Remove old imply
This commit is contained in:
parent
b3294a57c4
commit
29c0c63633
1 changed files with 0 additions and 361 deletions
361
cli/main_unix.go
361
cli/main_unix.go
|
@ -1,361 +0,0 @@
|
||||||
package cli
|
|
||||||
|
|
||||||
import (
|
|
||||||
"bytes"
|
|
||||||
"crypto/ecdsa"
|
|
||||||
"crypto/elliptic"
|
|
||||||
"crypto/rand"
|
|
||||||
"crypto/rsa"
|
|
||||||
"crypto/tls"
|
|
||||||
"crypto/x509"
|
|
||||||
"crypto/x509/pkix"
|
|
||||||
"encoding/base64"
|
|
||||||
"encoding/json"
|
|
||||||
"encoding/pem"
|
|
||||||
"flag"
|
|
||||||
"io/ioutil"
|
|
||||||
"log"
|
|
||||||
"math/big"
|
|
||||||
"net/http"
|
|
||||||
"os"
|
|
||||||
"strings"
|
|
||||||
"time"
|
|
||||||
|
|
||||||
"github.com/square/go-jose"
|
|
||||||
)
|
|
||||||
|
|
||||||
var (
|
|
||||||
newReg = flag.String("new-reg", "http://192.168.10.22:4000/acme/new-reg", "New Registration URL")
|
|
||||||
accountKeyFile = flag.String("certKey", "account.key", "Private key file. Created if it does not exist.")
|
|
||||||
accountTmpCrtFile = flag.String("acc-crt-file", "account-tmp.pem", "Temporary self signed certificate for challenges.")
|
|
||||||
|
|
||||||
email = flag.String("email", "", "Email address used for certificate retrieval.")
|
|
||||||
domain = flag.String("domain", "", "The domain to request a certificate for")
|
|
||||||
|
|
||||||
ecdsaCurve = flag.String("ecdsa-curve", "", "ECDSA curve to use to generate a key. Valid values are P224, P256, P384, P521")
|
|
||||||
bits = flag.Int("bits", 2048, "The size of the RSA keys in bits. Default 4096")
|
|
||||||
)
|
|
||||||
|
|
||||||
// Logger is used to log errors; if nil, the default log.Logger is used.
|
|
||||||
var Logger *log.Logger
|
|
||||||
|
|
||||||
// logger is an helper function to retrieve the available logger
|
|
||||||
func logger() *log.Logger {
|
|
||||||
if Logger == nil {
|
|
||||||
Logger = log.New(os.Stderr, "", log.LstdFlags)
|
|
||||||
}
|
|
||||||
return Logger
|
|
||||||
}
|
|
||||||
|
|
||||||
type Registration struct {
|
|
||||||
Contact []string `json:"contact"`
|
|
||||||
}
|
|
||||||
|
|
||||||
type Tos struct {
|
|
||||||
Agreement string `json:"agreement"`
|
|
||||||
}
|
|
||||||
|
|
||||||
type GetChallenges struct {
|
|
||||||
Identifier `json:"identifier"`
|
|
||||||
}
|
|
||||||
|
|
||||||
type Identifier struct {
|
|
||||||
Type string `json:"type"`
|
|
||||||
Value string `json:"value"`
|
|
||||||
}
|
|
||||||
|
|
||||||
type ChallengesResponse struct {
|
|
||||||
Identifier `json:"identifier"`
|
|
||||||
Status string `json:"status"`
|
|
||||||
Expires time.Time `json:"expires"`
|
|
||||||
Challenges []Challenge `json:"challenges"`
|
|
||||||
Combinations [][]int `json:"combinations"`
|
|
||||||
}
|
|
||||||
|
|
||||||
type Challenge struct {
|
|
||||||
Type string `json:"type"`
|
|
||||||
Status string `json:"status"`
|
|
||||||
URI string `json:"uri"`
|
|
||||||
Token string `json:"token"`
|
|
||||||
}
|
|
||||||
|
|
||||||
type SimpleHttpsMessage struct {
|
|
||||||
Path string `json:"path"`
|
|
||||||
}
|
|
||||||
|
|
||||||
type CsrMessage struct {
|
|
||||||
Csr string `json:"csr"`
|
|
||||||
Authorizations []string `json:"authorizations"`
|
|
||||||
}
|
|
||||||
|
|
||||||
func execute() {
|
|
||||||
flag.Parse()
|
|
||||||
accountKey := generateKeyPair(*accountKeyFile).(*rsa.PrivateKey)
|
|
||||||
jsonBytes, _ := json.Marshal(Registration{Contact: []string{"mailto:" + *email}})
|
|
||||||
logger().Printf("Posting registration to %s", *newReg)
|
|
||||||
|
|
||||||
resp, _ := jwsPost(*newReg, jsonBytes)
|
|
||||||
|
|
||||||
links := parseLinks(resp.Header["Link"])
|
|
||||||
if links["next"] == "" {
|
|
||||||
logger().Fatalln("The server did not provide enough information to proceed.")
