func main() {
flagAddr := flag.String("a", ":8888", "listening address")
flagRootFile := flag.String("roots", "", "configuration file specifying root keys")
flagDefaultLabel := flag.String("l", "", "specify a default label")
flagEndpointCert := flag.String("tls-cert", "", "server certificate")
flagEndpointKey := flag.String("tls-key", "", "server private key")
flag.IntVar(&log.Level, "loglevel", log.LevelInfo, "log level (0 = DEBUG, 4 = ERROR)")
flag.Parse()
if *flagRootFile == "" {
log.Fatal("no root file specified")
}
roots, err := config.Parse(*flagRootFile)
if err != nil {
log.Fatalf("%v", err)
}
for label, root := range roots {
s, err := parseSigner(root)
if err != nil {
log.Criticalf("%v", err)
}
signers[label] = s
if root.ACL != nil {
whitelists[label] = root.ACL
}
log.Info("loaded signer ", label)
}
defaultLabel = *flagDefaultLabel
initStats()
infoHandler, err := info.NewMultiHandler(signers, defaultLabel)
if err != nil {
log.Criticalf("%v", err)
}
var localhost = whitelist.NewBasic()
localhost.Add(net.ParseIP("127.0.0.1"))
localhost.Add(net.ParseIP("::1"))
metrics, err := whitelist.NewHandlerFunc(dumpMetrics, metricsDisallowed, localhost)
if err != nil {
log.Criticalf("failed to set up the metrics whitelist: %v", err)
}
http.HandleFunc("/api/v1/cfssl/authsign", dispatchRequest)
http.Handle("/api/v1/cfssl/info", infoHandler)
http.Handle("/api/v1/cfssl/metrics", metrics)
if *flagEndpointCert == "" && *flagEndpointKey == "" {
log.Info("Now listening on ", *flagAddr)
log.Fatal(http.ListenAndServe(*flagAddr, nil))
} else {
log.Info("Now listening on https:// ", *flagAddr)
log.Fatal(http.ListenAndServeTLS(*flagAddr, *flagEndpointCert, *flagEndpointKey, nil))
}
}
func main() {
c, err := client.NewClientFromFile(certFile, keyFile, caFile)
if err != nil {
log.Fatal(err)
}
c.Config.InsecureSkipVerify = insecureSkipVerify
if server != "" {
in := &testapi.Input{
Keyserver: server,
CertsPEM: testcerts,
Domain: domain,
ServerIP: serverIP,
}
results, err := tests.RunAPITests(in, c, testLen, workers)
if err != nil {
log.Fatal(err)
}
out, err := json.MarshalIndent(results, "", " ")
if err != nil {
log.Fatal(err)
}
fmt.Println(string(out))
}
if apiPort != "" {
log.Fatal(tests.ListenAndServeAPI(net.JoinHostPort("", apiPort), testLen, workers, c))
}
}
func main() {
c, err := client.NewClientFromFile(certFile, keyFile, caFile)
if err != nil {
log.Fatal(err)
}
privkeys, err := c.RegisterDir(server, pubkeyDir, LoadPEMPubKey)
if err != nil {
log.Fatal(err)
}
tests.RunServerTests(testLen, workers, c, server, privkeys)
}
func main() {
var s *server.Server
if initToken != "" {
s = initializeServer()
} else {
s, err := server.NewServerFromFile(certFile, keyFile, caFile,
net.JoinHostPort("", port), net.JoinHostPort("", metricsPort))
if err != nil {
log.Warningf("Could not create server. Run with `gokeyless -init-token=XXX` to get %s and %s", keyFile, certFile)
log.Fatal(err)
}
if err := s.LoadKeysFromDir(keyDir, LoadKey); err != nil {
log.Fatal(err)
}
// Start server in background, then listen for SIGHUPs to reload keys.
go func() {
log.Fatal(s.ListenAndServe())
}()
}
if pidFile != "" {
if f, err := os.Create(pidFile); err != nil {
log.Errorf("error creating pid file: %v", err)
} else {
fmt.Fprintf(f, "%d", os.Getpid())
f.Close()
}
}
c := make(chan os.Signal, 1)
signal.Notify(c, syscall.SIGHUP)
for {
select {
case <-c:
log.Info("Received SIGHUP, reloading keys...")
if err := s.LoadKeysFromDir(keyDir, LoadKey); err != nil {
log.Fatal(err)
}
}
}
}
func initializeServer() *server.Server {
var hosts string
fmt.Print("Keyserver Hostnames/IPs (comma-seperated): ")
fmt.Scanln(&hosts)
hostnames := strings.Split(hosts, ",")
csr, key, err := csr.ParseRequest(&csr.CertificateRequest{
CN: "Keyless Server Authentication Certificate",
Hosts: hostnames,
KeyRequest: &csr.BasicKeyRequest{
A: "ecdsa",
S: 384,
},
})
if err != nil {
log.Fatal(err)
}
if err := ioutil.WriteFile(keyFile, key, 0400); err != nil {
log.Fatal(err)
}
log.Infof("Key generated and saved to %s\n", keyFile)
log.Info("Server entering initialization state")
s, err := server.NewServerFromFile(initCertFile, initKeyFile, caFile,
net.JoinHostPort("", port), net.JoinHostPort("", metricsPort))
if err != nil {
log.Fatal(err)
}
s.ActivationToken = []byte(initToken)
go func() {
log.Fatal(s.ListenAndServe())
}()
cert, err := initAPICall(hostnames, string(csr))
if err != nil {
log.Fatal(err)
}
if err := ioutil.WriteFile(certFile, cert, 0644); err != nil {
log.Fatal(err)
}
log.Infof("Cert saved to %s\n", certFile)
// Remove server from activation state and initialize issued certificate.
