Skip to content
Snippets Groups Projects
Unverified Commit 9cc630e9 authored by Massimiliano Adamo's avatar Massimiliano Adamo
Browse files

remove OpenSSL dependency

parent 937cba5e
No related branches found
No related tags found
No related merge requests found
Pipeline #966 passed
Stage: sonarqube
Hide whitespace changes
Inline Side-by-side
README.md
+ 1
1
View file @ 9cc630e9
...@@ -33,7 +33,7 @@ Usage: ...@@ -33,7 +33,7 @@ Usage:
Options: Options:
-h --help Show this screen -h --help Show this screen
-v --version Print version exit -v --version Print version and exit
-b --build Print version and build information and exit -b --build Print version and build information and exit
--redis-token=REDISTOKEN Redis access token --redis-token=REDISTOKEN Redis access token
--vault-token=VAULTTOKEN Vault access token --vault-token=VAULTTOKEN Vault access token
......
main.go
+ 14
78
View file @ 9cc630e9
package main package main
import ( import (
"crypto/tls"
"crypto/x509" "crypto/x509"
"encoding/pem" "encoding/pem"
"fmt" "fmt"
"io/ioutil" "io/ioutil"
"net/http" "net/http"
"os" "os"
"os/exec"
"os/user" "os/user"
"path/filepath" "path/filepath"
"runtime" "runtime"
...@@ -172,74 +172,17 @@ func checkCertificates(dnsname string, certificate string, fullchain string, ca ...@@ -172,74 +172,17 @@ func checkCertificates(dnsname string, certificate string, fullchain string, ca
return true return true
} }
// check if priv key matches the publick key // check if the private key matches the publick key
func checkPrivkey(privkey string, pubcert string, opensslbinary string, fail bool, silent bool) bool {
_, errOpenssl := exec.Command(opensslbinary, "help").Output()
if errOpenssl != nil {
fmt.Printf("[WARN] skipping private key matching check: please install OpenSSL: %v\n", errOpenssl)
} else {
certPubKey, errCertPubKey := exec.Command(opensslbinary, "x509", "-noout", "-pubkey", "-in", pubcert).Output()
if errCertPubKey != nil {
if fail == true {
fmt.Printf("[ERR] running openssl against %s: %s\n", pubcert, errCertPubKey)
appExit(255)
} else {
return false
}
}
certPrivKey, errCertPrivKey := exec.Command(opensslbinary, "pkey", "-pubout", "-in", privkey).Output()
if errCertPrivKey != nil {
if fail == true {
fmt.Printf("[ERR] running openssl against %s: %s\n", privkey, errCertPrivKey)
appExit(255)
} else {
return false
}
}
pubkeyOutput := string(certPubKey[:])
privkeyOutput := string(certPrivKey[:])
if pubkeyOutput != privkeyOutput {
if fail == true {
fmt.Printf("[ERR] the private key %v does not match the the public certificate %v\n", privkey, pubcert)
appExit(255)
}
}
}
return true
}
// check if priv key matches the publick key
/*
func checkPrivkey(privkey string, pubkey string, fail bool) bool { func checkPrivkey(privkey string, pubkey string, fail bool) bool {
// extract data from public key _, errFileExist := os.Stat(privkey)
pubkeyByte, errpubkey := ioutil.ReadFile(pubkey) if os.IsNotExist(errFileExist) {
if errpubkey != nil { fmt.Printf("[ERR] could not access the private key %v\n", privkey)
fmt.Printf("[ERR] reading private key %v: %v\n", pubkey, errpubkey)
appExit(255) appExit(255)
} }
block, _ := pem.Decode(pubkeyByte) _, err := tls.LoadX509KeyPair(pubkey, privkey)
cert, _ = x509.ParseCertificate(block.Bytes) if fail == true {
rsaPublicKey := cert.PublicKey.(*rsa.PublicKey) if err != nil {
rsaPublicKeyString := fmt.Sprintf(rsaPublicKey.N.String()) fmt.Printf("[ERR] the private key %v does not match the the public certificate %v\n", privkey, pubkey)
// extract data from private key
privkeyByte, errprivkey := ioutil.ReadFile(privkey)
if errprivkey != nil {
fmt.Printf("[ERR] reading private key %v: %v\n", privkey, errprivkey)
appExit(255)
}
fmt.Printf("primo passaggio\n")
keyBlock, _ := pem.Decode(privkeyByte)
key, _ = x509.ParseCertificate(keyBlock.Bytes)
rsaPrivateKey := key.PublicKey.(*rsa.PrivateKey)
rsaPrivateKeyString := fmt.Sprintf(rsaPrivateKey.N.String())
fmt.Printf("primo passaggio")
if rsaPublicKeyString != rsaPrivateKeyString {
