Cadoles
/
go-http-peering
10
0
Fork 0
Code Issues Pull Requests Releases 3 Wiki Activity

Compare commits

base: Cadoles:72f6073e47a511c74f8ce790c9cdd9249c589c03
Branches Tags
Cadoles:master
Cadoles:2024.1.5-stable.1112.b28a87c
Cadoles:2024.1.5-stable.955.db06098
Cadoles:2024.1.4-stable.1622.052c690
Cadoles:2024.1.4-stable.1135.72f6073
Cadoles:2023.11.21-stable.1413.1bf8d75
Cadoles:2023.11.21-stable.1221.ced46bf
Cadoles:2023.10.19-stable.1544.cf8f026
Cadoles:2023.10.19-stable.1515.958652d
Cadoles:2023.9.5-stable.508.891cfa7
Cadoles:1.0.0
Cadoles:932aa46
Cadoles:c15a85a
Cadoles:e6727c8
Cadoles:fbb2381b
Cadoles:1.0.0-7-g891cfa7
Cadoles:1.0.0-6-gd38f0be
Cadoles:1.0.0-5-g5be381d
Cadoles:1.0.0-4-g7cff0e3
Cadoles:1.0.0-4-g4c3217b
Cadoles:1.0.0-2-g6257330
Cadoles:1.0.0-1-g9c26b79
...
compare: Cadoles:052c6905095f5f2fe424b9b78495fb5b449b1426
Branches Tags
Cadoles:master
Cadoles:2024.1.5-stable.1112.b28a87c
Cadoles:2024.1.5-stable.955.db06098
Cadoles:2024.1.4-stable.1622.052c690
Cadoles:2024.1.4-stable.1135.72f6073
Cadoles:2023.11.21-stable.1413.1bf8d75
Cadoles:2023.11.21-stable.1221.ced46bf
Cadoles:2023.10.19-stable.1544.cf8f026
Cadoles:2023.10.19-stable.1515.958652d
Cadoles:2023.9.5-stable.508.891cfa7
Cadoles:1.0.0
Cadoles:932aa46
Cadoles:c15a85a
Cadoles:e6727c8
Cadoles:fbb2381b
Cadoles:1.0.0-7-g891cfa7
Cadoles:1.0.0-6-gd38f0be
Cadoles:1.0.0-5-g5be381d
Cadoles:1.0.0-4-g7cff0e3
Cadoles:1.0.0-4-g4c3217b
Cadoles:1.0.0-2-g6257330
Cadoles:1.0.0-1-g9c26b79

2 Commits
72f6073e47 ... 052c690509

Author SHA1 Message Date
wpetit 052c690509 feat(middleware): log more informations on authentification errors
Cadoles/go-http-peering/pipeline/head There was a failure building this commit Details
2024-01-04 16:22:13 +01:00
wpetit e8e484a7ff feat(keygen): add -verify-token command 2024-01-04 16:21:40 +01:00
4 changed files with 84 additions and 29 deletions
Show Stats Expand all files Collapse all files

