certificate/key pair suitable for signing server
// keys for an environment with the given name.
func NewCA(envName string, expiry time.Time) (certPEM, keyPEM string, err error) {
key, err := rsa.GenerateKey(rand.Reader, KeyBits)
if err != nil {
return "", "", err
}
now := time.Now()
template := &x509.Certificate{
SerialNumber: new(big.Int),
Subject: pkix.Name{
CommonName: fmt.Sprintf("juju-generated CA for environment %q", envName),
Organization: []string{"juju"},
},
NotBefore: now.UTC().AddDate(0, 0, -7),
NotAfter: expiry.UTC(),
SubjectKeyId: bigIntHash(key.N),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
IsCA: true,
MaxPathLen: 0, // Disallow delegation for now.
BasicConstraintsValid: true,
}
certDER, err := x509.CreateCertificate(rand.Reader, template, template, &key.PublicKey, key)
if err != nil {
return "", "", fmt.Errorf("cannot create certificate: %v", err)
}
certPEMData := pem.EncodeToMemory(&pem.Block{
Type: "CERTIFICATE",
Bytes: certDER,
})
keyPEMData := pem.EncodeToMemory(&pem.Block{
Type: "RSA PRIVATE KEY",
Bytes: x509.MarshalPKCS1PrivateKey(key),
})
return string(certPEMData), string(keyPEMData), nil
}
func TestExportKeysByID(t *testing.T) {
setUp(t)
tempBaseDir, err := ioutil.TempDir("", "notary-test-")
require.NoError(t, err)
defer os.RemoveAll(tempBaseDir)
output, err := ioutil.TempFile("", "notary-test-import-")
require.NoError(t, err)
defer os.RemoveAll(output.Name())
k := &keyCommander{
configGetter: func() (*viper.Viper, error) {
v := viper.New()
v.SetDefault("trust_dir", tempBaseDir)
return v, nil
},
}
k.outFile = output.Name()
err = output.Close() // close so export can open
require.NoError(t, err)
k.exportKeyIDs = []string{"one", "three"}
b := &pem.Block{}
b.Bytes = make([]byte, 1000)
rand.Read(b.Bytes)
b2 := &pem.Block{}
b2.Bytes = make([]byte, 1000)
rand.Read(b2.Bytes)
c := &pem.Block{}
c.Bytes = make([]byte, 1000)
rand.Read(c.Bytes)
bBytes := pem.EncodeToMemory(b)
b2Bytes := pem.EncodeToMemory(b2)
cBytes := pem.EncodeToMemory(c)
fileStore, err := store.NewPrivateKeyFileStorage(tempBaseDir, notary.KeyExtension)
require.NoError(t, err)
err = fileStore.Set("one", bBytes)
require.NoError(t, err)
err = fileStore.Set("two", b2Bytes)
require.NoError(t, err)
err = fileStore.Set("three", cBytes)
require.NoError(t, err)
err = k.exportKeys(&cobra.Command{}, nil)
require.NoError(t, err)
outRes, err := ioutil.ReadFile(k.outFile)
require.NoError(t, err)
block, rest := pem.Decode(outRes)
require.Equal(t, b.Bytes, block.Bytes)
require.Equal(t, "one", block.Headers["path"])
block, rest = pem.Decode(rest)
require.Equal(t, c.Bytes, block.Bytes)
require.Equal(t, "three", block.Headers["path"])
require.Len(t, rest, 0)
}
// ToCSRBundle converts a byte-based raw DER certificate bundle
// to a PEM-based string certificate bundle
func (p *ParsedCSRBundle) ToCSRBundle() (*CSRBundle, error) {
result := &CSRBundle{}
block := pem.Block{
Type: "CERTIFICATE REQUEST",
}
if p.CSRBytes != nil && len(p.CSRBytes) > 0 {
block.Bytes = p.CSRBytes
result.CSR = strings.TrimSpace(string(pem.EncodeToMemory(&block)))
}
if p.PrivateKeyBytes != nil && len(p.PrivateKeyBytes) > 0 {
block.Bytes = p.PrivateKeyBytes
switch p.PrivateKeyType {
case RSAPrivateKey:
result.PrivateKeyType = "rsa"
block.Type = "RSA PRIVATE KEY"
case ECPrivateKey:
result.PrivateKeyType = "ec"
block.Type = "EC PRIVATE KEY"
default:
return nil, errutil.InternalError{"Could not determine private key type when creating block"}
}
result.PrivateKey = strings.TrimSpace(string(pem.EncodeToMemory(&block)))
}
return result, nil
}
// GeneratePem generates a new PEM with the config of the current KeyStore instance and returns it.
// This PEM will be stored in the KeyStore instance.
func (instance KeyStore) GeneratePem(name string) ([]byte, *x509.Certificate, error) {
if !instance.enabled {
return []byte{}, nil, errors.New("KeyStore is not enabled.")
}
privateKey, privateKeyBytes, publicKey, err := generatePrivateKey(instance.Config())
if err != nil {
return []byte{}, nil, errors.New("Could not generate pem for '%v'.", name).CausedBy(err)
}
certificateDerBytes, err := instance.generateClientCertificate(name, publicKey, privateKey)
if err != nil {
return []byte{}, nil, err
}
cert, err := x509.ParseCertificate(certificateDerBytes)
if err != nil || cert == nil {
return []byte{}, nil, errors.New("Wow! Could not parse right now created certificate for '%v'?", name).CausedBy(err)
}
pemBytes := []byte{}
pemBytes = append(pemBytes, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certificateDerBytes})...)
pemBytes = append(pemBytes, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: instance.cert.Raw})...)
pemBytes = append(pemBytes, pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: privateKeyBytes})...)