if fail == true {
fmt.Printf("[ERR] the private key %v does not match the the public key %v\n", privkey, pubkey)
appExit(255) appExit(255)
} else { } else {
return false return false
...@@ -247,7 +190,6 @@ func checkPrivkey(privkey string, pubkey string, fail bool) bool { ...@@ -247,7 +190,6 @@ func checkPrivkey(privkey string, pubkey string, fail bool) bool {
} }
return true return true
} }
*/
// get redis key // get redis key
func GetRedisKey(redisurl string, redistoken string) string { func GetRedisKey(redisurl string, redistoken string) string {
...@@ -385,9 +327,8 @@ Usage: ...@@ -385,9 +327,8 @@ Usage:
Options: Options:
-h --help Show this screen -h --help Show this screen
-v --version Print version exit -v --version Print version and exit
-b --build Print version and build information and exit -b --build Print version and build information and exit
-s --silent Suppress warnings
--redis-token=REDISTOKEN Redis access token --redis-token=REDISTOKEN Redis access token
--vault-token=VAULTTOKEN Vault access token --vault-token=VAULTTOKEN Vault access token
--cert-name=CERTNAME Certificate name --cert-name=CERTNAME Certificate name
...@@ -407,10 +348,6 @@ Options: ...@@ -407,10 +348,6 @@ Options:
fmt.Printf("acme-downloader version: %v, built on: %v\n", appVersion, buildTime) fmt.Printf("acme-downloader version: %v, built on: %v\n", appVersion, buildTime)
appExit(0) appExit(0)
} }
silent := false
if arguments["--silent"] == true {
silent = true
}
if runtime.GOOS == "windows" { if runtime.GOOS == "windows" {
opensslBinary = "openssl.exe" opensslBinary = "openssl.exe"
...@@ -482,8 +419,7 @@ Options: ...@@ -482,8 +419,7 @@ Options:
// check if there is a certificate installed and it is valid // check if there is a certificate installed and it is valid
existingCert := checkCertificates(CertName, certificateDestination, fullchainDestination, caDestination, keyDestination, Days, false) existingCert := checkCertificates(CertName, certificateDestination, fullchainDestination, caDestination, keyDestination, Days, false)
// existingKey := checkPrivkey(keyDestination, certificateDestination, false) existingKey := checkPrivkey(keyDestination, certificateDestination, false)
existingKey := checkPrivkey(keyDestination, certificateDestination, opensslBinary, false, silent)
if existingCert == true && existingKey == true { if existingCert == true && existingKey == true {
fmt.Printf("[INFO] the certificate is still valid\n") fmt.Printf("[INFO] the certificate is still valid\n")
appExit(0) appExit(0)
...@@ -500,8 +436,7 @@ Options: ...@@ -500,8 +436,7 @@ Options:
WriteToFile(privKey, tmpKeyDestination, 0640) WriteToFile(privKey, tmpKeyDestination, 0640)
checkCertificates(CertName, tmpCertificateDestination, tmpFullchainDestination, tmpCaDestination, tmpKeyDestination, Days, true) checkCertificates(CertName, tmpCertificateDestination, tmpFullchainDestination, tmpCaDestination, tmpKeyDestination, Days, true)
//checkPrivkey(tmpKeyDestination, tmpCertificateDestination, true) checkPrivkey(tmpKeyDestination, tmpCertificateDestination, true)
checkPrivkey(tmpKeyDestination, tmpCertificateDestination, opensslBinary, true, silent)
// move certificates in place // move certificates in place
moveFile(tmpCertificateDestination, certificateDestination, GroupID, 0644, 0755) moveFile(tmpCertificateDestination, certificateDestination, GroupID, 0644, 0755)
...@@ -509,7 +444,8 @@ Options: ...@@ -509,7 +444,8 @@ Options:
moveFile(tmpCaDestination, caDestination, GroupID, 0644, 0755) moveFile(tmpCaDestination, caDestination, GroupID, 0644, 0755)
moveFile(tmpKeyDestination, keyDestination, GroupID, 0640, 0750) moveFile(tmpKeyDestination, keyDestination, GroupID, 0640, 0750)
// Exit 64 means application needs to be reloaded // Exit 64: it means that the certificate was replaced
// in this case you can reloaded the application to read the new certificate
appExit(64) appExit(64)
} }
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment