// Copyright (C) 2019 Storj Labs, Inc. // See LICENSE for copying information. package main import ( "crypto/x509/pkix" "encoding/json" "fmt" "os" "path/filepath" "github.com/spf13/cobra" "github.com/zeebo/errs" "go.uber.org/zap" "storj.io/storj/internal/fpath" "storj.io/storj/internal/version" "storj.io/storj/pkg/certificate/certificateclient" "storj.io/storj/pkg/cfgstruct" "storj.io/storj/pkg/identity" "storj.io/storj/pkg/peertls/extensions" "storj.io/storj/pkg/peertls/tlsopts" "storj.io/storj/pkg/pkcrypto" "storj.io/storj/pkg/process" "storj.io/storj/pkg/revocation" "storj.io/storj/pkg/transport" ) const ( defaultSignerAddress = "certs.alpha.storj.io:8888" ) var ( rootCmd = &cobra.Command{ Use: "identity", Short: "Identity management", } newServiceCmd = &cobra.Command{ Use: "create ", Short: "Create a new full identity for a service", Args: cobra.ExactArgs(1), RunE: cmdNewService, Annotations: map[string]string{"type": "setup"}, } authorizeCmd = &cobra.Command{ Use: "authorize ", Short: "Send a certificate signing request for a service's CA certificate", Args: cobra.ExactArgs(2), RunE: cmdAuthorize, Annotations: map[string]string{"type": "setup"}, } //nolint config struct { Difficulty uint64 `default:"30" help:"minimum difficulty for identity generation"` Concurrency uint `default:"4" help:"number of concurrent workers for certificate authority generation"` ParentCertPath string `help:"path to the parent authority's certificate chain"` ParentKeyPath string `help:"path to the parent authority's private key"` Signer certificateclient.Config // TODO: ideally the default is the latest version; can't interpolate struct tags IdentityVersion uint `default:"0" help:"identity version to use when creating an identity or CA"` Version version.Config } identityDir, configDir string defaultIdentityDir = fpath.ApplicationDir("storj", "identity") defaultConfigDir = fpath.ApplicationDir("storj", "identity") ) func init() { rootCmd.AddCommand(newServiceCmd) rootCmd.AddCommand(authorizeCmd) process.Bind(newServiceCmd, &config, defaults, cfgstruct.ConfDir(defaultConfigDir), cfgstruct.IdentityDir(defaultIdentityDir)) process.Bind(authorizeCmd, &config, defaults, cfgstruct.ConfDir(defaultConfigDir), cfgstruct.IdentityDir(defaultIdentityDir)) } func main() { process.Exec(rootCmd) } func serviceDirectory(serviceName string) string { return filepath.Join(identityDir, serviceName) } func cmdNewService(cmd *cobra.Command, args []string) error { ctx := process.Ctx(cmd) err := version.CheckProcessVersion(ctx, zap.L(), config.Version, version.Build, "Identity") if err != nil { return err } serviceDir := serviceDirectory(args[0]) caCertPath := filepath.Join(serviceDir, "ca.cert") caKeyPath := filepath.Join(serviceDir, "ca.key") identCertPath := filepath.Join(serviceDir, "identity.cert") identKeyPath := filepath.Join(serviceDir, "identity.key") caConfig := identity.CASetupConfig{ CertPath: caCertPath, KeyPath: caKeyPath, Difficulty: config.Difficulty, Concurrency: config.Concurrency, ParentCertPath: config.ParentCertPath, ParentKeyPath: config.ParentKeyPath, VersionNumber: config.IdentityVersion, } status, err := caConfig.Status() if err != nil { return err } if status != identity.NoCertNoKey { return errs.New("CA certificate and/or key already exists, NOT overwriting!") } identConfig := identity.SetupConfig{ CertPath: identCertPath, KeyPath: identKeyPath, } status, err = identConfig.Status() if err != nil { return err } if status != identity.NoCertNoKey { return errs.New("Identity certificate and/or key already exists, NOT overwriting!") } ca, caerr := caConfig.Create(ctx, os.Stdout) if caerr != nil { return caerr } _, iderr := identConfig.Create(ca) if iderr != nil { return iderr } fmt.Printf("Unsigned identity is located in %q\n", serviceDir) fmt.Println("Please *move* CA key to secure storage - it is only needed for identity management!") fmt.Printf("\t%s\n", caConfig.KeyPath) return nil } func cmdAuthorize(cmd *cobra.Command, args []string) (err error) { ctx := process.Ctx(cmd) err = version.CheckProcessVersion(ctx, zap.L(), config.Version, version.Build, "Identity") if err != nil { return err } serviceDir := serviceDirectory(args[0]) authToken := args[1] caCertPath := filepath.Join(serviceDir, "ca.cert") caConfig := identity.PeerCAConfig{ CertPath: caCertPath, } identCertPath := filepath.Join(serviceDir, "identity.cert") identKeyPath := filepath.Join(serviceDir, "identity.key") identConfig := identity.Config{ CertPath: identCertPath, KeyPath: identKeyPath, } ca, err := caConfig.Load() if err != nil { return err } ident, err := identConfig.Load() if err != nil { return err } if config.Signer.Address == "" { config.Signer.Address = defaultSignerAddress } // Ensure we dont enforce a signed Peer Identity config.Signer.TLS.UsePeerCAWhitelist = false revocationDB, err := revocation.NewDBFromCfg(config.Signer.TLS) if err != nil { return errs.New("error creating revocation database: %+v", err) } defer func() { err = errs.Combine(err, revocationDB.Close()) }() tlsOpts, err := tlsopts.NewOptions(ident, config.Signer.TLS, nil) if err != nil { return err } client, err := certificateclient.New(ctx, transport.NewClient(tlsOpts), config.Signer.Address) if err != nil { return err } defer func() { err = errs.Combine(err, client.Close()) }() signedChainBytes, err := client.Sign(ctx, authToken) if err != nil { return errs.New("error occurred while signing certificate: %s\n(identity files were still generated and saved, if you try again existing files will be loaded)", err) } signedChain, err := pkcrypto.CertsFromDER(signedChainBytes) if err != nil { return nil } err = caConfig.SaveBackup(ca) if err != nil { return err } // NB: signedChain is this identity's CA + signer chain. ca.Cert = signedChain[0] ca.RestChain = signedChain[1:] err = caConfig.Save(ca) if err != nil { return err } err = identConfig.PeerConfig().SaveBackup(ident.PeerIdentity()) if err != nil { return err } ident.RestChain = signedChain[1:] ident.CA = ca.Cert err = identConfig.PeerConfig().Save(ident.PeerIdentity()) if err != nil { return err } fmt.Println("Identity successfully authorized using single use authorization token.") fmt.Printf("Please back-up \"%s\" to a safe location.\n", serviceDir) return nil } func printExtensions(cert []byte, exts []pkix.Extension) error { hash := pkcrypto.SHA256Hash(cert) b64Hash, err := json.Marshal(hash) if err != nil { return err } fmt.Printf("Cert hash: %s\n", b64Hash) fmt.Println("Extensions:") for _, e := range exts { var data interface{} if e.Id.Equal(extensions.RevocationExtID) { var rev extensions.Revocation if err := rev.Unmarshal(e.Value); err != nil { return err } data = rev } else { data = e.Value } out, err := json.MarshalIndent(data, "", " ") if err != nil { return err } fmt.Printf("\t%s: %s\n", e.Id, out) } return nil }