|
|
||||||
}
|
|
||||||
|
|
||||||
logger().Printf("Got agreement URL: %s", links["terms-of-service"])
|
|
||||||
logger().Printf("Got new auth URL: %s", links["next"])
|
|
||||||
|
|
||||||
jsonBytes, _ = json.Marshal(Tos{Agreement: links["terms-of-service"]})
|
|
||||||
logger().Printf("Posting agreement to %s", resp.Header.Get("Location"))
|
|
||||||
|
|
||||||
resp, _ = jwsPost(resp.Header.Get("Location"), jsonBytes)
|
|
||||||
logResponse(resp)
|
|
||||||
|
|
||||||
jsonBytes, _ = json.Marshal(GetChallenges{Identifier{Type: "dns", Value: *domain}})
|
|
||||||
logger().Printf("Getting challenges for type %s and domain %s", "dns", *domain)
|
|
||||||
|
|
||||||
resp, _ = jwsPost(links["next"], jsonBytes)
|
|
||||||
logResponse(resp)
|
|
||||||
|
|
||||||
links = parseLinks(resp.Header["Link"])
|
|
||||||
if links["next"] == "" {
|
|
||||||
logger().Fatalln("The server did not provide enough information to proceed.")
|
|
||||||
}
|
|
||||||
|
|
||||||
logger().Printf("Got new cert URL: %s", links["next"])
|
|
||||||
logger().Printf("Got new authorization URL: %s", resp.Header.Get("Location"))
|
|
||||||
newCertUrl := links["next"]
|
|
||||||
authUrl := resp.Header.Get("Location")
|
|
||||||
body, _ := ioutil.ReadAll(resp.Body)
|
|
||||||
|
|
||||||
var challenges ChallengesResponse
|
|
||||||
_ = json.Unmarshal(body, &challenges)
|
|
||||||
|
|
||||||
for _, challenge := range challenges.Challenges {
|
|
||||||
logger().Printf("Got challenge %s", challenge.Type)
|
|
||||||
}
|
|
||||||
logger().Printf("Challenge combinations are: %v", challenges.Combinations)
|
|
||||||
logger().Printf("Choosing first challenge combination and starting with %s", challenges.Challenges[challenges.Combinations[0][0]].Type)
|
|
||||||
|
|
||||||
firstChallenge := challenges.Challenges[challenges.Combinations[0][0]]
|
|
||||||
if firstChallenge.Type == "simpleHttps" {
|
|
||||||
generateSelfSignedCert(accountKey)
|
|
||||||
|
|
||||||
path := getRandomString(8) + ".txt"
|
|
||||||
challengePath := "/.well-known/acme-challenge/" + path
|
|
||||||
startChallengeTlsServer(challengePath, firstChallenge.Token)
|
|
||||||
|
|
||||||
logger().Print("Waiting for domain validation...")
|
|
||||||
|
|
||||||
jsonBytes, _ = json.Marshal(SimpleHttpsMessage{Path: path})
|
|
||||||
logger().Printf("Sending challenge response for path %s", path)
|
|
||||||
|
|
||||||
resp, _ = jwsPost(firstChallenge.URI, jsonBytes)
|
|
||||||
logResponse(resp)
|
|
||||||
|
|
||||||
// Loop until status is verified or error.
|
|
||||||
var challengeResponse Challenge
|
|
||||||
loop:
|
|
||||||
for {
|
|
||||||
decoder := json.NewDecoder(resp.Body)
|
|
||||||
decoder.Decode(&challengeResponse)
|
|
||||||
|
|
||||||
switch challengeResponse.Status {
|
|
||||||
case "valid":
|
|
||||||
logger().Print("The CA validated our credentials. Continue...")
