// NewUserKey generates a new user RSA key, stores it in disk and returns its base64 encoding
func NewUserKey(username *string, keyLength int, expires *time.Time, out *string) (*string, *pkix.Certificate, *pkix.Key, error) {
//logger.Info.Printf("New User Key: %d bits, user: %s", keyLength, *username)
// generate keys
keys, err := pkix.CreateRSAKey(keyLength)
if err != nil {
return nil, nil, nil, fmt.Errorf("Failed to create key: %s", err)
}
// create user self-signed certificate
userCert, err := pkix.CreateUserCertificate(keys, *username, *expires)
if out != nil {
if err := keys.SavePrivate(out); err != nil {
return nil, nil, nil, fmt.Errorf("failed to write private key: %s", err)
}
certOut := (*out) + ".crt"
if err := userCert.Save(&certOut); err != nil {
return nil, nil, nil, fmt.Errorf("failed to write public key certificate: %s", err)
}
}
// encode public key
encodedCertificate, err := userCert.EncodeBase64()
if err != nil {
return nil, nil, nil, fmt.Errorf("failed to encode user certificate: %s", err)
}
return encodedCertificate, userCert, keys, nil
}
//AuthenticateAndSave generates a key, creates a CSR, sends to CA and stores the generated private key and certificate
func AuthenticateAndSave(endpoint, token, keyOut, crtOut, caCertOut *string, keysize int, cn, ip, domain, organization, country *string, caCertificateHash *[]byte) error {
key, err := pkix.CreateRSAKey(keysize)
if err != nil {
logger.Error.Printf("Unable to generate keys. %s", err)
return err
}
ipListArray, domainListArray, err := util.GetHostnameAndIp()
if err != nil {
return fmt.Errorf("Unable to obtain hostname and ip: %s", err)
}
ipList := util.ListToString(ipListArray, *ip)
domainList := util.ListToString(domainListArray, *domain)
logger.Info.Printf("Register Cert with: %s ; %s", *domainList, *ipList)
certProp := CertificateProperties{
name: *cn,
ip_list: *ipList,
domain_list: *domainList,
organization: *organization,
country: *country,
}
logger.Info.Println(certProp)
cert, err := Authenticate(endpoint, token, key, &certProp, caCertificateHash)
if err != nil {
return fmt.Errorf("Unable to authenticate. %s", err)
}
if err := key.SavePrivate(keyOut); err != nil {
return fmt.Errorf("Unable to save key: %s", err)
}
if err := cert.Save(crtOut); err != nil {
return fmt.Errorf("Unable to save certificate: %s", err)
}
caCert, err := GetCACertificate(endpoint)
if err != nil {
return fmt.Errorf("Unable to get CA Certificate. %s", err)
}
if err := caCert.Save(caCertOut); err != nil {
return fmt.Errorf("Unable to save CA certificate: %s", err)
}
return nil
}
//NewRootCertificate creates a new certificate authority root certificate
func NewRootCertificate(keylength int, expires time.Time, organization, country string) (*pkix.Key, *pkix.Certificate, *pkix.CertificateAuthorityInfo, error) {
cKey, err := pkix.CreateRSAKey(keylength)
if err != nil {
logger.Error.Printf("Failed to create root key pair: %s", err)
return nil, nil, nil, err
}
caKey = cKey
caCertificate, caInfo, err = pkix.CreateCertificateAuthority(caKey, expires, organization, country)
if err != nil {
logger.Error.Printf("Failed to create certificate authority: %s", err)
return nil, nil, nil, err
}
return caKey, caCertificate, caInfo, nil
}
//CreateHTTPSKeys generates a key-pair signed by the CA to be used in its HTTPS server
func CreateHTTPSKeys(outKey, outCert *string) error {
logger.Info.Println("Creating https key")
keyLength := 4096
// create keys
keys, err := pkix.CreateRSAKey(keyLength)
if err != nil {
return err
}
caIPList, caDomainList, err = util.GetHostnameAndIp()
// create csr
name := "ca"
ipListStr := util.ListToString(caIPList, "")
domainListStr := util.ListToString(caDomainList, "")
organization := "symbios"
country := "PT-PT"
ttl := 2 // years
logger.Info.Printf("HTTPS Cert with: %s ; %s", *domainListStr, *ipListStr)
csr, err := pkix.CreateCertificateSigningRequest(keys, name, *ipListStr, *domainListStr, organization, country)
if err != nil {
return err
}
certificate, err := pkix.CreateCertificateHost(caCertificate, caInfo, caKey, csr, ttl)
if err := keys.SavePrivate(outKey); err != nil {
return fmt.Errorf("Unable to save https key: %s", err)
}
if err := certificate.Save(outCert); err != nil {
return fmt.Errorf("Unable to save https certificate: %s", err)
}
return nil
}
func TestContainer(t *testing.T) {
logger.InitLogs(os.Stdout, os.Stdout, os.Stderr)
// create root keys
keysize := 2048
key, err := pkix.CreateRSAKey(keysize)
if err != nil {
t.Fatal("Unable to generate keys.", err)
}
// start CA
keylength := 4098
organization := "org"
country := "PT-PT"
expiresDays := 10
expires := time.Now().AddDate(0, 0, expiresDays).UTC()
_, caCert, _, err := ca.NewRootCertificate(keylength, expires, organization, country)
caFingerprint, err := caCert.Fingerprint()
if err != nil {
t.Fatal("Unable to generate keys.", err)
}
// add user to CA
keyLength := 2048
username := "******"
userExpires := time.Now().AddDate(1, 0, 0).UTC()
// generate private key
_, userCert, userPrivateKey, err := client.NewUserKey(&username, keyLength, &userExpires, nil)
if err != nil {
t.Error(err)
}
ca.SetUserCertificate(userCert)
userPrivateKeyBytes, err := userPrivateKey.ExportPrivate()
if err != nil {
t.Error(err)
}
tokenExpires := time.Duration(time.Second * 20)
token, err := client.NewToken(userPrivateKeyBytes, username, tokenExpires)
if err != nil {
t.Error(err)
}
//setup mockHTTPServer
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// /cert
if r.URL.String() == "/v1/cert" {
ca.HandleCertRequest(w, r)
}
if r.URL.String() == "/v1/csr" {
ca.HandleCSR(w, r)
}
}))
defer ts.Close()
fmt.Println(ts.URL)
certProp := CertificateProperties{
name: "Tommy",
ip_list: "192.168.1.1",
domain_list: "symbios",
organization: "symbios",
country: "US",
}
_, err = Authenticate(&ts.URL, token, key, &certProp, &caFingerprint)
if err != nil {
t.Fatalf("Unable to authenticate.", err)
}
}
