From f3dfe04a51797515a39c14066e452ecd3832b0d6 Mon Sep 17 00:00:00 2001
From: sp0156
Date: Sun, 21 Feb 2016 11:03:35 +0100
Subject: [PATCH] crl creation added

---
 README.md | 2 ++
 cmd/utils.go | 77 +++++++++++++++++++++++++++++++++++++++++++++++++---
 2 files changed, 75 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index bb333a2..62db3b6 100644
--- a/README.md
+++ b/README.md
@@ -29,3 +29,5 @@ GOPATH=$HOME/go; cd $GOPATH; bin/i2p-tools reseed --signer=you@mail.i2p --netdb=
 If this is your first time running a reseed server (ie. you don't have any existing keys), you can simply run the command and follow the prompts to create the appropriate keys and certificates. Afterwards an HTTPS reseed server will start on the default port and generate 4 files in your current directory (a TLS key and certificate, and a signing key and certificate).
+
+Get a the source code and a pre-build binary anonymously on http://reseed.i2p/ - also short guide and complete tech info.
\ No newline at end of file
diff --git a/cmd/utils.go b/cmd/utils.go
index 000409c..7ce4307 100644
--- a/cmd/utils.go
+++ b/cmd/utils.go
@@ -13,6 +13,8 @@ import (
 "io/ioutil"
 "os"
 "strings"
+ "time"
+ "crypto/x509/pkix"
 "github.com/martin61/i2p-tools/reseed"
 "github.com/martin61/i2p-tools/su3"
@@ -108,7 +110,7 @@ func createSigningCertificate(signerId string) error {
 }
 pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: signerCert})
 certOut.Close()
- fmt.Println("signing certificate saved to:", certFile)
+ fmt.Println("\tSigning certificate saved to:", certFile)
 // save signing private key
 privFile := signerFile(signerId) + ".pem"
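Review bot: The two added imports in the `@@ -13,6 +13,8 @@` hunk are appended after `"strings"` instead of being sorted into the group, so `"crypto/x509/pkix"` ends up below `"time"`. gofmt sorts a contiguous import group alphabetically and would move `"crypto/x509/pkix"` to the top of the standard-library block; running gofmt on the file resolves it.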
@@ -117,8 +119,42 @@ func createSigningCertificate(signerId string) error {
 return fmt.Errorf("failed to open %s for writing: %s\n", privFile, err)
 }
 pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(signerKey)})
+ pem.Encode(keyOut, &pem.Block{Type: "CERTIFICATE", Bytes: signerCert})
 keyOut.Close()
- fmt.Println("signing private key saved to:", privFile)
+ fmt.Println("\tSigning private key saved to:", privFile)
+
+
+ // CRL
+ crlFile := signerFile(signerId) + ".crl"
+ crlOut, err := os.OpenFile(crlFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+ if err != nil {
+ return fmt.Errorf("failed to open %s for writing: %s", crlFile, err)
+ }
+ crlcert, err := x509.ParseCertificate(signerCert)
+ if err != nil {
+ return fmt.Errorf("Certificate with unknown critical extension was not parsed: %s", err)
+ }
+
+ now := time.Now()
+ revokedCerts := []pkix.RevokedCertificate{
+ {
+ SerialNumber: crlcert.SerialNumber,
+ RevocationTime: now,
+ },
+ }
+
+ crlBytes, err := crlcert.CreateCRL(rand.Reader, signerKey, revokedCerts, now, now)
+ if err != nil {
+ return fmt.Errorf("error creating CRL: %s", err)
+ }
+ _, err = x509.ParseDERCRL(crlBytes)
+ if err != nil {
+ return fmt.Errorf("error reparsing CRL: %s", err)
+ }
+ pem.Encode(crlOut, &pem.Block{Type: "X509 CRL", Bytes: crlBytes})
+ crlOut.Close()
+ fmt.Printf("\tSigning CRL saved to: %s\n", crlFile)
+
 return nil
 }
@@ -143,7 +179,7 @@ func createTLSCertificate(host string) error {
 }
 pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: tlsCert})
 certOut.Close()
- fmt.Printf("TLS certificate saved to: %s\n", host+".crt")
+ fmt.Printf("\tTLS certificate saved to: %s\n", host+".crt")
 // save the TLS private key
 privFile := host + ".pem"
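Review bot: The CRL written here is already stale when it is saved, because `crlcert.CreateCRL(rand.Reader, signerKey, revokedCerts, now, now)` sets nextUpdate equal to thisUpdate, so a relying party that enforces nextUpdate will reject it; the last argument needs a real validity window, e.g. `now.Add(365*24*time.Hour)`, chosen to match how often the CRL will be republished. The single entry in revokedCerts carries `crlcert.SerialNumber`, the serial of the signing certificate that was saved a few lines above, and the CRL is signed with the same `signerKey`, so this CRL declares that very certificate revoked; if it is meant as a pre-signed revocation to publish only after a compromise, a comment should say so and the file should not sit next to the live key, otherwise the list should be empty. crlOut is opened before `x509.ParseCertificate` and is never closed on the two error returns that follow, leaving the descriptor open and an empty `.crl` on disk; either open the file after `ParseDERCRL` succeeds or put `defer crlOut.Close()` right after the open. The same three points apply to the TLS CRL in the `@@ -159,7 +195,40 @@` hunk.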
@@ -159,7 +195,40 @@ func createTLSCertificate(host string) error {
 pem.Encode(keyOut, &pem.Block{Type: "CERTIFICATE", Bytes: tlsCert})
 keyOut.Close()
- fmt.Printf("TLS private key saved to: %s\n", privFile)
+ fmt.Printf("\tTLS private key saved to: %s\n", privFile)
+
+
+ // CRL
+ crlFile := host + ".crl"
+ crlOut, err := os.OpenFile(crlFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+ if err != nil {
+ return fmt.Errorf("failed to open %s for writing: %s", crlFile, err)
+ }
+ crlcert, err := x509.ParseCertificate(tlsCert)
+ if err != nil {
+ return fmt.Errorf("Certificate with unknown critical extension was not parsed: %s", err)
+ }
+
+ now := time.Now()
+ revokedCerts := []pkix.RevokedCertificate{
+ {
+ SerialNumber: crlcert.SerialNumber,
+ RevocationTime: now,
+ },
+ }
+
+ crlBytes, err := crlcert.CreateCRL(rand.Reader, priv, revokedCerts, now, now)
+ if err != nil {
+ return fmt.Errorf("error creating CRL: %s", err)
+ }
+ _, err = x509.ParseDERCRL(crlBytes)
+ if err != nil {
+ return fmt.Errorf("error reparsing CRL: %s", err)
+ }
+ pem.Encode(crlOut, &pem.Block{Type: "X509 CRL", Bytes: crlBytes})
+ crlOut.Close()
+ fmt.Printf("\tTLS CRL saved to: %s\n", crlFile)
+
 return nil
 }
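Review bot: The CRL block added here repeats the one in the `@@ -117,8 +119,42 @@` hunk line for line, differing only in the file name, the certificate bytes and the signing key, so both copies would be easier to keep correct as one helper that parses, signs, re-parses and only then writes, taking the key as `crypto.Signer` (which an `*rsa.PrivateKey` satisfies; confirm the type of `priv`, which is declared outside this hunk) and the validity window as parameters, with `"crypto"` added to the imports. Ordering the helper that way also means the `.crl` file is opened only once the CRL bytes exist and a `defer` closes it on every path. The error string `Certificate with unknown critical extension was not parsed` names one of many reasons `x509.ParseCertificate` can fail; `failed to parse certificate for CRL: %s` describes what this step was doing. createTLSCertificate begins outside the hunk.
```go
// writeCRL parses certDER, signs a CRL for it with key covering
// [thisUpdate, nextUpdate], re-parses the result as a sanity check and
// writes it PEM-encoded to path. The file is created only after the CRL
// bytes exist, so a failure leaves no empty .crl behind.
func writeCRL(path string, certDER []byte, key crypto.Signer, revoked []pkix.RevokedCertificate, thisUpdate, nextUpdate time.Time) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return fmt.Errorf("failed to parse certificate for CRL: %s", err)
	}
	crlBytes, err := cert.CreateCRL(rand.Reader, key, revoked, thisUpdate, nextUpdate)
	if err != nil {
		return fmt.Errorf("error creating CRL: %s", err)
	}
	if _, err := x509.ParseDERCRL(crlBytes); err != nil {
		return fmt.Errorf("error reparsing CRL: %s", err)
	}
	out, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
	if err != nil {
		return fmt.Errorf("failed to open %s for writing: %s", path, err)
	}
	defer out.Close()
	return pem.Encode(out, &pem.Block{Type: "X509 CRL", Bytes: crlBytes})
}

	// … unchanged: key file written, revokedCerts built from the parsed certificate …
	// CRL
	nextUpdate := now.Add(365 * 24 * time.Hour) // TODO(review): pick the republication interval
	if err := writeCRL(host+".crl", tlsCert, priv, revokedCerts, now, nextUpdate); err != nil {
		return err
	}
	fmt.Printf("\tTLS CRL saved to: %s\n", host+".crl")
```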