nebula/cmd/nebula-cert/sign.go

package main

import (
	"crypto/rand"
	"flag"
	"fmt"
	"io"
	"io/ioutil"
	"net"
	"os"
	"strings"
	"time"

	"github.com/skip2/go-qrcode"
	"github.com/slackhq/nebula/cert"
	"golang.org/x/crypto/curve25519"
)

type signFlags struct {
	set         *flag.FlagSet
	caKeyPath   *string
	caCertPath  *string
	name        *string
	ip          *string
	duration    *time.Duration
	inPubPath   *string
	outKeyPath  *string
	outCertPath *string
	outQRPath   *string
	groups      *string
	subnets     *string
}

func newSignFlags() *signFlags {
	sf := signFlags{set: flag.NewFlagSet("sign", flag.ContinueOnError)}
	sf.set.Usage = func() {}
	sf.caKeyPath = sf.set.String("ca-key", "ca.key", "Optional: path to the signing CA key")
	sf.caCertPath = sf.set.String("ca-crt", "ca.crt", "Optional: path to the signing CA cert")
	sf.name = sf.set.String("name", "", "Required: name of the cert, usually a hostname")
	sf.ip = sf.set.String("ip", "", "Required: ipv4 address and network in CIDR notation to assign the cert")
	sf.duration = sf.set.Duration("duration", 0, "Optional: how long the cert should be valid for. The default is 1 second before the signing cert expires. Valid time units are seconds: \"s\", minutes: \"m\", hours: \"h\"")
	sf.inPubPath = sf.set.String("in-pub", "", "Optional (if out-key not set): path to read a previously generated public key")
	sf.outKeyPath = sf.set.String("out-key", "", "Optional (if in-pub not set): path to write the private key to")
	sf.outCertPath = sf.set.String("out-crt", "", "Optional: path to write the certificate to")
	sf.outQRPath = sf.set.String("out-qr", "", "Optional: output a qr code image (png) of the certificate")
	sf.groups = sf.set.String("groups", "", "Optional: comma separated list of groups")
	sf.subnets = sf.set.String("subnets", "", "Optional: comma separated list of ipv4 address and network in CIDR notation. Subnets this cert can serve for")
	return &sf

}

func signCert(args []string, out io.Writer, errOut io.Writer) error {
	sf := newSignFlags()
	err := sf.set.Parse(args)
	if err != nil {
		return err
	}

	if err := mustFlagString("ca-key", sf.caKeyPath); err != nil {
		return err
	}
	if err := mustFlagString("ca-crt", sf.caCertPath); err != nil {
		return err
	}
	if err := mustFlagString("name", sf.name); err != nil {
		return err
	}
	if err := mustFlagString("ip", sf.ip); err != nil {
		return err
	}
	if *sf.inPubPath != "" && *sf.outKeyPath != "" {
		return newHelpErrorf("cannot set both -in-pub and -out-key")
	}

	rawCAKey, err := ioutil.ReadFile(*sf.caKeyPath)
	if err != nil {
		return fmt.Errorf("error while reading ca-key: %s", err)
	}

	caKey, _, err := cert.UnmarshalEd25519PrivateKey(rawCAKey)
	if err != nil {
		return fmt.Errorf("error while parsing ca-key: %s", err)
	}

	rawCACert, err := ioutil.ReadFile(*sf.caCertPath)
	if err != nil {
		return fmt.Errorf("error while reading ca-crt: %s", err)
	}

	caCert, _, err := cert.UnmarshalNebulaCertificateFromPEM(rawCACert)
	if err != nil {
		return fmt.Errorf("error while parsing ca-crt: %s", err)
	}

	if err := caCert.VerifyPrivateKey(caKey); err != nil {
		return fmt.Errorf("refusing to sign, root certificate does not match private key")
	}

	issuer, err := caCert.Sha256Sum()
	if err != nil {
		return fmt.Errorf("error while getting -ca-crt fingerprint: %s", err)
	}

	if caCert.Expired(time.Now()) {
		return fmt.Errorf("ca certificate is expired")
	}