return pemBytes, cert, nil
}
// Bundle bundles the certificate with the issuer certificate.
func (c *Client) Bundle(certResp *CertificateResponse) (bundledPEM []byte, err error) {
if !certResp.IsAvailable() {
return nil, errors.New("Cannot bundle without certificate")
}
if certResp.Issuer == "" {
return nil, errors.New("Could not bundle certificates. Issuer not found")
}
resp, err := c.client.Get(certResp.Issuer)
if err != nil {
return nil, fmt.Errorf("Error requesting issuer certificate: %s", err)
}
defer resp.Body.Close()
issuerDER, err := ioutil.ReadAll(resp.Body)
if err != nil {
return nil, fmt.Errorf("Error reading issuer certificate: %s", err)
}
certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certResp.Certificate.Raw})
issuerPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: issuerDER})
return append(certPEM, issuerPEM...), nil
}
func generateKeys(c Config) {
keyPath := c.KeyDirectory
username := c.Username
privPath := fmt.Sprintf("%s/privatekey_%s.pem", keyPath, username)
pubPath := fmt.Sprintf("%s/publickey_%s.pem", keyPath, username)
// generate private key
privatekey, err := rsa.GenerateKey(rand.Reader, 1024)
checkError(err)
// Write Private Key
privBytes := pem.EncodeToMemory(&pem.Block{
Type: "RSA PRIVATE KEY",
Bytes: x509.MarshalPKCS1PrivateKey(privatekey),
})
ioutil.WriteFile(privPath, privBytes, 0600)
log.Info("Private Key: ", privPath)
fmt.Println(string(privBytes))
// Write Public Key
ansipub, err := x509.MarshalPKIXPublicKey(&privatekey.PublicKey)
checkError(err)
pubBytes := pem.EncodeToMemory(&pem.Block{
Type: "RSA PUBLIC KEY",
Bytes: ansipub,
})
ioutil.WriteFile(pubPath, pubBytes, 0644)
log.Info("Public Key: ", pubPath)
fmt.Println(string(pubBytes))
}
// GenerateKeys generates private and public RSA keys
func GenerateKeys(bits int) (string, string) {
priv, _ := rsa.GenerateKey(rand.Reader, bits)
// Get der format. priv_der []byte
privDer := x509.MarshalPKCS1PrivateKey(priv)
privBlk := pem.Block{
Type: "RSA PRIVATE KEY",
Headers: nil,
Bytes: privDer,
}
// Resultant private key in PEM format.
privPem := string(pem.EncodeToMemory(&privBlk))
// Public Key generation
pub := priv.PublicKey
pubDer, _ := x509.MarshalPKIXPublicKey(&pub)
pubBlk := pem.Block{
Type: "PUBLIC KEY",
Headers: nil,
Bytes: pubDer,
}
// Resultant public key in PEM format.
pubPem := string(pem.EncodeToMemory(&pubBlk))
return privPem, pubPem
}
// GenerateRSAKeys creates a pair of private and public keys for a client.
func GenerateRSAKeys() (string, string, error) {
/* Shamelessly borrowed and adapted from some golang-samples */
priv, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
return "", "", err
}
if err := priv.Validate(); err != nil {
errStr := fmt.Errorf("RSA key validation failed: %s", err)
return "", "", errStr
}
privDer := x509.MarshalPKCS1PrivateKey(priv)
/* For some reason chef doesn't label the keys RSA PRIVATE/PUBLIC KEY */
privBlk := pem.Block{
Type: "RSA PRIVATE KEY",
Headers: nil,
Bytes: privDer,
}
privPem := string(pem.EncodeToMemory(&privBlk))
pub := priv.PublicKey
pubDer, err := x509.MarshalPKIXPublicKey(&pub)
if err != nil {
errStr := fmt.Errorf("Failed to get der format for public key: %s", err)
return "", "", errStr
}
pubBlk := pem.Block{
Type: "PUBLIC KEY",
Headers: nil,
Bytes: pubDer,
}
pubPem := string(pem.EncodeToMemory(&pubBlk))
return privPem, pubPem, nil
}
// GenerateKeys returns a new key pair, with the private and public key
// encoded in PEM format.
func GenerateKeys() (privKey []byte, pubKey []byte, err error) {
// Generate a new key pair
key, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
if err != nil {
return nil, nil, err
}
// Marshal the private key
bs, err := x509.MarshalECPrivateKey(key)
if err != nil {
return nil, nil, err
}
// Encode it in PEM format
privKey = pem.EncodeToMemory(&pem.Block{
Type: "EC PRIVATE KEY",
Bytes: bs,
})
// Marshal the public key
bs, err = x509.MarshalPKIXPublicKey(key.Public())
if err != nil {
return nil, nil, err
}
// Encode it in PEM format
pubKey = pem.EncodeToMemory(&pem.Block{
Type: "EC PUBLIC KEY",
Bytes: bs,
})
return
}
// Generates a self-signed RSA keypair for 127.0.0.1 and returns both key and
// certificate as byte arrays.
func generateRSAKeyPair() (pemCert []byte, pemKey []byte) {
priv, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
panic(fmt.Sprintf("Error generating RSA key: %s", err))
}
key := x509.MarshalPKCS1PrivateKey(priv)
notBefore := time.Now()
notAfter := notBefore.Add(365 * 24 * time.Hour)
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, _ := rand.Int(rand.Reader, serialNumberLimit)
template := x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{Organization: []string{"Example.com"}},
NotBefore: notBefore,
NotAfter: notAfter,
BasicConstraintsValid: true,
IsCA: true,
IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
}
var cert []byte
cert, err = x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
if err != nil {
panic(fmt.Sprintf("Failed to create certificate: %s", err))
}
pemKey = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: key})
pemCert = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert})
return
}