mark22k/reseed-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

prompt to generate new keys if none exist

Browse Source
This commit is contained in:
Matt Drollette
2014-12-14 23:12:14 -06:00
parent ed933f89b6
commit 9d077f2ccc
5 changed files with 169 additions and 96 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -5,3 +5,4 @@
i2pseeds.su3 i2pseeds.su3
reseed_cert.pem reseed_cert.pem
reseed_private.pem reseed_private.pem
/build

89
cmd/keygen.go
View File

@ -1,16 +1,8 @@
package cmd package cmd
import ( import (
"crypto/rand"
"crypto/rsa"
"crypto/x509"
"encoding/pem"
"fmt" "fmt"
"log"
"os"
"github.com/MDrollette/go-i2p/reseed"
"github.com/MDrollette/go-i2p/su3"
"github.com/codegangsta/cli" "github.com/codegangsta/cli"
) )
@ -25,7 +17,7 @@ func NewKeygenCommand() cli.Command {
Usage: "Generate a private key and certificate for the given su3 signing ID (ex. something@mail.i2p)", Usage: "Generate a private key and certificate for the given su3 signing ID (ex. something@mail.i2p)",
}, },
cli.StringFlag{ cli.StringFlag{
Name: "host", Name: "tlsHost",
Usage: "Generate a self-signed TLS certificate and private key for the given host", Usage: "Generate a self-signed TLS certificate and private key for the given host",
}, },
}, },
@ -34,79 +26,24 @@ func NewKeygenCommand() cli.Command {
func keygenAction(c *cli.Context) { func keygenAction(c *cli.Context) {
signerId := c.String("signer") signerId := c.String("signer")
host := c.String("host") tlsHost := c.String("tlsHost")
if signerId == "" && host == "" { if signerId == "" && tlsHost == "" {
fmt.Println("You must specify either --host or --signer") fmt.Println("You must specify either --tlsHost or --signer")
return return
} }
if signerId != "" { if signerId != "" {
createSigner(signerId) if err := createSigningCertificate(signerId); nil != err {
fmt.Println(err)
return
}
} }
if host != "" { if tlsHost != "" {
createTLSCertificate(host) if err := createTLSCertificate(tlsHost); nil != err {
fmt.Println(err)
return
}
} }
} }
func createSigner(signerId string) {
// generate private key
fmt.Println("Generating signing keys. This may take a minute...")
signerKey, err := rsa.GenerateKey(rand.Reader, 4096)
if err != nil {
log.Fatalln(err)
}
signerCert, err := su3.NewSigningCertificate(signerId, signerKey)
// save cert
certFile := signerFile(signerId) + ".crt"
certOut, err := os.Create(certFile)
if err != nil {
log.Printf("failed to open %s for writing\n", certFile)
log.Fatalln(err)
}
pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: signerCert})
certOut.Close()
fmt.Println("signing certificate saved to:", certFile)
// save signing private key
privFile := signerFile(signerId) + ".pem"
keyOut, err := os.OpenFile(privFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
if err != nil {
log.Printf("failed to open %s for writing\n", privFile)
log.Fatalln(err)
}
pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(signerKey)})
keyOut.Close()
fmt.Println("signing private key saved to:", privFile)
}
func createTLSCertificate(host string) {
fmt.Println("Generating TLS keys. This may take a minute...")
priv, err := rsa.GenerateKey(rand.Reader, 4096)
if err != nil {
log.Fatalln("failed to generate TLS private key:", err)
}
tlsCert, err := reseed.NewTLSCertificate(host, priv)
// save the TLS certificate
certOut, err := os.Create("tls_cert.pem")
if err != nil {
log.Fatalln("failed to open tls_cert.pem for writing:", err)
}
pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: tlsCert})
certOut.Close()
fmt.Println("TLS certificate saved to: tls_cert.pem")
// save the TLS private key
keyOut, err := os.OpenFile("tls_key.pem", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
if err != nil {
log.Fatalln("failed to open tls_key.pem for writing:", err)
}
pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
keyOut.Close()
fmt.Println("TLS private key saved to: tls_key.pem")
}