9
cmd/keygen/main.go
View File

@ -11,8 +11,10 @@ var (
createKeyCmd = false createKeyCmd = false
getPublicKeyCmd = false getPublicKeyCmd = false
createTokenCmd = false createTokenCmd = false
verifyTokenCmd = false
debug = false debug = false
keyFile string keyFile string
tokenFile string
tokenIssuer string tokenIssuer string
tokenPeerID = uuid.New() tokenPeerID = uuid.New()
keySize = 2048 keySize = 2048
@ -28,12 +30,17 @@ func init() {
&createTokenCmd, "create-token", createTokenCmd, &createTokenCmd, "create-token", createTokenCmd,
"Create a new signed authentication token", "Create a new signed authentication token",
) )
flag.BoolVar(
&verifyTokenCmd, "verify-token", verifyTokenCmd,
"Verify a token generated with the given key",
)
flag.BoolVar( flag.BoolVar(
&getPublicKeyCmd, "get-public-key", getPublicKeyCmd, &getPublicKeyCmd, "get-public-key", getPublicKeyCmd,
"Get the PEM encoded public key associated with the private key", "Get the PEM encoded public key associated with the private key",
) )
flag.BoolVar(&debug, "debug", debug, "Debug mode") flag.BoolVar(&debug, "debug", debug, "Debug mode")
flag.StringVar(&keyFile, "key", keyFile, "Path to the encrypted PEM encoded key") flag.StringVar(&keyFile, "key", keyFile, "Path to the encrypted PEM encoded key")
flag.StringVar(&tokenFile, "token", tokenFile, "Path to the token to verify")
flag.StringVar(&tokenIssuer, "token-issuer", tokenIssuer, "Token issuer") flag.StringVar(&tokenIssuer, "token-issuer", tokenIssuer, "Token issuer")
flag.StringVar(&tokenPeerID, "token-peer-id", tokenPeerID, "Token peer ID") flag.StringVar(&tokenPeerID, "token-peer-id", tokenPeerID, "Token peer ID")
flag.IntVar(&keySize, "key-size", keySize, "Size of the private key") flag.IntVar(&keySize, "key-size", keySize, "Size of the private key")
@ -48,6 +55,8 @@ func main() {
getPublicKey() getPublicKey()
case createTokenCmd: case createTokenCmd:
createToken() createToken()
case verifyTokenCmd:
verifyToken()
default: default:
flag.Usage() flag.Usage()
} }

35
cmd/keygen/util.go
View File

@ -2,10 +2,7 @@ package main
import ( import (
"bytes" "bytes"
"crypto/rand"
"crypto/rsa" "crypto/rsa"
"crypto/x509"
"encoding/pem"
"fmt" "fmt"
"io/ioutil" "io/ioutil"
"os" "os"
@ -47,25 +44,6 @@ func askPassphrase() ([]byte, error) {
return passphrase, nil return passphrase, nil
} }
func privateKeyToEncryptedPEM(key *rsa.PrivateKey, passphrase []byte) ([]byte, error) {
if passphrase == nil {
return nil, errors.New("passphrase cannot be empty")
}
// Convert it to pem
block := &pem.Block{
Type: "RSA PRIVATE KEY",
Bytes: x509.MarshalPKCS1PrivateKey(key),
}
block, err := x509.EncryptPEMBlock(rand.Reader, block.Type, block.Bytes, passphrase, x509.PEMCipherAES256)
if err != nil {
return nil, errors.WithStack(err)
}
return pem.EncodeToMemory(block), nil
}
func loadPrivateKey() (*rsa.PrivateKey, error) { func loadPrivateKey() (*rsa.PrivateKey, error) {
if keyFile == "" { if keyFile == "" {
return nil, errors.New("you must specify a key file to load") return nil, errors.New("you must specify a key file to load")
@ -85,6 +63,19 @@ func loadPrivateKey() (*rsa.PrivateKey, error) {
return privateKey, nil return privateKey, nil
} }
func loadToken() ([]byte, error) {
if tokenFile == "" {
return nil, errors.New("you must specify a token file to load")
}
token, err := os.ReadFile(tokenFile)
if err != nil {
return nil, errors.WithStack(err)
}
return token, nil
}
func handleError(err error) { func handleError(err error) {
if !debug { if !debug {
fmt.Printf("%+v\n", errors.WithStack(err)) fmt.Printf("%+v\n", errors.WithStack(err))

