prompt to generate new keys if none exist

This commit is contained in:
Matt Drollette
2014-12-14 23:12:14 -06:00
parent ed933f89b6
commit 9d077f2ccc
5 changed files with 169 additions and 96 deletions

1
.gitignore vendored
View File

@ -5,3 +5,4 @@
i2pseeds.su3
reseed_cert.pem
reseed_private.pem
/build

View File

@ -1,16 +1,8 @@
package cmd
import (
"crypto/rand"
"crypto/rsa"
"crypto/x509"
"encoding/pem"
"fmt"
"log"
"os"
"github.com/MDrollette/go-i2p/reseed"
"github.com/MDrollette/go-i2p/su3"
"github.com/codegangsta/cli"
)
@ -25,7 +17,7 @@ func NewKeygenCommand() cli.Command {
Usage: "Generate a private key and certificate for the given su3 signing ID (ex. something@mail.i2p)",
},
cli.StringFlag{
Name: "host",
Name: "tlsHost",
Usage: "Generate a self-signed TLS certificate and private key for the given host",
},
},
@ -34,79 +26,24 @@ func NewKeygenCommand() cli.Command {
func keygenAction(c *cli.Context) {
signerId := c.String("signer")
host := c.String("host")
tlsHost := c.String("tlsHost")
if signerId == "" && host == "" {
fmt.Println("You must specify either --host or --signer")
if signerId == "" && tlsHost == "" {
fmt.Println("You must specify either --tlsHost or --signer")
return
}
if signerId != "" {
createSigner(signerId)
if err := createSigningCertificate(signerId); nil != err {
fmt.Println(err)
return
}
}
if host != "" {
createTLSCertificate(host)
if tlsHost != "" {
if err := createTLSCertificate(tlsHost); nil != err {
fmt.Println(err)
return
}
}
}
func createSigner(signerId string) {
// generate private key
fmt.Println("Generating signing keys. This may take a minute...")
signerKey, err := rsa.GenerateKey(rand.Reader, 4096)
if err != nil {
log.Fatalln(err)
}
signerCert, err := su3.NewSigningCertificate(signerId, signerKey)
// save cert
certFile := signerFile(signerId) + ".crt"
certOut, err := os.Create(certFile)
if err != nil {
log.Printf("failed to open %s for writing\n", certFile)
log.Fatalln(err)
}
pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: signerCert})
certOut.Close()
fmt.Println("signing certificate saved to:", certFile)
// save signing private key
privFile := signerFile(signerId) + ".pem"
keyOut, err := os.OpenFile(privFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
if err != nil {
log.Printf("failed to open %s for writing\n", privFile)
log.Fatalln(err)
}
pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(signerKey)})
keyOut.Close()
fmt.Println("signing private key saved to:", privFile)
}
func createTLSCertificate(host string) {
fmt.Println("Generating TLS keys. This may take a minute...")
priv, err := rsa.GenerateKey(rand.Reader, 4096)
if err != nil {
log.Fatalln("failed to generate TLS private key:", err)
}
tlsCert, err := reseed.NewTLSCertificate(host, priv)
// save the TLS certificate
certOut, err := os.Create("tls_cert.pem")
if err != nil {
log.Fatalln("failed to open tls_cert.pem for writing:", err)
}
pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: tlsCert})
certOut.Close()
fmt.Println("TLS certificate saved to: tls_cert.pem")
// save the TLS private key
keyOut, err := os.OpenFile("tls_key.pem", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
if err != nil {
log.Fatalln("failed to open tls_key.pem for writing:", err)
}
pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
keyOut.Close()
fmt.Println("TLS private key saved to: tls_key.pem")
}

View File

@ -4,8 +4,6 @@ import (
"fmt"
"log"
"net"
"os"
"runtime"
"time"
"github.com/MDrollette/go-i2p/reseed"
@ -22,6 +20,10 @@ func NewReseedCommand() cli.Command {
Name: "signer",
Usage: "Your su3 signing ID (ex. something@mail.i2p)",
},
cli.StringFlag{
Name: "tlsHost",
Usage: "The public hostname used on your TLS certificate",
},
cli.StringFlag{
Name: "key",
Usage: "Path to your su3 signing private key",
@ -32,12 +34,10 @@ func NewReseedCommand() cli.Command {
},
cli.StringFlag{
Name: "tlsCert",
Value: "tls_cert.pem",
Usage: "Path to a TLS certificate",
},
cli.StringFlag{
Name: "tlsKey",
Value: "tls_key.pem",
Usage: "Path to a TLS private key",
},
cli.StringFlag{
@ -92,9 +92,26 @@ func reseedAction(c *cli.Context) {
return
}
signerKey := c.String("key")
if signerKey == "" {
signerKey = signerFile(signerId) + ".pem"
var tlsCert, tlsKey string
tlsHost := c.String("tlsHost")
if tlsHost != "" {
tlsKey = c.String("tlsKey")
// if no key is specified, default to the host.pem in the current dir
if tlsKey == "" {
tlsKey = tlsHost + ".pem"
}
tlsCert = c.String("tlsCert")
// if no certificate is specified, default to the host.crt in the current dir
if tlsCert == "" {
tlsCert = tlsHost + ".crt"
}
// prompt to create tls keys if they don't exist?
err := checkOrNewTLSCert(tlsHost, &tlsCert, &tlsKey)
if nil != err {
log.Fatalln(err)
}
}
reloadIntvl, err := time.ParseDuration(c.String("interval"))
@ -103,18 +120,14 @@ func reseedAction(c *cli.Context) {
return
}
// @todo: prompt to generate a new key
tlsKey := c.String("tlsKey")
tlsCert := c.String("tlsCert")
// use all cores
cpus := runtime.NumCPU()
runtime.GOMAXPROCS(cpus)
log.Printf("Using %d CPU cores.\n", cpus)
signerKey := c.String("key")
// if no key is specified, default to the signerId.pem in the current dir
if signerKey == "" {
signerKey = signerFile(signerId) + ".pem"
}
// load our signing privKey
// @todo: prompt to generate a new signing key if this one doesn't exist
privKey, err := loadPrivateKey(signerKey)
privKey, err := getOrNewSigningCert(&signerKey, signerId)
if nil != err {
log.Fatalln(err)
}
@ -136,9 +149,7 @@ func reseedAction(c *cli.Context) {
server.Reseeder = reseeder
server.Addr = net.JoinHostPort(c.String("ip"), c.String("port"))
_, certErr := os.Stat(tlsCert)
_, keyErr := os.Stat(tlsKey)
if certErr == nil && keyErr == nil {
if tlsHost != "" && tlsCert != "" && tlsKey != "" {
log.Printf("HTTPS server started on %s\n", server.Addr)
log.Fatalln(server.ListenAndServeTLS(tlsCert, tlsKey))
} else {

