aboutsummaryrefslogtreecommitdiff
path: root/cmd/cashier/client
diff options
context:
space:
mode:
authorNiall Sheridan <nsheridan@gmail.com>2016-09-03 19:14:13 +0100
committerNiall Sheridan <nsheridan@gmail.com>2016-09-03 19:14:13 +0100
commit0af43a29b7cabb6710cd1cb335785ff60dbf758f (patch)
tree28733eca29ef955254ba449504534fb3e6da0986 /cmd/cashier/client
parentdba3de4451f29fc0b8cb6474b9bbb18ed61d9eac (diff)
Move signing & agent logic out of the main package
Diffstat (limited to 'cmd/cashier/client')
-rw-r--r--cmd/cashier/client/client.go111
-rw-r--r--cmd/cashier/client/client_test.go117
-rw-r--r--cmd/cashier/client/config.go36
-rw-r--r--cmd/cashier/client/keys.go82
-rw-r--r--cmd/cashier/client/keys_test.go28
5 files changed, 374 insertions, 0 deletions
diff --git a/cmd/cashier/client/client.go b/cmd/cashier/client/client.go
new file mode 100644
index 0000000..d8def27
--- /dev/null
+++ b/cmd/cashier/client/client.go
@@ -0,0 +1,111 @@
+package client
+
+import (
+ "bytes"
+ "crypto/tls"
+ "encoding/json"
+ "fmt"
+ "io/ioutil"
+ "net/http"
+ "net/url"
+ "path"
+ "time"
+
+ "github.com/nsheridan/cashier/lib"
+ "golang.org/x/crypto/ssh"
+ "golang.org/x/crypto/ssh/agent"
+)
+
+// InstallCert adds the private key and signed certificate to the ssh agent.
+func InstallCert(a agent.Agent, cert *ssh.Certificate, key Key) error {
+ t := time.Unix(int64(cert.ValidBefore), 0)
+ lifetime := t.Sub(time.Now()).Seconds()
+ comment := fmt.Sprintf("%s [Expires %s]", cert.KeyId, t)
+ pubcert := agent.AddedKey{
+ PrivateKey: key,
+ Certificate: cert,
+ Comment: comment,
+ LifetimeSecs: uint32(lifetime),
+ }
+ if err := a.Add(pubcert); err != nil {
+ return fmt.Errorf("error importing certificate: %s", err)
+ }
+ privkey := agent.AddedKey{
+ PrivateKey: key,
+ Comment: comment,
+ LifetimeSecs: uint32(lifetime),
+ }
+ if err := a.Add(privkey); err != nil {
+ return fmt.Errorf("error importing key: %s", err)
+ }
+ return nil
+}
+
+// send the signing request to the CA.
+func send(s []byte, token, ca string, ValidateTLSCertificate bool) (*lib.SignResponse, error) {
+ transport := &http.Transport{
+ TLSClientConfig: &tls.Config{InsecureSkipVerify: !ValidateTLSCertificate},
+ }
+ client := &http.Client{Transport: transport}
+ u, err := url.Parse(ca)
+ if err != nil {
+ return nil, err
+ }
+ u.Path = path.Join(u.Path, "/sign")
+ req, err := http.NewRequest("POST", u.String(), bytes.NewReader(s))
+ if err != nil {
+ return nil, err
+ }
+ req.Header.Set("Content-Type", "application/json")
+ req.Header.Add("Accept", "application/json")
+ req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
+ resp, err := client.Do(req)
+ if err != nil {
+ return nil, err
+ }
+ if resp.StatusCode != http.StatusOK {
+ return nil, fmt.Errorf("Bad response from server: %s", resp.Status)
+ }
+ defer resp.Body.Close()
+ body, err := ioutil.ReadAll(resp.Body)
+ if err != nil {
+ return nil, err
+ }
+ c := &lib.SignResponse{}
+ if err := json.Unmarshal(body, c); err != nil {
+ return nil, err
+ }
+ return c, nil
+}
+
+func Sign(pub ssh.PublicKey, token string, conf *Config) (*ssh.Certificate, error) {
+ validity, err := time.ParseDuration(conf.Validity)
+ if err != nil {
+ return nil, err
+ }
+ marshaled := ssh.MarshalAuthorizedKey(pub)
+ marshaled = marshaled[:len(marshaled)-1]
+ s, err := json.Marshal(&lib.SignRequest{
+ Key: string(marshaled),
+ ValidUntil: time.Now().Add(validity),
+ })
+ if err != nil {
+ return nil, err
+ }
+ resp, err := send(s, token, conf.CA, conf.ValidateTLSCertificate)
