1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
|
package main
import (
"bytes"
"encoding/json"
"flag"
"fmt"
"io/ioutil"
"log"
"net"
"net/http"
"os"
"time"
"github.com/nsheridan/cashier/lib"
"github.com/pkg/browser"
"golang.org/x/crypto/ssh"
"golang.org/x/crypto/ssh/agent"
)
var (
ca = flag.String("ca", "http://localhost:10000", "CA server")
keybits = flag.Int("bits", 4096, "Key size. Ignored for ed25519 keys")
validity = flag.Duration("validity", time.Hour*24, "Key validity")
keytype = flag.String("key_type", "rsa", "Type of private key to generate - rsa, ecdsa or ed25519")
)
func installCert(a agent.Agent, cert *ssh.Certificate, key key) error {
pubcert := agent.AddedKey{
PrivateKey: key,
Certificate: cert,
Comment: cert.KeyId,
}
if err := a.Add(pubcert); err != nil {
return fmt.Errorf("error importing certificate: %s", err)
}
return nil
}
func send(s []byte, token string) (*lib.SignResponse, error) {
req, err := http.NewRequest("POST", *ca+"/sign", bytes.NewReader(s))
if err != nil {
return nil, err
}
req.Header.Set("Content-Type", "application/json")
req.Header.Add("Accept", "application/json")
req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
return nil, err
}
if resp.StatusCode != http.StatusOK {
return nil, fmt.Errorf("Bad response from server: %s", resp.Status)
}
defer resp.Body.Close()
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
return nil, err
}
c := &lib.SignResponse{}
if err := json.Unmarshal(body, c); err != nil {
return nil, err
}
return c, nil
}
func sign(pub ssh.PublicKey, token string) (*ssh.Certificate, error) {
marshaled := ssh.MarshalAuthorizedKey(pub)
marshaled = marshaled[:len(marshaled)-1]
s, err := json.Marshal(&lib.SignRequest{
Key: string(marshaled),
ValidUntil: time.Now().Add(*validity),
})
if err != nil {
return nil, err
}
resp, err := send(s, token)
if err != nil {
return nil, err
}
if resp.Status != "ok" {
return nil, fmt.Errorf("error: %s", resp.Response)
}
k, _, _, _, err := ssh.ParseAuthorizedKey([]byte(resp.Response))
if err != nil {
return nil, err
}
cert, ok := k.(*ssh.Certificate)
if !ok {
return nil, fmt.Errorf("did not receive a certificate from server")
}
return cert, nil
}
func main() {
flag.Parse()
fmt.Printf("Your browser has been opened to visit %s\n", *ca)
if err := browser.OpenURL(*ca); err != nil {
fmt.Println("Error launching web browser. Go to the link in your web browser")
}
priv, pub, err := generateKey(*keytype, *keybits)
if err != nil {
log.Fatalln("Error generating key pair: ", err)
}
fmt.Print("Enter token: ")
var token string
fmt.Scanln(&token)
cert, err := sign(pub, token)
if err != nil {
log.Fatalln(err)
}
sock, err := net.Dial("unix", os.Getenv("SSH_AUTH_SOCK"))
if err != nil {
log.Fatalln("Error connecting to agent: %s", err)
}
defer sock.Close()
a := agent.NewClient(sock)
if err := installCert(a, cert, priv); err != nil {
log.Fatalln(err)
}
fmt.Println("Certificate added.")
}
|