|
|
||||||
break loop
|
|
||||||
case "pending":
|
|
||||||
logger().Print("The data is still being validated. Please stand by...")
|
|
||||||
case "invalid":
|
|
||||||
logger().Fatalf("The CA could not validate the provided file. - %v", challengeResponse)
|
|
||||||
default:
|
|
||||||
logger().Fatalf("The CA returned an unexpected state. - %v", challengeResponse)
|
|
||||||
}
|
|
||||||
|
|
||||||
time.Sleep(1000 * time.Millisecond)
|
|
||||||
resp, _ = http.Get(authUrl)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
logger().Print("Getting certificate...")
|
|
||||||
privateSslKey := generateKeyPair("ssl-priv.key")
|
|
||||||
csr := generateCsr(privateSslKey)
|
|
||||||
csrString := base64.URLEncoding.EncodeToString(csr)
|
|
||||||
jsonBytes, _ = json.Marshal(CsrMessage{Csr: csrString, Authorizations: []string{authUrl}})
|
|
||||||
resp, _ = jwsPost(newCertUrl, jsonBytes)
|
|
||||||
logResponse(resp)
|
|
||||||
|
|
||||||
body, _ = ioutil.ReadAll(resp.Body)
|
|
||||||
ioutil.WriteFile("ssl-crt.crt", body, 0644)
|
|
||||||
}
|
|
||||||
|
|
||||||
func startChallengeTlsServer(path string, token string) {
|
|
||||||
|
|
||||||
cert, err := tls.LoadX509KeyPair(*accountTmpCrtFile, *accountKeyFile)
|
|
||||||
tlsConf := new(tls.Config)
|
|
||||||
tlsConf.Certificates = []tls.Certificate{cert}
|
|
||||||
|
|
||||||
tlsListener, err := tls.Listen("tcp", ":443", tlsConf)
|
|
||||||
if err != nil {
|
|
||||||
logger().Fatalf("Could not start TLS listener on %s for challenge handling! - %v", ":443", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
http.HandleFunc(path, func(w http.ResponseWriter, r *http.Request) {
|
|
||||||
if r.Host == *domain && r.Method == "GET" {
|
|
||||||
w.Write([]byte(token))
|
|
||||||
tlsListener.Close()
|
|
||||||
}
|
|
||||||
})
|
|
||||||
|
|
||||||
srv := http.Server{Addr: ":443", Handler: nil}
|
|
||||||
go func() {
|
|
||||||
srv.Serve(tlsListener)
|
|
||||||
logger().Print("TLS Server exited.")
|
|
||||||
}()
|
|
||||||
}
|
|
||||||
|
|
||||||
func getRandomString(length int) string {
|
|
||||||
const alphanum = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
|
|
||||||
var bytes = make([]byte, length)
|
|
||||||
rand.Read(bytes)
|
|
||||||
for i, b := range bytes {
|
|
||||||
bytes[i] = alphanum[b%byte(len(alphanum))]
|
|
||||||
}
|
|
||||||
return string(bytes)
|
|
||||||
}
|
|
||||||
|
|
||||||
func logResponse(resp *http.Response) {
|
|
||||||
logger().Println(resp.Status)
|
|
||||||
for k, v := range resp.Header {
|
|
||||||
logger().Printf("-- %s: %s", k, v)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func jwsPost(url string, content []byte) (*http.Response, error) {
|
|
||||||
url = strings.Replace(url, "localhost", "192.168.10.22", -1)
|
|
||||||
|
|
||||||
privKeyBytes, err := ioutil.ReadFile(*accountKeyFile)
|
|
||||||
key, err := jose.LoadPrivateKey(privKeyBytes)
|
|
||||||
if err != nil {
|
|
||||||
panic(err)
|
|
||||||
}
|
|
||||||
|
|
||||||
signer, err := jose.NewSigner(jose.RS256, key)
|
|
||||||
if err != nil {
|
|
||||||
panic(err)
|
|
||||||
}
|
|
||||||
signed, err := signer.Sign(content)
|
|
||||||
if err != nil {
|
|
||||||
panic(err)
|
|
||||||
}
|
|
||||||
signedContent := signed.FullSerialize()
|
|
||||||
|
|
||||||
resp, err := http.Post(url, "application/json", bytes.NewBuffer([]byte(signedContent)))
|
|
||||||
if err != nil {
|
|
||||||
logger().Fatalf("Error posting content: %s", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
return resp, err
|
|
||||||
}
|
|
||||||
|
|
||||||
func generateCsr(privateKey interface{}) []byte {
|
|
||||||
template := x509.CertificateRequest{
|
|
||||||
Subject: pkix.Name{
|
|
||||||
CommonName: *domain,
|
|
||||||
},
|
|
||||||
EmailAddresses: []string{*email},
|
|
||||||
}
|
|
||||||
|
|
||||||
csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &template, privateKey)
|
|
||||||
|
|
||||||
csrOut, err := os.Create("csr.pem")
|
|
||||||
if err != nil {
|
|
||||||
logger().Fatalf("Could not create certificate request file: %s", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
pem.Encode(csrOut, &pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrBytes})
|
|
||||||
|
|
||||||
return csrBytes
|
|
||||||
}
|
|
||||||
|
|
||||||
func generateKeyPair(fileName string) interface{} {
|
|
||||||
logger().Println("Generating key pair ...")
