From d50f7a8c0b8e836d0e0f720069aeff5530e0faa6 Mon Sep 17 00:00:00 2001
From: "Matthew R. Kasun"
Date: Thu, 14 Apr 2022 14:42:46 -0400
Subject: [PATCH] revert to gen csr on client
---
 controllers/server.go | 43 +++++++++++++++------------------
 netclient/config/config.go | 5 ++--
 netclient/functions/register.go | 15 ++++--------
 3 files changed, 27 insertions(+), 36 deletions(-)
diff --git a/controllers/server.go b/controllers/server.go
index f5917379..dec6789f 100644
--- a/controllers/server.go
+++ b/controllers/server.go
@@ -2,9 +2,7 @@ package controller
 import ( "crypto/ed25519"
- "crypto/rand"
 "crypto/x509"
- "crypto/x509/pkix"
 "encoding/json" "fmt" "net/http"
@@ -131,7 +129,7 @@ func register(w http.ResponseWriter, r *http.Request) {
 //decode body var request config.RegisterRequest if err := json.NewDecoder(r.Body).Decode(&request); err != nil {
- logger.Log(3, "error decoding request", err.Error())
+ logger.Log(0, "error decoding request", err.Error())
 errorResponse := models.ErrorResponse{ Code: http.StatusBadRequest, Message: err.Error(), }
@@ -141,7 +139,7 @@ func register(w http.ResponseWriter, r *http.Request) {
 found := false networks, err := logic.GetNetworks() if err != nil {
- logger.Log(3, "no networks", err.Error())
+ logger.Log(0, "no networks", err.Error())
 errorResponse := models.ErrorResponse{ Code: http.StatusNotFound, Message: "no networks", }
@@ -157,14 +155,14 @@ func register(w http.ResponseWriter, r *http.Request) {
 } } if !found {
- logger.Log(2, "valid access key not found")
+ logger.Log(0, "valid access key not found")
 errorResponse := models.ErrorResponse{ Code: http.StatusUnauthorized, Message: "You are unauthorized to access this endpoint.", } returnErrorResponse(w, r, errorResponse) return }
- privKey, cert, ca, err := genCerts(request.Name)
+ cert, ca, err := genCerts(&request.CSR, request.Key)
 if err != nil { logger.Log(0, "failed to generater certs ", err.Error()) errorResponse := models.ErrorResponse{
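Review bot: `cert, ca, err := genCerts(&request.CSR, request.Key)` passes `request.Key` straight from the decoded body with no size check, so an empty or wrongly sized byte slice is typed as an `ed25519.PublicKey` and handed to certificate generation; reject it before the call with `if len(request.Key) != ed25519.PublicKeySize { ... }` using the same `logger.Log` / `models.ErrorResponse{Code: http.StatusBadRequest, ...}` pattern the decode failure above uses. Nothing in this function ties `request.Key` to `request.CSR`, so whichever layer ends up checking the CSR should also confirm that the key it is asked to certify is the one the request was signed with. register's body continues outside this hunk.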
@@ -176,38 +174,37 @@ func register(w http.ResponseWriter, r *http.Request) { response := config.RegisterResponse{ CA: *ca, Cert: *cert, - Key: *privKey, } w.WriteHeader(http.StatusOK) json.NewEncoder(w).Encode(response) } -func genCerts(name pkix.Name) (*ed25519.PrivateKey, *x509.Certificate, *x509.Certificate, error) { +func genCerts(csr *x509.CertificateRequest, publickey ed25519.PublicKey) (*x509.Certificate, *x509.Certificate, error) { ca, err := tls.ReadCert("/etc/netmaker/root.pem") if err != nil { logger.Log(2, "root ca not found ", err.Error()) - return nil, nil, nil, fmt.Errorf("root ca not found %w", err) + return nil, nil, fmt.Errorf("root ca not found %w", err) } key, err := tls.ReadKey("/etc/netmaker/root.key") if err != nil { logger.Log(2, "root key not found ", err.Error()) - return nil, nil, nil, fmt.Errorf("root key not found %w", err) + return nil, nil, fmt.Errorf("root key not found %w", err) } - _, privKey, err := ed25519.GenerateKey(rand.Reader) - if err != nil { - logger.Log(2, "failed to generate client key", err.Error()) - return nil, nil, nil, fmt.Errorf("client key generation failed %w", err) - } - csr, err := tls.NewCSR(privKey, name) - if err != nil { - logger.Log(2, "failed to generate client certificate requests", err.Error()) - return nil, nil, nil, fmt.Errorf("client certification request generation failed %w", err) - } - + //_, privKey, err := ed25519.GenerateKey(rand.Reader) + //if err != nil { + // logger.Log(2, "failed to generate client key", err.Error()) + // return nil, nil, nil, fmt.Errorf("client key generation failed %w", err) + //} + //csr, err := tls.NewCSR(privKey, name) + //if err != nil { + // logger.Log(2, "failed to generate client certificate requests", err.Error()) + // return nil, nil, nil, fmt.Errorf("client certification request generation failed %w", err) + //} + csr.PublicKey = publickey cert, err := tls.NewEndEntityCert(*key, csr, ca, tls.CERTIFICATE_VALIDITY) if err != nil { logger.Log(2, "unable to 
generate client certificate", err.Error())
- return nil, nil, nil, fmt.Errorf("client certification generation failed %w", err)
+ return nil, nil, fmt.Errorf("client certification generation failed %w", err)
 }
- return &privKey, ca, cert, nil
+ return ca, cert, nil
 }
diff --git a/netclient/config/config.go b/netclient/config/config.go
index c4dc650c..91ff01e2 100644
--- a/netclient/config/config.go
+++ b/netclient/config/config.go
@@ -4,7 +4,6 @@ import (
 //"github.com/davecgh/go-spew/spew" "crypto/ed25519" "crypto/x509"
- "crypto/x509/pkix"
 "encoding/base64" "encoding/json" "errors"
@@ -43,13 +42,13 @@ type ServerConfig struct {
 // RegisterRequest - struct for registation with netmaker server type RegisterRequest struct {
- Name pkix.Name
+ CSR x509.CertificateRequest
+ Key ed25519.PublicKey
 } type RegisterResponse struct { CA x509.Certificate Cert x509.Certificate
- Key ed25519.PrivateKey
 } // Write - writes the config of a client to disk
diff --git a/netclient/functions/register.go b/netclient/functions/register.go
index 695f5b97..888716eb 100644
--- a/netclient/functions/register.go
+++ b/netclient/functions/register.go
@@ -14,7 +14,6 @@ import (
 "github.com/gravitl/netmaker/netclient/config" "github.com/gravitl/netmaker/netclient/ncutils" "github.com/gravitl/netmaker/tls"
- "github.com/kr/pretty"
 ) func Register(cfg *config.ClientConfig) error {
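Review bot: `csr.PublicKey = publickey` replaces whatever key the request carried and nothing verifies the CSR, so any holder of a valid access key is issued a certificate for a caller-chosen public key and caller-chosen subject without any proof that the caller holds the matching private key; after the assignment add `if err := csr.CheckSignature(); err != nil { return nil, nil, fmt.Errorf("csr signature check failed %w", err) }`, which, assuming `RawTBSCertificateRequest`, `Signature` and `SignatureAlgorithm` survive the JSON round-trip, proves the supplied key signed the request. The result order also looks crossed: genCerts ends with `return ca, cert, nil` while the caller binds `cert, ca, err := genCerts(...)` and then sends `CA: *ca, Cert: *cert`, so unless I misread the bindings the root certificate goes out as Cert and the leaf as CA; naming the results in the signature, `(cert, ca *x509.Certificate, err error)`, would make any such mismatch visible at the return statement. The ten commented-out lines that duplicate the client-side key and CSR generation should be deleted rather than kept. register's body starts outside this hunk.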
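Review bot: `CSR x509.CertificateRequest` is carried through encoding/json, which this type is not designed for: `PublicKey` is an interface and will not decode back into an `ed25519.PublicKey` (presumably why the separate `Key` field was introduced), and the remaining parsed fields are only mirrors of the DER with nothing enforcing they agree. Sending the DER instead, `CSR []byte` filled from `csr.Raw` and parsed on the server with `x509.ParseCertificateRequest`, keeps subject, public key and signature in one blob the server can verify and removes the need for `Key`. If the two-field shape stays, document the contract on the struct, e.g. `// Key must be the public half of the key that signed CSR; it is the key the server binds into the issued certificate`.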
@@ -25,27 +24,23 @@ func Register(cfg *config.ClientConfig) error {
 return errors.New("no access key provided") } //create certificate request
- _, key, err := ed25519.GenerateKey(rand.Reader)
+ public, private, err := ed25519.GenerateKey(rand.Reader)
 if err != nil { return err } name := tls.NewCName(os.Getenv("HOSTNAME"))
- csr, err := tls.NewCSR(key, name)
+ csr, err := tls.NewCSR(private, name)
 if err != nil { return err } data := config.RegisterRequest{
- Name: name,
- CSR: *csr,
+ CSR: *csr,
+ Key: public,
 }
- pretty.Println(data.CSR.PublicKey)
- pretty.Println(data.CSR.RawSubjectPublicKeyInfo)
- pretty.Println("data\n", data)
 payload, err := json.Marshal(data) if err != nil { return err }
- os.WriteFile("/tmp/data", payload, os.ModePerm)
 url := cfg.Server.API + "/api/server/register" log.Println("registering at ", url)
@@ -73,7 +68,7 @@ func Register(cfg *config.ClientConfig) error {
 if err := tls.SaveCert(ncutils.GetNetclientPath()+cfg.Server.Server+"/", "client.pem", &resp.Cert); err != nil { return err }
- if err := tls.SaveKey(ncutils.GetNetclientPath()+cfg.Server.Server+"/", "client.key", resp.Key); err != nil {
+ if err := tls.SaveKey(ncutils.GetNetclientPath()+cfg.Server.Server+"/", "client.key", private); err != nil {
 return err } logger.Log(0, "certificates/key saved ")
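Review bot: `tls.SaveKey(..., "client.key", private)` persists the freshly generated private key without checking that `resp.Cert` was actually issued for `public`, so a server that returns a certificate for a different key (or the wrong certificate from the pair) leaves a mismatched cert/key on disk that only fails later at handshake time. Before saving, parse `resp.Cert.Raw` and compare its public key with `public` via `ed25519.PublicKey.Equal`; this assumes `Raw` survives the JSON decode of the response, which I cannot confirm from the hunk, and needs `crypto/x509` imported if it is not already. Register's body continues outside both hunks.
```go
// … unchanged: SaveCert call …
parsed, err := x509.ParseCertificate(resp.Cert.Raw)
if err != nil {
	return err
}
if !public.Equal(parsed.PublicKey) {
	return errors.New("issued certificate does not match generated key")
}
if err := tls.SaveKey(ncutils.GetNetclientPath()+cfg.Server.Server+"/", "client.key", private); err != nil {
	return err
}
```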