func GetCACertificate(endpoint *string) (*pkix.Certificate, error) {
//logger.Info.Printf("Get CA Certificate")
// ignore TLS. We will check the certificate fingerprint
tr := &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
}
client := &http.Client{Transport: tr}
res, err := client.Get(fmt.Sprintf("%s/v1/cert", *endpoint))
if err != nil {
return nil, fmt.Errorf("A problem occurred during communication with the Symbios CA. %s", err)
}
// read the response body and get it into certificate form
defer res.Body.Close()
data, err := ioutil.ReadAll(res.Body)
if err != nil {
return nil, fmt.Errorf("A problem occurred while reading the CA certificate from the Symbios CA. %s", err)
}
cert, err := pkix.NewCertificateFromPEM(data)
if err != nil {
return nil, fmt.Errorf("A problem occurred while converting the CA certificate from the Symbios CA. %s", err)
}
return cert, err
}
func sendCSR(client *http.Client, csr []byte, token *string, endpoint *string) (*pkix.Certificate, error) {
if csr == nil {
return nil, fmt.Errorf("csr is nil")
}
if token == nil {
return nil, fmt.Errorf("token is nil")
}
if endpoint == nil {
return nil, fmt.Errorf("endpoint is nil")
}
// Execute a POST request to upload the provided CSR
req, err := http.NewRequest("POST", fmt.Sprintf("%s/v1/csr", *endpoint), bytes.NewReader(csr))
if err != nil {
return nil, fmt.Errorf("Unable to form the HTTPS request. %s", err)
}
req.Header.Set("X-Auth-Token", *token)
signTimeStart := time.Now()
res, err := client.Do(req)
logger.Info.Printf("[TIMER] [%s] Uploaded CSR and retrieved CRT.", time.Since(signTimeStart))
if err != nil {
return nil, fmt.Errorf("A problem occurred during communication with the Symbios CA. %s", err)
}
// read the response body and get it into certificate form
logger.Info.Printf("CRT received: %d ", req.ContentLength)
defer res.Body.Close()
data, err := ioutil.ReadAll(res.Body)
fmt.Println(res.Status)
if res.Status != "200 OK" {
return nil, fmt.Errorf(string(data))
}
if err != nil {
return nil, fmt.Errorf("A problem occurred while reading the certificate from the Symbios CA. %s", err)
}
cert, err := pkix.NewCertificateFromPEM(data)
if err != nil {
return nil, fmt.Errorf("A problem occurred while parsing the certificate from the Symbios CA. %s", err)
}
return cert, nil
}
func readUserCertificate(encodedUserKey string) (*pkix.Certificate, error) {
if len(encodedUserKey) == 0 {
return nil, errors.New("user key is required")
}
userCertificateBytes, err := b64.StdEncoding.DecodeString(encodedUserKey)
if err != nil {
logger.Error.Printf("failed to decode certificate: %s", err)
return nil, err
}
// convert to KeyPair
cert, err := pkix.NewCertificateFromPEM(userCertificateBytes)
if err != nil {
logger.Error.Printf("failed to create certificate: %s", err)
return nil, err
}
return cert, nil
}
func TestClient(t *testing.T) {
logger.InitLogs(os.Stdout, os.Stdout, os.Stderr)
keyLength := 2048
hostname := "symbios"
privateKeyPath := "id_test"
expires := time.Now().AddDate(1, 0, 0).UTC()
// generate private key
userKeyBase64, _, _, err := NewUserKey(&hostname, keyLength, &expires, &privateKeyPath)
if err != nil {
t.Error(err)
}
pubKeyPath := privateKeyPath + ".crt"
defer os.Remove(privateKeyPath)
defer os.Remove(pubKeyPath)
// compare generated public key and base64encoded key
userKey, err := b64.StdEncoding.DecodeString(*userKeyBase64)
if err != nil {
t.Error(err)
}
rawCsr, err := ioutil.ReadFile(pubKeyPath)
if !bytes.Equal(userKey, rawCsr) {
t.Fail()
}
userCert, err := pkix.NewCertificateFromPEM(rawCsr)
if err != nil {
t.Error(err)
}
tokenExpires := time.Duration(time.Second * 10)
// generate token using private key
userToken, err := NewTokenUsingPrivateKeyFile(privateKeyPath, hostname, tokenExpires)
if err != nil {
t.Error(err)
}
if err := ca.ValidateToken(*userToken, userCert, &hostname); err != nil {
t.Fatalf("Token validation failed: %s", err)
}
// replay attack
if err := ca.ValidateToken(*userToken, userCert, &hostname); err == nil {
t.Fatalf("Replay attack detection fail: %s", err)
}
// expired token
tokenExpires = time.Duration(time.Second * 1)
userToken, err = NewTokenUsingPrivateKeyFile(privateKeyPath, hostname, tokenExpires)
if err != nil {
t.Error(err)
}
time.Sleep(time.Duration(time.Second * 5))
if err := ca.ValidateToken(*userToken, userCert, &hostname); err == nil {
t.Fatalf("Expired token detection fail: %s", err)
}
}
