prompt to generate new keys if none exist
This commit is contained in:
1
.gitignore
vendored
1
.gitignore
vendored
@ -5,3 +5,4 @@
|
||||
i2pseeds.su3
|
||||
reseed_cert.pem
|
||||
reseed_private.pem
|
||||
/build
|
||||
|
@ -1,16 +1,8 @@
|
||||
package cmd
|
||||
|
||||
import (
|
||||
"crypto/rand"
|
||||
"crypto/rsa"
|
||||
"crypto/x509"
|
||||
"encoding/pem"
|
||||
"fmt"
|
||||
"log"
|
||||
"os"
|
||||
|
||||
"github.com/MDrollette/go-i2p/reseed"
|
||||
"github.com/MDrollette/go-i2p/su3"
|
||||
"github.com/codegangsta/cli"
|
||||
)
|
||||
|
||||
@ -25,7 +17,7 @@ func NewKeygenCommand() cli.Command {
|
||||
Usage: "Generate a private key and certificate for the given su3 signing ID (ex. something@mail.i2p)",
|
||||
},
|
||||
cli.StringFlag{
|
||||
Name: "host",
|
||||
Name: "tlsHost",
|
||||
Usage: "Generate a self-signed TLS certificate and private key for the given host",
|
||||
},
|
||||
},
|
||||
@ -34,79 +26,24 @@ func NewKeygenCommand() cli.Command {
|
||||
|
||||
func keygenAction(c *cli.Context) {
|
||||
signerId := c.String("signer")
|
||||
host := c.String("host")
|
||||
tlsHost := c.String("tlsHost")
|
||||
|
||||
if signerId == "" && host == "" {
|
||||
fmt.Println("You must specify either --host or --signer")
|
||||
if signerId == "" && tlsHost == "" {
|
||||
fmt.Println("You must specify either --tlsHost or --signer")
|
||||
return
|
||||
}
|
||||
|
||||
if signerId != "" {
|
||||
createSigner(signerId)
|
||||
if err := createSigningCertificate(signerId); nil != err {
|
||||
fmt.Println(err)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
if host != "" {
|
||||
createTLSCertificate(host)
|
||||
if tlsHost != "" {
|
||||
if err := createTLSCertificate(tlsHost); nil != err {
|
||||
fmt.Println(err)
|
||||
return
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func createSigner(signerId string) {
|
||||
// generate private key
|
||||
fmt.Println("Generating signing keys. This may take a minute...")
|
||||
signerKey, err := rsa.GenerateKey(rand.Reader, 4096)
|
||||
if err != nil {
|
||||
log.Fatalln(err)
|
||||
}
|
||||
|
||||
signerCert, err := su3.NewSigningCertificate(signerId, signerKey)
|
||||
|
||||
// save cert
|
||||
certFile := signerFile(signerId) + ".crt"
|
||||
certOut, err := os.Create(certFile)
|
||||
if err != nil {
|
||||
log.Printf("failed to open %s for writing\n", certFile)
|
||||
log.Fatalln(err)
|
||||
}
|
||||
pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: signerCert})
|
||||
certOut.Close()
|
||||
fmt.Println("signing certificate saved to:", certFile)
|
||||
|
||||
// save signing private key
|
||||
privFile := signerFile(signerId) + ".pem"
|
||||
keyOut, err := os.OpenFile(privFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
|
||||
if err != nil {
|
||||
log.Printf("failed to open %s for writing\n", privFile)
|
||||
log.Fatalln(err)
|
||||
}
|
||||
pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(signerKey)})
|
||||
keyOut.Close()
|
||||
fmt.Println("signing private key saved to:", privFile)
|
||||
}
|
||||
|
||||
func createTLSCertificate(host string) {
|
||||
fmt.Println("Generating TLS keys. This may take a minute...")
