From 9d077f2cccbf8247677fa257bb86f09af37902d9 Mon Sep 17 00:00:00 2001 From: Matt Drollette Date: Sun, 14 Dec 2014 23:12:14 -0600 Subject: [PATCH] prompt to generate new keys if none exist --- .gitignore | 1 + cmd/keygen.go | 89 ++++++----------------------------- cmd/reseeder.go | 51 ++++++++++++-------- cmd/utils.go | 120 ++++++++++++++++++++++++++++++++++++++++++++++++ main.go | 4 ++ 5 files changed, 169 insertions(+), 96 deletions(-) diff --git a/.gitignore b/.gitignore index 3920bdc..33f8d9a 100644 --- a/.gitignore +++ b/.gitignore @@ -5,3 +5,4 @@ i2pseeds.su3 reseed_cert.pem reseed_private.pem +/build diff --git a/cmd/keygen.go b/cmd/keygen.go index 2aa84fe..27fd1ce 100644 --- a/cmd/keygen.go +++ b/cmd/keygen.go @@ -1,16 +1,8 @@ package cmd import ( - "crypto/rand" - "crypto/rsa" - "crypto/x509" - "encoding/pem" "fmt" - "log" - "os" - "github.com/MDrollette/go-i2p/reseed" - "github.com/MDrollette/go-i2p/su3" "github.com/codegangsta/cli" ) @@ -25,7 +17,7 @@ func NewKeygenCommand() cli.Command { Usage: "Generate a private key and certificate for the given su3 signing ID (ex. something@mail.i2p)", }, cli.StringFlag{ - Name: "host", + Name: "tlsHost", Usage: "Generate a self-signed TLS certificate and private key for the given host", }, }, @@ -34,79 +26,24 @@ func NewKeygenCommand() cli.Command { func keygenAction(c *cli.Context) { signerId := c.String("signer") - host := c.String("host") + tlsHost := c.String("tlsHost") - if signerId == "" && host == "" { - fmt.Println("You must specify either --host or --signer") + if signerId == "" && tlsHost == "" { + fmt.Println("You must specify either --tlsHost or --signer") return } if signerId != "" { - createSigner(signerId) + if err := createSigningCertificate(signerId); nil != err { + fmt.Println(err) + return + } } - if host != "" { - createTLSCertificate(host) + if tlsHost != "" { + if err := createTLSCertificate(tlsHost); nil != err { + fmt.Println(err) + return + } } } - -func createSigner(signerId string) { - // generate private key - fmt.Println("Generating signing keys. This may take a minute...") - signerKey, err := rsa.GenerateKey(rand.Reader, 4096) - if err != nil { - log.Fatalln(err) - } - - signerCert, err := su3.NewSigningCertificate(signerId, signerKey) - - // save cert - certFile := signerFile(signerId) + ".crt" - certOut, err := os.Create(certFile) - if err != nil { - log.Printf("failed to open %s for writing\n", certFile) - log.Fatalln(err) - } - pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: signerCert}) - certOut.Close() - fmt.Println("signing certificate saved to:", certFile) - - // save signing private key - privFile := signerFile(signerId) + ".pem" - keyOut, err := os.OpenFile(privFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600) - if err != nil { - log.Printf("failed to open %s for writing\n", privFile) - log.Fatalln(err) - } - pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(signerKey)}) - keyOut.Close() - fmt.Println("signing private key saved to:", privFile) -} - -func createTLSCertificate(host string) { - fmt.Println("Generating TLS keys. This may take a minute...") - priv, err := rsa.GenerateKey(rand.Reader, 4096) - if err != nil { - log.Fatalln("failed to generate TLS private key:", err) - } - - tlsCert, err := reseed.NewTLSCertificate(host, priv) - - // save the TLS certificate - certOut, err := os.Create("tls_cert.pem") - if err != nil { - log.Fatalln("failed to open tls_cert.pem for writing:", err) - } - pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: tlsCert}) - certOut.Close() - fmt.Println("TLS certificate saved to: tls_cert.pem") - - // save the TLS private key - keyOut, err := os.OpenFile("tls_key.pem", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600) - if