// NewUserKey generates a new user RSA key, stores it in disk and returns its base64 encoding func NewUserKey(username *string, keyLength int, expires *time.Time, out *string) (*string, *pkix.Certificate, *pkix.Key, error) { //logger.Info.Printf("New User Key: %d bits, user: %s", keyLength, *username) // generate keys keys, err := pkix.CreateRSAKey(keyLength) if err != nil { return nil, nil, nil, fmt.Errorf("Failed to create key: %s", err) } // create user self-signed certificate userCert, err := pkix.CreateUserCertificate(keys, *username, *expires) if out != nil { if err := keys.SavePrivate(out); err != nil { return nil, nil, nil, fmt.Errorf("failed to write private key: %s", err) } certOut := (*out) + ".crt" if err := userCert.Save(&certOut); err != nil { return nil, nil, nil, fmt.Errorf("failed to write public key certificate: %s", err) } } // encode public key encodedCertificate, err := userCert.EncodeBase64() if err != nil { return nil, nil, nil, fmt.Errorf("failed to encode user certificate: %s", err) } return encodedCertificate, userCert, keys, nil }
//AuthenticateAndSave generates a key, creates a CSR, sends to CA and stores the generated private key and certificate func AuthenticateAndSave(endpoint, token, keyOut, crtOut, caCertOut *string, keysize int, cn, ip, domain, organization, country *string, caCertificateHash *[]byte) error { key, err := pkix.CreateRSAKey(keysize) if err != nil { logger.Error.Printf("Unable to generate keys. %s", err) return err } ipListArray, domainListArray, err := util.GetHostnameAndIp() if err != nil { return fmt.Errorf("Unable to obtain hostname and ip: %s", err) } ipList := util.ListToString(ipListArray, *ip) domainList := util.ListToString(domainListArray, *domain) logger.Info.Printf("Register Cert with: %s ; %s", *domainList, *ipList) certProp := CertificateProperties{ name: *cn, ip_list: *ipList, domain_list: *domainList, organization: *organization, country: *country, } logger.Info.Println(certProp) cert, err := Authenticate(endpoint, token, key, &certProp, caCertificateHash) if err != nil { return fmt.Errorf("Unable to authenticate. %s", err) } if err := key.SavePrivate(keyOut); err != nil { return fmt.Errorf("Unable to save key: %s", err) } if err := cert.Save(crtOut); err != nil { return fmt.Errorf("Unable to save certificate: %s", err) } caCert, err := GetCACertificate(endpoint) if err != nil { return fmt.Errorf("Unable to get CA Certificate. %s", err) } if err := caCert.Save(caCertOut); err != nil { return fmt.Errorf("Unable to save CA certificate: %s", err) } return nil }
//NewRootCertificate creates a new certificate authority root certificate func NewRootCertificate(keylength int, expires time.Time, organization, country string) (*pkix.Key, *pkix.Certificate, *pkix.CertificateAuthorityInfo, error) { cKey, err := pkix.CreateRSAKey(keylength) if err != nil { logger.Error.Printf("Failed to create root key pair: %s", err) return nil, nil, nil, err } caKey = cKey caCertificate, caInfo, err = pkix.CreateCertificateAuthority(caKey, expires, organization, country) if err != nil { logger.Error.Printf("Failed to create certificate authority: %s", err) return nil, nil, nil, err } return caKey, caCertificate, caInfo, nil }
//CreateHTTPSKeys generates a key-pair signed by the CA to be used in its HTTPS server func CreateHTTPSKeys(outKey, outCert *string) error { logger.Info.Println("Creating https key") keyLength := 4096 // create keys keys, err := pkix.CreateRSAKey(keyLength) if err != nil { return err } caIPList, caDomainList, err = util.GetHostnameAndIp() // create csr name := "ca" ipListStr := util.ListToString(caIPList, "") domainListStr := util.ListToString(caDomainList, "") organization := "symbios" country := "PT-PT" ttl := 2 // years logger.Info.Printf("HTTPS Cert with: %s ; %s", *domainListStr, *ipListStr) csr, err := pkix.CreateCertificateSigningRequest(keys, name, *ipListStr, *domainListStr, organization, country) if err != nil { return err } certificate, err := pkix.CreateCertificateHost(caCertificate, caInfo, caKey, csr, ttl) if err := keys.SavePrivate(outKey); err != nil { return fmt.Errorf("Unable to save https key: %s", err) } if err := certificate.Save(outCert); err != nil { return fmt.Errorf("Unable to save https certificate: %s", err) } return nil }
func TestContainer(t *testing.T) { logger.InitLogs(os.Stdout, os.Stdout, os.Stderr) // create root keys keysize := 2048 key, err := pkix.CreateRSAKey(keysize) if err != nil { t.Fatal("Unable to generate keys.", err) } // start CA keylength := 4098 organization := "org" country := "PT-PT" expiresDays := 10 expires := time.Now().AddDate(0, 0, expiresDays).UTC() _, caCert, _, err := ca.NewRootCertificate(keylength, expires, organization, country) caFingerprint, err := caCert.Fingerprint() if err != nil { t.Fatal("Unable to generate keys.", err) } // add user to CA keyLength := 2048 username := "******" userExpires := time.Now().AddDate(1, 0, 0).UTC() // generate private key _, userCert, userPrivateKey, err := client.NewUserKey(&username, keyLength, &userExpires, nil) if err != nil { t.Error(err) } ca.SetUserCertificate(userCert) userPrivateKeyBytes, err := userPrivateKey.ExportPrivate() if err != nil { t.Error(err) } tokenExpires := time.Duration(time.Second * 20) token, err := client.NewToken(userPrivateKeyBytes, username, tokenExpires) if err != nil { t.Error(err) } //setup mockHTTPServer ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { // /cert if r.URL.String() == "/v1/cert" { ca.HandleCertRequest(w, r) } if r.URL.String() == "/v1/csr" { ca.HandleCSR(w, r) } })) defer ts.Close() fmt.Println(ts.URL) certProp := CertificateProperties{ name: "Tommy", ip_list: "192.168.1.1", domain_list: "symbios", organization: "symbios", country: "US", } _, err = Authenticate(&ts.URL, token, key, &certProp, &caFingerprint) if err != nil { t.Fatalf("Unable to authenticate.", err) } }