libmachine/ssh/keys.go

package ssh

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"os"
	"runtime"

	gossh "golang.org/x/crypto/ssh"
)

var (
	ErrKeyGeneration     = errors.New("Unable to generate key")
	ErrValidation        = errors.New("Unable to validate key")
	ErrPublicKey         = errors.New("Unable to convert public key")
	ErrUnableToWriteFile = errors.New("Unable to write file")
)

type KeyPair struct {
	PrivateKey []byte
	PublicKey  []byte
}

// NewKeyPair generates a new SSH keypair
// This will return a private & public key encoded as DER.
func NewKeyPair() (keyPair *KeyPair, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, ErrKeyGeneration
	}

	if err := priv.Validate(); err != nil {
		return nil, ErrValidation
	}

	privDer := x509.MarshalPKCS1PrivateKey(priv)

	pubSSH, err := gossh.NewPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, ErrPublicKey
	}

	return &KeyPair{
		PrivateKey: privDer,
		PublicKey:  gossh.MarshalAuthorizedKey(pubSSH),
	}, nil
}

// WriteToFile writes keypair to files
func (kp *KeyPair) WriteToFile(privateKeyPath string, publicKeyPath string) error {
	files := []struct {
		File  string
		Type  string
		Value []byte
	}{
		{
			File:  privateKeyPath,
			Value: pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Headers: nil, Bytes: kp.PrivateKey}),
		},
		{
			File:  publicKeyPath,
			Value: kp.PublicKey,
		},
	}

	for _, v := range files {
		f, err := os.Create(v.File)
		if err != nil {
			return ErrUnableToWriteFile
		}

		if _, err := f.Write(v.Value); err != nil {
			return ErrUnableToWriteFile
		}

		// windows does not support chmod
		switch runtime.GOOS {
		case "darwin", "linux":
			if err := f.Chmod(0600); err != nil {
				return err
			}
		}
	}

	return nil
}

// Fingerprint calculates the fingerprint of the public key
func (kp *KeyPair) Fingerprint() string {
	b, _ := base64.StdEncoding.DecodeString(string(kp.PublicKey))
	h := md5.New()

	io.WriteString(h, string(b))

	return fmt.Sprintf("%x", h.Sum(nil))
}

// GenerateSSHKey generates SSH keypair based on path of the private key
// The public key would be generated to the same path with ".pub" added
func GenerateSSHKey(path string) error {
	if _, err := os.Stat(path); err != nil {
		if !os.IsNotExist(err) {
			return fmt.Errorf("Desired directory for SSH keys does not exist: %s", err)
		}

		kp, err := NewKeyPair()
		if err != nil {
			return fmt.Errorf("Error generating key pair: %s", err)
		}

		if err := kp.WriteToFile(path, fmt.Sprintf("%s.pub", path)); err != nil {
			return fmt.Errorf("Error writing keys to file(s): %s", err)
		}
	}

	return nil
}
Add SSH key generation Signed-off-by: Simon Thulbourn <simon+github@thulbourn.com> 2015-03-26 12:31:34 +00:00			`package ssh`

			`import (`
			`"crypto/md5"`
			`"crypto/rand"`
			`"crypto/rsa"`
			`"crypto/x509"`
			`"encoding/base64"`
			`"encoding/pem"`
			`"errors"`
			`"fmt"`
			`"io"`
			`"os"`
fix ssh key gen bug windows Signed-off-by: Evan Hazlett <ejhazlett@gmail.com> 2015-04-10 10:35:25 -04:00			`"runtime"`
Add SSH key generation Signed-off-by: Simon Thulbourn <simon+github@thulbourn.com> 2015-03-26 12:31:34 +00:00
			`gossh "golang.org/x/crypto/ssh"`
			`)`

			`var (`
			`ErrKeyGeneration = errors.New("Unable to generate key")`
			`ErrValidation = errors.New("Unable to validate key")`
			`ErrPublicKey = errors.New("Unable to convert public key")`
			`ErrUnableToWriteFile = errors.New("Unable to write file")`
			`)`

