Compare commits

...

2 Commits

Author SHA1 Message Date
wpetit 052c690509 feat(middleware): log more informations on authentification errors
Cadoles/go-http-peering/pipeline/head There was a failure building this commit Details
2024-01-04 16:22:13 +01:00
wpetit e8e484a7ff feat(keygen): add -verify-token command 2024-01-04 16:21:40 +01:00
4 changed files with 84 additions and 29 deletions

View File

@ -11,8 +11,10 @@ var (
createKeyCmd = false
getPublicKeyCmd = false
createTokenCmd = false
verifyTokenCmd = false
debug = false
keyFile string
tokenFile string
tokenIssuer string
tokenPeerID = uuid.New()
keySize = 2048
@ -28,12 +30,17 @@ func init() {
&createTokenCmd, "create-token", createTokenCmd,
"Create a new signed authentication token",
)
flag.BoolVar(
&verifyTokenCmd, "verify-token", verifyTokenCmd,
"Verify a token generated with the given key",
)
flag.BoolVar(
&getPublicKeyCmd, "get-public-key", getPublicKeyCmd,
"Get the PEM encoded public key associated with the private key",
)
flag.BoolVar(&debug, "debug", debug, "Debug mode")
flag.StringVar(&keyFile, "key", keyFile, "Path to the encrypted PEM encoded key")
flag.StringVar(&tokenFile, "token", tokenFile, "Path to the token to verify")
flag.StringVar(&tokenIssuer, "token-issuer", tokenIssuer, "Token issuer")
flag.StringVar(&tokenPeerID, "token-peer-id", tokenPeerID, "Token peer ID")
flag.IntVar(&keySize, "key-size", keySize, "Size of the private key")
@ -48,6 +55,8 @@ func main() {
getPublicKey()
case createTokenCmd:
createToken()
case verifyTokenCmd:
verifyToken()
default:
flag.Usage()
}

View File

@ -2,10 +2,7 @@ package main
import (
"bytes"
"crypto/rand"
"crypto/rsa"
"crypto/x509"
"encoding/pem"
"fmt"
"io/ioutil"
"os"
@ -47,25 +44,6 @@ func askPassphrase() ([]byte, error) {
return passphrase, nil
}
func privateKeyToEncryptedPEM(key *rsa.PrivateKey, passphrase []byte) ([]byte, error) {
if passphrase == nil {
return nil, errors.New("passphrase cannot be empty")
}
// Convert it to pem
block := &pem.Block{
Type: "RSA PRIVATE KEY",
Bytes: x509.MarshalPKCS1PrivateKey(key),
}
block, err := x509.EncryptPEMBlock(rand.Reader, block.Type, block.Bytes, passphrase, x509.PEMCipherAES256)
if err != nil {
return nil, errors.WithStack(err)
}
return pem.EncodeToMemory(block), nil
}
func loadPrivateKey() (*rsa.PrivateKey, error) {
if keyFile == "" {
return nil, errors.New("you must specify a key file to load")
@ -85,6 +63,19 @@ func loadPrivateKey() (*rsa.PrivateKey, error) {
return privateKey, nil
}
func loadToken() ([]byte, error) {
if tokenFile == "" {
return nil, errors.New("you must specify a token file to load")
}
token, err := os.ReadFile(tokenFile)
if err != nil {
return nil, errors.WithStack(err)
}
return token, nil
}
func handleError(err error) {
if !debug {
fmt.Printf("%+v\n", errors.WithStack(err))

View File

@ -0,0 +1,55 @@
package main
import (
"encoding/json"
"fmt"
peering "forge.cadoles.com/Cadoles/go-http-peering"
"github.com/dgrijalva/jwt-go"
"github.com/pkg/errors"
)
func verifyToken() {
rawToken, err := loadToken()
if err != nil {
handleError(errors.WithStack(err))
}
privateKey, err := loadPrivateKey()
if err != nil {
handleError(errors.WithStack(err))
}
fn := func(token *jwt.Token) (interface{}, error) {
return &privateKey.PublicKey, nil
}
token, err := jwt.ParseWithClaims(string(rawToken), &peering.ServerTokenClaims{}, fn)
if err != nil {
validationError, ok := err.(*jwt.ValidationError)
if ok {
handleError(errors.WithStack(validationError.Inner))
}
handleError(errors.WithStack(err))
}
if !token.Valid {
handleError(errors.New("token is invalid"))
}
claims, ok := token.Claims.(*peering.ServerTokenClaims)
if !ok {
handleError(errors.New("unexpected token claims"))
}
data, err := json.MarshalIndent(claims, "", " ")
if err != nil {
handleError(errors.WithStack(err))
}
fmt.Println("Token OK.")
fmt.Println("Claims:")
fmt.Println(string(data))
}

View File

@ -51,7 +51,7 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc)
serverClaims, err := assertServerToken(key, serverToken)
if err != nil {
logger.Printf("[ERROR] %s", err)
logger.Printf("[ERROR] %+v", err)
sendError(w, http.StatusUnauthorized)
return
}
@ -64,13 +64,13 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc)
options.IgnoredClientTokenErrors...,
)
if err != nil {
logger.Printf("[ERROR] %s", err)
logger.Printf("[ERROR] %+v", err)
switch err {
case peering.ErrPeerNotFound:
sendError(w, http.StatusUnauthorized)
case ErrNotPeered:
if err := store.UpdateLastContact(serverClaims.PeerID, r.RemoteAddr, time.Now()); err != nil {
logger.Printf("[ERROR] %s", err)
logger.Printf("[ERROR] %+v", err)
sendError(w, http.StatusInternalServerError)
return
}
@ -78,7 +78,7 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc)
return
case ErrPeerRejected:
if err := store.UpdateLastContact(serverClaims.PeerID, r.RemoteAddr, time.Now()); err != nil {
logger.Printf("[ERROR] %s", err)
logger.Printf("[ERROR] %+v", err)
sendError(w, http.StatusInternalServerError)
return
}
@ -92,19 +92,19 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc)
match, body, err := assertBodySum(r.Body, clientClaims.BodySum)
if err != nil {
logger.Printf("[ERROR] %s", err)
logger.Printf("[ERROR] %+v", err)
sendError(w, http.StatusInternalServerError)
return
}
if !match {
logger.Printf("[ERROR] %s", ErrInvalidChecksum)
logger.Printf("[ERROR] %+v", ErrInvalidChecksum)
sendError(w, http.StatusBadRequest)
return
}
if err := store.UpdateLastContact(serverClaims.PeerID, r.RemoteAddr, time.Now()); err != nil {
logger.Printf("[ERROR] %s", err)
logger.Printf("[ERROR] %+v", err)
sendError(w, http.StatusInternalServerError)
return
}