+ if err != nil {
+ return nil, err
+ }
+ if resp.Status != "ok" {
+ return nil, fmt.Errorf("error: %s", resp.Response)
+ }
+ k, _, _, _, err := ssh.ParseAuthorizedKey([]byte(resp.Response))
+ if err != nil {
+ return nil, err
+ }
+ cert, ok := k.(*ssh.Certificate)
+ if !ok {
+ return nil, fmt.Errorf("did not receive a certificate from server")
+ }
+ return cert, nil
+}
diff --git a/cmd/cashier/client/client_test.go b/cmd/cashier/client/client_test.go
new file mode 100644
index 0000000..b7df3fd
--- /dev/null
+++ b/cmd/cashier/client/client_test.go
@@ -0,0 +1,117 @@
+package client
+
+import (
+ "bytes"
+ "crypto/rand"
+ "crypto/rsa"
+ "encoding/json"
+ "fmt"
+ "net/http"
+ "net/http/httptest"
+ "testing"
+ "time"
+
+ "github.com/nsheridan/cashier/lib"
+ "github.com/nsheridan/cashier/testdata"
+
+ "golang.org/x/crypto/ssh"
+ "golang.org/x/crypto/ssh/agent"
+)
+
+func TestLoadCert(t *testing.T) {
+ t.Parallel()
+ priv, _ := ssh.ParseRawPrivateKey(testdata.Priv)
+ key := priv.(*rsa.PrivateKey)
+ pub, _ := ssh.NewPublicKey(&key.PublicKey)
+ c := &ssh.Certificate{
+ KeyId: "test_key_12345",
+ Key: pub,
+ CertType: ssh.UserCert,
+ ValidBefore: ssh.CertTimeInfinity,
+ ValidAfter: 0,
+ }
+ signer, err := ssh.NewSignerFromKey(key)
+ if err != nil {
+ t.Error(err)
+ }
+ c.SignCert(rand.Reader, signer)
+ a := agent.NewKeyring()
+ if err := InstallCert(a, c, key); err != nil {
+ t.Error(err)
+ }
+ listedKeys, err := a.List()
+ if err != nil {
+ t.Errorf("Error reading from agent: %v", err)
+ }
+ if len(listedKeys) != 2 {
+ t.Errorf("Expected 2 keys, got %d", len(listedKeys))
+ }
+ if !bytes.Equal(listedKeys[0].Marshal(), c.Marshal()) {
+ t.Error("Certs not equal")
+ }
+ for _, k := range listedKeys {
+ exp := time.Unix(int64(c.ValidBefore), 0).String()
+ want := fmt.Sprintf("%s [Expires %s]", c.KeyId, exp)
+ if k.Comment != want {
+ t.Errorf("key comment:\nwanted:%s\ngot: %s", want, k.Comment)
+ }
+ }
+}
+
+func TestSignGood(t *testing.T) {
+ t.Parallel()
+ res := &lib.SignResponse{
+ Status: "ok",
+ Response: string(testdata.Cert),
+ }
+ j, _ := json.Marshal(res)
+ ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ fmt.Fprintln(w, string(j))
+ }))
+ defer ts.Close()
+ _, err := send([]byte(`{}`), "token", ts.URL, true)
+ if err != nil {
+ t.Error(err)
+ }
+ k, _, _, _, err := ssh.ParseAuthorizedKey(testdata.Pub)
+ if err != nil {
+ t.Error(err)
+ }
+ c := &Config{
+ CA: ts.URL,
+ Validity: "24h",
+ }
+ cert, err := Sign(k, "token", c)
+ if cert == nil && err != nil {
+ t.Error(err)
+ }
+}
+
+func TestSignBad(t *testing.T) {
+ t.Parallel()
+ res := &lib.SignResponse{
+ Status: "error",
+ Response: `{"response": "error"}`,
+ }
+ j, _ := json.Marshal(res)
+ ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ fmt.Fprintln(w, string(j))
+ }))
+ defer ts.Close()
+ _, err := send([]byte(`{}`), "token", ts.URL, true)
+ if err != nil {
+ t.Error(err)
+ }
+ k, _, _, _, err := ssh.ParseAuthorizedKey(testdata.Pub)
+ if err != nil {
+ t.Error(err)
+ }
+ c := &Config{
+ CA: ts.URL,
+ Validity: "24h",
+ }
+ cert, err := Sign(k, "token", c)
+ if cert != nil && err == nil {
+ t.Error(err)
+ }
+}
diff --git a/cmd/cashier/client/config.go b/cmd/cashier/client/config.go
new file mode 100644
index 0000000..d4defef
--- /dev/null
+++ b/cmd/cashier/client/config.go
@@ -0,0 +1,36 @@
+package client
+
+import (
+ "github.com/spf13/pflag"
+ "github.com/spf13/viper"
+)
+
+type Config struct {
+ CA string `mapstructure:"ca"`
