use openssl to gen client key/cert

2025-09-07 21:54:54 +08:00 · 2022-04-15 13:32:10 -04:00 · 2022-04-15 13:32:10 -04:00 · a6c388db67
commit a6c388db67
parent 84de5c5216
4 changed files with 64 additions and 10 deletions
--- a/controllers/server.go
+++ b/controllers/server.go
@ -13,6 +13,7 @@ import (
 	"github.com/gravitl/netmaker/logic"
 	"github.com/gravitl/netmaker/models"
 	"github.com/gravitl/netmaker/netclient/config"
+	"github.com/gravitl/netmaker/netclient/ncutils"
 	"github.com/gravitl/netmaker/servercfg"
 	"github.com/gravitl/netmaker/tls"
 )
@ -163,7 +164,9 @@ func register(w http.ResponseWriter, r *http.Request) {
 		returnErrorResponse(w, r, errorResponse)
 		return
 	}
-	cert, ca, err := genCerts(&request.CSR, request.Key)
+	// not working --- use openssl instead
+	//	cert, ca, err := genCerts(&request.CSR, request.Key)
+	key, cert, ca, err := genOpenSSLCerts()
 	if err != nil {
 		logger.Log(0, "failed to generater certs ", err.Error())
 		errorResponse := models.ErrorResponse{
@ -172,6 +175,7 @@ func register(w http.ResponseWriter, r *http.Request) {
 		returnErrorResponse(w, r, errorResponse)
 		return
 	}
+
 	response := config.RegisterResponse{
 		CA:   *ca,
 		Cert: *cert,
@ -201,6 +205,7 @@ func genCerts(csr *x509.CertificateRequest, publickey ed25519.PublicKey) (*x509.
 	//	logger.Log(2, "failed to generate client certificate requests", err.Error())
 	//	return nil, nil, nil, fmt.Errorf("client certification request generation failed %w", err)
 	//}
+
 	csr.PublicKey = publickey
 	cert, err := tls.NewEndEntityCert(*key, csr, ca, tls.CERTIFICATE_VALIDITY)
 	if err != nil {
@ -209,3 +214,32 @@ func genCerts(csr *x509.CertificateRequest, publickey ed25519.PublicKey) (*x509.
 	}
 	return ca, cert, nil
 }
+
+func genOpenSSLCerts() (*ed25519.PrivateKey, *x509.Certificate, *x509.Certificate, error) {
+	cmd1 := "openssl genpkey -algorithm Ed25519 -out /tmp/client.key"
+	cmd2 := "openssl req -new -out /tmp/client.csr -key tmp/client.key -subj  '/CN=client'"
+	cmd3 := "openssl x509 -req -in /tmp/client.csr -days 365 -CA /etc/netmaker/root.pem -CAkey /etc/netmaker/root.key -CAcreateserial -out /tmp/client.pem"
+
+	if _, err := ncutils.RunCmd(cmd1, true); err != nil {
+		return nil, nil, nil, fmt.Errorf("client key error %w", err)
+	}
+	if _, err := ncutils.RunCmd(cmd2, true); err != nil {
+		return nil, nil, nil, fmt.Errorf("client csr error %w", err)
+	}
+	if _, err := ncutils.RunCmd(cmd3, true); err != nil {
+		return nil, nil, nil, fmt.Errorf("client cert error %w", err)
+	}
+	key, err := tls.ReadKey("/tmp/client.key")
+	if err != nil {
+		return nil, nil, nil, fmt.Errorf("read client key error %w", err)
+	}
+	cert, err := tls.ReadCert("/tmp/client.pem")
+	if err != nil {
+		return nil, nil, nil, fmt.Errorf("read client cert error %w", err)
+	}
+	ca, err := tls.ReadCert("/etc/netmaker/root.pem")
+	if err != nil {
+		return nil, nil, nil, fmt.Errorf("read ca cert error %w", err)
+	}
+	return key, cert, ca, nil
+}
--- a/netclient/config/config.go
+++ b/netclient/config/config.go
@ -47,6 +47,7 @@ type RegisterRequest struct {
 }

 type RegisterResponse struct {
+	Key  ed25519.PrivateKey
 	CA   x509.Certificate
 	Cert x509.Certificate
 }
--- a/netclient/functions/daemon.go
+++ b/netclient/functions/daemon.go
@ -288,8 +288,8 @@ func NewTLSConfig(cfg *config.ClientConfig, server string) *tls.Config {
 		logger.Log(0, "failed to append cert")
 	}
 	//mycert, err := ssl.ReadCert("/etc/netclient/" + server + "/client.pem")
-	//clientKeyPair, err := tls.LoadX509KeyPair("/etc/netclient/"+server+"/client.pem", "/etc/netclient/client.key")
-	clientKeyPair, err := tls.LoadX509KeyPair("/home/mkasun/tmp/client.pem", "/home/mkasun/tmp/client.key")
+	clientKeyPair, err := tls.LoadX509KeyPair("/etc/netclient/"+server+"/client.pem", "/etc/netclient/client.key")
+	//clientKeyPair, err := tls.LoadX509KeyPair("/home/mkasun/tmp/client.pem", "/home/mkasun/tmp/client.key")
 	if err != nil {
 		log.Fatalf("could not read client cert/key %v \n", err)
 	}
--- a/tls/tls.go
+++ b/tls/tls.go
@ -100,9 +100,11 @@ func NewCSR(key ed25519.PrivateKey, name pkix.Name) (*x509.CertificateRequest, e
 	dnsnames := []string{}
 	dnsnames = append(dnsnames, name.CommonName)
 	derCertRequest, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
-		Subject:   name,
-		PublicKey: key.Public(),
-		DNSNames:  dnsnames,
+		Subject:            name,
+		PublicKey:          key.Public(),
+		DNSNames:           dnsnames,
+		PublicKeyAlgorithm: x509.Ed25519,
+		Version:            3,
 	}, key)
 	if err != nil {
 		return nil, err
@ -152,10 +154,10 @@ func NewEndEntityCert(key ed25519.PrivateKey, req *x509.CertificateRequest, pare
 		SerialNumber:       serialNumber(),
 		SignatureAlgorithm: req.SignatureAlgorithm,
 		PublicKeyAlgorithm: req.PublicKeyAlgorithm,
-		//PublicKey:          req.PublicKey,
-		Subject:      req.Subject,
-		SubjectKeyId: req.RawSubject,
-		Issuer:       parent.Subject,
+		PublicKey:          key.Public(),
+		Subject:            req.Subject,
+		SubjectKeyId:       req.RawSubject,
+		Issuer:             parent.Subject,
 	}
 	rootCa, err := x509.CreateCertificate(rand.Reader, template, parent, key.Public(), key)
 	if err != nil {
@ -168,6 +170,23 @@ func NewEndEntityCert(key ed25519.PrivateKey, req *x509.CertificateRequest, pare
 	return result, nil
 }

+func SaveRequest(path, name string, csr *x509.CertificateRequest) error {
+	if err := os.MkdirAll(path, 0644); err != nil {
+		return err
+	}
+	requestOut, err := os.Create(path + name)
+	if err != nil {
+		return err
+	}
+	defer requestOut.Close()
+	if err := pem.Encode(requestOut, &pem.Block{
+		Type:  "CERTIFICATE REQUEST",
+		Bytes: csr.Raw,
+	}); err != nil {
+		return err
+	}
+	return nil
+}
 func SaveCert(path, name string, cert *x509.Certificate) error {
 	//certbytes, err := x509.ParseCertificate(cert)
 	if err := os.MkdirAll(path, 0644); err != nil {