	// if no duration is given, expire one second before the root expires
	if *sf.duration <= 0 {
		*sf.duration = time.Until(caCert.Details.NotAfter) - time.Second*1
	}

	ip, ipNet, err := net.ParseCIDR(*sf.ip)
	if err != nil {
		return newHelpErrorf("invalid ip definition: %s", err)
	}
	if ip.To4() == nil {
		return newHelpErrorf("invalid ip definition: can only be ipv4, have %s", *sf.ip)
	}
	ipNet.IP = ip

	groups := []string{}
	if *sf.groups != "" {
		for _, rg := range strings.Split(*sf.groups, ",") {
			g := strings.TrimSpace(rg)
			if g != "" {
				groups = append(groups, g)
			}
		}
	}

	subnets := []*net.IPNet{}
	if *sf.subnets != "" {
		for _, rs := range strings.Split(*sf.subnets, ",") {
			rs := strings.Trim(rs, " ")
			if rs != "" {
				_, s, err := net.ParseCIDR(rs)
				if err != nil {
					return newHelpErrorf("invalid subnet definition: %s", err)
				}
				if s.IP.To4() == nil {
					return newHelpErrorf("invalid subnet definition: can only be ipv4, have %s", rs)
				}
				subnets = append(subnets, s)
			}
		}
	}

	var pub, rawPriv []byte
	if *sf.inPubPath != "" {
		rawPub, err := ioutil.ReadFile(*sf.inPubPath)
		if err != nil {
			return fmt.Errorf("error while reading in-pub: %s", err)
		}
		pub, _, err = cert.UnmarshalX25519PublicKey(rawPub)
		if err != nil {
			return fmt.Errorf("error while parsing in-pub: %s", err)
		}
	} else {
		pub, rawPriv = x25519Keypair()
	}

	nc := cert.NebulaCertificate{
		Details: cert.NebulaCertificateDetails{
			Name:      *sf.name,
			Ips:       []*net.IPNet{ipNet},
			Groups:    groups,
			Subnets:   subnets,
			NotBefore: time.Now(),
			NotAfter:  time.Now().Add(*sf.duration),
			PublicKey: pub,
			IsCA:      false,
			Issuer:    issuer,
		},
	}

	if err := nc.CheckRootConstrains(caCert); err != nil {
		return fmt.Errorf("refusing to sign, root certificate constraints violated: %s", err)
	}

	if *sf.outKeyPath == "" {
		*sf.outKeyPath = *sf.name + ".key"
	}

	if *sf.outCertPath == "" {
		*sf.outCertPath = *sf.name + ".crt"
	}

	if _, err := os.Stat(*sf.outCertPath); err == nil {
		return fmt.Errorf("refusing to overwrite existing cert: %s", *sf.outCertPath)
	}

	err = nc.Sign(caKey)
	if err != nil {
		return fmt.Errorf("error while signing: %s", err)
	}

	if *sf.inPubPath == "" {
		if _, err := os.Stat(*sf.outKeyPath); err == nil {
			return fmt.Errorf("refusing to overwrite existing key: %s", *sf.outKeyPath)
		}

		err = ioutil.WriteFile(*sf.outKeyPath, cert.MarshalX25519PrivateKey(rawPriv), 0600)
		if err != nil {
			return fmt.Errorf("error while writing out-key: %s", err)
		}
	}

	b, err := nc.MarshalToPEM()
	if err != nil {
		return fmt.Errorf("error while marshalling certificate: %s", err)
	}

	err = ioutil.WriteFile(*sf.outCertPath, b, 0600)
	if err != nil {
		return fmt.Errorf("error while writing out-crt: %s", err)
	}

	if *sf.outQRPath != "" {
		b, err = qrcode.Encode(string(b), qrcode.Medium, -5)
		if err != nil {
			return fmt.Errorf("error while generating qr code: %s", err)
		}

		err = ioutil.WriteFile(*sf.outQRPath, b, 0600)
		if err != nil {
			return fmt.Errorf("error while writing out-qr: %s", err)
		}
	}

	return nil
}

func x25519Keypair() ([]byte, []byte) {
	privkey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, privkey); err != nil {
		panic(err)
	}

	pubkey, err := curve25519.X25519(privkey, curve25519.Basepoint)
	if err != nil {
		panic(err)
	}

	return pubkey, privkey
}

func signSummary() string {
	return "sign <flags>: create and sign a certificate"
}

func signHelp(out io.Writer) {
	sf := newSignFlags()
	out.Write([]byte("Usage of " + os.Args[0] + " " + signSummary() + "\n"))
	sf.set.SetOutput(out)
	sf.set.PrintDefaults()
}
Public Release 2019-11-19 18:00:20 +01:00			`package main`

