From 8e5ee2a390e89a25f458128a1219a88390eddfad Mon Sep 17 00:00:00 2001
From: 0xdcarns
Date: Thu, 7 Jul 2022 14:36:22 -0400
Subject: [PATCH 1/3] always save certs on server start
---
 main.go | 36 +++++++++++++-----------------------
 1 file changed, 13 insertions(+), 23 deletions(-)
diff --git a/main.go b/main.go
index 4886e451..b6727f16 100644
--- a/main.go
+++ b/main.go
@@ -220,13 +220,13 @@ func genCerts() error {
 if err != nil {
 return err
 }
- if err := serverctl.SaveCert(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.ROOT_PEM_NAME, rootCA); err != nil {
- return err
- }
 ca = rootCA
 } else if err != nil {
 return err
 }
+ if err := serverctl.SaveCert(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.ROOT_PEM_NAME, ca); err != nil {
+ return err
+ }
 cert, err := serverctl.ReadCertFromDB(tls.SERVER_PEM_NAME)
 if errors.Is(err, os.ErrNotExist) || database.IsEmptyRecord(err) || cert.NotAfter.Before(time.Now().Add(time.Hour*24*10)) {
 //gen new key
@@ -240,19 +240,20 @@ func genCerts() error {
 if err != nil {
 return err
 }
- cert, err := tls.NewEndEntityCert(*private, csr, ca, tls.CERTIFICATE_VALIDITY)
+ newCert, err := tls.NewEndEntityCert(*private, csr, ca, tls.CERTIFICATE_VALIDITY)
 if err != nil {
 return err
 }
 if err := serverctl.SaveKey(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.SERVER_KEY_NAME, key); err != nil {
 return err
 }
- if err := serverctl.SaveCert(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.SERVER_PEM_NAME, cert); err != nil {
- return err
- }
+ cert = newCert
 } else if err != nil {
 return err
 }
+ if err := serverctl.SaveCert(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.SERVER_PEM_NAME, cert); err != nil {
+ return err
+ }
 logger.Log(2, "ensure the root.pem, root.key, server.pem, and server.key files are updated on your broker")
@@ -269,7 +270,7 @@ func genCerts() error {
 if err != nil {
 return err
 }
- serverClientCert, err := tls.NewEndEntityCert(*private, csr, ca, tls.CERTIFICATE_VALIDITY)
+ newServerClientCert, err := tls.NewEndEntityCert(*private, csr, ca, tls.CERTIFICATE_VALIDITY)
 if err != nil {
 return err
 }
@@ -277,23 +278,12 @@ func genCerts() error {
 if err := serverctl.SaveKey(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.SERVER_CLIENT_KEY, key); err != nil {
 return err
 }
- if err := serverctl.SaveCert(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.SERVER_CLIENT_PEM, serverClientCert); err != nil {
- return err
- }
+ serverClientCert = newServerClientCert
 } else if err != nil {
 return err
- } else if err == nil {
- logger.Log(0, "detected valid server client cert, re-saving for future consumption")
- key, err := serverctl.ReadKeyFromDB(tls.SERVER_CLIENT_KEY)
- if err != nil {
- return err
- }
- if err := serverctl.SaveKey(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.SERVER_CLIENT_KEY, *key); err != nil {
- return err
- }
- if err := serverctl.SaveCert(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.SERVER_CLIENT_PEM, serverClientCert); err != nil {
- return err
- }
+ }
+ if err := serverctl.SaveCert(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.SERVER_CLIENT_PEM, serverClientCert); err != nil {
+ return err
 }
 return serverctl.SetClientTLSConf(
From 450fd933e4bd7cadf3d0cf94a424ff903cde7e04 Mon Sep 17 00:00:00 2001
From: 0xdcarns
Date: Thu, 7 Jul 2022 14:43:32 -0400
Subject: [PATCH 2/3] always save keys on server start
---
 main.go | 41 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 40 insertions(+), 1 deletion(-)
diff --git a/main.go b/main.go
index b6727f16..1396ad32 100644
--- a/main.go
+++ b/main.go
@@ -206,6 +206,9 @@ func genCerts() error {
 } else if err != nil {
 return err
 }
+
+ // == ROOT cert handling ==
+
 ca, err := serverctl.ReadCertFromDB(tls.ROOT_PEM_NAME)
 //if cert doesn't exist or will expire within 10 days --- but can't do this as clients won't be able to connect
 //if errors.Is(err, os.ErrNotExist) || cert.NotAfter.Before(time.Now().Add(time.Hour*24*10)) {
@@ -223,10 +226,23 @@ func genCerts() error {
 ca = rootCA
 } else if err != nil {
 return err
+ } else if err == nil {
+ if serverKey, err := serverctl.ReadKeyFromDB(tls.ROOT_KEY_NAME); err == nil {
+ logger.Log(2, "re-saving root.key")
+ if err := serverctl.SaveKey(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.ROOT_KEY_NAME, *serverKey); err != nil {
+ return err
+ }
+ } else {
+ return err
+ }
 }
+ logger.Log(2, "re-saving root.pem")
 if err := serverctl.SaveCert(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.ROOT_PEM_NAME, ca); err != nil {
 return err
 }
+
+ // == SERVER cert handling ==
+
 cert, err := serverctl.ReadCertFromDB(tls.SERVER_PEM_NAME)
 if errors.Is(err, os.ErrNotExist) || database.IsEmptyRecord(err) || cert.NotAfter.Before(time.Now().Add(time.Hour*24*10)) {
 //gen new key
@@ -250,12 +266,22 @@ func genCerts() error {
 cert = newCert
 } else if err != nil {
 return err
+ } else if err == nil {
+ if serverKey, err := serverctl.ReadKeyFromDB(tls.SERVER_KEY_NAME); err == nil {
+ logger.Log(2, "re-saving server.key")
+ if err := serverctl.SaveKey(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.SERVER_KEY_NAME, *serverKey); err != nil {
+ return err
+ }
+ } else {
+ return err
+ }
 }
+ logger.Log(2, "re-saving server.pem")
 if err := serverctl.SaveCert(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.SERVER_PEM_NAME, cert); err != nil {
 return err
 }
- logger.Log(2, "ensure the root.pem, root.key, server.pem, and server.key files are updated on your broker")
+ // == SERVER-CLIENT connection cert handling ==
 serverClientCert, err := serverctl.ReadCertFromDB(tls.SERVER_CLIENT_PEM)
 if errors.Is(err, os.ErrNotExist) || database.IsEmptyRecord(err) || serverClientCert.NotAfter.Before(time.Now().Add(time.Hour*24*10)) {
@@ -281,11 +307,24 @@ func genCerts() error {
 serverClientCert = newServerClientCert
 } else if err != nil {
 return err
+ } else if err == nil {
+ logger.Log(2, "re-saving serverclient.key")
+ if serverClientKey, err := serverctl.ReadKeyFromDB(tls.SERVER_CLIENT_KEY); err == nil {
+ if err := serverctl.SaveKey(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.SERVER_CLIENT_KEY, *serverClientKey); err != nil {
+ return err
+ }
+ } else {
+ return err
+ }
 }
+
+ logger.Log(2, "re-saving serverclient.pem")
 if err := serverctl.SaveCert(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.SERVER_CLIENT_PEM, serverClientCert); err != nil {
 return err
 }
+ logger.Log(1, "ensure the root.pem, root.key, server.pem, and server.key files are updated on your broker")
+
 return serverctl.SetClientTLSConf(
 functions.GetNetmakerPath()+ncutils.GetSeparator()+tls.SERVER_CLIENT_PEM,
 functions.GetNetmakerPath()+ncutils.GetSeparator()+tls.SERVER_CLIENT_KEY,
From 68c59fb140dac57203dc353b2ece9ed8191a4aae Mon Sep 17 00:00:00 2001
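Review bot: The `} else if err == nil {` added after `} else if err != nil { return err }` in the server-cert hunk can only be reached when err is nil, so the condition is redundant and a plain `} else {` states the intent more directly; the server-client hunk below adds the same shape and should be changed the same way. In that second hunk, `logger.Log(2, "re-saving serverclient.key")` is emitted before `serverctl.ReadKeyFromDB` has succeeded, whereas the server-key block logs only inside the `err == nil` branch after the read; moving the log line into the branch keeps the two blocks consistent and avoids logging a save that then fails on the read. The inner `if serverKey, err := ...; err == nil { ... } else { return err }` shadows the outer err, which is correct here because the else branch returns the shadowed value, but a one-line comment such as `// shadowed err is the key read error` would save the next reader a double-take. genCerts begins before and continues after both hunks.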
From: 0xdcarns
Date: Thu, 7 Jul 2022 14:48:55 -0400
Subject: [PATCH 3/3] added saving functionality for root.key
---
 main.go | 29 ++++++++++++-----------------
 1 file changed, 12 insertions(+), 17 deletions(-)
diff --git a/main.go b/main.go
index 1396ad32..77c13a2f 100644
--- a/main.go
+++ b/main.go
@@ -192,6 +192,9 @@ func genCerts() error {
 logger.Log(0, "checking keys and certificates")
 var private *ed25519.PrivateKey
 var err error
+
+ // == ROOT key handling ==
+
 private, err = serverctl.ReadKeyFromDB(tls.ROOT_KEY_NAME)
 if errors.Is(err, os.ErrNotExist) || database.IsEmptyRecord(err) {
 logger.Log(0, "generating new root key")
@@ -199,13 +202,14 @@ func genCerts() error {
 if err != nil {
 return err
 }
- if err := serverctl.SaveKey(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.ROOT_KEY_NAME, newKey); err != nil {
- return err
- }
 private = &newKey
 } else if err != nil {
 return err
 }
+ logger.Log(2, "saving root.key")
+ if err := serverctl.SaveKey(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.ROOT_KEY_NAME, *private); err != nil {
+ return err
+ }
 // == ROOT cert handling ==
@@ -226,17 +230,8 @@ func genCerts() error {
 ca = rootCA
 } else if err != nil {
 return err
- } else if err == nil {
- if serverKey, err := serverctl.ReadKeyFromDB(tls.ROOT_KEY_NAME); err == nil {
- logger.Log(2, "re-saving root.key")
- if err := serverctl.SaveKey(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.ROOT_KEY_NAME, *serverKey); err != nil {
- return err
- }
- } else {
- return err
- }
 }
- logger.Log(2, "re-saving root.pem")
+ logger.Log(2, "saving root.pem")
 if err := serverctl.SaveCert(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.ROOT_PEM_NAME, ca); err != nil {
 return err
 }
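Review bot: The added `serverctl.SaveKey(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.ROOT_KEY_NAME, *private)` in the second hunk now rewrites the root CA private key to disk on every start, including starts where the key was only read back from the database, but nothing in the hunk shows what file mode SaveKey uses or whether it replaces an existing file in place; confirm that root.key is created owner-readable only and that an interrupted write cannot leave a truncated key behind, since this path now runs on every boot rather than only at first generation. The same unconditional rewrite of server.key and serverclient.key is introduced by the previous patch, so the check applies there too. A short comment above the save, `// Always re-save so the on-disk root.key matches the DB copy, even when the key was not regenerated.`, would record why the write sits outside the generation branch. genCerts begins before and continues after this hunk.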
@@ -268,7 +263,7 @@ func genCerts() error {
 return err
 } else if err == nil {
 if serverKey, err := serverctl.ReadKeyFromDB(tls.SERVER_KEY_NAME); err == nil {
- logger.Log(2, "re-saving server.key")
+ logger.Log(2, "saving server.key")
 if err := serverctl.SaveKey(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.SERVER_KEY_NAME, *serverKey); err != nil {
 return err
 }
@@ -276,7 +271,7 @@ func genCerts() error {
 return err
 }
 }
- logger.Log(2, "re-saving server.pem")
+ logger.Log(2, "saving server.pem")
 if err := serverctl.SaveCert(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.SERVER_PEM_NAME, cert); err != nil {
 return err
 }
@@ -308,7 +303,7 @@ func genCerts() error {
 } else if err != nil {
 return err
 } else if err == nil {
- logger.Log(2, "re-saving serverclient.key")
+ logger.Log(2, "saving serverclient.key")
 if serverClientKey, err := serverctl.ReadKeyFromDB(tls.SERVER_CLIENT_KEY); err == nil {
 if err := serverctl.SaveKey(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.SERVER_CLIENT_KEY, *serverClientKey); err != nil {
 return err
@@ -318,7 +313,7 @@ func genCerts() error {
 }
 }
- logger.Log(2, "re-saving serverclient.pem")
+ logger.Log(2, "saving serverclient.pem")
 if err := serverctl.SaveCert(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.SERVER_CLIENT_PEM, serverClientCert); err != nil {
 return err
 }