Unverified Commit 8bab8ad5 authored by Max Adamo's avatar Max Adamo

added private key check

parent 5bb52dbf
...@@ -22,13 +22,14 @@ run_upx() { ...@@ -22,13 +22,14 @@ run_upx() {
} }
rm -rf ${GOPATH}/src/github.com/maxadamo/${BIN_NAME} ${GOPATH}/src/gitlab.geant.net/devops/${BIN_NAME} rm -rf ${GOPATH}/src/github.com/maxadamo/${BIN_NAME} ${GOPATH}/src/gitlab.geant.net/devops/${BIN_NAME}
go get -ldflags "-s -w -X main.appVersion=${PROG_VERSION} -X main.buildTime=${BUILDTIME}" gitlab.geant.net/devops/${BIN_NAME} #go get -ldflags "-s -w -X main.appVersion=${PROG_VERSION} -X main.buildTime=${BUILDTIME}" gitlab.geant.net/devops/${BIN_NAME}
#go get -ldflags "-s -w -X main.appVersion=${PROG_VERSION} -X main.buildTime=${BUILDTIME}" . go get -ldflags "-s -w -X main.appVersion=${PROG_VERSION} -X main.buildTime=${BUILDTIME}" .
if [ $? -gt 0 ]; then if [ $? -gt 0 ]; then
echo -e "\nthere was an error while compiling the code\n" echo -e "\nthere was an error while compiling the code\n"
exit exit
fi fi
echo "" echo ""
while true; do while true; do
read -p "Do you wish to run upx against ${BIN_NAME}? (y/n) " yn read -p "Do you wish to run upx against ${BIN_NAME}? (y/n) " yn
case $yn in case $yn in
...@@ -7,6 +7,7 @@ import ( ...@@ -7,6 +7,7 @@ import (
"io/ioutil" "io/ioutil"
"net/http" "net/http"
"os" "os"
"os/exec"
"os/user" "os/user"
"path/filepath" "path/filepath"
"runtime" "runtime"
...@@ -38,6 +39,7 @@ var ( ...@@ -38,6 +39,7 @@ var (
tmpCaDestination string tmpCaDestination string
tmpKeyDestination string tmpKeyDestination string
certTmpDir string certTmpDir string
opensslBinary string
) )
// app clean and exit // app clean and exit
...@@ -54,7 +56,7 @@ func appExit(status int) { ...@@ -54,7 +56,7 @@ func appExit(status int) {
} }
// check certificates // check certificates
func checkCerificates(dnsname string, certificate string, fullchain string, ca string, key string, days int, fail bool) bool { func checkCertificates(dnsname string, certificate string, fullchain string, ca string, key string, days int, fail bool) bool {
Seconds := days * 86400 Seconds := days * 86400
daysNumber := time.Now().Local().Add(time.Second * time.Duration(Seconds)) daysNumber := time.Now().Local().Add(time.Second * time.Duration(Seconds))
...@@ -164,6 +166,42 @@ func checkCerificates(dnsname string, certificate string, fullchain string, ca s ...@@ -164,6 +166,42 @@ func checkCerificates(dnsname string, certificate string, fullchain string, ca s
} }
// check if priv key matches the publick key
func checkPrivkey(privkey string, pubcert string, opensslbinary string, fail bool, silent bool) bool {
_, errOpenssl := exec.Command(opensslbinary, "help").Output()
if errOpenssl != nil {
fmt.Printf("[WARN] skipping private key matching check: please install OpenSSL: %v\n", errOpenssl)
} else {
certPubKey, errCertPubKey := exec.Command(opensslbinary, "x509", "-noout", "-pubkey", "-in", pubcert).Output()
if errCertPubKey != nil {
if fail == true {
fmt.Printf("[ERR] running openssl against %s: %s\n", pubcert, errCertPubKey)
appExit(255)
} else {
return false
}
}
certPrivKey, errCertPrivKey := exec.Command(opensslbinary, "pkey", "-pubout", "-in", privkey).Output()
if errCertPrivKey != nil {
if fail == true {
fmt.Printf("[ERR] running openssl against %s: %s\n", privkey, errCertPrivKey)
appExit(255)
} else {
return false
}
}
pubkeyOutput := string(certPubKey[:])
privkeyOutput := string(certPrivKey[:])
if pubkeyOutput != privkeyOutput {
if fail == true {
fmt.Printf("[ERR] the private key %v does not match the the public certificate %v\n", privkey, pubcert)
appExit(255)
}
}
}
return true
}
// get redis key // get redis key
func GetRedisKey(redisurl string, redistoken string) string { func GetRedisKey(redisurl string, redistoken string) string {
client := &http.Client{} client := &http.Client{}
...@@ -293,7 +331,7 @@ func main() { ...@@ -293,7 +331,7 @@ func main() {
- fetches and stores a given Certificate, Full Chain, CA and Private Key - fetches and stores a given Certificate, Full Chain, CA and Private Key
Usage: Usage:
acme-downloader --redis-token=REDISTOKEN --vault-token=VAULTTOKEN --cert-name=CERTNAME --team-name=TEAMNAME [--days=DAYS] [--type=TYPE] [--cert-destination=CERTDESTINATION] [--fullchain-destination=FULLCHAINDESTINATION] [--key-destination=KEYDESTINATION] [--ca-destination=CADESTINATION] acme-downloader --redis-token=REDISTOKEN --vault-token=VAULTTOKEN --cert-name=CERTNAME --team-name=TEAMNAME [--silent] [--days=DAYS] [--type=TYPE] [--cert-destination=CERTDESTINATION] [--fullchain-destination=FULLCHAINDESTINATION] [--key-destination=KEYDESTINATION] [--ca-destination=CADESTINATION]
acme-downloader -v | --version acme-downloader -v | --version
acme-downloader -b | --build acme-downloader -b | --build
acme-downloader -h | --help acme-downloader -h | --help
...@@ -302,6 +340,7 @@ Options: ...@@ -302,6 +340,7 @@ Options:
-h --help Show this screen -h --help Show this screen
-v --version Print version exit -v --version Print version exit
-b --build Print version and build information and exit -b --build Print version and build information and exit
-s --silent Suppress warnings
--redis-token=REDISTOKEN Redis access token --redis-token=REDISTOKEN Redis access token
--vault-token=VAULTTOKEN Vault access token --vault-token=VAULTTOKEN Vault access token
--cert-name=CERTNAME Certificate name --cert-name=CERTNAME Certificate name
...@@ -320,21 +359,27 @@ Options: ...@@ -320,21 +359,27 @@ Options:
fmt.Printf("acme-downloader version: %v, built on: %v\n", appVersion, buildTime) fmt.Printf("acme-downloader version: %v, built on: %v\n", appVersion, buildTime)
appExit(0) appExit(0)
} }
silent := false
if arguments["--silent"] == true {
silent = true
}
if runtime.GOOS == "windows" { if runtime.GOOS == "windows" {
opensslBinary = "openssl.exe"
tmpCertificateDestination = "C:\\tmp\\acme-downloader\\cert\\amce_cert.pem" tmpCertificateDestination = "C:\\tmp\\acme-downloader\\cert\\amce_cert.pem"
tmpFullchainDestination = "C:\\tmp\\acme-downloader\\cert\\amce_fullchain.pem" tmpFullchainDestination = "C:\\tmp\\acme-downloader\\cert\\amce_fullchain.pem"
tmpCaDestination = "C:\\tmp\\acme-downloader\\cert\\amce_ca.pem" tmpCaDestination = "C:\\tmp\\acme-downloader\\cert\\amce_ca.pem"
tmpKeyDestination = "C:\\tmp\\acme-downloader\\key\\amce_key.pem" tmpKeyDestination = "C:\\tmp\\acme-downloader\\key\\amce_key.pem"
GroupID = 0 // just a fake one GroupID = 0 // just a fake one
} else { } else {
opensslBinary = "openssl"
tmpCertificateDestination = "/tmp/acme-downloader/cert/amce_cert.pem" tmpCertificateDestination = "/tmp/acme-downloader/cert/amce_cert.pem"
tmpFullchainDestination = "/tmp/acme-downloader/cert/amce_fullchain.pem" tmpFullchainDestination = "/tmp/acme-downloader/cert/amce_fullchain.pem"
tmpCaDestination = "/tmp/acme-downloader/cert/amce_ca.pem" tmpCaDestination = "/tmp/acme-downloader/cert/amce_ca.pem"
tmpKeyDestination = "/tmp/acme-downloader/key/amce_key.pem" tmpKeyDestination = "/tmp/acme-downloader/key/amce_key.pem"
group, groupErr := user.LookupGroup(GroupName) group, groupErr := user.LookupGroup(GroupName)
if groupErr != nil { if groupErr != nil {
fmt.Printf("[ERR] Fail looking up %v user user info", GroupName) fmt.Printf("[ERR] Fail looking up %v user user info\n", GroupName)
appExit(255) appExit(255)
} }
GroupID, _ = strconv.Atoi(group.Gid) GroupID, _ = strconv.Atoi(group.Gid)
...@@ -381,9 +426,10 @@ Options: ...@@ -381,9 +426,10 @@ Options:
} }
// check if there is a certificate installed and it is valid // check if there is a certificate installed and it is valid
existingCert := checkCerificates(CertName, certificateDestination, fullchainDestination, caDestination, keyDestination, Days, false) existingCert := checkCertificates(CertName, certificateDestination, fullchainDestination, caDestination, keyDestination, Days, false)
if existingCert == true { existingKey := checkPrivkey(keyDestination, certificateDestination, opensslBinary, false, silent)
fmt.Printf("[INFO] the certificates are still valid\n") if existingCert == true && existingKey == true {
fmt.Printf("[INFO] the certificate is still valid\n")
appExit(0) appExit(0)
} }
certificate := GetRedisKey(RedisCertURL, RedisToken) certificate := GetRedisKey(RedisCertURL, RedisToken)
...@@ -397,7 +443,8 @@ Options: ...@@ -397,7 +443,8 @@ Options:
WriteToFile(ca, tmpCaDestination, 0644) WriteToFile(ca, tmpCaDestination, 0644)
WriteToFile(privKey, tmpKeyDestination, 0640) WriteToFile(privKey, tmpKeyDestination, 0640)
checkCerificates(CertName, tmpCertificateDestination, tmpFullchainDestination, tmpCaDestination, tmpKeyDestination, Days, true) checkCertificates(CertName, tmpCertificateDestination, tmpFullchainDestination, tmpCaDestination, tmpKeyDestination, Days, true)
checkPrivkey(keyDestination, tmpCertificateDestination, opensslBinary, false, silent)
// move certificates in place // move certificates in place
moveFile(tmpCertificateDestination, certificateDestination, GroupID, 0644, 0755) moveFile(tmpCertificateDestination, certificateDestination, GroupID, 0644, 0755)
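Review bot: The freshly downloaded key pair is never actually verified before it is moved into place: the new call `checkPrivkey(keyDestination, tmpCertificateDestination, opensslBinary, false, silent)` compares the already-installed key against the temporary certificate, and with `fail` set to false a mismatch does not abort the run. Mirror the `checkCertificates` call directly above it, which uses the temp paths and fails hard: `checkPrivkey(tmpKeyDestination, tmpCertificateDestination, opensslBinary, true, silent)`. Related, in `checkPrivkey` itself the mismatch branch only acts when `fail` is true and otherwise falls through to `return true`, so the `existingKey` check in main treats a mismatched installed key as valid and exits with "the certificate is still valid" instead of refreshing; add `return false` after the `if fail == true { ... }` block in that branch. The `silent` parameter is accepted but never read, so `-s` does not suppress the `[WARN] skipping private key matching check` message as the option help promises. The enclosing `main` function begins and ends outside this hunk.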