cmd/keygen/main.go

@@ -11,10 +11,8 @@ var (
 	createKeyCmd    = false
 	getPublicKeyCmd = false
 	createTokenCmd  = false
-	verifyTokenCmd  = false
 	debug           = false
 	keyFile         string
-	tokenFile       string
 	tokenIssuer     string
 	tokenPeerID     = uuid.New()
 	keySize         = 2048
@@ -30,17 +28,12 @@ func init() {
 		&createTokenCmd, "create-token", createTokenCmd,
 		"Create a new signed authentication token",
 	)
-	flag.BoolVar(
-		&verifyTokenCmd, "verify-token", verifyTokenCmd,
-		"Verify a token generated with the given key",
-	)
 	flag.BoolVar(
 		&getPublicKeyCmd, "get-public-key", getPublicKeyCmd,
 		"Get the PEM encoded public key associated with the private key",
 	)
 	flag.BoolVar(&debug, "debug", debug, "Debug mode")
 	flag.StringVar(&keyFile, "key", keyFile, "Path to the encrypted PEM encoded key")
-	flag.StringVar(&tokenFile, "token", tokenFile, "Path to the token to verify")
 	flag.StringVar(&tokenIssuer, "token-issuer", tokenIssuer, "Token issuer")
 	flag.StringVar(&tokenPeerID, "token-peer-id", tokenPeerID, "Token peer ID")
 	flag.IntVar(&keySize, "key-size", keySize, "Size of the private key")
@@ -55,8 +48,6 @@ func main() {
 		getPublicKey()
 	case createTokenCmd:
 		createToken()
-	case verifyTokenCmd:
-		verifyToken()
 	default:
 		flag.Usage()
 	}

cmd/keygen/util.go

@@ -2,7 +2,10 @@ package main
 
 import (
 	"bytes"
+	"crypto/rand"
 	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
 	"fmt"
 	"io/ioutil"
 	"os"
@@ -44,6 +47,25 @@ func askPassphrase() ([]byte, error) {
 	return passphrase, nil
 }
 
+func privateKeyToEncryptedPEM(key *rsa.PrivateKey, passphrase []byte) ([]byte, error) {
+	if passphrase == nil {
+		return nil, errors.New("passphrase cannot be empty")
+	}
+
+	// Convert it to pem
+	block := &pem.Block{
+		Type:  "RSA PRIVATE KEY",
+		Bytes: x509.MarshalPKCS1PrivateKey(key),
+	}
+
+	block, err := x509.EncryptPEMBlock(rand.Reader, block.Type, block.Bytes, passphrase, x509.PEMCipherAES256)
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	return pem.EncodeToMemory(block), nil
+}
+
 func loadPrivateKey() (*rsa.PrivateKey, error) {
 	if keyFile == "" {
 		return nil, errors.New("you must specify a key file to load")
@@ -63,19 +85,6 @@ func loadPrivateKey() (*rsa.PrivateKey, error) {
 	return privateKey, nil
 }
 
-func loadToken() ([]byte, error) {
-	if tokenFile == "" {
-		return nil, errors.New("you must specify a token file to load")
-	}
-
-	token, err := os.ReadFile(tokenFile)
-	if err != nil {
-		return nil, errors.WithStack(err)
-	}
-
-	return token, nil
-}
-
 func handleError(err error) {
 	if !debug {
 		fmt.Printf("%+v\n", errors.WithStack(err))

cmd/keygen/verify_token.go

@@ -1,55 +0,0 @@
-package main
-
-import (
-	"encoding/json"
-	"fmt"
-
-	peering "forge.cadoles.com/Cadoles/go-http-peering"
-	"github.com/dgrijalva/jwt-go"
-	"github.com/pkg/errors"
-)
-
-func verifyToken() {
-	rawToken, err := loadToken()
-	if err != nil {
-		handleError(errors.WithStack(err))
-	}
-
-	privateKey, err := loadPrivateKey()
-	if err != nil {
-		handleError(errors.WithStack(err))
-	}
-
-	fn := func(token *jwt.Token) (interface{}, error) {
-		return &privateKey.PublicKey, nil
-	}
-
-	token, err := jwt.ParseWithClaims(string(rawToken), &peering.ServerTokenClaims{}, fn)
-	if err != nil {
-		validationError, ok := err.(*jwt.ValidationError)
-		if ok {
-			handleError(errors.WithStack(validationError.Inner))
-		}
-
-		handleError(errors.WithStack(err))
-	}
-
-	if !token.Valid {
-		handleError(errors.New("token is invalid"))
-	}
-
-	claims, ok := token.Claims.(*peering.ServerTokenClaims)
-	if !ok {
-		handleError(errors.New("unexpected token claims"))
-	}
-
-	data, err := json.MarshalIndent(claims, "", "  ")
-	if err != nil {
-		handleError(errors.WithStack(err))
-	}
-
-	fmt.Println("Token OK.")
-	fmt.Println("Claims:")
-	fmt.Println(string(data))
-
-}

server/middleware.go

@@ -51,7 +51,7 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc)
 
 			serverClaims, err := assertServerToken(key, serverToken)
 			if err != nil {
-				logger.Printf("[ERROR] %+v", err)
+				logger.Printf("[ERROR] %s", err)
 				sendError(w, http.StatusUnauthorized)
 				return
 			}
@@ -64,13 +64,13 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc)
 				options.IgnoredClientTokenErrors...,
 			)
 			if err != nil {
-				logger.Printf("[ERROR] %+v", err)
+				logger.Printf("[ERROR] %s", err)
 				switch err {
 				case peering.ErrPeerNotFound:
 					sendError(w, http.StatusUnauthorized)
 				case ErrNotPeered:
 					if err := store.UpdateLastContact(serverClaims.PeerID, r.RemoteAddr, time.Now()); err != nil {
-						logger.Printf("[ERROR] %+v", err)
+						logger.Printf("[ERROR] %s", err)
 						sendError(w, http.StatusInternalServerError)
 						return
 					}
@@ -78,7 +78,7 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc)
 					return
 				case ErrPeerRejected:
 					if err := store.UpdateLastContact(serverClaims.PeerID, r.RemoteAddr, time.Now()); err != nil {
-						logger.Printf("[ERROR] %+v", err)
+						logger.Printf("[ERROR] %s", err)
 						sendError(w, http.StatusInternalServerError)
 						return
 					}
@@ -92,19 +92,19 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc)
 
 			match, body, err := assertBodySum(r.Body, clientClaims.BodySum)
 			if err != nil {
-				logger.Printf("[ERROR] %+v", err)
+				logger.Printf("[ERROR] %s", err)
 				sendError(w, http.StatusInternalServerError)
 				return
 			}
 
 			if !match {
-				logger.Printf("[ERROR] %+v", ErrInvalidChecksum)
+				logger.Printf("[ERROR] %s", ErrInvalidChecksum)
 				sendError(w, http.StatusBadRequest)
 				return
 			}
 
 			if err := store.UpdateLastContact(serverClaims.PeerID, r.RemoteAddr, time.Now()); err != nil {
-				logger.Printf("[ERROR] %+v", err)
+				logger.Printf("[ERROR] %s", err)
 				sendError(w, http.StatusInternalServerError)
 				return
 			}