			`import (`
			`"crypto/rand"`
			`"flag"`
			`"fmt"`
			`"io"`
			`"io/ioutil"`
			`"net"`
			`"os"`
			`"strings"`
			`"time"`

Add QR code support to `nebula-cert` (#297) 2021-02-12 01:53:25 +01:00			`"github.com/skip2/go-qrcode"`
Public Release 2019-11-19 18:00:20 +01:00			`"github.com/slackhq/nebula/cert"`
Fix impossible error message condition, go fmt 2019-12-10 01:41:27 +01:00			`"golang.org/x/crypto/curve25519"`
Public Release 2019-11-19 18:00:20 +01:00			`)`

			`type signFlags struct {`
			`set *flag.FlagSet`
			`caKeyPath *string`
			`caCertPath *string`
			`name *string`
			`ip *string`
			`duration *time.Duration`
			`inPubPath *string`
			`outKeyPath *string`
			`outCertPath *string`
Add QR code support to `nebula-cert` (#297) 2021-02-12 01:53:25 +01:00			`outQRPath *string`
Public Release 2019-11-19 18:00:20 +01:00			`groups *string`
			`subnets *string`
			`}`

			`func newSignFlags() *signFlags {`
			`sf := signFlags{set: flag.NewFlagSet("sign", flag.ContinueOnError)}`
			`sf.set.Usage = func() {}`
			`sf.caKeyPath = sf.set.String("ca-key", "ca.key", "Optional: path to the signing CA key")`
			`sf.caCertPath = sf.set.String("ca-crt", "ca.crt", "Optional: path to the signing CA cert")`
			`sf.name = sf.set.String("name", "", "Required: name of the cert, usually a hostname")`
Be more clear about ipv4 in nebula-cert (#604) 2021-12-08 04:40:30 +01:00			`sf.ip = sf.set.String("ip", "", "Required: ipv4 address and network in CIDR notation to assign the cert")`
fix(nebula-cert): flag duration is optional, so reflect this is the cli help (#117) * fix: nebula-cert duration is optional, so reflect this is the cli help nebula-cert sign defaults the duration flag to 1 second before the CA expires, so it is not required to be provided. * tests: Fix test for duration flag help message * nebula-cert: add duration default value hint 2020-01-06 19:51:29 +01:00			`sf.duration = sf.set.Duration("duration", 0, "Optional: how long the cert should be valid for. The default is 1 second before the signing cert expires. Valid time units are seconds: \"s\", minutes: \"m\", hours: \"h\"")`
Public Release 2019-11-19 18:00:20 +01:00			`sf.inPubPath = sf.set.String("in-pub", "", "Optional (if out-key not set): path to read a previously generated public key")`
			`sf.outKeyPath = sf.set.String("out-key", "", "Optional (if in-pub not set): path to write the private key to")`
			`sf.outCertPath = sf.set.String("out-crt", "", "Optional: path to write the certificate to")`
Add QR code support to `nebula-cert` (#297) 2021-02-12 01:53:25 +01:00			`sf.outQRPath = sf.set.String("out-qr", "", "Optional: output a qr code image (png) of the certificate")`
Public Release 2019-11-19 18:00:20 +01:00			`sf.groups = sf.set.String("groups", "", "Optional: comma separated list of groups")`
Be more clear about ipv4 in nebula-cert (#604) 2021-12-08 04:40:30 +01:00			`sf.subnets = sf.set.String("subnets", "", "Optional: comma separated list of ipv4 address and network in CIDR notation. Subnets this cert can serve for")`
Public Release 2019-11-19 18:00:20 +01:00			`return &sf`

			`}`

			`func signCert(args []string, out io.Writer, errOut io.Writer) error {`
			`sf := newSignFlags()`
			`err := sf.set.Parse(args)`
			`if err != nil {`
			`return err`
			`}`

			`if err := mustFlagString("ca-key", sf.caKeyPath); err != nil {`
			`return err`
			`}`
			`if err := mustFlagString("ca-crt", sf.caCertPath); err != nil {`
			`return err`
			`}`
			`if err := mustFlagString("name", sf.name); err != nil {`
			`return err`
			`}`
			`if err := mustFlagString("ip", sf.ip); err != nil {`
			`return err`
			`}`
			`if sf.inPubPath != "" && sf.outKeyPath != "" {`
			`return newHelpErrorf("cannot set both -in-pub and -out-key")`
			`}`

			`rawCAKey, err := ioutil.ReadFile(*sf.caKeyPath)`
			`if err != nil {`
			`return fmt.Errorf("error while reading ca-key: %s", err)`
			`}`

