From 9cc630e98423422d7088a00da5efbe02a02c4bfa Mon Sep 17 00:00:00 2001
From: Massimiliano Adamo <massimiliano.adamo@geant.org>
Date: Mon, 12 Apr 2021 20:33:58 +0200
Subject: [PATCH] remove OpenSSL dependency

---
 README.md |  2 +-
 main.go   | 92 +++++++++----------------------------------------------
 2 files changed, 15 insertions(+), 79 deletions(-)

diff --git a/README.md b/README.md
index 81e5354..c340b79 100644
--- a/README.md
+++ b/README.md
@@ -33,7 +33,7 @@ Usage:
 Options:
   -h --help Show this screen
-  -v --version Print version exit
+  -v --version Print version and exit
   -b --build Print version and build information and exit
   --redis-token=REDISTOKEN Redis access token
   --vault-token=VAULTTOKEN Vault access token
diff --git a/main.go b/main.go
index 9fca715..ad17bad 100644
--- a/main.go
+++ b/main.go
@@ -1,13 +1,13 @@
 package main
 
 import (
+	"crypto/tls"
 	"crypto/x509"
 	"encoding/pem"
 	"fmt"
 	"io/ioutil"
 	"net/http"
 	"os"
-	"os/exec"
 	"os/user"
 	"path/filepath"
 	"runtime"
@@ -172,74 +172,17 @@ func checkCertificates(dnsname string, certificate string, fullchain string, ca
 	return true
 }
 
-// check if priv key matches the publick key
-func checkPrivkey(privkey string, pubcert string, opensslbinary string, fail bool, silent bool) bool {
-	_, errOpenssl := exec.Command(opensslbinary, "help").Output()
-	if errOpenssl != nil {
-		fmt.Printf("[WARN] skipping private key matching check: please install OpenSSL: %v\n", errOpenssl)
-	} else {
-		certPubKey, errCertPubKey := exec.Command(opensslbinary, "x509", "-noout", "-pubkey", "-in", pubcert).Output()
-		if errCertPubKey != nil {
-			if fail == true {
-				fmt.Printf("[ERR] running openssl against %s: %s\n", pubcert, errCertPubKey)
-				appExit(255)
-			} else {
-				return false
-			}
-		}
-		certPrivKey, errCertPrivKey := exec.Command(opensslbinary, "pkey", "-pubout", "-in", privkey).Output()
-		if errCertPrivKey != nil {
-			if fail == true {
-				fmt.Printf("[ERR] running openssl against %s: %s\n", privkey, errCertPrivKey)
-				appExit(255)
-			} else {
-				return false
-			}
-		}
-		pubkeyOutput := string(certPubKey[:])
-		privkeyOutput := string(certPrivKey[:])
-		if pubkeyOutput != privkeyOutput {
-			if fail == true {
-				fmt.Printf("[ERR] the private key %v does not match the the public certificate %v\n", privkey, pubcert)
-				appExit(255)
-			}
-		}
-	}
-	return true
-}
-
-// check if priv key matches the publick key
-/*
+// check if the private key matches the publick key
 func checkPrivkey(privkey string, pubkey string, fail bool) bool {
-	// extract data from public key
-	pubkeyByte, errpubkey := ioutil.ReadFile(pubkey)
-	if errpubkey != nil {
-		fmt.Printf("[ERR] reading private key %v: %v\n", pubkey, errpubkey)
+	_, errFileExist := os.Stat(privkey)
+	if os.IsNotExist(errFileExist) {
+		fmt.Printf("[ERR] could not access the private key %v\n", privkey)
 		appExit(255)
 	}
-	block, _ := pem.Decode(pubkeyByte)
-	cert, _ = x509.ParseCertificate(block.Bytes)
-	rsaPublicKey := cert.PublicKey.(*rsa.PublicKey)
-	rsaPublicKeyString := fmt.Sprintf(rsaPublicKey.N.String())
-	// extract data from private key
-	privkeyByte, errprivkey := ioutil.ReadFile(privkey)
-	if errprivkey != nil {
-		fmt.Printf("[ERR] reading private key %v: %v\n", privkey, errprivkey)
-		appExit(255)
-	}
-	fmt.Printf("primo passaggio\n")
-	keyBlock, _ := pem.Decode(privkeyByte)
-	key, _ = x509.ParseCertificate(keyBlock.Bytes)
-	rsaPrivateKey := key.PublicKey.(*rsa.PrivateKey)
-	rsaPrivateKeyString := fmt.Sprintf(rsaPrivateKey.N.String())
-	fmt.Printf("primo passaggio")
-	if rsaPublicKeyString != rsaPrivateKeyString {
-		if fail == true {
-			fmt.Printf("[ERR] the private key %v does not match the the public key %v\n", privkey, pubkey)
+	_, err := tls.LoadX509KeyPair(pubkey, privkey)
+	if fail == true {
+		if err != nil {
+			fmt.Printf("[ERR] the private key %v does not match the the public certificate %v\n", privkey, pubkey)
 			appExit(255)
 		} else {
 			return false
@@ -247,7 +190,6 @@ func checkPrivkey(privkey string, pubkey string, fail bool) bool {
 	}
 	return true
 }
-*/
 
 // get redis key
 func GetRedisKey(redisurl string, redistoken string) string {
@@ -385,9 +327,8 @@ Usage:
 Options:
   -h --help Show this screen
-  -v --version Print version exit
+  -v --version Print version and exit
   -b --build Print version and build information and exit
-  -s --silent Suppress warnings
   --redis-token=REDISTOKEN Redis access token
   --vault-token=VAULTTOKEN Vault access token
   --cert-name=CERTNAME Certificate name
@@ -407,10 +348,6 @@ Options:
 		fmt.Printf("acme-downloader version: %v, built on: %v\n", appVersion, buildTime)
 		appExit(0)
 	}
-	silent := false
-	if arguments["--silent"] == true {
-		silent = true
-	}
 
 	if runtime.GOOS == "windows" {
 		opensslBinary = "openssl.exe"
@@ -482,8 +419,7 @@ Options:
 
 	// check if there is a certificate installed and it is valid
 	existingCert := checkCertificates(CertName, certificateDestination, fullchainDestination, caDestination, keyDestination, Days, false)
-	// existingKey := checkPrivkey(keyDestination, certificateDestination, false)
-	existingKey := checkPrivkey(keyDestination, certificateDestination, opensslBinary, false, silent)
+	existingKey := checkPrivkey(keyDestination, certificateDestination, false)
 	if existingCert == true && existingKey == true {
 		fmt.Printf("[INFO] the certificate is still valid\n")
 		appExit(0)
@@ -500,8 +436,7 @@ Options:
 	WriteToFile(privKey, tmpKeyDestination, 0640)
 	checkCertificates(CertName, tmpCertificateDestination, tmpFullchainDestination, tmpCaDestination, tmpKeyDestination, Days, true)
-	//checkPrivkey(tmpKeyDestination, tmpCertificateDestination, true)
-	checkPrivkey(tmpKeyDestination, tmpCertificateDestination, opensslBinary, true, silent)
+	checkPrivkey(tmpKeyDestination, tmpCertificateDestination, true)
 
 	// move certificates in place
 	moveFile(tmpCertificateDestination, certificateDestination, GroupID, 0644, 0755)
@@ -509,7 +444,8 @@ Options:
 	moveFile(tmpCaDestination, caDestination, GroupID, 0644, 0755)
 	moveFile(tmpKeyDestination, keyDestination, GroupID, 0640, 0750)
 
-	// Exit 64 means application needs to be reloaded
+	// Exit 64: it means that the certificate was replaced
+	// in this case you can reloaded the application to read the new certificate
 	appExit(64)
 }
-- 
GitLab
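Review bot: `opensslBinary` is still assigned under `if runtime.GOOS == "windows"` in the earlier hunk, but once this hunk drops it from the checkPrivkey call nothing visible in the patch reads it any more; unless another consumer remains outside this diff, that branch and the variable are dead and should leave with the OpenSSL dependency. This line also now depends on the fail-false path of the new checkPrivkey body, which as written returns true whenever LoadX509KeyPair is reached, so `existingKey` cannot currently flag a key that does not match the installed certificate; that belongs to the checkPrivkey hunk, but it is worth knowing that the "still valid" short-circuit here rests on it. The enclosing main body starts and ends outside this hunk.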
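Review bot: The rewritten exit-code comment in the last hunk has a grammar slip ("you can reloaded") and does not say what was replaced or who is expected to act on status 64. Suggested wording: `// Exit 64: the certificate and key were replaced; the caller may reload the` / `// application so it picks up the new files.` The closing brace of main is the last line of the hunk; its opening is outside it.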