err != nil { - log.Fatalln("failed to open tls_key.pem for writing:", err) - } - pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)}) - keyOut.Close() - fmt.Println("TLS private key saved to: tls_key.pem") -} diff --git a/cmd/reseeder.go b/cmd/reseeder.go index 65e646b..bf272c8 100644 --- a/cmd/reseeder.go +++ b/cmd/reseeder.go @@ -4,8 +4,6 @@ import ( "fmt" "log" "net" - "os" - "runtime" "time" "github.com/MDrollette/go-i2p/reseed" @@ -22,6 +20,10 @@ func NewReseedCommand() cli.Command { Name: "signer", Usage: "Your su3 signing ID (ex. something@mail.i2p)", }, + cli.StringFlag{ + Name: "tlsHost", + Usage: "The public hostname used on your TLS certificate", + }, cli.StringFlag{ Name: "key", Usage: "Path to your su3 signing private key", @@ -32,12 +34,10 @@ func NewReseedCommand() cli.Command { }, cli.StringFlag{ Name: "tlsCert", - Value: "tls_cert.pem", Usage: "Path to a TLS certificate", }, cli.StringFlag{ Name: "tlsKey", - Value: "tls_key.pem", Usage: "Path to a TLS private key", }, cli.StringFlag{ @@ -92,9 +92,26 @@ func reseedAction(c *cli.Context) { return } - signerKey := c.String("key") - if signerKey == "" { - signerKey = signerFile(signerId) + ".pem" + var tlsCert, tlsKey string + tlsHost := c.String("tlsHost") + if tlsHost != "" { + tlsKey = c.String("tlsKey") + // if no key is specified, default to the host.pem in the current dir + if tlsKey == "" { + tlsKey = tlsHost + ".pem" + } + + tlsCert = c.String("tlsCert") + // if no certificate is specified, default to the host.crt in the current dir + if tlsCert == "" { + tlsCert = tlsHost + ".crt" + } + + // prompt to create tls keys if they don't exist? + err := checkOrNewTLSCert(tlsHost, &tlsCert, &tlsKey) + if nil != err { + log.Fatalln(err) + } } reloadIntvl, err := time.ParseDuration(c.String("interval")) @@ -103,18 +120,14 @@ func reseedAction(c *cli.Context) { return } - // @todo: prompt to generate a new key - tlsKey := c.String("tlsKey") - tlsCert := c.String("tlsCert") - - // use all cores - cpus := runtime.NumCPU() - runtime.GOMAXPROCS(cpus) - log.Printf("Using %d CPU cores.\n", cpus) + signerKey := c.String("key") + // if no key is specified, default to the signerId.pem in the current dir + if signerKey == "" { + signerKey = signerFile(signerId) + ".pem" + } // load our signing privKey - // @todo: prompt to generate a new signing key if this one doesn't exist - privKey, err := loadPrivateKey(signerKey) + privKey, err := getOrNewSigningCert(&signerKey, signerId) if nil != err { log.Fatalln(err) } @@ -136,9 +149,7 @@ func reseedAction(c *cli.Context) { server.Reseeder = reseeder server.Addr = net.JoinHostPort(c.String("ip"), c.String("port")) - _, certErr := os.Stat(tlsCert) - _, keyErr := os.Stat(tlsKey) - if certErr == nil && keyErr == nil { + if tlsHost != "" && tlsCert != "" && tlsKey != "" { log.Printf("HTTPS server started on %s\n", server.Addr) log.Fatalln(server.ListenAndServeTLS(tlsCert, tlsKey)) } else { diff --git a/cmd/utils.go b/cmd/utils.go index 51e34f9..7234322 100644 --- a/cmd/utils.go +++ b/cmd/utils.go @@ -1,11 +1,18 @@ package cmd import ( + "bufio" + "crypto/rand" "crypto/rsa" "crypto/x509" "encoding/pem" + "fmt" "io/ioutil" + "os" "strings" + + "github.com/MDrollette/go-i2p/reseed" + "github.com/MDrollette/go-i2p/su3" ) func loadPrivateKey(path string) (*rsa.PrivateKey, error) { @@ -26,3 +33,116 @@ func loadPrivateKey(path string) (*rsa.PrivateKey, error) { func signerFile(signerId string) string { return strings.Replace(signerId, "@", "_at_", 1) } + +func getOrNewSigningCert(signerKey *string, signerId string) (*rsa.PrivateKey, error) { + if _, err := os.Stat(*signerKey); nil != err { + fmt.Printf("Unable to read signing key '%s'\n", *signerKey) + fmt.Printf("Would you like to generate a new signing key for %s? (y or n): ", signerId) + reader := bufio.NewReader(os.Stdin) + input, _ := reader.ReadString('\n') + if []byte(input)[0] != 'y' { + return nil, fmt.Errorf("A signing key is required") + } else { + if err := createSigningCertificate(signerId); nil != err { + return nil, err + } + + *signerKey = signerFile(signerId) + ".pem" + } + } + + return loadPrivateKey(*signerKey) +} + +func checkOrNewTLSCert(tlsHost string, tlsCert, tlsKey *string) error { + _, certErr := os.Stat(*tlsCert) + _, keyErr := os.Stat(*tlsKey) + if certErr != nil || keyErr != nil { + if certErr != nil { + fmt.Printf("Unable to read TLS certificate '%s'\n", *tlsCert) + } + if keyErr != nil { + fmt.Printf("Unable to read TLS key '%s'\n", *tlsKey) + } + + fmt.Printf("Would you like to generate a new self-signed certificate for '%s'? (y or n): ", tlsHost) + reader := bufio.NewReader(os.Stdin) + input, _ := reader.ReadString('\n') + if []byte(input)[0] != 'y' { + fmt.Println("Continuing without TLS") + return nil + } else { + if err := createTLSCertificate(tlsHost); nil != err { + return err + } + + *tlsCert = tlsHost + ".crt" + *tlsKey = tlsHost + ".pem" + } + } + + return nil +} + +func createSigningCertificate(signerId string) error { + // generate private key + fmt.Println("Generating signing keys. This may take a minute...") + signerKey, err := rsa.GenerateKey(rand.Reader, 4096) + if err != nil { + return err + } + + signerCert, err := su3.NewSigningCertificate(signerId, signerKey) + + // save cert + certFile := signerFile(signerId) + ".crt" + certOut, err := os.Create(certFile) + if err != nil { + return fmt.Errorf("failed to open %s for writing: %s\n", certFile, err) + } + pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: signerCert}) + certOut.Close() + fmt.Println("signing certificate saved to:", certFile) + + // save signing private key + privFile := signerFile(signerId) + ".pem" + keyOut, err := os.OpenFile(privFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600) + if err != nil { + return fmt.Errorf("failed to open %s for writing: %s\n", privFile, err) + } + pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(signerKey)}) + keyOut.Close() + fmt.Println("signing private key saved to:", privFile) + + return nil +} + +func createTLSCertificate(host string) error { + fmt.Println("Generating TLS keys. This may take a minute...") + priv, err := rsa.GenerateKey(rand.Reader, 4096) + if err != nil { + return fmt.Errorf("failed to generate TLS private key:", err) + } + + tlsCert, err := reseed.NewTLSCertificate(host, priv) + + // save the TLS certificate + certOut, err := os.Create(host + ".crt") + if err != nil { + return fmt.Errorf("failed to open %s for writing: %s", host+".crt", err) + } + pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: tlsCert}) + certOut.Close() + fmt.Printf("TLS certificate saved to: %s\n", host+".crt") + + // save the TLS private key + keyOut, err := os.OpenFile(host+".pem", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600) + if err != nil { + return fmt.Errorf("failed to open %s for writing: %s", host+".pem", err) + } + pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)}) + keyOut.Close() + fmt.Printf("TLS private key saved to: %s\n", host+".pem") + + return nil +} diff --git a/main.go b/main.go index 9c65a52..ffd7243 100644 --- a/main.go +++ b/main.go @@ -2,12 +2,16 @@ package main import ( "os" + "runtime" "github.com/MDrollette/go-i2p/cmd" "github.com/codegangsta/cli" ) func main() { + // use at most half the cpu cores + runtime.GOMAXPROCS(runtime.NumCPU() / 2) + app := cli.NewApp() app.Name = "go-i2p" app.Version = "0.1.0"