			`caKey, _, err := cert.UnmarshalEd25519PrivateKey(rawCAKey)`
			`if err != nil {`
			`return fmt.Errorf("error while parsing ca-key: %s", err)`
			`}`

			`rawCACert, err := ioutil.ReadFile(*sf.caCertPath)`
			`if err != nil {`
			`return fmt.Errorf("error while reading ca-crt: %s", err)`
			`}`

			`caCert, _, err := cert.UnmarshalNebulaCertificateFromPEM(rawCACert)`
			`if err != nil {`
			`return fmt.Errorf("error while parsing ca-crt: %s", err)`
			`}`

Check CA cert and key match in nebula-cert sign (#503) `func (nc *NebulaCertificate) VerifyPrivateKey(key []byte) error` would previously return an error even if passed the correct private key for a CA certificate `nc`. That function has been updated to support CA certificates, and nebula-cert now calls it before signing a new certificate. Previously, it would perform all constraint checks against the CA certificate provided, take a SHA256 fingerprint of the provided certificate, insert it into the new node certificate, and then finally sign it with the mismatching private key provided. 2021-10-01 18:43:33 +02:00			`if err := caCert.VerifyPrivateKey(caKey); err != nil {`
			`return fmt.Errorf("refusing to sign, root certificate does not match private key")`
			`}`

Public Release 2019-11-19 18:00:20 +01:00			`issuer, err := caCert.Sha256Sum()`
			`if err != nil {`
			`return fmt.Errorf("error while getting -ca-crt fingerprint: %s", err)`
			`}`

			`if caCert.Expired(time.Now()) {`
			`return fmt.Errorf("ca certificate is expired")`
			`}`

			`// if no duration is given, expire one second before the root expires`
			`if *sf.duration <= 0 {`
			`sf.duration = time.Until(caCert.Details.NotAfter) - time.Second1`
			`}`

			`ip, ipNet, err := net.ParseCIDR(*sf.ip)`
			`if err != nil {`
			`return newHelpErrorf("invalid ip definition: %s", err)`
			`}`
Be more clear about ipv4 in nebula-cert (#604) 2021-12-08 04:40:30 +01:00			`if ip.To4() == nil {`
			`return newHelpErrorf("invalid ip definition: can only be ipv4, have %s", *sf.ip)`
			`}`
Public Release 2019-11-19 18:00:20 +01:00			`ipNet.IP = ip`

			`groups := []string{}`
			`if *sf.groups != "" {`
			`for _, rg := range strings.Split(*sf.groups, ",") {`
			`g := strings.TrimSpace(rg)`
			`if g != "" {`
			`groups = append(groups, g)`
			`}`
			`}`
			`}`

			`subnets := []*net.IPNet{}`
			`if *sf.subnets != "" {`
			`for _, rs := range strings.Split(*sf.subnets, ",") {`
			`rs := strings.Trim(rs, " ")`
			`if rs != "" {`
			`_, s, err := net.ParseCIDR(rs)`
			`if err != nil {`
			`return newHelpErrorf("invalid subnet definition: %s", err)`
			`}`
Be more clear about ipv4 in nebula-cert (#604) 2021-12-08 04:40:30 +01:00			`if s.IP.To4() == nil {`
			`return newHelpErrorf("invalid subnet definition: can only be ipv4, have %s", rs)`
			`}`
Public Release 2019-11-19 18:00:20 +01:00			`subnets = append(subnets, s)`
			`}`
			`}`
			`}`

			`var pub, rawPriv []byte`
			`if *sf.inPubPath != "" {`
			`rawPub, err := ioutil.ReadFile(*sf.inPubPath)`
			`if err != nil {`
			`return fmt.Errorf("error while reading in-pub: %s", err)`
			`}`
			`pub, _, err = cert.UnmarshalX25519PublicKey(rawPub)`
			`if err != nil {`
			`return fmt.Errorf("error while parsing in-pub: %s", err)`
			`}`
			`} else {`
			`pub, rawPriv = x25519Keypair()`
			`}`

			`nc := cert.NebulaCertificate{`
			`Details: cert.NebulaCertificateDetails{`
			`Name: *sf.name,`
			`Ips: []*net.IPNet{ipNet},`
			`Groups: groups,`
			`Subnets: subnets,`
			`NotBefore: time.Now(),`
			`NotAfter: time.Now().Add(*sf.duration),`
			`PublicKey: pub,`
			`IsCA: false,`
			`Issuer: issuer,`
			`},`
			`}`

