mirror of
https://github.com/balena-io/open-balena.git
synced 2025-03-25 05:25:37 +00:00
fix token auth gen script
This commit is contained in:
Akis Kesoglou
parent
72f5b4826c
commit
5c16c5c3c9
79
scripts/_keyid.js
Normal file
79
scripts/_keyid.js
Normal file
@ -0,0 +1,79 @@
|
||||
'use strict';
|
||||
|
||||
var crypto = require('crypto');
|
||||
var fs = require('fs');
|
||||
|
||||
var base32 = (function() {
|
||||
// Extracted from https://github.com/chrisumbel/thirty-two
|
||||
// to avoid having to install packages for this script.
|
||||
var charTable = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
|
||||
var byteTable = [
|
||||
0xff, 0xff, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
|
||||
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
||||
0xff, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
|
||||
0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e,
|
||||
0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16,
|
||||
0x17, 0x18, 0x19, 0xff, 0xff, 0xff, 0xff, 0xff,
|
||||
0xff, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
|
||||
0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e,
|
||||
0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16,
|
||||
0x17, 0x18, 0x19, 0xff, 0xff, 0xff, 0xff, 0xff
|
||||
];
|
||||
|
||||
function quintetCount(buff) {
|
||||
var quintets = Math.floor(buff.length / 5);
|
||||
return buff.length % 5 == 0 ? quintets: quintets + 1;
|
||||
}
|
||||
|
||||
return function(plain) {
|
||||
if (!Buffer.isBuffer(plain)) {
|
||||
plain = Buffer.alloc(plain);
|
||||
}
|
||||
var i = 0;
|
||||
var j = 0;
|
||||
var shiftIndex = 0;
|
||||
var digit = 0;
|
||||
var encoded = Buffer.alloc(quintetCount(plain) * 8);
|
||||
|
||||
/* byte by byte isn't as pretty as quintet by quintet but tests a bit
|
||||
faster. will have to revisit. */
|
||||
while(i < plain.length) {
|
||||
var current = plain[i];
|
||||
|
||||
if(shiftIndex > 3) {
|
||||
digit = current & (0xff >> shiftIndex);
|
||||
shiftIndex = (shiftIndex + 5) % 8;
|
||||
digit = (digit << shiftIndex) | ((i + 1 < plain.length) ?
|
||||
plain[i + 1] : 0) >> (8 - shiftIndex);
|
||||
i++;
|
||||
} else {
|
||||
digit = (current >> (8 - (shiftIndex + 5))) & 0x1f;
|
||||
shiftIndex = (shiftIndex + 5) % 8;
|
||||
if(shiftIndex == 0) i++;
|
||||
}
|
||||
|
||||
encoded[j] = charTable.charCodeAt(digit);
|
||||
j++;
|
||||
}
|
||||
|
||||
for (i = j; i < encoded.length; i++) {
|
||||
encoded[i] = 0x3d; //'='.charCodeAt(0)
|
||||
}
|
||||
return encoded;
|
||||
}
|
||||
})();
|
||||
|
||||
function joseKeyId(der) {
|
||||
var hasher = crypto.createHash('sha256');
|
||||
hasher.update(der);
|
||||
var b32 = base32(hasher.digest().slice(0, 30)).toString('ascii');
|
||||
var chunks = [];
|
||||
for (var i = 0; i < b32.length; i += 4) {
|
||||
chunks.push(b32.substr(i, 4));
|
||||
}
|
||||
return chunks.join(':');
|
||||
}
|
||||
|
||||
var derFilePath = process.argv[2];
|
||||
var der = fs.readFileSync(derFilePath);
|
||||
process.stdout.write(joseKeyId(der));
|
||||
@ -23,7 +23,7 @@ OUT="$(realpath "${2:-.}")"
|
||||
source "${DIR}/ssl-common.sh"
|
||||
|
||||
# generate default CSR and sign (root + wildcard)
|
||||
"$easyrsa_bin" --pki-dir="${ROOT_PKI}" --days="${CRT_EXPIRY_DAYS}" --subject-alt-name="DNS:*.${CN}" build-server-full "*.${CN}" nopass
|
||||
