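// Authenticate enrolls containerKey with the CA at endpoint and returns the
// certificate the CA signs for it.
//
// The CA certificate is fetched from endpoint itself and accepted only if its
// fingerprint matches caCertificateHash, which must therefore come from a
// trusted out-of-band source: it is the only thing anchoring trust in this
// exchange. The pinned CA is then the sole root used to verify the TLS
// connection over which the token and CSR are sent.
//
// Parameters:
//   endpoint          - CA base URL, passed through to GetCACertificate and sendCSR.
//   token             - enrollment token presented to the CA (not logged here).
//   containerKey      - key pair the CSR is built for.
//   certProp          - subject name, IP/domain lists, organization and country for the CSR.
//   caCertificateHash - expected fingerprint of the CA certificate.
//
// Returns the signed certificate, or an error if the CA certificate cannot be
// fetched, fails the fingerprint check or cannot be loaded into the trust pool,
// if the CSR cannot be built or encoded, or if the CA request fails.
func Authenticate(endpoint *string, token *string, containerKey *pkix.Key, certProp *CertificateProperties, caCertificateHash *[]byte) (*pkix.Certificate, error) {
	logger.Info.Printf("Authenticating token on CA %s", *endpoint)

	caCertificate, err := GetCACertificate(endpoint)
	if err != nil {
		return nil, err
	}

	// Pin the CA: a certificate fetched from the very endpoint we are about to
	// trust proves nothing by itself, so reject anything whose fingerprint does
	// not match the hash supplied by the caller.
	if err := caCertificate.VerifyFingerprint(caCertificateHash); err != nil {
		return nil, fmt.Errorf("Invalid CA certificate: %s", err)
	}

	// Build a trust pool containing only the pinned CA.
	rawCaCert, err := caCertificate.Export()
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	// AppendCertsFromPEM reports failure only through its return value; an
	// unparsable PEM would otherwise leave an empty pool and surface later as
	// a misleading "unknown authority" TLS error.
	if !pool.AppendCertsFromPEM(rawCaCert) {
		return nil, fmt.Errorf("Unable to load CA certificate into trust pool")
	}

	// Build and PEM-encode the CSR for containerKey.
	csr, err := pkix.CreateCertificateSigningRequest(containerKey, certProp.name, certProp.ip_list,
		certProp.domain_list, certProp.organization, certProp.country)
	if err != nil {
		return nil, err
	}
	pemCSR, err := csr.Export()
	if err != nil {
		return nil, err
	}

	// TLS client is MANDATORY: the token and CSR travel over this connection,
	// and only the pinned CA may vouch for the server. Compression stays off.
	// NOTE(review): no Timeout is set on the client, so an unresponsive CA can
	// block this call indefinitely; consider adding one where this is called.
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{
			RootCAs:    pool,
			MinVersion: tls.VersionTLS12,
		},
		DisableCompression: true,
	}
	client := &http.Client{Transport: tr}

	// Fetch a signed certificate
	crt, err := sendCSR(client, pemCSR, token, endpoint)
	if err != nil {
		return nil, err
	}
	return crt, nil
}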
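// CreateHTTPSKeys generates a fresh 4096-bit RSA key pair for the CA's own
// HTTPS server, has it signed by the CA (caCertificate/caInfo/caKey) for the
// host's current names and addresses, and writes the private key to outKey
// and the certificate to outCert.
//
// Side effect: the package-level caIPList and caDomainList are overwritten
// with the values returned by util.GetHostnameAndIp.
//
// Returns an error if key generation, host discovery, CSR creation, signing
// or either file write fails. Nothing is written to disk unless the
// certificate was issued successfully.
func CreateHTTPSKeys(outKey, outCert *string) error {
	logger.Info.Println("Creating https key")

	const keyLength = 4096
	keys, err := pkix.CreateRSAKey(keyLength)
	if err != nil {
		return err
	}

	// The host's own names/IPs go into the CSR (presumably as SANs, so that
	// clients can match the server certificate to the URL — verify in pkix).
	// Previously this error was dropped and empty lists could reach the CSR.
	caIPList, caDomainList, err = util.GetHostnameAndIp()
	if err != nil {
		return fmt.Errorf("Unable to determine hostname and IP: %s", err)
	}

	name := "ca"
	ipListStr := util.ListToString(caIPList, "")
	domainListStr := util.ListToString(caDomainList, "")
	organization := "symbios"
	// NOTE(review): X.509 expects the C= attribute to be a two-letter ISO 3166
	// code ("PT"); "PT-PT" is kept as-is here but may be rejected by strict
	// parsers — confirm how pkix.CreateCertificateSigningRequest handles it.
	country := "PT-PT"
	ttl := 2 // years

	logger.Info.Printf("HTTPS Cert with: %s  ; %s", *domainListStr, *ipListStr)

	csr, err := pkix.CreateCertificateSigningRequest(keys, name, *ipListStr, *domainListStr, organization, country)
	if err != nil {
		return err
	}

	// Issue the certificate before touching the filesystem. This error used to
	// go unchecked, which could leave a key on disk with no matching
	// certificate and would likely hit a nil certificate in Save below.
	certificate, err := pkix.CreateCertificateHost(caCertificate, caInfo, caKey, csr, ttl)
	if err != nil {
		return fmt.Errorf("Unable to create https certificate: %s", err)
	}

	// NOTE(review): the private key's file permissions are whatever
	// keys.SavePrivate chooses — verify it does not create a world-readable file.
	if err := keys.SavePrivate(outKey); err != nil {
		return fmt.Errorf("Unable to save https key: %s", err)
	}
	if err := certificate.Save(outCert); err != nil {
		return fmt.Errorf("Unable to save https certificate: %s", err)
	}
	return nil
}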