s.ActivationToken = s.ActivationToken[:0]
tlsCert, err := tls.LoadX509KeyPair(certFile, keyFile)
if err != nil {
log.Fatal(err)
}
s.Config.Certificates = []tls.Certificate{tlsCert}
return s
}
func main() {
c, err := client.NewClientFromFile(certFile, keyFile, caFile)
if err != nil {
log.Fatal(err)
}
if err := testConnect(c, server); err != nil {
log.Fatal(err)
}
pubkeys, err := LoadPubKeysFromDir(pubkeyDir)
if err != nil {
log.Fatal(err)
}
privkeys := make([]*client.PrivateKey, len(pubkeys))
for i := range pubkeys {
var err error
if privkeys[i], err = c.RegisterPublicKey(server, pubkeys[i]); err != nil {
log.Fatal(err)
}
if err := testKey(privkeys[i]); err != nil {
log.Fatal(err)
}
}
log.Fatal(loadTest(func() error {
if err := testConnect(c, server); err != nil {
return err
}
for _, key := range privkeys {
if err := testKey(key); err != nil {
return err
}
}
return nil
}))
}
// Set up compatible server and client for use by tests.
func init() {
var err error
var pemBytes []byte
var p *pem.Block
var priv crypto.Signer
var pub crypto.PublicKey
log.Level = log.LevelFatal
s, err = server.NewServerFromFile(serverCert, serverKey, keylessCA, serverAddr, "")
if err != nil {
log.Fatal(err)
}
if pemBytes, err = ioutil.ReadFile(rsaPrivKey); err != nil {
log.Fatal(err)
}
p, _ = pem.Decode(pemBytes)
if priv, err = x509.ParsePKCS1PrivateKey(p.Bytes); err != nil {
log.Fatal(err)
}
if err = s.Keys.Add(nil, priv); err != nil {
log.Fatal(err)
}
if pemBytes, err = ioutil.ReadFile(ecdsaPrivKey); err != nil {
log.Fatal(err)
}
p, _ = pem.Decode(pemBytes)
if priv, err = x509.ParseECPrivateKey(p.Bytes); err != nil {
log.Fatal(err)
}
if err = s.Keys.Add(nil, priv); err != nil {
log.Fatal(err)
}
listening := make(chan bool)
go func() {
listening <- true
if err := s.ListenAndServe(); err != nil {
log.Fatal(err)
}
}()
<-listening
if c, err = client.NewClientFromFile(clientCert, clientKey, keyserverCA); err != nil {
log.Fatal(err)
}
if pemBytes, err = ioutil.ReadFile(rsaPubKey); err != nil {
log.Fatal(err)
}
p, _ = pem.Decode(pemBytes)
if pub, err = x509.ParsePKIXPublicKey(p.Bytes); err != nil {
log.Fatal(err)
}
if rsaKey, err = c.RegisterPublicKey(serverAddr, pub); err != nil {
log.Fatal(err)
}
if pemBytes, err = ioutil.ReadFile(ecdsaPubKey); err != nil {
log.Fatal(err)
}
p, _ = pem.Decode(pemBytes)
if pub, err = x509.ParsePKIXPublicKey(p.Bytes); err != nil {
log.Fatal(err)
}
if ecdsaKey, err = c.RegisterPublicKey(serverAddr, pub); err != nil {
log.Fatal(err)
}
}
func main() {
if initCert {
var hosts string
fmt.Print("Keyserver Hostnames/IPs (comma-seperated): ")
fmt.Scanln(&hosts)
csr, key, err := csr.ParseRequest(&csr.CertificateRequest{
CN: "Keyless Server Authentication Certificate",
Hosts: strings.Split(hosts, ","),
KeyRequest: &csr.KeyRequest{Algo: "ecdsa", Size: 384},
})
if err != nil {
log.Fatal(err)
}
if err := ioutil.WriteFile(keyFile, key, 0400); err != nil {
log.Fatal(err)
}
fmt.Printf("Key generated and saved to %s\n", keyFile)
fmt.Printf("Email this CSR to [email protected] for signing and save the resulting certificate to %s:\n", certFile)
fmt.Print(string(csr))
return
}
s, err := server.NewServerFromFile(certFile, keyFile, caFile,
net.JoinHostPort("", port), net.JoinHostPort("", metricsPort))
if err != nil {
log.Warningf("Could not create server. Run `gokeyless -init` to get %s and %s", keyFile, certFile)
log.Fatal(err)
}
if err := s.LoadKeysFromDir(keyDir, LoadKey); err != nil {
log.Fatal(err)
}
// Start server in background, then listen for SIGHUPs to reload keys.
go func() {
log.Fatal(s.ListenAndServe())
}()
if pidFile != "" {
if f, err := os.Create(pidFile); err != nil {
log.Errorf("error creating pid file: %v", err)
} else {
fmt.Fprintf(f, "%d", os.Getpid())
f.Close()
}
}
c := make(chan os.Signal, 1)
signal.Notify(c, syscall.SIGHUP)
for {
select {
case <-c:
log.Info("Received SIGHUP, reloading keys...")
if err := s.LoadKeysFromDir(keyDir, LoadKey); err != nil {
log.Fatal(err)
}
}
}
}