55
cmd/keygen/verify_token.go Normal file
View File

@ -0,0 +1,55 @@
package main
import (
"encoding/json"
"fmt"
peering "forge.cadoles.com/Cadoles/go-http-peering"
"github.com/dgrijalva/jwt-go"
"github.com/pkg/errors"
)
func verifyToken() {
rawToken, err := loadToken()
if err != nil {
handleError(errors.WithStack(err))
}
privateKey, err := loadPrivateKey()
if err != nil {
handleError(errors.WithStack(err))
}
fn := func(token *jwt.Token) (interface{}, error) {
return &privateKey.PublicKey, nil
}
token, err := jwt.ParseWithClaims(string(rawToken), &peering.ServerTokenClaims{}, fn)
if err != nil {
validationError, ok := err.(*jwt.ValidationError)
if ok {
handleError(errors.WithStack(validationError.Inner))
}
handleError(errors.WithStack(err))
}
if !token.Valid {
handleError(errors.New("token is invalid"))
}
claims, ok := token.Claims.(*peering.ServerTokenClaims)
if !ok {
handleError(errors.New("unexpected token claims"))
}
data, err := json.MarshalIndent(claims, "", " ")
if err != nil {
handleError(errors.WithStack(err))
}
fmt.Println("Token OK.")
fmt.Println("Claims:")
fmt.Println(string(data))
}

14
server/middleware.go
View File

@ -51,7 +51,7 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc)
serverClaims, err := assertServerToken(key, serverToken) serverClaims, err := assertServerToken(key, serverToken)
if err != nil { if err != nil {
logger.Printf("[ERROR] %s", err) logger.Printf("[ERROR] %+v", err)
sendError(w, http.StatusUnauthorized) sendError(w, http.StatusUnauthorized)
return return
} }
@ -64,13 +64,13 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc)
options.IgnoredClientTokenErrors..., options.IgnoredClientTokenErrors...,
) )
if err != nil { if err != nil {
logger.Printf("[ERROR] %s", err) logger.Printf("[ERROR] %+v", err)
switch err { switch err {
case peering.ErrPeerNotFound: case peering.ErrPeerNotFound:
sendError(w, http.StatusUnauthorized) sendError(w, http.StatusUnauthorized)
case ErrNotPeered: case ErrNotPeered:
if err := store.UpdateLastContact(serverClaims.PeerID, r.RemoteAddr, time.Now()); err != nil { if err := store.UpdateLastContact(serverClaims.PeerID, r.RemoteAddr, time.Now()); err != nil {
logger.Printf("[ERROR] %s", err) logger.Printf("[ERROR] %+v", err)
sendError(w, http.StatusInternalServerError) sendError(w, http.StatusInternalServerError)
return return
} }
@ -78,7 +78,7 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc)
return return
case ErrPeerRejected: case ErrPeerRejected:
if err := store.UpdateLastContact(serverClaims.PeerID, r.RemoteAddr, time.Now()); err != nil { if err := store.UpdateLastContact(serverClaims.PeerID, r.RemoteAddr, time.Now()); err != nil {
logger.Printf("[ERROR] %s", err) logger.Printf("[ERROR] %+v", err)
sendError(w, http.StatusInternalServerError) sendError(w, http.StatusInternalServerError)
return return
} }
@ -92,19 +92,19 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc)
match, body, err := assertBodySum(r.Body, clientClaims.BodySum) match, body, err := assertBodySum(r.Body, clientClaims.BodySum)
if err != nil { if err != nil {
logger.Printf("[ERROR] %s", err) logger.Printf("[ERROR] %+v", err)
sendError(w, http.StatusInternalServerError) sendError(w, http.StatusInternalServerError)
return return
} }
if !match { if !match {
logger.Printf("[ERROR] %s", ErrInvalidChecksum) logger.Printf("[ERROR] %+v", ErrInvalidChecksum)
sendError(w, http.StatusBadRequest) sendError(w, http.StatusBadRequest)
return return
} }
if err := store.UpdateLastContact(serverClaims.PeerID, r.RemoteAddr, time.Now()); err != nil { if err := store.UpdateLastContact(serverClaims.PeerID, r.RemoteAddr, time.Now()); err != nil {
logger.Printf("[ERROR] %s", err) logger.Printf("[ERROR] %+v", err)
sendError(w, http.StatusInternalServerError) sendError(w, http.StatusInternalServerError)
return return
} }