Root constraint usage and support in nebula-cert 2019-12-18 02:59:21 +01:00			`if err := nc.CheckRootConstrains(caCert); err != nil {`
			`return fmt.Errorf("refusing to sign, root certificate constraints violated: %s", err)`
			`}`

Public Release 2019-11-19 18:00:20 +01:00			`if *sf.outKeyPath == "" {`
			`sf.outKeyPath = sf.name + ".key"`
			`}`

			`if *sf.outCertPath == "" {`
			`sf.outCertPath = sf.name + ".crt"`
			`}`

			`if _, err := os.Stat(*sf.outCertPath); err == nil {`
			`return fmt.Errorf("refusing to overwrite existing cert: %s", *sf.outCertPath)`
			`}`

			`err = nc.Sign(caKey)`
			`if err != nil {`
			`return fmt.Errorf("error while signing: %s", err)`
			`}`

			`if *sf.inPubPath == "" {`
Fix impossible error message condition, go fmt 2019-12-10 01:41:27 +01:00			`if _, err := os.Stat(*sf.outKeyPath); err == nil {`
			`return fmt.Errorf("refusing to overwrite existing key: %s", *sf.outKeyPath)`
			`}`

Public Release 2019-11-19 18:00:20 +01:00			`err = ioutil.WriteFile(*sf.outKeyPath, cert.MarshalX25519PrivateKey(rawPriv), 0600)`
			`if err != nil {`
			`return fmt.Errorf("error while writing out-key: %s", err)`
			`}`
			`}`

			`b, err := nc.MarshalToPEM()`
			`if err != nil {`
			`return fmt.Errorf("error while marshalling certificate: %s", err)`
			`}`

			`err = ioutil.WriteFile(*sf.outCertPath, b, 0600)`
			`if err != nil {`
			`return fmt.Errorf("error while writing out-crt: %s", err)`
			`}`

Add QR code support to `nebula-cert` (#297) 2021-02-12 01:53:25 +01:00			`if *sf.outQRPath != "" {`
			`b, err = qrcode.Encode(string(b), qrcode.Medium, -5)`
			`if err != nil {`
			`return fmt.Errorf("error while generating qr code: %s", err)`
			`}`

			`err = ioutil.WriteFile(*sf.outQRPath, b, 0600)`
			`if err != nil {`
			`return fmt.Errorf("error while writing out-qr: %s", err)`
			`}`
			`}`

Public Release 2019-11-19 18:00:20 +01:00			`return nil`
			`}`

			`func x25519Keypair() ([]byte, []byte) {`
refactor: use X25519 instead of ScalarBaseMult (#533) As suggested in https://pkg.go.dev/golang.org/x/crypto/curve25519#ScalarBaseMult, use X25519 instead of ScalarBaseMult. When using Basepoint, it may employ some precomputed values, enhancing performance. Co-authored-by: Wade Simmons <wade@wades.im> Co-authored-by: Wade Simmons <wadey@slack-corp.com> 2021-10-12 18:03:43 +02:00			`privkey := make([]byte, 32)`
			`if _, err := io.ReadFull(rand.Reader, privkey); err != nil {`
Public Release 2019-11-19 18:00:20 +01:00			`panic(err)`
			`}`
refactor: use X25519 instead of ScalarBaseMult (#533) As suggested in https://pkg.go.dev/golang.org/x/crypto/curve25519#ScalarBaseMult, use X25519 instead of ScalarBaseMult. When using Basepoint, it may employ some precomputed values, enhancing performance. Co-authored-by: Wade Simmons <wade@wades.im> Co-authored-by: Wade Simmons <wadey@slack-corp.com> 2021-10-12 18:03:43 +02:00
			`pubkey, err := curve25519.X25519(privkey, curve25519.Basepoint)`
			`if err != nil {`
			`panic(err)`
			`}`

			`return pubkey, privkey`
Public Release 2019-11-19 18:00:20 +01:00			`}`

			`func signSummary() string {`
			`return "sign <flags>: create and sign a certificate"`
			`}`

			`func signHelp(out io.Writer) {`
			`sf := newSignFlags()`
			`out.Write([]byte("Usage of " + os.Args[0] + " " + signSummary() + "\n"))`
			`sf.set.SetOutput(out)`
			`sf.set.PrintDefaults()`
			`}`