			`type KeyPair struct {`
			`PrivateKey []byte`
			`PublicKey []byte`
			`}`

Lint, step 1 The easy stuff Signed-off-by: Olivier Gambier <olivier@docker.com> 2015-11-04 14:11:36 -08:00			`// NewKeyPair generates a new SSH keypair`
Add SSH key generation Signed-off-by: Simon Thulbourn <simon+github@thulbourn.com> 2015-03-26 12:31:34 +00:00			`// This will return a private & public key encoded as DER.`
			`func NewKeyPair() (keyPair *KeyPair, err error) {`
			`priv, err := rsa.GenerateKey(rand.Reader, 2048)`
			`if err != nil {`
			`return nil, ErrKeyGeneration`
			`}`

			`if err := priv.Validate(); err != nil {`
			`return nil, ErrValidation`
			`}`

			`privDer := x509.MarshalPKCS1PrivateKey(priv)`

			`pubSSH, err := gossh.NewPublicKey(&priv.PublicKey)`
			`if err != nil {`
			`return nil, ErrPublicKey`
			`}`

			`return &KeyPair{`
			`PrivateKey: privDer,`
			`PublicKey: gossh.MarshalAuthorizedKey(pubSSH),`
			`}, nil`
			`}`

Lint, step 1 The easy stuff Signed-off-by: Olivier Gambier <olivier@docker.com> 2015-11-04 14:11:36 -08:00			`// WriteToFile writes keypair to files`
Add SSH key generation Signed-off-by: Simon Thulbourn <simon+github@thulbourn.com> 2015-03-26 12:31:34 +00:00			`func (kp *KeyPair) WriteToFile(privateKeyPath string, publicKeyPath string) error {`
			`files := []struct {`
			`File string`
			`Type string`
			`Value []byte`
			`}{`
			`{`
			`File: privateKeyPath,`
Fix vet errors and enforce vet on travis Signed-off-by: Olivier Gambier <olivier@docker.com> 2015-09-19 16:09:44 -07:00			`Value: pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Headers: nil, Bytes: kp.PrivateKey}),`
Add SSH key generation Signed-off-by: Simon Thulbourn <simon+github@thulbourn.com> 2015-03-26 12:31:34 +00:00			`},`
			`{`
			`File: publicKeyPath,`
			`Value: kp.PublicKey,`
			`},`
			`}`

			`for _, v := range files {`
			`f, err := os.Create(v.File)`
			`if err != nil {`
			`return ErrUnableToWriteFile`
			`}`

			`if _, err := f.Write(v.Value); err != nil {`
			`return ErrUnableToWriteFile`
			`}`

fix ssh key gen bug windows Signed-off-by: Evan Hazlett <ejhazlett@gmail.com> 2015-04-10 10:35:25 -04:00			`// windows does not support chmod`
			`switch runtime.GOOS {`
			`case "darwin", "linux":`
			`if err := f.Chmod(0600); err != nil {`
			`return err`
			`}`
Add SSH key generation Signed-off-by: Simon Thulbourn <simon+github@thulbourn.com> 2015-03-26 12:31:34 +00:00			`}`
			`}`

			`return nil`
			`}`

Lint, step 1 The easy stuff Signed-off-by: Olivier Gambier <olivier@docker.com> 2015-11-04 14:11:36 -08:00			`// Fingerprint calculates the fingerprint of the public key`
Add SSH key generation Signed-off-by: Simon Thulbourn <simon+github@thulbourn.com> 2015-03-26 12:31:34 +00:00			`func (kp *KeyPair) Fingerprint() string {`
			`b, _ := base64.StdEncoding.DecodeString(string(kp.PublicKey))`
			`h := md5.New()`

