Port from heep; initial chekin

2022-11-04 19:38:34 +01:00 · 2022-11-04 19:38:34 +01:00 · 298f162d43
commit 298f162d43
7 changed files with 413 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+.idea/
--- a/cert.go
+++ b/cert.go
@ -0,0 +1,208 @@
+package certifer
+
+import (
+	"bytes"
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/sha1"
+	"crypto/sha256"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/binary"
+	"encoding/gob"
+	"encoding/pem"
+	"fmt"
+	"math/big"
+	"math/rand"
+	"net"
+	"os"
+	"time"
+)
+
+type Cert struct {
+	x        *certifier
+	Template *x509.Certificate
+	Bytes    []byte
+	Key      *KeyParameters
+	Parent   *Cert
+	CA       *Cert
+}
+
+func (x *certifier) NewCA() (*Cert, error) {
+	ca := &x509.Certificate{
+		SerialNumber: big.NewInt(1337),
+		Subject: pkix.Name{
+			Organization:       []string{x.Orga},
+			OrganizationalUnit: []string{"ca"},
+			CommonName:         "root",
+		},
+		NotBefore:             time.Now(),
+		NotAfter:              time.Now().Add(time.Hour * 24 * 365),
+		IsCA:                  true,
+		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		// up to this point this should be the bare minimum for a Parent cert
+	}
+
+	pk := createKeyPair()
+
+	// create certificate.
+	caBytes, err := x509.CreateCertificate(getRandom(), ca, ca, &pk.PublicKey, pk)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Cert{
+		Template: ca,
+		Bytes:    caBytes,
+		Key:      NewKeyParameters(pk),
+	}, nil
+}
+
+func (c *Cert) NewCert(cn string) (*Cert, error) {
+	cert := &x509.Certificate{
+		SerialNumber: big.NewInt(1337 + int64(rand.Uint64())),
+		Subject: pkix.Name{
+			Organization:       []string{c.Template.Subject.Organization[0]},
+			OrganizationalUnit: []string{c.x.Thing},
+			CommonName:         cn,
+		},
+		//		DNSNames:    []string{"bloq", "localhost"},
+		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback},
+		NotBefore:   time.Now(),
+		NotAfter:    time.Now().AddDate(1, 0, 0),
+		//		SubjectKeyId: []byte{1, 2, 3, 4, 6},
+		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
+		KeyUsage:    x509.KeyUsageDigitalSignature,
+	}
+
+	pk := createKeyPair()
+
+	hash := sha1.Sum(pk.PublicKey.X.Bytes())
+	cert.SubjectKeyId = hash[:]
+
+	//	caBytes, err := x509.CreateCertificate(r, ca, ca, &pk.PublicKey, pk)
+	certBytes, err := x509.CreateCertificate(getRandom(), cert, c.Template, &pk.PublicKey, c.Key.Key())
+	if err != nil {
+		return nil, err
+	}
+
+	ca := c.CA
+	if ca == nil {
+		ca = c
+	}
+	return &Cert{
+		Template: cert,
+		Bytes:    certBytes,
+		Key:      NewKeyParameters(pk),
+		Parent:   c,
+		CA:       ca,
+	}, nil
+}
+
+func (c *Cert) CertAsPem() []byte {
+	p := pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: c.Bytes,
+	})
+	return p
+}
+
+func (c *Cert) KeyAsPem() ([]byte, error) {
+	sec, err := x509.MarshalECPrivateKey(c.Key.Key())
+	if err != nil {
+		return nil, err
+	}
+	buf := pem.EncodeToMemory(&pem.Block{
+		Type:  "EC PRIVATE KEY",
+		Bytes: sec,
+	})
+	return buf, nil
+}
+
+// WithoutKeys returns a copy of this Cert tree without any private keys.
+// Note: The result is NOT a deep copy of the original cert tree. Certificates, Templates and
+// byte slices will still point to the original data, so be careful and do not modify!
+func (c *Cert) WithoutKeys() *Cert {
+	ret := c.WithoutParentKeys()
+	ret.Key = nil
+	return ret
+}
+
+// WithoutParentKeys retruns a copy of this Cert tree without keys of the parent and ca.
+// Note: The result is NOT a deep copy of the original cert tree. Certificates, Templates and
+// byte slices will still point to the original data, so be careful and do not modify!
