/
cert.go
117 lines (102 loc) · 2.75 KB
/
cert.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
package serve
import (
"crypto"
"crypto/tls"
"crypto/x509"
"errors"
"fmt"
"os"
"time"
"github.com/IPA-CyberLab/kmgm/cli"
"github.com/IPA-CyberLab/kmgm/cli/issue"
"github.com/IPA-CyberLab/kmgm/cli/serve/authprofile"
"github.com/IPA-CyberLab/kmgm/dname"
"github.com/IPA-CyberLab/kmgm/keyusage"
"github.com/IPA-CyberLab/kmgm/san"
"github.com/IPA-CyberLab/kmgm/storage"
"github.com/IPA-CyberLab/kmgm/wcrypto"
)
func ensurePrivateKey(env *cli.Environment, authp *storage.Profile) (crypto.PrivateKey, error) {
priv, err := authp.ReadServerPrivateKey()
if err != nil {
if !errors.Is(err, os.ErrNotExist) {
return nil, err
}
priv, err := wcrypto.GenerateKey(env.Randr, wcrypto.ServerKeyType, "server ", env.Logger)
if err != nil {
return nil, err
}
if err := authp.WriteServerPrivateKey(priv); err != nil {
return nil, err
}
return priv, nil
}
return priv, nil
}
func ensureServerCert(env *cli.Environment, authp *storage.Profile, ns san.Names) (*tls.Certificate, string, error) {
priv, err := ensurePrivateKey(env, authp)
if err != nil {
return nil, "", err
}
pub, err := wcrypto.ExtractPublicKey(priv)
if err != nil {
return nil, "", err
}
now := time.Now()
cacert, err := authp.ReadCACertificate()
if err != nil {
return nil, "", err
}
if err := wcrypto.VerifyCACert(cacert, now); err != nil {
return nil, "", err
}
cert, err := authp.ReadServerCertificate()
// FIXME[P2]: check if ns matches
if err != nil {
if !errors.Is(err, os.ErrNotExist) {
return nil, "", err
}
var srvEnv cli.Environment
srvEnv = *env
srvEnv.ProfileName = authprofile.ProfileName
issueCfg := issue.Config{
Subject: &dname.Config{
CommonName: "kmgm server",
},
Names: ns,
KeyUsage: keyusage.KeyUsageTLSServer.Clone(),
Validity: issue.ValidityPeriod{Days: 820},
KeyType: wcrypto.ServerKeyType,
NoIssueDBEntry: true,
}
certDer, err := issue.Run(&srvEnv, pub, &issueCfg)
if err != nil {
return nil, "", fmt.Errorf("Failed to issue server cert: %w", err)
}
cert, err = x509.ParseCertificate(certDer)
if err != nil {
return nil, "", fmt.Errorf("Failed to parse server cert: %w", err)
}
if err := authp.WriteServerCertificate(cert); err != nil {
return nil, "", err
}
}
now = time.Now()
if err := wcrypto.VerifyServerCert(cert, cacert, now); err != nil {
// FIXME[P2]: try reissueing cert once
return nil, "", err
}
pub, ok := cert.PublicKey.(crypto.PublicKey)
if !ok {
return nil, "", errors.New("Failed to extract cert's public key as crypto.PublicKey")
}
tlscert := &tls.Certificate{
Certificate: [][]byte{cert.Raw, cacert.Raw},
PrivateKey: priv,
}
pubkeyhash, err := wcrypto.PubKeyPinString(pub)
if err != nil {
return nil, "", err
}
return tlscert, pubkeyhash, nil
}