51
cmd/reseeder.go
View File

@ -4,8 +4,6 @@ import (
"fmt" "fmt"
"log" "log"
"net" "net"
"os"
"runtime"
"time" "time"
"github.com/MDrollette/go-i2p/reseed" "github.com/MDrollette/go-i2p/reseed"
@ -22,6 +20,10 @@ func NewReseedCommand() cli.Command {
Name: "signer", Name: "signer",
Usage: "Your su3 signing ID (ex. something@mail.i2p)", Usage: "Your su3 signing ID (ex. something@mail.i2p)",
}, },
cli.StringFlag{
Name: "tlsHost",
Usage: "The public hostname used on your TLS certificate",
},
cli.StringFlag{ cli.StringFlag{
Name: "key", Name: "key",
Usage: "Path to your su3 signing private key", Usage: "Path to your su3 signing private key",
@ -32,12 +34,10 @@ func NewReseedCommand() cli.Command {
}, },
cli.StringFlag{ cli.StringFlag{
Name: "tlsCert", Name: "tlsCert",
Value: "tls_cert.pem",
Usage: "Path to a TLS certificate", Usage: "Path to a TLS certificate",
}, },
cli.StringFlag{ cli.StringFlag{
Name: "tlsKey", Name: "tlsKey",
Value: "tls_key.pem",
Usage: "Path to a TLS private key", Usage: "Path to a TLS private key",
}, },
cli.StringFlag{ cli.StringFlag{
@ -92,9 +92,26 @@ func reseedAction(c *cli.Context) {
return return
} }
signerKey := c.String("key") var tlsCert, tlsKey string
if signerKey == "" { tlsHost := c.String("tlsHost")
signerKey = signerFile(signerId) + ".pem" if tlsHost != "" {
tlsKey = c.String("tlsKey")
// if no key is specified, default to the host.pem in the current dir
if tlsKey == "" {
tlsKey = tlsHost + ".pem"
}
tlsCert = c.String("tlsCert")
// if no certificate is specified, default to the host.crt in the current dir
if tlsCert == "" {
tlsCert = tlsHost + ".crt"
}
// prompt to create tls keys if they don't exist?
err := checkOrNewTLSCert(tlsHost, &tlsCert, &tlsKey)
if nil != err {
log.Fatalln(err)
}
} }
reloadIntvl, err := time.ParseDuration(c.String("interval")) reloadIntvl, err := time.ParseDuration(c.String("interval"))
@ -103,18 +120,14 @@ func reseedAction(c *cli.Context) {
return return
} }
// @todo: prompt to generate a new key signerKey := c.String("key")
tlsKey := c.String("tlsKey") // if no key is specified, default to the signerId.pem in the current dir
tlsCert := c.String("tlsCert") if signerKey == "" {
signerKey = signerFile(signerId) + ".pem"
// use all cores }
cpus := runtime.NumCPU()
runtime.GOMAXPROCS(cpus)
log.Printf("Using %d CPU cores.\n", cpus)
// load our signing privKey // load our signing privKey
// @todo: prompt to generate a new signing key if this one doesn't exist privKey, err := getOrNewSigningCert(&signerKey, signerId)
privKey, err := loadPrivateKey(signerKey)
if nil != err { if nil != err {
log.Fatalln(err) log.Fatalln(err)
} }
@ -136,9 +149,7 @@ func reseedAction(c *cli.Context) {
server.Reseeder = reseeder server.Reseeder = reseeder
server.Addr = net.JoinHostPort(c.String("ip"), c.String("port")) server.Addr = net.JoinHostPort(c.String("ip"), c.String("port"))
_, certErr := os.Stat(tlsCert) if tlsHost != "" && tlsCert != "" && tlsKey != "" {
_, keyErr := os.Stat(tlsKey)
if certErr == nil && keyErr == nil {
log.Printf("HTTPS server started on %s\n", server.Addr) log.Printf("HTTPS server started on %s\n", server.Addr)
log.Fatalln(server.ListenAndServeTLS(tlsCert, tlsKey)) log.Fatalln(server.ListenAndServeTLS(tlsCert, tlsKey))
} else { } else {

