This repository has been archived by the owner on Jan 27, 2021. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Currently the proxy generates certificates on every start for dev purposes. This commit adds an option to make this behaviour configurable. This also removes the dependency on konnectd`s crypto code and copies it instead, as this library is a first version which is not meant for usage by other services. A proper cert-generation lib should be added to ocis-pkg instead. Then this code can be refactored to use it.
- Loading branch information
Showing
7 changed files
with
178 additions
and
108 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
Enhancement: Make TLS-Cert configurable | ||
|
||
Before a generates certificates on every start was used for dev purposes. | ||
|
||
https://github.com/owncloud/ocis-proxy/pull/14 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,123 @@ | ||
package crypto | ||
|
||
import ( | ||
"crypto/ecdsa" | ||
"crypto/rand" | ||
"crypto/rsa" | ||
"crypto/x509" | ||
"crypto/x509/pkix" | ||
"encoding/pem" | ||
"math/big" | ||
"net" | ||
"os" | ||
"time" | ||
|
||
"github.com/owncloud/ocis-pkg/v2/log" | ||
) | ||
|
||
func publicKey(priv interface{}) interface{} { | ||
switch k := priv.(type) { | ||
case *rsa.PrivateKey: | ||
return &k.PublicKey | ||
case *ecdsa.PrivateKey: | ||
return &k.PublicKey | ||
default: | ||
return nil | ||
} | ||
} | ||
|
||
func pemBlockForKey(priv interface{}, l log.Logger) *pem.Block { | ||
switch k := priv.(type) { | ||
case *rsa.PrivateKey: | ||
return &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)} | ||
case *ecdsa.PrivateKey: | ||
b, err := x509.MarshalECPrivateKey(k) | ||
if err != nil { | ||
l.Fatal().Err(err).Msg("Unable to marshal ECDSA private key") | ||
} | ||
return &pem.Block{Type: "EC PRIVATE KEY", Bytes: b} | ||
default: | ||
return nil | ||
} | ||
} | ||
|
||
// GenCert generates TLS-Certificates | ||
func GenCert(l log.Logger) error { | ||
var priv interface{} | ||
var err error | ||
|
||
priv, err = rsa.GenerateKey(rand.Reader, 2048) | ||
|
||
if err != nil { | ||
l.Fatal().Err(err).Msg("Failed to generate private key") | ||
} | ||
|
||
notBefore := time.Now() | ||
notAfter := notBefore.Add(24 * time.Hour * 365) | ||
|
||
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) | ||
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit) | ||
if err != nil { | ||
l.Fatal().Err(err).Msg("Failed to generate serial number") | ||
} | ||
|
||
template := x509.Certificate{ | ||
SerialNumber: serialNumber, | ||
Subject: pkix.Name{ | ||
Organization: []string{"Acme Corp"}, | ||
CommonName: "OCIS", | ||
}, | ||
NotBefore: notBefore, | ||
NotAfter: notAfter, | ||
|
||
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, | ||
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, | ||
BasicConstraintsValid: true, | ||
} | ||
|
||
hosts := []string{"127.0.0.1", "localhost"} | ||
for _, h := range hosts { | ||
if ip := net.ParseIP(h); ip != nil { | ||
template.IPAddresses = append(template.IPAddresses, ip) | ||
} else { | ||
template.DNSNames = append(template.DNSNames, h) | ||
} | ||
} | ||
|
||
//template.IsCA = true | ||
//template.KeyUsage |= x509.KeyUsageCertSign | ||
|
||
derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, publicKey(priv), priv) | ||
if err != nil { | ||
l.Fatal().Err(err).Msg("Failed to create certificate") | ||
} | ||
|
||
certOut, err := os.Create("server.crt") | ||
if err != nil { | ||
l.Fatal().Err(err).Msg("Failed to open server.crt for writing") | ||
} | ||
err = pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}) | ||
if err != nil { | ||
l.Fatal().Err(err).Msg("Failed to encode certificate") | ||
} | ||
err = certOut.Close() | ||
if err != nil { | ||
l.Fatal().Err(err).Msg("Failed to write cert") | ||
} | ||
l.Info().Msg("Written server.crt") | ||
|
||
keyOut, err := os.OpenFile("server.key", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600) | ||
if err != nil { | ||
l.Fatal().Err(err).Msg("Failed to open server.key for writing") | ||
} | ||
err = pem.Encode(keyOut, pemBlockForKey(priv, l)) | ||
if err != nil { | ||
l.Fatal().Err(err).Msg("Failed to encode key") | ||
} | ||
err = keyOut.Close() | ||
if err != nil { | ||
l.Fatal().Err(err).Msg("Failed to write key") | ||
} | ||
l.Info().Msg("Written server.key") | ||
return nil | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters