- Timestamp:
- Oct 8, 2021, 7:47:25 AM (4 years ago)
- Location:
- trunk
- Files:
-
- 1 added
- 1 edited
-
certfp.go (added)
-
service.go (modified) (7 diffs)
Legend:
- Unmodified
- Added
- Removed
-
trunk/service.go
r607 r614 2 2 3 3 import ( 4 "crypto"5 "crypto/ecdsa"6 "crypto/ed25519"7 "crypto/elliptic"8 "crypto/rand"9 "crypto/rsa"10 4 "crypto/sha1" 11 5 "crypto/sha256" 12 6 "crypto/sha512" 13 "crypto/x509"14 "crypto/x509/pkix"15 7 "encoding/hex" 16 8 "errors" … … 18 10 "fmt" 19 11 "io/ioutil" 20 "math/big"21 12 "sort" 22 13 "strconv" … … 239 230 usage: "[-key-type rsa|ecdsa|ed25519] [-bits N] <network name>", 240 231 desc: "generate a new self-signed certificate, defaults to using RSA-3072 key", 241 handle: handleServiceCert fpGenerate,232 handle: handleServiceCertFPGenerate, 242 233 }, 243 234 "fingerprint": { 244 235 usage: "<network name>", 245 236 desc: "show fingerprints of certificate associated with the network", 246 handle: handleServiceCert fpFingerprints,237 handle: handleServiceCertFPFingerprints, 247 238 }, 248 239 }, … … 622 613 } 623 614 624 func handleServiceCertfpGenerate(dc *downstreamConn, params []string) error { 615 func sendCertfpFingerprints(dc *downstreamConn, cert []byte) { 616 sha1Sum := sha1.Sum(cert) 617 sendServicePRIVMSG(dc, "SHA-1 fingerprint: "+hex.EncodeToString(sha1Sum[:])) 618 sha256Sum := sha256.Sum256(cert) 619 sendServicePRIVMSG(dc, "SHA-256 fingerprint: "+hex.EncodeToString(sha256Sum[:])) 620 sha512Sum := sha512.Sum512(cert) 621 sendServicePRIVMSG(dc, "SHA-512 fingerprint: "+hex.EncodeToString(sha512Sum[:])) 622 } 623 624 func handleServiceCertFPGenerate(dc *downstreamConn, params []string) error { 625 625 fs := newFlagSet() 626 626 keyType := fs.String("key-type", "rsa", "key type to generate (rsa, ecdsa, ed25519)") … … 640 640 } 641 641 642 var ( 643 privKey crypto.PrivateKey 644 pubKey crypto.PublicKey 645 ) 646 switch *keyType { 647 case "rsa": 648 if *bits <= 0 || *bits > maxRSABits { 649 return fmt.Errorf("invalid value for -bits") 650 } 651 key, err := rsa.GenerateKey(rand.Reader, *bits) 652 if err != nil { 653 return err 654 } 655 privKey = key 656 pubKey = key.Public() 657 case "ecdsa": 658 key, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader) 659 if err != nil { 660 return err 661 } 662 privKey = key 663 pubKey = key.Public() 664 case "ed25519": 665 var err error 666 pubKey, privKey, err = ed25519.GenerateKey(rand.Reader) 667 if err != nil { 668 return err 669 } 670 } 671 672 // Using PKCS#8 allows easier extension for new key types. 673 privKeyBytes, err := x509.MarshalPKCS8PrivateKey(privKey) 642 if *bits <= 0 || *bits > maxRSABits { 643 return fmt.Errorf("invalid value for -bits") 644 } 645 646 privKey, cert, err := generateCertFP(*keyType, *bits) 674 647 if err != nil { 675 648 return err 676 649 } 677 650 678 notBefore := time.Now() 679 // Lets make a fair assumption nobody will use the same cert for more than 20 years... 680 notAfter := notBefore.Add(24 * time.Hour * 365 * 20) 681 serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) 682 serialNumber, err := rand.Int(rand.Reader, serialNumberLimit) 683 if err != nil { 684 return err 685 } 686 cert := &x509.Certificate{ 687 SerialNumber: serialNumber, 688 Subject: pkix.Name{CommonName: "soju auto-generated certificate"}, 689 NotBefore: notBefore, 690 NotAfter: notAfter, 691 KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, 692 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, 693 } 694 derBytes, err := x509.CreateCertificate(rand.Reader, cert, cert, pubKey, privKey) 695 if err != nil { 696 return err 697 } 698 699 net.SASL.External.CertBlob = derBytes 700 net.SASL.External.PrivKeyBlob = privKeyBytes 651 net.SASL.External.CertBlob = cert 652 net.SASL.External.PrivKeyBlob = privKey 701 653 net.SASL.Mechanism = "EXTERNAL" 702 654 … … 706 658 707 659 sendServicePRIVMSG(dc, "certificate generated") 708 709 sha1Sum := sha1.Sum(derBytes) 710 sendServicePRIVMSG(dc, "SHA-1 fingerprint: "+hex.EncodeToString(sha1Sum[:])) 711 sha256Sum := sha256.Sum256(derBytes) 712 sendServicePRIVMSG(dc, "SHA-256 fingerprint: "+hex.EncodeToString(sha256Sum[:])) 713 sha512Sum := sha512.Sum512(derBytes) 714 sendServicePRIVMSG(dc, "SHA-512 fingerprint: "+hex.EncodeToString(sha512Sum[:])) 715 716 return nil 717 } 718 719 func handleServiceCertfpFingerprints(dc *downstreamConn, params []string) error { 660 sendCertfpFingerprints(dc, cert) 661 return nil 662 } 663 664 func handleServiceCertFPFingerprints(dc *downstreamConn, params []string) error { 720 665 if len(params) != 1 { 721 666 return fmt.Errorf("expected exactly one argument") … … 727 672 } 728 673 729 sha1Sum := sha1.Sum(net.SASL.External.CertBlob) 730 sendServicePRIVMSG(dc, "SHA-1 fingerprint: "+hex.EncodeToString(sha1Sum[:])) 731 sha256Sum := sha256.Sum256(net.SASL.External.CertBlob) 732 sendServicePRIVMSG(dc, "SHA-256 fingerprint: "+hex.EncodeToString(sha256Sum[:])) 733 sha512Sum := sha512.Sum512(net.SASL.External.CertBlob) 734 sendServicePRIVMSG(dc, "SHA-512 fingerprint: "+hex.EncodeToString(sha512Sum[:])) 674 if net.SASL.Mechanism != "EXTERNAL" { 675 return fmt.Errorf("CertFP not set up") 676 } 677 678 sendCertfpFingerprints(dc, net.SASL.External.CertBlob) 735 679 return nil 736 680 }
Note:
See TracChangeset
for help on using the changeset viewer.