120
cmd/utils.go
View File

@ -1,11 +1,18 @@
package cmd package cmd
import ( import (
"bufio"
"crypto/rand"
"crypto/rsa" "crypto/rsa"
"crypto/x509" "crypto/x509"
"encoding/pem" "encoding/pem"
"fmt"
"io/ioutil" "io/ioutil"
"os"
"strings" "strings"
"github.com/MDrollette/go-i2p/reseed"
"github.com/MDrollette/go-i2p/su3"
) )
func loadPrivateKey(path string) (*rsa.PrivateKey, error) { func loadPrivateKey(path string) (*rsa.PrivateKey, error) {
@ -26,3 +33,116 @@ func loadPrivateKey(path string) (*rsa.PrivateKey, error) {
func signerFile(signerId string) string { func signerFile(signerId string) string {
return strings.Replace(signerId, "@", "_at_", 1) return strings.Replace(signerId, "@", "_at_", 1)
} }
func getOrNewSigningCert(signerKey *string, signerId string) (*rsa.PrivateKey, error) {
if _, err := os.Stat(*signerKey); nil != err {
fmt.Printf("Unable to read signing key '%s'\n", *signerKey)
fmt.Printf("Would you like to generate a new signing key for %s? (y or n): ", signerId)
reader := bufio.NewReader(os.Stdin)
input, _ := reader.ReadString('\n')
if []byte(input)[0] != 'y' {
return nil, fmt.Errorf("A signing key is required")
} else {
if err := createSigningCertificate(signerId); nil != err {
return nil, err
}
*signerKey = signerFile(signerId) + ".pem"
}
}
return loadPrivateKey(*signerKey)
}
func checkOrNewTLSCert(tlsHost string, tlsCert, tlsKey *string) error {
_, certErr := os.Stat(*tlsCert)
_, keyErr := os.Stat(*tlsKey)
if certErr != nil || keyErr != nil {
if certErr != nil {
fmt.Printf("Unable to read TLS certificate '%s'\n", *tlsCert)
}
if keyErr != nil {
fmt.Printf("Unable to read TLS key '%s'\n", *tlsKey)
}
fmt.Printf("Would you like to generate a new self-signed certificate for '%s'? (y or n): ", tlsHost)
reader := bufio.NewReader(os.Stdin)
input, _ := reader.ReadString('\n')
if []byte(input)[0] != 'y' {
fmt.Println("Continuing without TLS")
return nil
} else {
if err := createTLSCertificate(tlsHost); nil != err {
return err
}
*tlsCert = tlsHost + ".crt"
*tlsKey = tlsHost + ".pem"
}
}
return nil
}
func createSigningCertificate(signerId string) error {
// generate private key
fmt.Println("Generating signing keys. This may take a minute...")
signerKey, err := rsa.GenerateKey(rand.Reader, 4096)
if err != nil {
return err
}
signerCert, err := su3.NewSigningCertificate(signerId, signerKey)
// save cert
certFile := signerFile(signerId) + ".crt"
certOut, err := os.Create(certFile)
if err != nil {
return fmt.Errorf("failed to open %s for writing: %s\n", certFile, err)
}
pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: signerCert})
certOut.Close()
fmt.Println("signing certificate saved to:", certFile)
// save signing private key
privFile := signerFile(signerId) + ".pem"
keyOut, err := os.OpenFile(privFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
if err != nil {
return fmt.Errorf("failed to open %s for writing: %s\n", privFile, err)
}
pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(signerKey)})
keyOut.Close()
fmt.Println("signing private key saved to:", privFile)
return nil
}
func createTLSCertificate(host string) error {
fmt.Println("Generating TLS keys. This may take a minute...")
priv, err := rsa.GenerateKey(rand.Reader, 4096)
if err != nil {
return fmt.Errorf("failed to generate TLS private key:", err)
}
tlsCert, err := reseed.NewTLSCertificate(host, priv)
// save the TLS certificate
certOut, err := os.Create(host + ".crt")
if err != nil {
return fmt.Errorf("failed to open %s for writing: %s", host+".crt", err)
}
pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: tlsCert})
certOut.Close()
fmt.Printf("TLS certificate saved to: %s\n", host+".crt")
// save the TLS private key
keyOut, err := os.OpenFile(host+".pem", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
if err != nil {
return fmt.Errorf("failed to open %s for writing: %s", host+".pem", err)
}
pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
keyOut.Close()
fmt.Printf("TLS private key saved to: %s\n", host+".pem")
return nil
}

4
main.go
View File

@ -2,12 +2,16 @@ package main
import ( import (
"os" "os"
"runtime"
"github.com/MDrollette/go-i2p/cmd" "github.com/MDrollette/go-i2p/cmd"
"github.com/codegangsta/cli" "github.com/codegangsta/cli"
) )
func main() { func main() {
// use at most half the cpu cores
runtime.GOMAXPROCS(runtime.NumCPU() / 2)
app := cli.NewApp() app := cli.NewApp()
app.Name = "go-i2p" app.Name = "go-i2p"
app.Version = "0.1.0" app.Version = "0.1.0"