|
||||
priv, err := rsa.GenerateKey(rand.Reader, 4096)
|
||||
if err != nil {
|
||||
log.Fatalln("failed to generate TLS private key:", err)
|
||||
}
|
||||
|
||||
tlsCert, err := reseed.NewTLSCertificate(host, priv)
|
||||
|
||||
// save the TLS certificate
|
||||
certOut, err := os.Create("tls_cert.pem")
|
||||
if err != nil {
|
||||
log.Fatalln("failed to open tls_cert.pem for writing:", err)
|
||||
}
|
||||
pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: tlsCert})
|
||||
certOut.Close()
|
||||
fmt.Println("TLS certificate saved to: tls_cert.pem")
|
||||
|
||||
// save the TLS private key
|
||||
keyOut, err := os.OpenFile("tls_key.pem", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
|
||||
if err != nil {
|
||||
log.Fatalln("failed to open tls_key.pem for writing:", err)
|
||||
}
|
||||
pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
|
||||
keyOut.Close()
|
||||
fmt.Println("TLS private key saved to: tls_key.pem")
|
||||
}
|
||||
|
@ -4,8 +4,6 @@ import (
|
||||
"fmt"
|
||||
"log"
|
||||
"net"
|
||||
"os"
|
||||
"runtime"
|
||||
"time"
|
||||
|
||||
"github.com/MDrollette/go-i2p/reseed"
|
||||
@ -22,6 +20,10 @@ func NewReseedCommand() cli.Command {
|
||||
Name: "signer",
|
||||
Usage: "Your su3 signing ID (ex. something@mail.i2p)",
|
||||
},
|
||||
cli.StringFlag{
|
||||
Name: "tlsHost",
|
||||
Usage: "The public hostname used on your TLS certificate",
|
||||
},
|
||||
cli.StringFlag{
|
||||
Name: "key",
|
||||
Usage: "Path to your su3 signing private key",
|
||||
@ -32,12 +34,10 @@ func NewReseedCommand() cli.Command {
|
||||
},
|
||||
cli.StringFlag{
|
||||
Name: "tlsCert",
|
||||
Value: "tls_cert.pem",
|
||||
Usage: "Path to a TLS certificate",
|
||||
},
|
||||
cli.StringFlag{
|
||||
Name: "tlsKey",
|
||||
Value: "tls_key.pem",
|
||||
Usage: "Path to a TLS private key",
|
||||
},
|
||||
cli.StringFlag{
|
||||
@ -92,9 +92,26 @@ func reseedAction(c *cli.Context) {
|
||||
return
|
||||
}
|
||||
|
||||
signerKey := c.String("key")
|
||||
if signerKey == "" {
|
||||
signerKey = signerFile(signerId) + ".pem"
|
||||
var tlsCert, tlsKey string
|
||||
tlsHost := c.String("tlsHost")
|
||||
if tlsHost != "" {
|
||||
tlsKey = c.String("tlsKey")
|
||||
// if no key is specified, default to the host.pem in the current dir
|
||||
if tlsKey == "" {
|
||||
tlsKey = tlsHost + ".pem"
|
||||
}
|
||||
|
||||
tlsCert = c.String("tlsCert")
|
||||
// if no certificate is specified, default to the host.crt in the current dir
|
||||
if tlsCert == "" {
|
||||
tlsCert = tlsHost + ".crt"
|
||||
}
|
||||
|
||||
// prompt to create tls keys if they don't exist?
|
||||
err := checkOrNewTLSCert(tlsHost, &tlsCert, &tlsKey)
|
||||
if nil != err {
|
||||
log.Fatalln(err)
|
||||
}
|
||||
}
|
||||
|
||||
reloadIntvl, err := time.ParseDuration(c.String("interval"))
|
||||
@ -103,18 +120,14 @@ func reseedAction(c *cli.Context) {
|
||||
return
|
||||
}
|
||||
|
||||
// @todo: prompt to generate a new key
|
||||
tlsKey := c.String("tlsKey")
|
||||
tlsCert := c.String("tlsCert")
|
||||
|
||||
// use all cores
|
||||
cpus := runtime.NumCPU()
|
||||
runtime.GOMAXPROCS(cpus)
|
||||
log.Printf("Using %d CPU cores.\n", cpus)
|
||||
signerKey := c.String("key")
|
||||
// if no key is specified, default to the signerId.pem in the current dir
|
||||
if signerKey == "" {
|
||||
signerKey = signerFile(signerId) + ".pem"
|
||||
}
|
||||
|
||||
// load our signing privKey
|
||||
// @todo: prompt to generate a new signing key if this one doesn't exist
|
||||
privKey, err := loadPrivateKey(signerKey)
|
||||
privKey, err := getOrNewSigningCert(&signerKey, signerId)
|
||||
if nil != err {
|
||||
log.Fatalln(err)
|
||||
}
|
||||
@ -136,9 +149,7 @@ func reseedAction(c *cli.Context) {
|
||||
server.Reseeder = reseeder
|
||||
server.Addr = net.JoinHostPort(c.String("ip"), c.String("port"))
|
||||
|
||||
_, certErr := os.Stat(tlsCert)
|
||||
_, keyErr := os.Stat(tlsKey)
|
||||
if certErr == nil && keyErr == nil {
|
||||
if tlsHost != "" && tlsCert != "" && tlsKey != "" {
|
||||
log.Printf("HTTPS server started on %s\n", server.Addr)
|
||||
log.Fatalln(server.ListenAndServeTLS(tlsCert, tlsKey))
|
||||
} else {
|
||||
|
120
cmd/utils.go
120
cmd/utils.go
@ -1,11 +1,18 @@
|
||||
package cmd
|
||||
|
||||
import (
|
||||
"bufio"
|
||||
"crypto/rand"
|
||||
"crypto/rsa"
|
||||
"crypto/x509"
|
||||
"encoding/pem"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"os"