+func (c *Cert) WithoutParentKeys() *Cert {
+	p := c.Parent
+	if p != nil {
+		p = p.WithoutKeys()
+	}
+	ca := c.CA
+	if ca != nil {
+		ca.WithoutKeys()
+	}
+	return &Cert{
+		Template: c.Template,
+		Bytes:    c.Bytes,
+		Key:      c.Key,
+		Parent:   p,
+		CA:       ca,
+	}
+}
+
+func (c *Cert) Export(includeKey bool) ([]byte, error) {
+	exportCert := c
+	if !includeKey {
+		exportCert = c.WithoutParentKeys()
+	}
+
+	buf := &bytes.Buffer{}
+	tGob := gob.NewEncoder(buf)
+	if err := tGob.Encode(exportCert); err != nil {
+		return nil, err
+	}
+	blob := buf.Bytes()
+	bloblen := uint32(len(blob))
+	padding := (aes.BlockSize - ((len(blob) + 4) % aes.BlockSize)) % aes.BlockSize
+	paddedBlob := make([]byte, len(blob)+4+padding)
+	binary.BigEndian.PutUint32(paddedBlob[0:4], bloblen)
+	copy(paddedBlob[4:], blob)
+	//for i := 0; i < padding; i++ {
+	// use padding spaces. Nul bytes would confuse the json unmarshaller
+	//paddedBlob[len(paddedBlob)+i] = ' '
+	//}
+	tKeydata := sha256.Sum256([]byte(c.x.key)) // gives 32 bytes, which is a multiple of the block size
+	tIVdata := tKeydata[:aes.BlockSize]
+	block, err := aes.NewCipher(tKeydata[:])
+	if err != nil {
+		return nil, err
+	}
+	cbc := cipher.NewCBCEncrypter(block, tIVdata)
+	cbc.CryptBlocks(paddedBlob, paddedBlob)
+	return paddedBlob, nil
+}
+
+func (c *Cert) ExportToFile(includeKey bool, filename string) error {
+	cBlob, err := c.Export(includeKey)
+	if err != nil {
+		return err
+	}
+	if err := os.WriteFile(filename, cBlob, 0600); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (c *Cert) String() string {
+	ret := ""
+	if c.Parent != nil {
+		ret += fmt.Sprintf("%v->", c.Parent)
+	}
+	key := ""
+	if c.Key != nil {
+		key = "(*)"
+	}
+	ret += fmt.Sprintf("[%v%v]", c.Template.Subject, key)
+	return ret
+}
--- a/certifier.go
+++ b/certifier.go
@ -0,0 +1,64 @@
+package certifer
+
+import (
+	"bytes"
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/sha256"
+	"encoding/binary"
+	"encoding/gob"
+	"os"
+)
+
+type certifier struct {
+	key string
+
+	// head / thing / bla (
+	// orga / unit  / cn
+	// "abc"/ "ca"  / "ca"
+
+	// Orga will be the Organization of newly created CAs
+	Orga string
+
+	// Thing is the OrgaUnit of newly created Certs
+	Thing string
+}
+
+func New(key, orga, thing string) *certifier {
+	return &certifier{
+		key:   key,
+		Orga:  orga,
+		Thing: thing,
+	}
+}
+
+func (x *certifier) Import(data []byte) (*Cert, error) {
+	blob := make([]byte, len(data))
+	copy(blob, data)
+
+	tKeydata := sha256.Sum256([]byte(x.key)) // gives 32 bytes, which is a multiple of the block size
+	tIVdata := tKeydata[:aes.BlockSize]
+	block, err := aes.NewCipher(tKeydata[:])
+	if err != nil {
+		return nil, err
+	}
+	cbc := cipher.NewCBCDecrypter(block, tIVdata)
+	cbc.CryptBlocks(blob, blob)
+	bloblen := binary.BigEndian.Uint32(blob[0:4])
+	buf := bytes.NewBuffer(blob[4 : 4+bloblen])
+	// should be plain gob now
+	cert := &Cert{}
+	tGob := gob.NewDecoder(buf)
+	if err := tGob.Decode(cert); err != nil {
+		return nil, err
+	}
+	return cert, nil
+}
+
+func (x *certifier) ImportFromFile(filename string) (*Cert, error) {
+	blob, err := os.ReadFile(filename)
+	if err != nil {
+		return nil, err
+	}
+	return x.Import(blob)
+}
--- a/go.mod
+++ b/go.mod
@ -0,0 +1,10 @@
+module udico.de/heep/cert
+
+go 1.19
+
+require google.golang.org/grpc v1.50.1
+
+require (
