func initializeServer() *server.Server {
var hosts string
fmt.Print("Keyserver Hostnames/IPs (comma-seperated): ")
fmt.Scanln(&hosts)
hostnames := strings.Split(hosts, ",")
csr, key, err := csr.ParseRequest(&csr.CertificateRequest{
CN: "Keyless Server Authentication Certificate",
Hosts: hostnames,
KeyRequest: &csr.BasicKeyRequest{
A: "ecdsa",
S: 384,
},
})
if err != nil {
log.Fatal(err)
}
if err := ioutil.WriteFile(keyFile, key, 0400); err != nil {
log.Fatal(err)
}
log.Infof("Key generated and saved to %s\n", keyFile)
log.Info("Server entering initialization state")
s, err := server.NewServerFromFile(initCertFile, initKeyFile, caFile,
net.JoinHostPort("", port), net.JoinHostPort("", metricsPort))
if err != nil {
log.Fatal(err)
}
s.ActivationToken = []byte(initToken)
go func() {
log.Fatal(s.ListenAndServe())
}()
cert, err := initAPICall(hostnames, string(csr))
if err != nil {
log.Fatal(err)
}
if err := ioutil.WriteFile(certFile, cert, 0644); err != nil {
log.Fatal(err)
}
log.Infof("Cert saved to %s\n", certFile)
// Remove server from activation state and initialize issued certificate.
s.ActivationToken = s.ActivationToken[:0]
tlsCert, err := tls.LoadX509KeyPair(certFile, keyFile)
if err != nil {
log.Fatal(err)
}
s.Config.Certificates = []tls.Certificate{tlsCert}
return s
}
func main() {
var s *server.Server
if initToken != "" {
s = initializeServer()
} else {
s, err := server.NewServerFromFile(certFile, keyFile, caFile,
net.JoinHostPort("", port), net.JoinHostPort("", metricsPort))
if err != nil {
log.Warningf("Could not create server. Run with `gokeyless -init-token=XXX` to get %s and %s", keyFile, certFile)
log.Fatal(err)
}
if err := s.LoadKeysFromDir(keyDir, LoadKey); err != nil {
log.Fatal(err)
}
// Start server in background, then listen for SIGHUPs to reload keys.
go func() {
log.Fatal(s.ListenAndServe())
}()
}
if pidFile != "" {
if f, err := os.Create(pidFile); err != nil {
log.Errorf("error creating pid file: %v", err)
} else {
fmt.Fprintf(f, "%d", os.Getpid())
f.Close()
}
}
c := make(chan os.Signal, 1)
signal.Notify(c, syscall.SIGHUP)
for {
select {
case <-c:
log.Info("Received SIGHUP, reloading keys...")
if err := s.LoadKeysFromDir(keyDir, LoadKey); err != nil {
log.Fatal(err)
}
}
}
}
func main() {
var logOut io.Writer
if silent {
logOut = ioutil.Discard
} else {
logOut = os.Stdout
}
s, err := server.NewServerFromFile(certFile, keyFile, caFile, net.JoinHostPort("", port), logOut)
if err != nil {
log.Fatal(err)
}
keys, err := LoadKeysFromDir(keyDir)
if err != nil {
log.Fatal(err)
}
for _, key := range keys {
s.RegisterKey(key)
}
log.Fatal(s.ListenAndServe())
}
// Set up compatible server and client for use by tests.
func init() {
var err error
var pemBytes []byte
var p *pem.Block
var priv crypto.Signer
var pub crypto.PublicKey
log.Level = log.LevelFatal
s, err = server.NewServerFromFile(serverCert, serverKey, keylessCA, serverAddr, "")
if err != nil {
log.Fatal(err)
}
if pemBytes, err = ioutil.ReadFile(rsaPrivKey); err != nil {
log.Fatal(err)
}
p, _ = pem.Decode(pemBytes)
if priv, err = x509.ParsePKCS1PrivateKey(p.Bytes); err != nil {
log.Fatal(err)
}
if err = s.Keys.Add(nil, priv); err != nil {
log.Fatal(err)
}
if pemBytes, err = ioutil.ReadFile(ecdsaPrivKey); err != nil {
log.Fatal(err)
}
p, _ = pem.Decode(pemBytes)
if priv, err = x509.ParseECPrivateKey(p.Bytes); err != nil {
log.Fatal(err)
}
if err = s.Keys.Add(nil, priv); err != nil {
log.Fatal(err)
}
listening := make(chan bool)
go func() {
listening <- true
if err := s.ListenAndServe(); err != nil {
log.Fatal(err)
}
}()
<-listening
if c, err = client.NewClientFromFile(clientCert, clientKey, keyserverCA); err != nil {
log.Fatal(err)
}
if pemBytes, err = ioutil.ReadFile(rsaPubKey); err != nil {
log.Fatal(err)
}
p, _ = pem.Decode(pemBytes)
if pub, err = x509.ParsePKIXPublicKey(p.Bytes); err != nil {
log.Fatal(err)
}
if rsaKey, err = c.RegisterPublicKey(serverAddr, pub); err != nil {
log.Fatal(err)
}
if pemBytes, err = ioutil.ReadFile(ecdsaPubKey); err != nil {
log.Fatal(err)
}
p, _ = pem.Decode(pemBytes)
if pub, err = x509.ParsePKIXPublicKey(p.Bytes); err != nil {
log.Fatal(err)
}
if ecdsaKey, err = c.RegisterPublicKey(serverAddr, pub); err != nil {
log.Fatal(err)
}
}
func main() {
if initCert {
var hosts string
fmt.Print("Keyserver Hostnames/IPs (comma-seperated): ")
fmt.Scanln(&hosts)
csr, key, err := csr.ParseRequest(&csr.CertificateRequest{
CN: "Keyless Server Authentication Certificate",
Hosts: strings.Split(hosts, ","),
KeyRequest: &csr.KeyRequest{Algo: "ecdsa", Size: 384},
})
if err != nil {
log.Fatal(err)
}
if err := ioutil.WriteFile(keyFile, key, 0400); err != nil {
log.Fatal(err)
}
fmt.Printf("Key generated and saved to %s\n", keyFile)
fmt.Printf("Email this CSR to [email protected] for signing and save the resulting certificate to %s:\n", certFile)
fmt.Print(string(csr))
return
}
s, err := server.NewServerFromFile(certFile, keyFile, caFile,
net.JoinHostPort("", port), net.JoinHostPort("", metricsPort))
if err != nil {
log.Warningf("Could not create server. Run `gokeyless -init` to get %s and %s", keyFile, certFile)
log.Fatal(err)
}
if err := s.LoadKeysFromDir(keyDir, LoadKey); err != nil {
log.Fatal(err)
}
// Start server in background, then listen for SIGHUPs to reload keys.
go func() {
log.Fatal(s.ListenAndServe())
}()
if pidFile != "" {
if f, err := os.Create(pidFile); err != nil {
log.Errorf("error creating pid file: %v", err)
} else {
fmt.Fprintf(f, "%d", os.Getpid())
f.Close()
}
}
c := make(chan os.Signal, 1)
signal.Notify(c, syscall.SIGHUP)
for {
select {
case <-c:
log.Info("Received SIGHUP, reloading keys...")
if err := s.LoadKeysFromDir(keyDir, LoadKey); err != nil {
log.Fatal(err)
}
}
}
}