|
|
||||||
|
|
||||||
var privateKey interface{}
|
|
||||||
var err error
|
|
||||||
switch *ecdsaCurve {
|
|
||||||
case "":
|
|
||||||
privateKey, err = rsa.GenerateKey(rand.Reader, *bits)
|
|
||||||
case "P224":
|
|
||||||
privateKey, err = ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
|
|
||||||
case "P256":
|
|
||||||
privateKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
|
||||||
case "P384":
|
|
||||||
privateKey, err = ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
|
|
||||||
case "P521":
|
|
||||||
privateKey, err = ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
|
|
||||||
}
|
|
||||||
|
|
||||||
if err != nil {
|
|
||||||
logger().Fatalf("Failed to generate private key: %s", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
var pemKey pem.Block
|
|
||||||
switch key := privateKey.(type) {
|
|
||||||
case *rsa.PrivateKey:
|
|
||||||
pemKey = pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}
|
|
||||||
case *ecdsa.PrivateKey:
|
|
||||||
privateBytes, err := x509.MarshalECPrivateKey(key)
|
|
||||||
if err != nil {
|
|
||||||
logger().Fatalf("Could not marshal ECDSA private key: %v", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
pemKey = pem.Block{Type: "EC PRIVATE KEY", Bytes: privateBytes}
|
|
||||||
}
|
|
||||||
|
|
||||||
certOut, err := os.Create(fileName)
|
|
||||||
if err != nil {
|
|
||||||
logger().Fatalf("Could not create private key file: %s", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
pem.Encode(certOut, &pemKey)
|
|
||||||
certOut.Close()
|
|
||||||
|
|
||||||
return privateKey
|
|
||||||
}
|
|
||||||
|
|
||||||
func generateSelfSignedCert(privKey *rsa.PrivateKey) {
|
|
||||||
|
|
||||||
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
|
|
||||||
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
|
|
||||||
if err != nil {
|
|
||||||
log.Fatalf("failed to generate serial number: %s", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
template := x509.Certificate{
|
|
||||||
SerialNumber: serialNumber,
|
|
||||||
Subject: pkix.Name{
|
|
||||||
CommonName: *email,
|
|
||||||
Organization: []string{*domain},
|
|
||||||
},
|
|
||||||
NotBefore: time.Now(),
|
|
||||||
NotAfter: time.Now().Add(365),
|
|
||||||
|
|
||||||
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
|
|
||||||
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
|
|
||||||
BasicConstraintsValid: true,
|
|
||||||
DNSNames: []string{*domain},
|
|
||||||
IsCA: true,
|
|
||||||
}
|
|
||||||
|
|
||||||
derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &privKey.PublicKey, privKey)
|
|
||||||
if err != nil {
|
|
||||||
log.Fatalf("Failed to create certificate: %s", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
certOut, err := os.Create(*accountTmpCrtFile)
|
|
||||||
if err != nil {
|
|
||||||
log.Fatalf("failed to open cert.pem for writing: %s", err)
|
|
||||||
}
|
|
||||||
pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
|
|
||||||
certOut.Close()
|
|
||||||
}
|
|
Loading…
Reference in a new issue