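// Authenticate fetches the CA certificate from endpoint, pins it against
// caCertificateHash, builds a CSR from containerKey and certProp, and submits
// the CSR together with token to the CA over TLS that trusts only the pinned
// CA certificate. It returns the certificate the CA signed.
//
// endpoint and certProp must be non-nil (both are dereferenced here). Any
// failure while fetching, verifying, building the CSR, PEM-encoding it or
// sending it is returned as an error and no certificate is returned.
func Authenticate(endpoint *string, token *string, containerKey *pkix.Key, certProp *CertificateProperties, caCertificateHash *[]byte) (*pkix.Certificate, error) {
	if endpoint == nil || certProp == nil {
		return nil, fmt.Errorf("Authenticate: endpoint and certificate properties are required")
	}
	logger.Info.Printf("Authenticating token on CA %s", *endpoint)

	caCertificate, err := GetCACertificate(endpoint)
	if err != nil {
		return nil, err
	}
	// Pin the fetched CA certificate to the out-of-band fingerprint before it
	// is trusted for anything; keep the underlying cause for diagnostics.
	if err := caCertificate.VerifyFingerprint(caCertificateHash); err != nil {
		return nil, fmt.Errorf("Invalid CA certificate: %w", err)
	}

	// Build a CertPool holding only the verified CA certificate.
	rawCaCert, err := caCertificate.Export()
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(rawCaCert) {
		// An empty pool would make every handshake fail with an opaque
		// verification error later; report the real cause here instead.
		return nil, fmt.Errorf("Invalid CA certificate: not parseable as PEM")
	}

	// Generate a CSR for the container key and PEM-encode it.
	csr, err := pkix.CreateCertificateSigningRequest(containerKey, certProp.name, certProp.ip_list, certProp.domain_list, certProp.organization, certProp.country)
	if err != nil {
		return nil, err
	}
	pemCSR, err := csr.Export()
	if err != nil {
		return nil, err
	}

	// TLS client is MANDATORY to avoid attacks: the token and CSR must only
	// reach the pinned CA, so the transport trusts nothing but pool and
	// refuses pre-1.2 protocol versions.
	client := &http.Client{
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{
				RootCAs:    pool,
				MinVersion: tls.VersionTLS12,
			},
			DisableCompression: true,
		},
	}

	// Fetch a signed certificate.
	crt, err := sendCSR(client, pemCSR, token, endpoint)
	if err != nil {
		return nil, err
	}
	return crt, nil
}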
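// CreateHTTPSKeys generates a key-pair signed by the CA to be used in its HTTPS server.
//
// A 4096-bit RSA key is created and saved to outKey; a certificate for it,
// issued with the package-level caCertificate, caInfo and caKey, is saved to
// outCert. The subject's IP and domain lists come from
// util.GetHostnameAndIp, which also updates the package-level caIPList and
// caDomainList. Every step's error is returned; nothing is written to disk
// unless key generation and certificate issuance both succeeded.
func CreateHTTPSKeys(outKey, outCert *string) error {
	logger.Info.Println("Creating https key")

	const keyLength = 4096
	keys, err := pkix.CreateRSAKey(keyLength)
	if err != nil {
		return err
	}

	// Plain assignment (not :=) so the package-level lists are updated.
	caIPList, caDomainList, err = util.GetHostnameAndIp()
	if err != nil {
		return fmt.Errorf("Unable to determine hostname and ip: %w", err)
	}

	// Build the CSR for this host.
	name := "ca"
	ipListStr := util.ListToString(caIPList, "")
	domainListStr := util.ListToString(caDomainList, "")
	organization := "symbios"
	country := "PT-PT"
	ttl := 2 // years (per the original author; the unit is defined by pkix.CreateCertificateHost)
	logger.Info.Printf("HTTPS Cert with: %s ; %s", *domainListStr, *ipListStr)
	csr, err := pkix.CreateCertificateSigningRequest(keys, name, *ipListStr, *domainListStr, organization, country)
	if err != nil {
		return err
	}

	// Issue the certificate with the CA; a nil certificate must never reach Save.
	certificate, err := pkix.CreateCertificateHost(caCertificate, caInfo, caKey, csr, ttl)
	if err != nil {
		return fmt.Errorf("Unable to create https certificate: %w", err)
	}

	if err := keys.SavePrivate(outKey); err != nil {
		return fmt.Errorf("Unable to save https key: %w", err)
	}
	if err := certificate.Save(outCert); err != nil {
		return fmt.Errorf("Unable to save https certificate: %w", err)
	}
	return nil
}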