Added keyfile generation

ewoutp · ewoutp · commit 47805b79f3cd · 2017-03-07T10:34:52.000+01:00
diff --git a/main.go b/main.go
@@ -50,6 +50,9 @@ var (
 	allPortOffsetsUnique bool
 	jwtSecretFile        string
 	sslKeyFile           string
+	sslAutoKeyFile       bool
+	sslAutoServerName    string
+	sslAutoOrganization  string
 	sslCAFile            string
 	dockerEndpoint       string
 	dockerImage          string
@@ -86,6 +89,9 @@ func init() {
 	f.StringVar(&jwtSecretFile, "jwtSecretFile", "", "name of a plain text file containing a JWT secret used for server authentication")
 	f.StringVar(&sslKeyFile, "sslKeyFile", "", "path of a PEM encoded file containing a server certificate + private key")
 	f.StringVar(&sslCAFile, "sslCAFile", "", "path of a PEM encoded file containing a CA certificate used for client authentication")
+	f.BoolVar(&sslAutoKeyFile, "sslAutoKeyFile", false, "If set, a self-signed certificate will be created and used as --sslKeyFile")
+	f.StringVar(&sslAutoServerName, "sslAutoServerName", "", "Server name put into self-signed certificate. See --sslAutoKeyFile")
+	f.StringVar(&sslAutoOrganization, "sslAutoOrganization", "ArangoDB", "Organization name put into self-signed certificate. See --sslAutoKeyFile")
 }
 
 // handleSignal listens for termination signals and stops this process onup termination.
@@ -208,6 +214,30 @@ func cmdMainRun(cmd *cobra.Command, args []string) {
 		jwtSecret = strings.TrimSpace(string(content))
 	}
 
+	// Auto create key file (if needed)
+	if sslAutoKeyFile {
+		if sslKeyFile != "" {
+			log.Fatalf("Cannot specify both --sslAutoKeyFile and --sslKeyFile")
+		}
+		hosts := []string{"arangod.server"}
+		if sslAutoServerName != "" {
+			hosts = []string{sslAutoServerName}
+		}
+		if ownAddress != "" {
+			hosts = append(hosts, ownAddress)
+		}
+		keyFile, err := service.CreateCertificate(service.CreateCertificateOptions{
+			Hosts:        hosts,
+			RSABits:      2048,
+			Organization: sslAutoOrganization,
+		}, dataDir)
+		if err != nil {
+			log.Fatalf("Failed to create keyfile: %v", err)
+		}
+		sslKeyFile = keyFile
+		log.Infof("Using self-signed certificate: %s", sslKeyFile)
+	}
+
 	// Interrupt signal:
 	sigChannel := make(chan os.Signal)
 	rootCtx, cancel := context.WithCancel(context.Background())
diff --git a/service/certificate.go b/service/certificate.go
@@ -0,0 +1,106 @@
+package service
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"fmt"
+	"io/ioutil"
+	"math/big"
+	"net"
+	"time"
+)
+
+// CreateCertificateOptions configures how to create a certificate.
+type CreateCertificateOptions struct {
+	Hosts        []string // Host names and/or IP addresses
+	ValidFor     time.Duration
+	RSABits      int
+	Organization string
+}
+
+const (
+	defaultValidFor = time.Hour * 24 * 365 // 1year
+)
+
+func publicKey(priv interface{}) interface{} {
+	switch k := priv.(type) {
+	case *rsa.PrivateKey:
+		return &k.PublicKey
+	default:
+		return nil
+	}
+}
+
+func pemBlockForKey(priv interface{}) *pem.Block {
+	switch k := priv.(type) {
+	case *rsa.PrivateKey:
+		return &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)}
+	default:
+		return nil
+	}
+}
+
+// CreateCertificate creates a self-signed certificate according to the given configuration.
+// The resulting certificate + private key will be written into a single file in the given folder.
+// The path of that single file is returned.
+func CreateCertificate(options CreateCertificateOptions, folder string) (string, error) {
+	priv, err := rsa.GenerateKey(rand.Reader, options.RSABits)
+	if err != nil {
+		return "", maskAny(err)
+	}
+
+	notBefore := time.Now()
+	if options.ValidFor == 0 {
+		options.ValidFor = defaultValidFor
+	}
+	notAfter := notBefore.Add(options.ValidFor)
+
+	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+	if err != nil {
+		return "", maskAny(fmt.Errorf("failed to generate serial number: %v", err))
+	}
+
+	template := x509.Certificate{
+		SerialNumber: serialNumber,
+		Subject: pkix.Name{
+			Organization: []string{options.Organization},
+		},
+		NotBefore: notBefore,
+		NotAfter:  notAfter,
+
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+	}
+
+	for _, h := range options.Hosts {
+		if ip := net.ParseIP(h); ip != nil {
+			template.IPAddresses = append(template.IPAddresses, ip)
+		} else {
+			template.DNSNames = append(template.DNSNames, h)
+		}
+	}
+
+	// Create the certificate
+	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, publicKey(priv), priv)
+	if err != nil {
+		return "", maskAny(fmt.Errorf("Failed to create certificate: %v", err))
+	}
+
+	// Write the certificate to disk
+	f, err := ioutil.TempFile(folder, "key-")
+	if err != nil {
+		return "", maskAny(err)
+	}
+	defer f.Close()
+	// Public key
+	pem.Encode(f, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
+	// Private key
+	pem.Encode(f, pemBlockForKey(priv))
+
+	return f.Name(), nil
+}