+	github.com/golang/protobuf v1.5.2 // indirect
+	google.golang.org/protobuf v1.27.1 // indirect
+)
--- a/go.sum
+++ b/go.sum
@ -0,0 +1,13 @@
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
+github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
+google.golang.org/grpc v1.50.1 h1:DS/BukOZWp8s6p4Dt/tOaJaTQyPyOoCcrjroHuCeLzY=
+google.golang.org/grpc v1.50.1/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.27.1 h1:SnqbnDw1V7RiZcXPx5MEeqPv2s79L9i7BJUlG/+RurQ=
+google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
--- a/grpc.go
+++ b/grpc.go
@ -0,0 +1,55 @@
+package certifer
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"errors"
+	"google.golang.org/grpc/credentials"
+)
+
+func (c *Cert) GrpcServerConfig() (credentials.TransportCredentials, error) {
+	if c.CA == nil {
+		return nil, errors.New("security blob contains no CA")
+	}
+	certPool := x509.NewCertPool()
+	if !certPool.AppendCertsFromPEM(c.CA.CertAsPem()) {
+		return nil, errors.New("cannot add CA to pool")
+	}
+
+	tCertPem := c.CertAsPem()
+	tKeyPem, _ := c.KeyAsPem()
+	tCert, err := tls.X509KeyPair(tCertPem, tKeyPem)
+	if err != nil {
+		return nil, err
+	}
+	config := &tls.Config{
+		Certificates: []tls.Certificate{tCert},
+		ClientAuth:   tls.RequireAndVerifyClientCert,
+		ClientCAs:    certPool,
+	}
+	creds := credentials.NewTLS(config)
+	return creds, nil
+}
+
+func (c *Cert) GrpcClientConfig() (credentials.TransportCredentials, error) {
+	if c.CA == nil {
+		return nil, errors.New("security blob contains no CA")
+	}
+	certPool := x509.NewCertPool()
+	if !certPool.AppendCertsFromPEM(c.CA.CertAsPem()) {
+		return nil, errors.New("cannot add CA to pool")
+	}
+
+	tCertPem := c.CertAsPem()
+	tKeyPem, _ := c.KeyAsPem()
+	tCert, err := tls.X509KeyPair(tCertPem, tKeyPem)
+	if err != nil {
+		return nil, err
+	}
+	config := &tls.Config{
+		Certificates: []tls.Certificate{tCert},
+		RootCAs:      certPool,
+	}
+	creds := credentials.NewTLS(config)
+	return creds, nil
+}
--- a/key.go
+++ b/key.go
@ -0,0 +1,62 @@
+package certifer
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"math/big"
+	"math/rand"
+	"time"
+)
+
+const maxCreateKeyRounds = 3
+
+var ecdsacurve = elliptic.P256()
+
+// KeyParameters hold the ecdsa curve parameters of private (and public, despite these are redundand values) keys.
+type KeyParameters struct {
+	D, X, Y *big.Int
+}
+
+// NewKeyParameters extracts key information from a given ecdsa private key and returns a KeyParameters instance.
+func NewKeyParameters(key *ecdsa.PrivateKey) *KeyParameters {
+	return &KeyParameters{
+		D: key.D,
+		X: key.X,
+		Y: key.Y,
+	}
+}
+
+// Key creates a new ecdsa.PrivateKey from the given KeyParameters
+func (k *KeyParameters) Key() *ecdsa.PrivateKey {
+	priv := new(ecdsa.PrivateKey)
+	priv.PublicKey.Curve = ecdsacurve
+	priv.D = k.D
+	priv.PublicKey.X, priv.PublicKey.Y = k.X, k.Y
+	return priv
+}
+
+func createKeyPair() *ecdsa.PrivateKey {
+	// generate key pair
+	var pk *ecdsa.PrivateKey
+	var err error
+	for i := 0; i < 3; i++ {
+		r := getRandom()
+		pk, err = ecdsa.GenerateKey(ecdsacurve, r)
+		if err != nil {
+			//log.WithError(err).Error("cannot create key pair")
+			continue
+		}
+		return pk
+	}
+	panic(err)
+}
+
+var theRand *rand.Rand = nil
+
+func getRandom() *rand.Rand {
+	if theRand == nil {
+		rnd := rand.NewSource(time.Now().Unix())
+		theRand = rand.New(rnd)
+	}
+	return theRand
+}