Split CertFP logic into separate file

This commit is contained in:
Simon Ser 2021-10-08 09:47:25 +02:00
parent 81782fefe8
commit e3b4687ac7
2 changed files with 96 additions and 80 deletions

72
certfp.go Normal file
View File

@ -0,0 +1,72 @@
package soju
import (
"crypto"
"crypto/ecdsa"
"crypto/ed25519"
"crypto/elliptic"
"crypto/rand"
"crypto/rsa"
"crypto/x509"
"crypto/x509/pkix"
"math/big"
"time"
)
func generateCertFP(keyType string, bits int) (privKeyBytes, certBytes []byte, err error) {
var (
privKey crypto.PrivateKey
pubKey crypto.PublicKey
)
switch keyType {
case "rsa":
key, err := rsa.GenerateKey(rand.Reader, bits)
if err != nil {
return nil, nil, err
}
privKey = key
pubKey = key.Public()
case "ecdsa":
key, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
if err != nil {
return nil, nil, err
}
privKey = key
pubKey = key.Public()
case "ed25519":
var err error
pubKey, privKey, err = ed25519.GenerateKey(rand.Reader)
if err != nil {
return nil, nil, err
}
}
// Using PKCS#8 allows easier extension for new key types.
privKeyBytes, err = x509.MarshalPKCS8PrivateKey(privKey)
if err != nil {
return nil, nil, err
}
notBefore := time.Now()
// Lets make a fair assumption nobody will use the same cert for more than 20 years...
notAfter := notBefore.Add(24 * time.Hour * 365 * 20)
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
if err != nil {
return nil, nil, err
}
cert := &x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{CommonName: "soju auto-generated certificate"},
NotBefore: notBefore,
NotAfter: notAfter,
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
}
certBytes, err = x509.CreateCertificate(rand.Reader, cert, cert, pubKey, privKey)
if err != nil {
return nil, nil, err
}
return privKeyBytes, certBytes, nil
}

