示例#1
0
func GetCACertificate(endpoint *string) (*pkix.Certificate, error) {
	//logger.Info.Printf("Get CA Certificate")
	// ignore TLS. We will check the certificate fingerprint

	tr := &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}
	client := &http.Client{Transport: tr}

	res, err := client.Get(fmt.Sprintf("%s/v1/cert", *endpoint))
	if err != nil {
		return nil, fmt.Errorf("A problem occurred during communication with the Symbios CA. %s", err)
	}
	// read the response body and get it into certificate form
	defer res.Body.Close()
	data, err := ioutil.ReadAll(res.Body)
	if err != nil {
		return nil, fmt.Errorf("A problem occurred while reading the CA certificate from the Symbios CA. %s", err)
	}
	cert, err := pkix.NewCertificateFromPEM(data)
	if err != nil {
		return nil, fmt.Errorf("A problem occurred while converting the CA certificate from the Symbios CA. %s", err)
	}
	return cert, err
}
示例#2
0
func sendCSR(client *http.Client, csr []byte, token *string, endpoint *string) (*pkix.Certificate, error) {
	if csr == nil {
		return nil, fmt.Errorf("csr is nil")
	}
	if token == nil {
		return nil, fmt.Errorf("token is nil")
	}
	if endpoint == nil {
		return nil, fmt.Errorf("endpoint is nil")
	}

	// Execute a POST request to upload the provided CSR
	req, err := http.NewRequest("POST", fmt.Sprintf("%s/v1/csr", *endpoint), bytes.NewReader(csr))
	if err != nil {
		return nil, fmt.Errorf("Unable to form the HTTPS request. %s", err)
	}
	req.Header.Set("X-Auth-Token", *token)
	signTimeStart := time.Now()
	res, err := client.Do(req)
	logger.Info.Printf("[TIMER] [%s] Uploaded CSR and retrieved CRT.", time.Since(signTimeStart))
	if err != nil {
		return nil, fmt.Errorf("A problem occurred during communication with the Symbios CA. %s", err)
	}

	// read the response body and get it into certificate form
	logger.Info.Printf("CRT received: %d ", req.ContentLength)
	defer res.Body.Close()
	data, err := ioutil.ReadAll(res.Body)

	fmt.Println(res.Status)
	if res.Status != "200 OK" {
		return nil, fmt.Errorf(string(data))
	}

	if err != nil {
		return nil, fmt.Errorf("A problem occurred while reading the certificate from the Symbios CA.  %s", err)
	}

	cert, err := pkix.NewCertificateFromPEM(data)
	if err != nil {
		return nil, fmt.Errorf("A problem occurred while parsing the certificate from the Symbios CA. %s", err)
	}

	return cert, nil
}
示例#3
0
文件: ca.go 项目: dnascimento/symbios
func readUserCertificate(encodedUserKey string) (*pkix.Certificate, error) {
	if len(encodedUserKey) == 0 {
		return nil, errors.New("user key is required")
	}
	userCertificateBytes, err := b64.StdEncoding.DecodeString(encodedUserKey)
	if err != nil {
		logger.Error.Printf("failed to decode certificate: %s", err)
		return nil, err
	}

	// convert to KeyPair
	cert, err := pkix.NewCertificateFromPEM(userCertificateBytes)
	if err != nil {
		logger.Error.Printf("failed to create certificate: %s", err)
		return nil, err
	}
	return cert, nil
}
示例#4
0
func TestClient(t *testing.T) {
	logger.InitLogs(os.Stdout, os.Stdout, os.Stderr)

	keyLength := 2048
	hostname := "symbios"
	privateKeyPath := "id_test"
	expires := time.Now().AddDate(1, 0, 0).UTC()

	// generate private key
	userKeyBase64, _, _, err := NewUserKey(&hostname, keyLength, &expires, &privateKeyPath)
	if err != nil {
		t.Error(err)
	}
	pubKeyPath := privateKeyPath + ".crt"

	defer os.Remove(privateKeyPath)
	defer os.Remove(pubKeyPath)

	// compare generated public key and base64encoded key
	userKey, err := b64.StdEncoding.DecodeString(*userKeyBase64)
	if err != nil {
		t.Error(err)
	}

	rawCsr, err := ioutil.ReadFile(pubKeyPath)

	if !bytes.Equal(userKey, rawCsr) {
		t.Fail()
	}

	userCert, err := pkix.NewCertificateFromPEM(rawCsr)
	if err != nil {
		t.Error(err)
	}

	tokenExpires := time.Duration(time.Second * 10)

	// generate token using private key
	userToken, err := NewTokenUsingPrivateKeyFile(privateKeyPath, hostname, tokenExpires)
	if err != nil {
		t.Error(err)
	}

	if err := ca.ValidateToken(*userToken, userCert, &hostname); err != nil {
		t.Fatalf("Token validation failed: %s", err)
	}

	// replay attack
	if err := ca.ValidateToken(*userToken, userCert, &hostname); err == nil {
		t.Fatalf("Replay attack detection fail: %s", err)
	}

	// expired token
	tokenExpires = time.Duration(time.Second * 1)
	userToken, err = NewTokenUsingPrivateKeyFile(privateKeyPath, hostname, tokenExpires)
	if err != nil {
		t.Error(err)
	}
	time.Sleep(time.Duration(time.Second * 5))

	if err := ca.ValidateToken(*userToken, userCert, &hostname); err == nil {
		t.Fatalf("Expired token detection fail: %s", err)
	}

}