From bef19bc9220ad698ba32fcfb5e168f9bd491081b Mon Sep 17 00:00:00 2001 From: Erik Larsson Date: Wed, 5 Jun 2019 16:14:55 +0200 Subject: [PATCH 1/4] Add renew functionality for client certificates. The code does the following: Generates a new CSR bases on current certification information. Asks the server to revoke the current certificate. Sends the CSR to the tsa server. Replaces the certificate and keys on disk. --- cli/command/cert/renew.go | 107 ++++++++++++++++++++++++++++++++++++-- 1 file changed, 104 insertions(+), 3 deletions(-) diff --git a/cli/command/cert/renew.go b/cli/command/cert/renew.go index 20a0d5c..6e840a2 100644 --- a/cli/command/cert/renew.go +++ b/cli/command/cert/renew.go @@ -1,10 +1,16 @@ package cert import ( - "fmt" "os" - "github.com/juliengk/go-utils" + log "github.com/Sirupsen/logrus" + "github.com/juliengk/go-utils/readinput" + "github.com/juliengk/go-cert/helpers" + "github.com/juliengk/go-cert/pkix" + "github.com/kassisol/tsa/client" + "github.com/kassisol/tsa/pkg/adf" + "github.com/kassisol/twic/storage" + "github.com/kassisol/twic/storage/driver" "github.com/spf13/cobra" ) @@ -16,6 +22,11 @@ func newRenewCommand() *cobra.Command { Run: runRenew, } + flags := cmd.Flags() + + flags.StringVarP(&tsaToken, "token", "t", "", "Token") + flags.StringVarP(&tsaPassword, "password", "p", "", "Password") + return cmd } 
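Review bot: The new `--password`/`-p` flag in newRenewCommand takes the TSA password on the command line, where it is visible to other local users through the process list and is kept in shell history; the interactive path via `readinput.ReadPassword` already exists, so the flag's help text should steer users to it. Consider `flags.StringVarP(&tsaPassword, "password", "p", "", "Password (prefer the interactive prompt; command-line values are visible in process listings)")`, or accept the value from an environment variable instead. The same applies to `--token`, which is the bearer credential used for the revoke and issue calls in runRenew. The variables `tsaToken` and `tsaPassword` are declared outside this hunk.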
@@ -25,7 +36,97 @@ func runRenew(cmd *cobra.Command, args []string) { os.Exit(-1) } - utils.Exit(fmt.Errorf("Not implemented yet")) + name := args[0] + + cfg := adf.NewClient() + if err := cfg.Init(); err != nil { + log.Fatal(err) + } + + cfg.SetName(name) + + s, err := storage.NewDriver("sqlite", cfg.App.Dir.Root) + if err != nil { + log.Fatal(err) + } + defer s.End() + + crt := s.GetCert(name) + if crt == (driver.CertResult{}) { + log.Fatal("Name, ", name, ", does not exist") + } + + clt, err := client.New(crt.TSAURL) + if err != nil { + log.Fatal(err) + } + + err = clt.GetDirectory() + if err != nil { + log.Fatal(err) + } + + oldcert, err := pkix.NewCertificateFromPEMFile(cfg.TLS.CrtFile) + if err != nil { + log.Fatal(err) + } + + key, err := pkix.NewKey(4096) + if err != nil { + log.Fatal(err) + } + + keyBytes, err := key.ToPEM() + if err != nil { + log.Fatal(err) + } + + csr, err := helpers.CreateCSR(oldcert.Crt.Subject.Country[0], oldcert.Crt.Subject.Province[0], oldcert.Crt.Subject.Locality[0], oldcert.Crt.Subject.Organization[0], oldcert.Crt.Subject.OrganizationalUnit[0], oldcert.Crt.Subject.CommonName, "", []string{}, key) + if err != nil { + log.Fatal(err) + } + + token := tsaToken + if len(tsaToken) == 0 { + password := tsaPassword + if len(tsaPassword) == 0 { + password = readinput.ReadPassword("Password") + } + token, err = clt.GetToken(crt.CN, password, 0) + if err != nil { + log.Fatal(err) + } + } + + err = clt.RevokeCertificate(token, int(oldcert.Crt.SerialNumber.Int64())) + if err != nil { + log.Fatal(err) + } + + newcert, err := clt.GetCertificate(token, "client", csr.Bytes, 12) + if err != nil { + log.Fatal(err) + } + + err = os.Remove(cfg.TLS.CrtFile) + if err != nil { + log.Fatal(err) + } + + err = os.Remove(cfg.TLS.KeyFile) + if err != nil && !os.IsNotExist(err) { + log.Fatal(err) + } + + err = pkix.ToPEMFile(cfg.TLS.CrtFile, []byte(newcert), 0444) + if err != nil { + log.Fatal(err) + } + + err = pkix.ToPEMFile(cfg.TLS.KeyFile, keyBytes, 0400) 
+ if err != nil { + log.Fatal(err) + } } var renewDescription = ` From 73e2c5ef54810289c06ad50b90ef1ebc2f5e0d19 Mon Sep 17 00:00:00 2001 From: Erik Larsson Date: Wed, 10 Jul 2019 11:30:58 +0200 Subject: [PATCH 2/4] Add flag to set engine certificate duration. --- cli/command/engine/cmd.go | 1 + cli/command/engine/create.go | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/cli/command/engine/cmd.go b/cli/command/engine/cmd.go index cec9ff2..3a7ae3f 100644 --- a/cli/command/engine/cmd.go +++ b/cli/command/engine/cmd.go @@ -8,6 +8,7 @@ var ( certType string certCN string certAltNames string + duration int tsaURL string tsaToken string diff --git a/cli/command/engine/create.go b/cli/command/engine/create.go index 46371d1..e57646e 100644 --- a/cli/command/engine/create.go +++ b/cli/command/engine/create.go @@ -29,6 +29,7 @@ func newCreateCommand() *cobra.Command { flags.StringVarP(&certCN, "common-name", "n", "", "Certificate Common Name") flags.StringVarP(&certAltNames, "alt-names", "a", "", "Certificate Alternative Names") + flags.IntVarP(&duration, "duration", "d", 12, "Certificate duration (in months)") flags.StringVarP(&tsaURL, "tsa-url", "c", "", "TSA URL") flags.StringVarP(&tsaToken, "token", "t", "", "Token") @@ -188,7 +189,7 @@ func runCreate(cmd *cobra.Command, args []string) { } // Send CSR - cert, err := clt.GetCertificate(token, certtype, csr.Bytes, 12) + cert, err := clt.GetCertificate(token, certtype, csr.Bytes, duration) if err != nil { panic(err) } From 2cd7fb9a10e680fe659adee0dd94e8028a0f10d3 Mon Sep 17 00:00:00 2001 
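Review bot: runRenew calls `clt.RevokeCertificate` before the replacement has been issued or written, so a failure in `clt.GetCertificate`, either `os.Remove`, or either `pkix.ToPEMFile` leaves the client with a revoked certificate on disk and no credential to retry with. Obtain the new certificate first, write key and certificate to staging files and rename them into place, and revoke the old serial only after that, so every failure path leaves a usable certificate. Two smaller problems in the same hunk: `int(oldcert.Crt.SerialNumber.Int64())` silently truncates any serial that does not fit in 64 bits (serials may be up to 20 octets), so the wrong certificate could be revoked — pass the serial as a string or `*big.Int` if the client API permits; and `oldcert.Crt.Subject.Country[0]` and its siblings panic with an index-out-of-range when that attribute is absent from the old certificate, so each should be guarded. The argument check at the top of runRenew is outside the hunk.
```go
	// … unchanged: config init, storage lookup, TSA client, key/CSR generation, token acquisition …

	// Issue the replacement before touching the current certificate so a
	// failure below never leaves the client revoked with no successor.
	newcert, err := clt.GetCertificate(token, "client", csr.Bytes, 12)
	if err != nil {
		log.Fatal(err)
	}

	// Stage the new files next to the old ones and rename into place so each
	// path is replaced atomically rather than removed and then rewritten.
	if err := pkix.ToPEMFile(cfg.TLS.KeyFile+".new", keyBytes, 0400); err != nil {
		log.Fatal(err)
	}
	if err := pkix.ToPEMFile(cfg.TLS.CrtFile+".new", []byte(newcert), 0444); err != nil {
		log.Fatal(err)
	}
	if err := os.Rename(cfg.TLS.KeyFile+".new", cfg.TLS.KeyFile); err != nil {
		log.Fatal(err)
	}
	if err := os.Rename(cfg.TLS.CrtFile+".new", cfg.TLS.CrtFile); err != nil {
		log.Fatal(err)
	}

	// Revoke last: the new certificate is already installed at this point.
	if err := clt.RevokeCertificate(token, int(oldcert.Crt.SerialNumber.Int64())); err != nil {
		log.Fatal(err)
	}
```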
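Review bot: `duration` from the new `--duration` flag is passed straight into `clt.GetCertificate` (second hunk of create.go) without a range check, so `--duration 0` or a negative value goes to the TSA as-is and the outcome depends entirely on server-side validation. Reject it in runCreate before the CSR is generated, in the error style the hunk already shows: `if duration <= 0 { panic("duration must be a positive number of months") }`. The renew command added in the first patch of this series still hard-codes `12` for the same argument; it should take the same flag so the two commands agree. Most of runCreate's body lies outside the hunk.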
From: Erik Reuterborg Larsson Date: Tue, 6 Dec 2022 12:13:12 +0100 Subject: [PATCH 3/4] add newer go version and remove static linking Build against 1.19.3 and remove static linking of twic as it get SIGSEGV on newer systems when static linking is used. --- Dockerfile.dapper | 2 +- Dockerfile.dev | 2 +- scripts/build-target | 3 ++- scripts/packages/centos6/prebuild.sh | 1 + scripts/packages/centos7/prebuild.sh | 1 + 5 files changed, 6 insertions(+), 3 deletions(-) diff --git a/Dockerfile.dapper b/Dockerfile.dapper index 2dc99cd..57f11e0 100644 --- a/Dockerfile.dapper +++ b/Dockerfile.dapper @@ -34,7 +34,7 @@ ENV DOCKER_URL=${DOCKER_URL_amd64} \ DAPPER_HOST_ARCH=${DAPPER_HOST_ARCH} \ GOPATH=/go \ GOARCH=$ARCH \ - GO_VERSION=1.8.3 + GO_VERSION=1.19.3 ENV PATH=/go/bin:/usr/local/go/bin:$PATH diff --git a/Dockerfile.dev b/Dockerfile.dev index bf0e569..517052a 100644 --- a/Dockerfile.dev +++ b/Dockerfile.dev @@ -38,7 +38,7 @@ ENV ARCH=${ARCH} \ ENV DAPPER_HOST_ARCH=${DAPPER_HOST_ARCH} \ GOPATH=/go \ GOARCH=$ARCH \ - GO_VERSION=1.8.3 + GO_VERSION=1.19.3 ENV PATH=$PATH:/usr/local/go/bin:/go/bin diff --git a/scripts/build-target b/scripts/build-target index 346c348..41e403e 100755 --- a/scripts/build-target +++ b/scripts/build-target @@ -14,7 +14,7 @@ fi CONST="-X github.com/kassisol/twic/version.Version=${VERSION} -X github.com/kassisol/twic/version.GitCommit=${COMMIT} -X github.com/kassisol/twic/version.GitState=${GITSTATE} -X github.com/kassisol/twic/version.BuildDate=$(date +%s)" -LDFLAGS=${LDFLAGS:-"-linkmode external -extldflags -static -s -w"} +LDFLAGS=${LDFLAGS:-"-linkmode external -extldflags -s -w"} cd $(dirname $0)/.. @@ -30,6 +30,7 @@ if [ "$CROSS" = 1 ]; then echo Built ${OUTPUT}-Linux-x86_64 else + export GO111MODULE=auto go build -ldflags "${CONST} ${LDFLAGS}" -o ${OUTPUT} strip --strip-all ${OUTPUT} diff --git a/scripts/packages/centos6/prebuild.sh b/scripts/packages/centos6/prebuild.sh index 56c1bee..752cbe6 100755 
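Review bot: After this change `-extldflags` consumes `-s` as its single argument, so `-s` is now passed to the external C linker while only `-w` still reaches the Go linker; before the change `-static` filled that slot and both `-s -w` were Go linker flags. The binary is still stripped because `strip --strip-all` runs afterwards, but the flag string no longer means what it reads as. If static linking is gone, drop the now-empty external flags: `LDFLAGS=${LDFLAGS:-"-linkmode external -s -w"}` (or just `"-s -w"` if external linking was only needed for `-static`). Without `-static` the binary also depends on the build container's glibc, which matters for the RPMs produced under scripts/packages.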
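Review bot: `export GO111MODULE=auto` in build-target (and the identical lines added to scripts/packages/centos6/prebuild.sh and scripts/packages/centos7/prebuild.sh) selects GOPATH mode whenever no go.mod is present, which with Go 1.19.3 means dependencies are whatever is checked out under GOPATH at build time, with no go.sum to verify their content. If the repository has no go.mod yet — the need for this override suggests it does not — the more robust fix is to add go.mod/go.sum and build in module mode, so dependency versions and checksums are pinned in the repository. If GOPATH mode is an intentional stopgap, record that above the export, e.g. `# Go 1.19 defaults to module mode; this tree still uses a GOPATH layout`.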
--- a/scripts/packages/centos6/prebuild.sh +++ b/scripts/packages/centos6/prebuild.sh @@ -10,6 +10,7 @@ mkdir -p build cp ${ROOTDIR}/bin/twic build/ +export GO111MODULE=auto go run ${ROOTDIR}/gen/man/genman.go cp -r /tmp/twic/man build/ diff --git a/scripts/packages/centos7/prebuild.sh b/scripts/packages/centos7/prebuild.sh index 56c1bee..752cbe6 100755 --- a/scripts/packages/centos7/prebuild.sh +++ b/scripts/packages/centos7/prebuild.sh @@ -10,6 +10,7 @@ mkdir -p build cp ${ROOTDIR}/bin/twic build/ +export GO111MODULE=auto go run ${ROOTDIR}/gen/man/genman.go cp -r /tmp/twic/man build/ From 96e7fa13addae1ff40d9de79241aff28ba05f900 Mon Sep 17 00:00:00 2001 From: Erik Reuterborg Larsson Date: Tue, 6 Dec 2022 12:18:14 +0100 Subject: [PATCH 4/4] don't build centos 6 packages Not supported any more, noone should use it. --- scripts/packages/centos6/Dockerfile | 35 ------------------ scripts/packages/centos6/entrypoint.sh | 18 ---------- scripts/packages/centos6/prebuild.sh | 18 ---------- scripts/packages/centos6/twic.spec | 49 -------------------------- 4 files changed, 120 deletions(-) delete mode 100644 scripts/packages/centos6/Dockerfile delete mode 100755 scripts/packages/centos6/entrypoint.sh delete mode 100755 scripts/packages/centos6/prebuild.sh delete mode 100644 scripts/packages/centos6/twic.spec diff --git a/scripts/packages/centos6/Dockerfile b/scripts/packages/centos6/Dockerfile deleted file mode 100644 index 840bda9..0000000 --- a/scripts/packages/centos6/Dockerfile +++ /dev/null 
@@ -1,35 +0,0 @@ -FROM centos:6 - -COPY entrypoint.sh /entrypoint.sh -COPY build /usr/local/src/twic - -ENV DAPPER_SOURCE /tmp -ENV DAPPER_OUTPUT dist -ENV SHELL /bin/bash - -WORKDIR ${DAPPER_SOURCE} - -ENV RPMBUILD_PATH="/srv/rpmbuild" - -RUN build="rpm-build" \ - && set -x \ - && yum -y install $build \ - && yum clean all - -RUN mkdir -p ${RPMBUILD_PATH} \ - && mkdir ${RPMBUILD_PATH}/BUILD \ - && mkdir ${RPMBUILD_PATH}/RPMS \ - && mkdir ${RPMBUILD_PATH}/SOURCES \ - && mkdir ${RPMBUILD_PATH}/SPECS \ - && mkdir ${RPMBUILD_PATH}/SRPMS \ - && mkdir ${RPMBUILD_PATH}/tmp \ - && echo "%_topdir ${RPMBUILD_PATH}" > /root/.rpmmacros \ - && echo "%_tmppath ${RPMBUILD_PATH}/tmp" >> /root/.rpmmacros - -COPY twic.spec ${RPMBUILD_PATH}/SPECS/twic.spec - -RUN set -x \ - && tar cvzf ${RPMBUILD_PATH}/SOURCES/twic.tar.gz -C /usr/local/src twic \ - && rm -rf /usr/local/src/twic - -ENTRYPOINT ["/entrypoint.sh"] diff --git a/scripts/packages/centos6/entrypoint.sh b/scripts/packages/centos6/entrypoint.sh deleted file mode 100755 index 8fd1c77..0000000 --- a/scripts/packages/centos6/entrypoint.sh +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/bash - -VERSION=$1 -RELEASE=$2 - -VERSION=`echo ${VERSION} | sed 's/-/_/'` - -cd ${RPMBUILD_PATH}/SPECS - -rpmbuild -ba \ - --define "_version ${VERSION}" \ - --define "_release ${RELEASE}" \ - twic.spec - -mkdir -p /tmp/dist -cp ${RPMBUILD_PATH}/RPMS/x86_64/*.rpm /tmp/dist/ - -#rpmlint twic.spec ../SRPMS/twic* ../RPMS/*/twic* diff --git a/scripts/packages/centos6/prebuild.sh b/scripts/packages/centos6/prebuild.sh deleted file mode 100755 index 752cbe6..0000000 --- a/scripts/packages/centos6/prebuild.sh +++ /dev/null 
@@ -1,18 +0,0 @@ -#!/usr/bin/env bash - -ROOTDIR=$(dirname $0)/../../.. -cd $(dirname $0) - -if [ -d "build" ]; then - rm -rf build -fi -mkdir -p build - -cp ${ROOTDIR}/bin/twic build/ - -export GO111MODULE=auto -go run ${ROOTDIR}/gen/man/genman.go -cp -r /tmp/twic/man build/ - -go run ${ROOTDIR}/gen/shellcompletion/genshellcompletion.go -cp -r /tmp/twic/shellcompletion build/ diff --git a/scripts/packages/centos6/twic.spec b/scripts/packages/centos6/twic.spec deleted file mode 100644 index ec4aa18..0000000 --- a/scripts/packages/centos6/twic.spec +++ /dev/null @@ -1,49 +0,0 @@ -Name: twic -Version: %{_version} -Release: %{_release}%{?dist} -Summary: HBM TWIC -Group: Tools/Docker - -License: GPL - -URL: https://github.com/kassisol/twic -Vendor: Kassisol -Packager: Kassisol - -BuildArch: x86_64 -BuildRoot: %{_tmppath}/%{name}-buildroot - -Source: twic.tar.gz - -%description -HBM TWIC is an open source project for managing Docker certificates to connect to the Docker daemon using TLS. - -%prep -%setup -n %{name} - -%install -# install binary -install -d $RPM_BUILD_ROOT/%{_bindir} -install -p -m 755 twic $RPM_BUILD_ROOT/%{_bindir}/ - -# add bash completions -install -d $RPM_BUILD_ROOT/usr/share/bash-completion/completions -install -p -m 644 shellcompletion/bash $RPM_BUILD_ROOT/usr/share/bash-completion/completions/twic - -# install manpages -install -d $RPM_BUILD_ROOT/%{_mandir}/man8 -install -p -m 644 man/man8/*.8 $RPM_BUILD_ROOT/%{_mandir}/man8 - -# list files owned by the package here -%files -#%doc README.md -%{_bindir}/twic -/usr/share/bash-completion/completions/twic -%doc -/%{_mandir}/man8/* - -%postun -rm -f %{_bindir}/twic - -%clean -rm -rf $RPM_BUILD_ROOT