+ Keytype string `mapstructure:"key_type"`
+ Keysize int `mapstructure:"key_size"`
+ Validity string `mapstructure:"validity"`
+ ValidateTLSCertificate bool `mapstructure:"validate_tls_certificate"`
+}
+
+func setDefaults() {
+ viper.BindPFlag("ca", pflag.Lookup("ca"))
+ viper.BindPFlag("key_type", pflag.Lookup("key_type"))
+ viper.BindPFlag("key_size", pflag.Lookup("key_size"))
+ viper.BindPFlag("validity", pflag.Lookup("validity"))
+ viper.SetDefault("validateTLSCertificate", true)
+}
+
+func ReadConfig(path string) (*Config, error) {
+ setDefaults()
+ viper.SetConfigFile(path)
+ viper.SetConfigType("hcl")
+ if err := viper.ReadInConfig(); err != nil {
+ return nil, err
+ }
+ c := &Config{}
+ if err := viper.Unmarshal(c); err != nil {
+ return nil, err
+ }
+ return c, nil
+}
diff --git a/cmd/cashier/client/keys.go b/cmd/cashier/client/keys.go
new file mode 100644
index 0000000..877ff42
--- /dev/null
+++ b/cmd/cashier/client/keys.go
@@ -0,0 +1,82 @@
+package client
+
+import (
+ "crypto/ecdsa"
+ "crypto/elliptic"
+ "crypto/rand"
+ "crypto/rsa"
+ "fmt"
+
+ "golang.org/x/crypto/ed25519"
+ "golang.org/x/crypto/ssh"
+)
+
+type Key interface{}
+type keyfunc func(int) (Key, ssh.PublicKey, error)
+
+var (
+ keytypes = map[string]keyfunc{
+ "rsa": generateRSAKey,
+ "ecdsa": generateECDSAKey,
+ "ed25519": generateED25519Key,
+ }
+)
+
+func generateED25519Key(bits int) (Key, ssh.PublicKey, error) {
+ p, k, err := ed25519.GenerateKey(rand.Reader)
+ if err != nil {
+ return nil, nil, err
+ }
+ pub, err := ssh.NewPublicKey(p)
+ if err != nil {
+ return nil, nil, err
+ }
+ return &k, pub, nil
+}
+
+func generateRSAKey(bits int) (Key, ssh.PublicKey, error) {
+ k, err := rsa.GenerateKey(rand.Reader, bits)
+ if err != nil {
+ return nil, nil, err
+ }
+ pub, err := ssh.NewPublicKey(&k.PublicKey)
+ if err != nil {
+ return nil, nil, err
+ }
+ return k, pub, nil
+}
+
+func generateECDSAKey(bits int) (Key, ssh.PublicKey, error) {
+ var curve elliptic.Curve
+ switch bits {
+ case 256:
+ curve = elliptic.P256()
+ case 384:
+ curve = elliptic.P384()
+ case 521:
+ curve = elliptic.P521()
+ default:
+ return nil, nil, fmt.Errorf("Unsupported key size. Valid sizes are '256', '384', '521'")
+ }
+ k, err := ecdsa.GenerateKey(curve, rand.Reader)
+ if err != nil {
+ return nil, nil, err
+ }
+ pub, err := ssh.NewPublicKey(&k.PublicKey)
+ if err != nil {
+ return nil, nil, err
+ }
+ return k, pub, nil
+}
+
+func GenerateKey(keytype string, bits int) (Key, ssh.PublicKey, error) {
+ f, ok := keytypes[keytype]
+ if !ok {
+ var valid []string
+ for k := range keytypes {
+ valid = append(valid, k)
+ }
+ return nil, nil, fmt.Errorf("Unsupported key type %s. Valid choices are %s", keytype, valid)
+ }
+ return f(bits)
+}
diff --git a/cmd/cashier/client/keys_test.go b/cmd/cashier/client/keys_test.go
new file mode 100644
index 0000000..9e930d5
--- /dev/null
+++ b/cmd/cashier/client/keys_test.go
@@ -0,0 +1,28 @@
+package client
+
+import (
+ "reflect"
+ "testing"
+)
+
+func TestGenerateKeys(t *testing.T) {
+ var tests = []struct {
+ key string
+ size int
+ want string
+ }{
+ {"ecdsa", 256, "*ecdsa.PrivateKey"},
+ {"rsa", 1024, "*rsa.PrivateKey"},
+ {"ed25519", 256, "*ed25519.PrivateKey"},
+ }
+
+ for _, tst := range tests {
+ k, _, err := GenerateKey(tst.key, tst.size)
+ if err != nil {
+ t.Error(err)
+ }
+ if reflect.TypeOf(k).String() != tst.want {
+ t.Errorf("Wrong key type returned. Got %s, wanted %s", reflect.TypeOf(k).String(), tst.want)
+ }
+ }
+}