package main
import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"time"

	"github.com/cloudflare/cfssl/certinfo"
	"github.com/cloudflare/cfssl/config"
	"github.com/cloudflare/cfssl/helpers/derhelpers"
	"github.com/cloudflare/cfssl/log"
)
// SecretData is the in-memory form of the secret store: the per-cluster
// secrets decoded from secret-data.json plus the cfssl signing configuration
// they are used with. Both fields are unexported, so the struct itself is
// never serialised; only the clusters map is (see loadSecretData).
type SecretData struct {
	// clusters is the value secret-data.json is unmarshalled into. The key
	// is presumably the cluster name — confirm against the writers.
	clusters map[string]*ClusterSecrets
	// config is the cfssl configuration handed to loadSecretData, stored
	// untouched.
	config *config.Config
}
// ClusterSecrets is everything secret that is kept for one cluster. It is the
// per-entry JSON value inside secret-data.json; there are no json tags, so
// each field is serialised under its Go field name (and matched
// case-insensitively on decode). Every field holds sensitive material.
type ClusterSecrets struct {
	// CAs holds the certificate authorities, keyed by a string identifier.
	// CA is declared elsewhere in the package.
	CAs map[string]*CA
	// Tokens holds opaque secret tokens, keyed by a string identifier.
	Tokens map[string]string
	// Passwords holds plaintext passwords, keyed by a string identifier.
	Passwords map[string]string
	// SSHKeyPairs holds one or more SSH key pairs per identifier.
	// SSHKeyPair is declared elsewhere in the package.
	SSHKeyPairs map[string][]SSHKeyPair
}
// KeyCert pairs a private key with its certificate. Key and Cert are raw
// bytes whose encoding is not fixed here (PEM is likely, given that
// checkCertUsable takes certPEM, but confirm at the producer). Key is private
// key material, so anything that serialises a KeyCert carries that secret.
type KeyCert struct {
	Key  []byte
	Cert []byte
	// ReqHash presumably records a hash of the request the certificate was
	// issued for, so a changed request can be detected — confirm against
	// callers.
	ReqHash string
}
// secretDataPath returns the location of the secret store: the file
// "secret-data.json" directly under the configured data directory (dataDir
// is declared elsewhere in the package, presumably a command-line flag).
func secretDataPath() string {
	const fileName = "secret-data.json"
	dir := *dataDir
	return filepath.Join(dir, fileName)
}
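// loadSecretData reads secret-data.json from the data directory into a fresh
// SecretData. A missing file is not an error: the returned SecretData then
// simply has an empty cluster map. The cfssl config is stored on the result
// untouched.
//
// On any other read or decode failure the error is returned wrapped with the
// file path and sd is nil; a partially decoded store is never handed back.
//
// NOTE(review): the file holds private keys, tokens and passwords, and nothing
// here checks its mode or ownership, so the data directory itself must be kept
// private to the service user — confirm how it is provisioned.
func loadSecretData(config *config.Config) (sd *SecretData, err error) {
	log.Info("Loading secret data")

	sd = &SecretData{
		clusters: make(map[string]*ClusterSecrets),
		config:   config,
	}

	path := secretDataPath()
	ba, err := os.ReadFile(path)
	if errors.Is(err, os.ErrNotExist) {
		// First run: start with no clusters rather than failing.
		return sd, nil
	}
	if err != nil {
		return nil, fmt.Errorf("reading secret data %q: %w", path, err)
	}

	// The document is the cluster map itself, keyed by cluster.
	if err = json.Unmarshal(ba, &sd.clusters); err != nil {
		return nil, fmt.Errorf("decoding secret data %q: %w", path, err)
	}
	return sd, nil
}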
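// checkCertUsable reports whether the PEM-encoded certificate is still worth
// keeping: it must parse, and more than a third of its validity period must
// remain. Once the remaining lifetime drops below that threshold the error
// "too old" is returned, which is presumably the caller's signal to
// regenerate.
//
// Returns the parse error (wrapped) when certPEM is not a certificate, the
// "too old" error described above, or nil when the certificate is usable.
func checkCertUsable(certPEM []byte) error {
	cert, err := certinfo.ParseCertificatePEM(certPEM)
	if err != nil {
		return fmt.Errorf("parsing certificate: %w", err)
	}

	certDuration := cert.NotAfter.Sub(cert.NotBefore)
	if certDuration <= 0 {
		// NotAfter at or before NotBefore: the certificate was never valid
		// and the thirds rule below is meaningless for it, so treat it like
		// an expired one instead of letting it through.
		return errors.New("too old")
	}
	// Regenerate once less than a third of the validity window is left.
	delayBeforeRegen := certDuration / 3 // TODO allow configuration

	if time.Until(cert.NotAfter) < delayBeforeRegen {
		return errors.New("too old")
	}
	return nil
}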
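// dlsSigningKeys returns the Ed25519 key pair used for signing, creating and
// persisting it on first use.
//
// The private key is stored under the secret name "signer" as the DER blob
// produced by derhelpers.MarshalEd25519PrivateKey. When readSecret reports
// that no such secret exists, a fresh key is generated from crypto/rand
// (ed25519.GenerateKey with a nil reader), written back with writeSecret, and
// then parsed through the same path as a stored key so both cases run the
// same code.
//
// Any failure — unreadable secret, generation, marshalling, parsing, or a
// stored blob that is not an Ed25519 private key — panics: nothing can be
// signed without this key.
//
// NOTE(review): writeSecret's result is discarded (its signature is not
// visible in this file). If it can fail, a key could be generated and used
// without being persisted, and a different one minted on the next start —
// confirm whether it reports errors, and that it writes with a private mode.
func dlsSigningKeys() (ed25519.PrivateKey, ed25519.PublicKey) {
	const secretName = "signer"

	var signerDER []byte
	err := readSecret(secretName, &signerDER)
	switch {
	case errors.Is(err, os.ErrNotExist):
		signerDER = newSignerDER()
		writeSecret(secretName, signerDER)
	case err != nil:
		panic(err)
	}

	pkeyGeneric, err := derhelpers.ParseEd25519PrivateKey(signerDER)
	if err != nil {
		panic(err)
	}
	// Checked assertion so a corrupt or foreign blob fails with a message
	// naming the secret rather than a bare interface-conversion panic.
	pkey, ok := pkeyGeneric.(ed25519.PrivateKey)
	if !ok {
		panic(fmt.Sprintf("secret %q: expected ed25519.PrivateKey, got %T", secretName, pkeyGeneric))
	}
	if len(pkey) != ed25519.PrivateKeySize {
		panic(fmt.Sprintf("secret %q: ed25519 private key has %d bytes, want %d", secretName, len(pkey), ed25519.PrivateKeySize))
	}
	pubkey := pkey.Public().(ed25519.PublicKey)
	return pkey, pubkey
}

// newSignerDER generates a fresh Ed25519 private key from crypto/rand and
// returns it in the DER form dlsSigningKeys stores; it panics if generation
// or marshalling fails.
func newSignerDER() []byte {
	_, key, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	der, err := derhelpers.MarshalEd25519PrivateKey(key)
	if err != nil {
		panic(err)
	}
	return der
}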