e75902ffbf
This second codepath is redundent, since tlsConfig.InsecureSkipVerify is assigned to earlier in that function body. In addition, there's no need to wrap the assignment in a check on that boolean value in this case. Signed-off-by: Paul Tagliamonte <paultag@gmail.com>
200 lines
4.8 KiB
Go
200 lines
4.8 KiB
Go
package utils
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"crypto/rsa"
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"crypto/x509/pkix"
|
|
"encoding/pem"
|
|
"io/ioutil"
|
|
"math/big"
|
|
"net"
|
|
"os"
|
|
"time"
|
|
)
|
|
|
|
func getTLSConfig(caCert, cert, key []byte, allowInsecure bool) (*tls.Config, error) {
|
|
// TLS config
|
|
var tlsConfig tls.Config
|
|
tlsConfig.InsecureSkipVerify = allowInsecure
|
|
certPool := x509.NewCertPool()
|
|
|
|
certPool.AppendCertsFromPEM(caCert)
|
|
tlsConfig.RootCAs = certPool
|
|
keypair, err := tls.X509KeyPair(cert, key)
|
|
if err != nil {
|
|
return &tlsConfig, err
|
|
}
|
|
tlsConfig.Certificates = []tls.Certificate{keypair}
|
|
|
|
return &tlsConfig, nil
|
|
}
|
|
|
|
func newCertificate(org string) (*x509.Certificate, error) {
|
|
now := time.Now()
|
|
// need to set notBefore slightly in the past to account for time
|
|
// skew in the VMs otherwise the certs sometimes are not yet valid
|
|
notBefore := time.Date(now.Year(), now.Month(), now.Day(), now.Hour(), now.Minute()-5, 0, 0, time.Local)
|
|
notAfter := notBefore.Add(time.Hour * 24 * 1080)
|
|
|
|
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
|
|
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return &x509.Certificate{
|
|
SerialNumber: serialNumber,
|
|
Subject: pkix.Name{
|
|
Organization: []string{org},
|
|
},
|
|
NotBefore: notBefore,
|
|
NotAfter: notAfter,
|
|
|
|
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageKeyAgreement,
|
|
BasicConstraintsValid: true,
|
|
}, nil
|
|
|
|
}
|
|
|
|
// GenerateCACertificate generates a new certificate authority from the specified org
|
|
// and bit size and stores the resulting certificate and key file
|
|
// in the arguments.
|
|
func GenerateCACertificate(certFile, keyFile, org string, bits int) error {
|
|
template, err := newCertificate(org)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
template.IsCA = true
|
|
template.KeyUsage |= x509.KeyUsageCertSign
|
|
template.KeyUsage |= x509.KeyUsageKeyEncipherment
|
|
template.KeyUsage |= x509.KeyUsageKeyAgreement
|
|
|
|
priv, err := rsa.GenerateKey(rand.Reader, bits)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
derBytes, err := x509.CreateCertificate(rand.Reader, template, template, &priv.PublicKey, priv)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
certOut, err := os.Create(certFile)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
|
|
certOut.Close()
|
|
|
|
keyOut, err := os.OpenFile(keyFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
|
|
if err != nil {
|
|
return err
|
|
|
|
}
|
|
|
|
pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
|
|
keyOut.Close()
|
|
|
|
return nil
|
|
}
|
|
|
|
// GenerateCert generates a new certificate signed using the provided
|
|
// certificate authority files and stores the result in the certificate
|
|
// file and key provided. The provided host names are set to the
|
|
// appropriate certificate fields.
|
|
func GenerateCert(hosts []string, certFile, keyFile, caFile, caKeyFile, org string, bits int) error {
|
|
template, err := newCertificate(org)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
// client
|
|
if len(hosts) == 1 && hosts[0] == "" {
|
|
template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
|
|
template.KeyUsage = x509.KeyUsageDigitalSignature
|
|
} else { // server
|
|
template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
|
|
for _, h := range hosts {
|
|
if ip := net.ParseIP(h); ip != nil {
|
|
template.IPAddresses = append(template.IPAddresses, ip)
|
|
} else {
|
|
template.DNSNames = append(template.DNSNames, h)
|
|
}
|
|
}
|
|
}
|
|
|
|
tlsCert, err := tls.LoadX509KeyPair(caFile, caKeyFile)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
priv, err := rsa.GenerateKey(rand.Reader, bits)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
x509Cert, err := x509.ParseCertificate(tlsCert.Certificate[0])
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
derBytes, err := x509.CreateCertificate(rand.Reader, template, x509Cert, &priv.PublicKey, tlsCert.PrivateKey)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
certOut, err := os.Create(certFile)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
|
|
certOut.Close()
|
|
|
|
keyOut, err := os.OpenFile(keyFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
|
|
keyOut.Close()
|
|
|
|
return nil
|
|
}
|
|
|
|
func ValidateCertificate(addr, caCertPath, serverCertPath, serverKeyPath string) (bool, error) {
|
|
caCert, err := ioutil.ReadFile(caCertPath)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
|
|
serverCert, err := ioutil.ReadFile(serverCertPath)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
|
|
serverKey, err := ioutil.ReadFile(serverKeyPath)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
|
|
tlsConfig, err := getTLSConfig(caCert, serverCert, serverKey, false)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
|
|
dialer := &net.Dialer{
|
|
Timeout: time.Second * 2,
|
|
}
|
|
|
|
_, err = tls.DialWithDialer(dialer, "tcp", addr, tlsConfig)
|
|
if err != nil {
|
|
return false, nil
|
|
}
|
|
|
|
return true, nil
|
|
}
|