View File

@ -1,23 +1,14 @@
package soju package soju
import ( import (
"crypto"
"crypto/ecdsa"
"crypto/ed25519"
"crypto/elliptic"
"crypto/rand"
"crypto/rsa"
"crypto/sha1" "crypto/sha1"
"crypto/sha256" "crypto/sha256"
"crypto/sha512" "crypto/sha512"
"crypto/x509"
"crypto/x509/pkix"
"encoding/hex" "encoding/hex"
"errors" "errors"
"flag" "flag"
"fmt" "fmt"
"io/ioutil" "io/ioutil"
"math/big"
"sort" "sort"
"strconv" "strconv"
"strings" "strings"
@ -238,12 +229,12 @@ func init() {
"generate": { "generate": {
usage: "[-key-type rsa|ecdsa|ed25519] [-bits N] <network name>", usage: "[-key-type rsa|ecdsa|ed25519] [-bits N] <network name>",
desc: "generate a new self-signed certificate, defaults to using RSA-3072 key", desc: "generate a new self-signed certificate, defaults to using RSA-3072 key",
handle: handleServiceCertfpGenerate, handle: handleServiceCertFPGenerate,
}, },
"fingerprint": { "fingerprint": {
usage: "<network name>", usage: "<network name>",
desc: "show fingerprints of certificate associated with the network", desc: "show fingerprints of certificate associated with the network",
handle: handleServiceCertfpFingerprints, handle: handleServiceCertFPFingerprints,
}, },
}, },
}, },
@ -621,7 +612,16 @@ func handleServiceNetworkQuote(dc *downstreamConn, params []string) error {
return nil return nil
} }
func handleServiceCertfpGenerate(dc *downstreamConn, params []string) error { func sendCertfpFingerprints(dc *downstreamConn, cert []byte) {
sha1Sum := sha1.Sum(cert)
sendServicePRIVMSG(dc, "SHA-1 fingerprint: "+hex.EncodeToString(sha1Sum[:]))
sha256Sum := sha256.Sum256(cert)
sendServicePRIVMSG(dc, "SHA-256 fingerprint: "+hex.EncodeToString(sha256Sum[:]))
sha512Sum := sha512.Sum512(cert)
sendServicePRIVMSG(dc, "SHA-512 fingerprint: "+hex.EncodeToString(sha512Sum[:]))
}
func handleServiceCertFPGenerate(dc *downstreamConn, params []string) error {
fs := newFlagSet() fs := newFlagSet()
keyType := fs.String("key-type", "rsa", "key type to generate (rsa, ecdsa, ed25519)") keyType := fs.String("key-type", "rsa", "key type to generate (rsa, ecdsa, ed25519)")
bits := fs.Int("bits", 3072, "size of key to generate, meaningful only for RSA") bits := fs.Int("bits", 3072, "size of key to generate, meaningful only for RSA")
@ -639,65 +639,17 @@ func handleServiceCertfpGenerate(dc *downstreamConn, params []string) error {
return fmt.Errorf("unknown network %q", fs.Arg(0)) return fmt.Errorf("unknown network %q", fs.Arg(0))
} }
var ( if *bits <= 0 || *bits > maxRSABits {
privKey crypto.PrivateKey return fmt.Errorf("invalid value for -bits")
pubKey crypto.PublicKey
)
switch *keyType {
case "rsa":
if *bits <= 0 || *bits > maxRSABits {
return fmt.Errorf("invalid value for -bits")
}
key, err := rsa.GenerateKey(rand.Reader, *bits)
if err != nil {
return err
}
privKey = key
pubKey = key.Public()
case "ecdsa":
key, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
if err != nil {
return err
}
privKey = key
pubKey = key.Public()
case "ed25519":
var err error
pubKey, privKey, err = ed25519.GenerateKey(rand.Reader)
if err != nil {
return err
}
} }
// Using PKCS#8 allows easier extension for new key types. privKey, cert, err := generateCertFP(*keyType, *bits)
privKeyBytes, err := x509.MarshalPKCS8PrivateKey(privKey)
if err != nil { if err != nil {
return err return err
} }
notBefore := time.Now() net.SASL.External.CertBlob = cert
// Lets make a fair assumption nobody will use the same cert for more than 20 years... net.SASL.External.PrivKeyBlob = privKey
notAfter := notBefore.Add(24 * time.Hour * 365 * 20)
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
if err != nil {
return err
}
cert := &x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{CommonName: "soju auto-generated certificate"},
NotBefore: notBefore,
NotAfter: notAfter,
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
}
derBytes, err := x509.CreateCertificate(rand.Reader, cert, cert, pubKey, privKey)
if err != nil {
return err
}
net.SASL.External.CertBlob = derBytes
net.SASL.External.PrivKeyBlob = privKeyBytes
net.SASL.Mechanism = "EXTERNAL" net.SASL.Mechanism = "EXTERNAL"
if err := dc.srv.db.StoreNetwork(dc.user.ID, &net.Network); err != nil { if err := dc.srv.db.StoreNetwork(dc.user.ID, &net.Network); err != nil {
@ -705,18 +657,11 @@ func handleServiceCertfpGenerate(dc *downstreamConn, params []string) error {
} }
sendServicePRIVMSG(dc, "certificate generated") sendServicePRIVMSG(dc, "certificate generated")
sendCertfpFingerprints(dc, cert)
sha1Sum := sha1.Sum(derBytes)
sendServicePRIVMSG(dc, "SHA-1 fingerprint: "+hex.EncodeToString(sha1Sum[:]))
sha256Sum := sha256.Sum256(derBytes)
sendServicePRIVMSG(dc, "SHA-256 fingerprint: "+hex.EncodeToString(sha256Sum[:]))
sha512Sum := sha512.Sum512(derBytes)
sendServicePRIVMSG(dc, "SHA-512 fingerprint: "+hex.EncodeToString(sha512Sum[:]))
return nil return nil
} }
func handleServiceCertfpFingerprints(dc *downstreamConn, params []string) error { func handleServiceCertFPFingerprints(dc *downstreamConn, params []string) error {
if len(params) != 1 { if len(params) != 1 {
return fmt.Errorf("expected exactly one argument") return fmt.Errorf("expected exactly one argument")
} }
@ -726,12 +671,11 @@ func handleServiceCertfpFingerprints(dc *downstreamConn, params []string) error
return fmt.Errorf("unknown network %q", params[0]) return fmt.Errorf("unknown network %q", params[0])
} }
sha1Sum := sha1.Sum(net.SASL.External.CertBlob) if net.SASL.Mechanism != "EXTERNAL" {
sendServicePRIVMSG(dc, "SHA-1 fingerprint: "+hex.EncodeToString(sha1Sum[:])) return fmt.Errorf("CertFP not set up")
sha256Sum := sha256.Sum256(net.SASL.External.CertBlob) }
sendServicePRIVMSG(dc, "SHA-256 fingerprint: "+hex.EncodeToString(sha256Sum[:]))
sha512Sum := sha512.Sum512(net.SASL.External.CertBlob) sendCertfpFingerprints(dc, net.SASL.External.CertBlob)
sendServicePRIVMSG(dc, "SHA-512 fingerprint: "+hex.EncodeToString(sha512Sum[:]))
return nil return nil
} }