diff --git a/controllers/server.go b/controllers/server.go
index 6fe52409..4ba305ef 100644
--- a/controllers/server.go
+++ b/controllers/server.go
@@ -13,6 +13,7 @@ import (
 "github.com/gravitl/netmaker/logic"
 "github.com/gravitl/netmaker/models"
 "github.com/gravitl/netmaker/netclient/config"
+ "github.com/gravitl/netmaker/netclient/ncutils"
 "github.com/gravitl/netmaker/servercfg"
 "github.com/gravitl/netmaker/tls"
 )
@@ -163,7 +164,9 @@ func register(w http.ResponseWriter, r *http.Request) {
 returnErrorResponse(w, r, errorResponse)
 return
 }
- cert, ca, err := genCerts(&request.CSR, request.Key)
+ // not working --- use openssl instead
+ // cert, ca, err := genCerts(&request.CSR, request.Key)
+ key, cert, ca, err := genOpenSSLCerts()
 if err != nil {
 logger.Log(0, "failed to generater certs ", err.Error())
 errorResponse := models.ErrorResponse{
@@ -172,6 +175,7 @@ func register(w http.ResponseWriter, r *http.Request) {
 returnErrorResponse(w, r, errorResponse)
 return
 }
+
 response := config.RegisterResponse{
 CA: *ca,
 Cert: *cert,
@@ -201,6 +205,7 @@ func genCerts(csr *x509.CertificateRequest, publickey ed25519.PublicKey) (*x509.
 // logger.Log(2, "failed to generate client certificate requests", err.Error())
 // return nil, nil, nil, fmt.Errorf("client certification request generation failed %w", err)
 //}
+
 csr.PublicKey = publickey
 cert, err := tls.NewEndEntityCert(*key, csr, ca, tls.CERTIFICATE_VALIDITY)
 if err != nil {
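Review bot: `key` returned by `genOpenSSLCerts()` is not consumed anywhere in this diff — the `RegisterResponse` literal in the next hunk still sets only `CA` and `Cert` — so unless it is used further down in `register` (outside these hunks) the file fails to compile with "declared and not used". More importantly, the client-submitted `request.CSR` and `request.Key` are now ignored: the server mints the client's private key itself instead of signing the client's CSR, which means the key exists on the server (in /tmp, per the new helper) and has to be shipped back over the registration channel, something the CSR flow avoided by construction. If the openssl path is a stopgap, I would keep the original call shape — sign the client's CSR, return only cert and CA — rather than changing the trust model, and delete the commented-out `genCerts` line rather than carrying both. `register` starts and ends outside the hunk.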
@@ -209,3 +214,32 @@ func genCerts(csr *x509.CertificateRequest, publickey ed25519.PublicKey) (*x509.
 }
 return ca, cert, nil
 }
+
+func genOpenSSLCerts() (*ed25519.PrivateKey, *x509.Certificate, *x509.Certificate, error) {
+ cmd1 := "openssl genpkey -algorithm Ed25519 -out /tmp/client.key"
+ cmd2 := "openssl req -new -out /tmp/client.csr -key tmp/client.key -subj '/CN=client'"
+ cmd3 := "openssl x509 -req -in /tmp/client.csr -days 365 -CA /etc/netmaker/root.pem -CAkey /etc/netmaker/root.key -CAcreateserial -out /tmp/client.pem"
+
+ if _, err := ncutils.RunCmd(cmd1, true); err != nil {
+ return nil, nil, nil, fmt.Errorf("client key error %w", err)
+ }
+ if _, err := ncutils.RunCmd(cmd2, true); err != nil {
+ return nil, nil, nil, fmt.Errorf("client csr error %w", err)
+ }
+ if _, err := ncutils.RunCmd(cmd3, true); err != nil {
+ return nil, nil, nil, fmt.Errorf("client cert error %w", err)
+ }
+ key, err := tls.ReadKey("/tmp/client.key")
+ if err != nil {
+ return nil, nil, nil, fmt.Errorf("read client key error %w", err)
+ }
+ cert, err := tls.ReadCert("/tmp/client.pem")
+ if err != nil {
+ return nil, nil, nil, fmt.Errorf("read client cert error %w", err)
+ }
+ ca, err := tls.ReadCert("/etc/netmaker/root.pem")
+ if err != nil {
+ return nil, nil, nil, fmt.Errorf("read ca cert error %w", err)
+ }
+ return key, cert, ca, nil
+}
diff --git a/netclient/config/config.go b/netclient/config/config.go
index 91ff01e2..d73a19aa 100644
--- a/netclient/config/config.go
+++ b/netclient/config/config.go
@@ -47,6 +47,7 @@ type RegisterRequest struct {
 }
 
 type RegisterResponse struct {
+ Key ed25519.PrivateKey
 CA x509.Certificate
 Cert x509.Certificate
 }
diff --git a/netclient/functions/daemon.go b/netclient/functions/daemon.go
index 5062a98b..58583c07 100644
--- a/netclient/functions/daemon.go
+++ b/netclient/functions/daemon.go
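Review bot: `cmd2` passes `-key tmp/client.key` (no leading slash) while `cmd1` writes `/tmp/client.key`, so the CSR step only succeeds when the server's working directory happens to be `/`. The three paths are also fixed and shared: every registration writes the same `/tmp/client.key` and `/tmp/client.pem`, so two concurrent `register` calls can overwrite each other's files and one client can be handed a key or cert minted for another, and a predictable name in world-writable `/tmp` is readable by any local user for as long as the file exists (nothing in the function removes it). A per-call `os.MkdirTemp` directory (created 0700) removed with `defer os.RemoveAll` addresses both; `os` and `path/filepath` would need importing if server.go does not already have them. Shelling out additionally hands the CA private key `/etc/netmaker/root.key` to an external process and hard-codes `-days 365` instead of `tls.CERTIFICATE_VALIDITY`, which is worth revisiting once the in-process `genCerts` path is repaired.
```go
func genOpenSSLCerts() (*ed25519.PrivateKey, *x509.Certificate, *x509.Certificate, error) {
	// private scratch dir per call so concurrent registrations cannot read or clobber each other's files
	dir, err := os.MkdirTemp("", "netmaker-register-")
	if err != nil {
		return nil, nil, nil, fmt.Errorf("temp dir error %w", err)
	}
	defer os.RemoveAll(dir)
	keyPath := filepath.Join(dir, "client.key")
	csrPath := filepath.Join(dir, "client.csr")
	certPath := filepath.Join(dir, "client.pem")
	cmd1 := "openssl genpkey -algorithm Ed25519 -out " + keyPath
	cmd2 := "openssl req -new -out " + csrPath + " -key " + keyPath + " -subj '/CN=client'"
	cmd3 := "openssl x509 -req -in " + csrPath + " -days 365 -CA /etc/netmaker/root.pem -CAkey /etc/netmaker/root.key -CAcreateserial -out " + certPath
	// … unchanged: the three ncutils.RunCmd calls and their error returns …
	key, err := tls.ReadKey(keyPath)
	// … unchanged: error check …
	cert, err := tls.ReadCert(certPath)
	// … unchanged: error check, CA read from /etc/netmaker/root.pem, final return …
```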
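Review bot: `Key ed25519.PrivateKey` places a private key in the registration response type, so whatever serialises `RegisterResponse` on the wire now carries the client's long-term key; that is only acceptable if the server-side generation elsewhere in this diff is the intended design, and the field should say so. A doc comment such as `// Key is the client's private key, generated server-side; callers must persist it with mode 0600 and keep it out of logs.` would make the contract explicit for both ends. config.go also needs `crypto/ed25519` in scope for this field; that import is not part of the diff, so it is either already present or the file will not compile.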
@@ -288,8 +288,8 @@ func NewTLSConfig(cfg *config.ClientConfig, server string) *tls.Config {
 logger.Log(0, "failed to append cert")
 }
 //mycert, err := ssl.ReadCert("/etc/netclient/" + server + "/client.pem")
- //clientKeyPair, err := tls.LoadX509KeyPair("/etc/netclient/"+server+"/client.pem", "/etc/netclient/client.key")
- clientKeyPair, err := tls.LoadX509KeyPair("/home/mkasun/tmp/client.pem", "/home/mkasun/tmp/client.key")
+ clientKeyPair, err := tls.LoadX509KeyPair("/etc/netclient/"+server+"/client.pem", "/etc/netclient/client.key")
+ //clientKeyPair, err := tls.LoadX509KeyPair("/home/mkasun/tmp/client.pem", "/home/mkasun/tmp/client.key")
 if err != nil {
 log.Fatalf("could not read client cert/key %v \n", err)
 }
diff --git a/tls/tls.go b/tls/tls.go
index e996d21b..3d17d1a1 100644
--- a/tls/tls.go
+++ b/tls/tls.go
@@ -100,9 +100,11 @@ func NewCSR(key ed25519.PrivateKey, name pkix.Name) (*x509.CertificateRequest, e
 dnsnames := []string{}
 dnsnames = append(dnsnames, name.CommonName)
 derCertRequest, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
- Subject: name,
- PublicKey: key.Public(),
- DNSNames: dnsnames,
+ Subject: name,
+ PublicKey: key.Public(),
+ DNSNames: dnsnames,
+ PublicKeyAlgorithm: x509.Ed25519,
+ Version: 3,
 }, key)
 if err != nil {
 return nil, err
@@ -152,10 +154,10 @@ func NewEndEntityCert(key ed25519.PrivateKey, req *x509.CertificateRequest, pare
 SerialNumber: serialNumber(),
 SignatureAlgorithm: req.SignatureAlgorithm,
 PublicKeyAlgorithm: req.PublicKeyAlgorithm,
- //PublicKey: req.PublicKey,
- Subject: req.Subject,
- SubjectKeyId: req.RawSubject,
- Issuer: parent.Subject,
+ PublicKey: key.Public(),
+ Subject: req.Subject,
+ SubjectKeyId: req.RawSubject,
+ Issuer: parent.Subject,
 }
 rootCa, err := x509.CreateCertificate(rand.Reader, template, parent, key.Public(), key)
 if err != nil {
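Review bot: The certificate path is per-server (`"/etc/netclient/"+server+"/client.pem"`) but the key is the shared `/etc/netclient/client.key`; with the server side of this diff generating a fresh key on every registration, a client registered with more than one server would end up with a cert/key mismatch here unless each registration is meant to overwrite the same key file. If that is the intent, a comment saying so would help; otherwise `"/etc/netclient/"+server+"/client.key"` keeps the pair together. The commented-out `/home/mkasun/tmp/...` line is a developer-local path and should be deleted rather than kept in the file. `NewTLSConfig` starts and ends outside the hunk.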
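Review bot: `PublicKeyAlgorithm: x509.Ed25519` and `Version: 3` have no effect here: as far as I recall, `x509.CreateCertificateRequest` reads only Subject, DNSNames, EmailAddresses, IPAddresses, URIs, Attributes, ExtraExtensions and SignatureAlgorithm from the template and takes the public key and algorithm from the signing `key`, so the existing `PublicKey: key.Public()` is ignored as well. A PKCS#10 request's version is also fixed at 0, so `3` would be wrong even if it were honoured. Since the `key` argument already yields an Ed25519 CSR, the two added fields (and the PublicKey line) can be dropped, or kept with `// informational only: CreateCertificateRequest derives key and algorithm from key` so the next reader does not rely on them. `NewCSR` starts and ends outside the hunk.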
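Review bot: `PublicKey: key.Public()` binds the signer's key, not the requester's, to the end-entity certificate: `key` is also the `priv` passed alongside `parent` on the `x509.CreateCertificate` call two lines down, so it must be the issuing CA's private key, and both the new template field and the existing `pub` argument `key.Public()` put the CA public key into a cert that is then returned as the client's. `x509.CreateCertificate` ignores `template.PublicKey` and uses the `pub` argument, so the fix is `rootCa, err := x509.CreateCertificate(rand.Reader, template, parent, req.PublicKey, key)` with the added `PublicKey:` line removed (genCerts sets `csr.PublicKey = publickey` before calling this). A client presenting such a cert with its own private key would fail the TLS handshake, which plausibly is why the Go path was abandoned for openssl elsewhere in this diff. `SubjectKeyId: req.RawSubject` is also not a key identifier — `CreateCertificate` only derives one automatically for CA templates — so for an end-entity cert either leave it empty or set it to a hash of the subject public key. `NewEndEntityCert` starts and ends outside the hunk.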
@@ -168,6 +170,23 @@ func NewEndEntityCert(key ed25519.PrivateKey, req *x509.CertificateRequest, pare
 return result, nil
 }
 
+func SaveRequest(path, name string, csr *x509.CertificateRequest) error {
+ if err := os.MkdirAll(path, 0644); err != nil {
+ return err
+ }
+ requestOut, err := os.Create(path + name)
+ if err != nil {
+ return err
+ }
+ defer requestOut.Close()
+ if err := pem.Encode(requestOut, &pem.Block{
+ Type: "CERTIFICATE REQUEST",
+ Bytes: csr.Raw,
+ }); err != nil {
+ return err
+ }
+ return nil
+}
 func SaveCert(path, name string, cert *x509.Certificate) error {
 //certbytes, err := x509.ParseCertificate(cert)
 if err := os.MkdirAll(path, 0644); err != nil {
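Review bot: `os.MkdirAll(path, 0644)` creates a directory without the execute (search) bit, so unless the process runs as root it cannot enter a directory this call just made and the following `os.Create` fails; a directory that holds certificate material should be `0700`. The same `0644` is visible on the existing `SaveCert` line at the end of the hunk and has the same problem. I would also build the file name with `filepath.Join(path, name)` rather than `path + name`, which concatenates the two with no separator whenever `path` lacks a trailing slash (`path/filepath` needs importing if tls.go does not already use it). Concretely: `if err := os.MkdirAll(path, 0700); err != nil {` and `requestOut, err := os.Create(filepath.Join(path, name))`.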