|
||||
"strings"
|
||||
|
||||
"github.com/MDrollette/go-i2p/reseed"
|
||||
"github.com/MDrollette/go-i2p/su3"
|
||||
)
|
||||
|
||||
func loadPrivateKey(path string) (*rsa.PrivateKey, error) {
|
||||
@ -26,3 +33,116 @@ func loadPrivateKey(path string) (*rsa.PrivateKey, error) {
|
||||
func signerFile(signerId string) string {
|
||||
return strings.Replace(signerId, "@", "_at_", 1)
|
||||
}
|
||||
|
||||
func getOrNewSigningCert(signerKey *string, signerId string) (*rsa.PrivateKey, error) {
|
||||
if _, err := os.Stat(*signerKey); nil != err {
|
||||
fmt.Printf("Unable to read signing key '%s'\n", *signerKey)
|
||||
fmt.Printf("Would you like to generate a new signing key for %s? (y or n): ", signerId)
|
||||
reader := bufio.NewReader(os.Stdin)
|
||||
input, _ := reader.ReadString('\n')
|
||||
if []byte(input)[0] != 'y' {
|
||||
return nil, fmt.Errorf("A signing key is required")
|
||||
} else {
|
||||
if err := createSigningCertificate(signerId); nil != err {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
*signerKey = signerFile(signerId) + ".pem"
|
||||
}
|
||||
}
|
||||
|
||||
return loadPrivateKey(*signerKey)
|
||||
}
|
||||
|
||||
func checkOrNewTLSCert(tlsHost string, tlsCert, tlsKey *string) error {
|
||||
_, certErr := os.Stat(*tlsCert)
|
||||
_, keyErr := os.Stat(*tlsKey)
|
||||
if certErr != nil || keyErr != nil {
|
||||
if certErr != nil {
|
||||
fmt.Printf("Unable to read TLS certificate '%s'\n", *tlsCert)
|
||||
}
|
||||
if keyErr != nil {
|
||||
fmt.Printf("Unable to read TLS key '%s'\n", *tlsKey)
|
||||
}
|
||||
|
||||
fmt.Printf("Would you like to generate a new self-signed certificate for '%s'? (y or n): ", tlsHost)
|
||||
reader := bufio.NewReader(os.Stdin)
|
||||
input, _ := reader.ReadString('\n')
|
||||
if []byte(input)[0] != 'y' {
|
||||
fmt.Println("Continuing without TLS")
|
||||
return nil
|
||||
} else {
|
||||
if err := createTLSCertificate(tlsHost); nil != err {
|
||||
return err
|
||||
}
|
||||
|
||||
*tlsCert = tlsHost + ".crt"
|
||||
*tlsKey = tlsHost + ".pem"
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func createSigningCertificate(signerId string) error {
|
||||
// generate private key
|
||||
fmt.Println("Generating signing keys. This may take a minute...")
|
||||
signerKey, err := rsa.GenerateKey(rand.Reader, 4096)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
signerCert, err := su3.NewSigningCertificate(signerId, signerKey)
|
||||
|
||||
// save cert
|
||||
certFile := signerFile(signerId) + ".crt"
|
||||
certOut, err := os.Create(certFile)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to open %s for writing: %s\n", certFile, err)
|
||||
}
|
||||
pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: signerCert})
|
||||
certOut.Close()
|
||||
fmt.Println("signing certificate saved to:", certFile)
|
||||
|
||||
// save signing private key
|
||||
privFile := signerFile(signerId) + ".pem"
|
||||
keyOut, err := os.OpenFile(privFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to open %s for writing: %s\n", privFile, err)
|
||||
}
|
||||
pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(signerKey)})
|
||||
keyOut.Close()
|
||||
fmt.Println("signing private key saved to:", privFile)
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func createTLSCertificate(host string) error {
|
||||
fmt.Println("Generating TLS keys. This may take a minute...")
|
||||
priv, err := rsa.GenerateKey(rand.Reader, 4096)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to generate TLS private key:", err)
|
||||
}
|
||||
|
||||
tlsCert, err := reseed.NewTLSCertificate(host, priv)
|
||||
|
||||
// save the TLS certificate
|
||||
certOut, err := os.Create(host + ".crt")
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to open %s for writing: %s", host+".crt", err)
|
||||
}
|
||||
pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: tlsCert})
|
||||
certOut.Close()
|
||||
fmt.Printf("TLS certificate saved to: %s\n", host+".crt")
|
||||
|
||||
// save the TLS private key
|
||||
keyOut, err := os.OpenFile(host+".pem", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to open %s for writing: %s", host+".pem", err)
|
||||
}
|
||||
pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
|
||||
keyOut.Close()
|
||||
fmt.Printf("TLS private key saved to: %s\n", host+".pem")
|
||||
|
||||
return nil
|
||||
}
|
||||
|
Reference in New Issue
Block a user