			`io.WriteString(h, string(b))`

			`return fmt.Sprintf("%x", h.Sum(nil))`
			`}`

Lint, step 1 The easy stuff Signed-off-by: Olivier Gambier <olivier@docker.com> 2015-11-04 14:11:36 -08:00			`// GenerateSSHKey generates SSH keypair based on path of the private key`
Add SSH key generation Signed-off-by: Simon Thulbourn <simon+github@thulbourn.com> 2015-03-26 12:31:34 +00:00			`// The public key would be generated to the same path with ".pub" added`
			`func GenerateSSHKey(path string) error {`
			`if _, err := os.Stat(path); err != nil {`
			`if !os.IsNotExist(err) {`
Make libmachine usable by outside world - Clear out some cruft tightly coupling libmachine to filestore - Comment out drivers other than virtualbox for now - Change way too many things - Mostly, break out the code to be more modular. - Destroy all traces of "provider" in its current form. It will be brought back as something more sensible, instead of something which overlaps in function with both Host and Store. - Fix mis-managed config passthru - Remove a few instances of state stored in env vars - This should be explicitly communicated in Go-land, not through the shell. - Rename "store" module to "persist" - This is done mostly to avoid confusion about the fact that a concrete instance of a "Store" interface is oftentimes referred to as "store" in the code. - Rip out repetitive antipattern for getting store - This replaces the previous repetive idiom for getting the cert info, and consequently the store, with a much less repetitive idiom. - Also, some redundant methods in commands.go for accessing hosts have either been simplified or removed entirely. - First steps towards fixing up tests - Test progress continues - Replace unit tests with integration tests - MAKE ALL UNIT TESTS PASS YAY - Add helper test files - Don't write to disk in libmachine/host - Heh.. coverage check strikes again - Fix remove code - Move cert code around - Continued progress: simplify Driver - Fixups and make creation work with new model - Move drivers module inside of libmachine - Move ssh module inside of libmachine - Move state module to libmachine - Move utils module to libmachine - Move version module to libmachine - Move log module to libmachine - Modify some constructor methods around - Change Travis build dep structure - Boring gofmt fix - Add version module - Move NewHost to store - Update some boring cert path infos to make API easier to use - Fix up some issues around the new model - Clean up some cert path stuff - Don't use shady functions to get store path :D - Continue artifact work - Fix silly machines dir bug - Continue fixing silly path issues - Change up output of vbm a bit - Continue work to make example go - Change output a little more - Last changes needed to make create finish properly - Fix config.go to use libmachine - Cut down code duplication and make both methods work with libmachine - Add pluggable logging implementation - Return error when machine already in desired state - Update example to show log method - Fix file:// bug - Fix Swarm defaults - Remove unused TLS settings from Engine and Swarm options - Remove spurious error - Correct bug detecting if migration was performed - Fix compilation errors from tests - Fix most of remaining test issues - Fix final silly bug in tests - Remove extraneous debug code - Add -race to test command - Appease the gofmt - Appease the generate coverage - Making executive decision to remove Travis coverage check In the early days I thought this would be a good idea because it would encourage people to write tests in case they added a new module. Well, in fact it has just turned into a giant nuisance and made refactoring work like this even more difficult. - Move Get to Load - Move HostListItem code to CLI Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com> 2015-08-18 11:26:42 +09:00			`return fmt.Errorf("Desired directory for SSH keys does not exist: %s", err)`
Add SSH key generation Signed-off-by: Simon Thulbourn <simon+github@thulbourn.com> 2015-03-26 12:31:34 +00:00			`}`

			`kp, err := NewKeyPair()`
			`if err != nil {`
Make libmachine usable by outside world - Clear out some cruft tightly coupling libmachine to filestore - Comment out drivers other than virtualbox for now - Change way too many things - Mostly, break out the code to be more modular. - Destroy all traces of "provider" in its current form. It will be brought back as something more sensible, instead of something which overlaps in function with both Host and Store. - Fix mis-managed config passthru - Remove a few instances of state stored in env vars - This should be explicitly communicated in Go-land, not through the shell. - Rename "store" module to "persist" - This is done mostly to avoid confusion about the fact that a concrete instance of a "Store" interface is oftentimes referred to as "store" in the code. - Rip out repetitive antipattern for getting store - This replaces the previous repetive idiom for getting the cert info, and consequently the store, with a much less repetitive idiom. - Also, some redundant methods in commands.go for accessing hosts have either been simplified or removed entirely. - First steps towards fixing up tests - Test progress continues - Replace unit tests with integration tests - MAKE ALL UNIT TESTS PASS YAY - Add helper test files - Don't write to disk in libmachine/host - Heh.. coverage check strikes again - Fix remove code - Move cert code around - Continued progress: simplify Driver - Fixups and make creation work with new model - Move drivers module inside of libmachine - Move ssh module inside of libmachine - Move state module to libmachine - Move utils module to libmachine - Move version module to libmachine - Move log module to libmachine - Modify some constructor methods around - Change Travis build dep structure - Boring gofmt fix - Add version module - Move NewHost to store - Update some boring cert path infos to make API easier to use - Fix up some issues around the new model - Clean up some cert path stuff - Don't use shady functions to get store path :D - Continue artifact work - Fix silly machines dir bug - Continue fixing silly path issues - Change up output of vbm a bit - Continue work to make example go - Change output a little more - Last changes needed to make create finish properly - Fix config.go to use libmachine - Cut down code duplication and make both methods work with libmachine - Add pluggable logging implementation - Return error when machine already in desired state - Update example to show log method - Fix file:// bug - Fix Swarm defaults - Remove unused TLS settings from Engine and Swarm options - Remove spurious error - Correct bug detecting if migration was performed - Fix compilation errors from tests - Fix most of remaining test issues - Fix final silly bug in tests - Remove extraneous debug code - Add -race to test command - Appease the gofmt - Appease the generate coverage - Making executive decision to remove Travis coverage check In the early days I thought this would be a good idea because it would encourage people to write tests in case they added a new module. Well, in fact it has just turned into a giant nuisance and made refactoring work like this even more difficult. - Move Get to Load - Move HostListItem code to CLI Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com> 2015-08-18 11:26:42 +09:00			`return fmt.Errorf("Error generating key pair: %s", err)`
Add SSH key generation Signed-off-by: Simon Thulbourn <simon+github@thulbourn.com> 2015-03-26 12:31:34 +00:00			`}`