View File

@ -1,11 +1,18 @@
package cmd
import (
"bufio"
"crypto/rand"
"crypto/rsa"
"crypto/x509"
"encoding/pem"
"fmt"
"io/ioutil"
"os"
"strings"
"github.com/MDrollette/go-i2p/reseed"
"github.com/MDrollette/go-i2p/su3"
)
func loadPrivateKey(path string) (*rsa.PrivateKey, error) {
@ -26,3 +33,116 @@ func loadPrivateKey(path string) (*rsa.PrivateKey, error) {
func signerFile(signerId string) string {
return strings.Replace(signerId, "@", "_at_", 1)
}
func getOrNewSigningCert(signerKey *string, signerId string) (*rsa.PrivateKey, error) {
if _, err := os.Stat(*signerKey); nil != err {
fmt.Printf("Unable to read signing key '%s'\n", *signerKey)
fmt.Printf("Would you like to generate a new signing key for %s? (y or n): ", signerId)
reader := bufio.NewReader(os.Stdin)
input, _ := reader.ReadString('\n')
if []byte(input)[0] != 'y' {
return nil, fmt.Errorf("A signing key is required")
} else {
if err := createSigningCertificate(signerId); nil != err {
return nil, err
}
*signerKey = signerFile(signerId) + ".pem"
}
}
return loadPrivateKey(*signerKey)
}
func checkOrNewTLSCert(tlsHost string, tlsCert, tlsKey *string) error {
_, certErr := os.Stat(*tlsCert)
_, keyErr := os.Stat(*tlsKey)
if certErr != nil || keyErr != nil {
if certErr != nil {
fmt.Printf("Unable to read TLS certificate '%s'\n", *tlsCert)
}
if keyErr != nil {
fmt.Printf("Unable to read TLS key '%s'\n", *tlsKey)
}
fmt.Printf("Would you like to generate a new self-signed certificate for '%s'? (y or n): ", tlsHost)
reader := bufio.NewReader(os.Stdin)
input, _ := reader.ReadString('\n')
if []byte(input)[0] != 'y' {
fmt.Println("Continuing without TLS")
return nil
} else {
if err := createTLSCertificate(tlsHost); nil != err {
return err
}
*tlsCert = tlsHost + ".crt"
*tlsKey = tlsHost + ".pem"
}
}
return nil
}
func createSigningCertificate(signerId string) error {
// generate private key
fmt.Println("Generating signing keys. This may take a minute...")
signerKey, err := rsa.GenerateKey(rand.Reader, 4096)
if err != nil {
return err
}
signerCert, err := su3.NewSigningCertificate(signerId, signerKey)
// save cert
certFile := signerFile(signerId) + ".crt"
certOut, err := os.Create(certFile)
if err != nil {
return fmt.Errorf("failed to open %s for writing: %s\n", certFile, err)
}
pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: signerCert})
certOut.Close()
fmt.Println("signing certificate saved to:", certFile)
// save signing private key
privFile := signerFile(signerId) + ".pem"
keyOut, err := os.OpenFile(privFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
if err != nil {
return fmt.Errorf("failed to open %s for writing: %s\n", privFile, err)
}
pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(signerKey)})
keyOut.Close()
fmt.Println("signing private key saved to:", privFile)
return nil
}
func createTLSCertificate(host string) error {
fmt.Println("Generating TLS keys. This may take a minute...")
priv, err := rsa.GenerateKey(rand.Reader, 4096)
if err != nil {
return fmt.Errorf("failed to generate TLS private key:", err)
}
tlsCert, err := reseed.NewTLSCertificate(host, priv)
// save the TLS certificate
certOut, err := os.Create(host + ".crt")
if err != nil {
return fmt.Errorf("failed to open %s for writing: %s", host+".crt", err)
}
pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: tlsCert})
certOut.Close()
fmt.Printf("TLS certificate saved to: %s\n", host+".crt")
// save the TLS private key
keyOut, err := os.OpenFile(host+".pem", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
if err != nil {
return fmt.Errorf("failed to open %s for writing: %s", host+".pem", err)
}
pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
keyOut.Close()
fmt.Printf("TLS private key saved to: %s\n", host+".pem")
return nil
}

View File

@ -2,12 +2,16 @@ package main
import (
"os"
"runtime"
"github.com/MDrollette/go-i2p/cmd"
"github.com/codegangsta/cli"
)
func main() {
// use at most half the cpu cores
runtime.GOMAXPROCS(runtime.NumCPU() / 2)
app := cli.NewApp()
app.Name = "go-i2p"
app.Version = "0.1.0"