			`if err := kp.WriteToFile(path, fmt.Sprintf("%s.pub", path)); err != nil {`
Make libmachine usable by outside world - Clear out some cruft tightly coupling libmachine to filestore - Comment out drivers other than virtualbox for now - Change way too many things - Mostly, break out the code to be more modular. - Destroy all traces of "provider" in its current form. It will be brought back as something more sensible, instead of something which overlaps in function with both Host and Store. - Fix mis-managed config passthru - Remove a few instances of state stored in env vars - This should be explicitly communicated in Go-land, not through the shell. - Rename "store" module to "persist" - This is done mostly to avoid confusion about the fact that a concrete instance of a "Store" interface is oftentimes referred to as "store" in the code. - Rip out repetitive antipattern for getting store - This replaces the previous repetive idiom for getting the cert info, and consequently the store, with a much less repetitive idiom. - Also, some redundant methods in commands.go for accessing hosts have either been simplified or removed entirely. - First steps towards fixing up tests - Test progress continues - Replace unit tests with integration tests - MAKE ALL UNIT TESTS PASS YAY - Add helper test files - Don't write to disk in libmachine/host - Heh.. coverage check strikes again - Fix remove code - Move cert code around - Continued progress: simplify Driver - Fixups and make creation work with new model - Move drivers module inside of libmachine - Move ssh module inside of libmachine - Move state module to libmachine - Move utils module to libmachine - Move version module to libmachine - Move log module to libmachine - Modify some constructor methods around - Change Travis build dep structure - Boring gofmt fix - Add version module - Move NewHost to store - Update some boring cert path infos to make API easier to use - Fix up some issues around the new model - Clean up some cert path stuff - Don't use shady functions to get store path :D - Continue artifact work - Fix silly machines dir bug - Continue fixing silly path issues - Change up output of vbm a bit - Continue work to make example go - Change output a little more - Last changes needed to make create finish properly - Fix config.go to use libmachine - Cut down code duplication and make both methods work with libmachine - Add pluggable logging implementation - Return error when machine already in desired state - Update example to show log method - Fix file:// bug - Fix Swarm defaults - Remove unused TLS settings from Engine and Swarm options - Remove spurious error - Correct bug detecting if migration was performed - Fix compilation errors from tests - Fix most of remaining test issues - Fix final silly bug in tests - Remove extraneous debug code - Add -race to test command - Appease the gofmt - Appease the generate coverage - Making executive decision to remove Travis coverage check In the early days I thought this would be a good idea because it would encourage people to write tests in case they added a new module. Well, in fact it has just turned into a giant nuisance and made refactoring work like this even more difficult. - Move Get to Load - Move HostListItem code to CLI Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com> 2015-08-18 11:26:42 +09:00			`return fmt.Errorf("Error writing keys to file(s): %s", err)`
Add SSH key generation Signed-off-by: Simon Thulbourn <simon+github@thulbourn.com> 2015-03-26 12:31:34 +00:00			`}`
			`}`

			`return nil`
			`}`