"$easyrsa_bin" --pki-dir="${ROOT_PKI}" --days="${CRT_EXPIRY_DAYS}" --subject-alt-name="DNS:*.${CN}" build-server-full "*.${CN}" nopass 2>/dev/null
|
||||
ROOT_CRT="${ROOT_PKI}"'/issued/*.'"${CN}"'.crt'
|
||||
ROOT_KEY="${ROOT_PKI}"'/private/*.'"${CN}"'.key'
|
||||
echo "ROOT_CRT=${ROOT_CRT//$OUT/\$OUT}"
|
||||
|
||||
@ -22,23 +22,24 @@ OUT="$(realpath "${2:-.}")"
|
||||
# shellcheck source=scripts/ssl-common.sh
|
||||
source "${DIR}/ssl-common.sh"
|
||||
|
||||
CERT_DIR="${OUT}/api"
|
||||
CERT_FILE="${CERT_DIR}/api.${CN}"
|
||||
|
||||
keyid() {
|
||||
local der
|
||||
der="$(openssl ec -in "$1" -pubout -outform DER 2>/dev/null)"
|
||||
python -c "import sys as S; from base64 import b32encode as B; import hashlib as H; h = H.sha256(); h.update(S.argv[1].encode('ascii')); s = B(h.digest()[:30]).decode('ascii'); S.stdout.write(':'.join([s[i:i+4] for i in range(0, len(s), 4)]))" "${der}"
|
||||
nodejs "${DIR}/_keyid.js" "$1"
|
||||
}
|
||||
|
||||
# generate api CSR and sign
|
||||
"$easyrsa_bin" --pki-dir="${ROOT_PKI}" --days=730 --use-algo=ec --curve=prime256v1 build-server-full "api.${CN}" nopass 2>/dev/null
|
||||
JWT_CRT="${ROOT_PKI}/issued/api.${CN}.crt"
|
||||
JWT_KEY="${ROOT_PKI}/private/api.${CN}.key"
|
||||
JWT_CRT="${CERT_FILE}.crt"
|
||||
JWT_KEY="${CERT_FILE}.pem"
|
||||
JWT_KID="${CERT_FILE}.kid"
|
||||
|
||||
mkdir -p "${CERT_DIR}"
|
||||
openssl ecparam -name prime256v1 -genkey -noout -out "${JWT_KEY}" 2>/dev/null
|
||||
openssl req -x509 -new -nodes -days "${CRT_EXPIRY_DAYS}" -key "${JWT_KEY}" -subj "/CN=api.${CN}" -out "${JWT_CRT}" 2>/dev/null
|
||||
openssl ec -in "${JWT_KEY}" -pubout -outform DER -out "${CERT_FILE}.der" 2>/dev/null
|
||||
keyid "${CERT_FILE}.der" >"${JWT_KID}"
|
||||
rm "${CERT_FILE}.der"
|
||||
|
||||
echo "JWT_CRT=${JWT_CRT//$OUT/\$OUT}"
|
||||
echo "JWT_KEY=${JWT_KEY//$OUT/\$OUT}"
|
||||
|
||||
# update indexes and generate CRLs
|
||||
"$easyrsa_bin" --pki-dir="${ROOT_PKI}" update-db 2>/dev/null
|
||||
"$easyrsa_bin" --pki-dir="${ROOT_PKI}" gen-crl 2>/dev/null
|
||||
|
||||
# generate key ID
|
||||
JWT_KID="$(keyid "${JWT_CRT}")"
|
||||
echo "JWT_KID=${JWT_KID//$OUT/\$OUT}"
|
||||
|
||||
@ -11,7 +11,7 @@ usage() {
|
||||
echo " ROOT_KEY Path to root/wildcard private key"
|
||||
echo " JWT_CRT Path to Token Auth certificate"
|
||||
echo " JWT_KEY Path to Token Auth private key"
|
||||
echo " JWT_KID The KeyID for the Token Auth certificate"
|
||||
echo " JWT_KID Path to KeyID for the Token Auth certificate"
|
||||
echo " VPN_CA Path to the VPN sub-CA certificate"
|
||||
echo " VPN_CRT Path to the VPN server certificate"
|
||||
echo " VPN_KEY Path to the VPN server private key"
|
||||
@ -20,10 +20,10 @@ usage() {
|
||||
}
|
||||
|
||||
for var in DOMAIN ROOT_CA ROOT_CRT ROOT_KEY JWT_CRT JWT_KEY JWT_KID VPN_CA VPN_CRT VPN_KEY VPN_DH; do
|
||||
if [ -z "${!var-}" ]; then
|
||||
usage
|
||||
exit 1
|
||||
fi
|
||||
if [ -z "${!var-}" ]; then
|
||||
usage
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
|
||||
randstr() {
|
||||
@ -34,10 +34,6 @@ b64encode() {
|
||||
cat "$@" | base64 --wrap=0 2>/dev/null || cat "$@" | base64 --break=0
|
||||
}
|
||||
|
||||
b64encode_str() {
|
||||
echo -n "$@" | base64 --wrap=0 - 2>/dev/null || echo -n "$@" | base64 --break=0 -
|
||||
}
|
||||
|
||||
cat <<STR
|
||||
export OPENBALENA_DEBUG=true
|
||||
export OPENBALENA_PRODUCTION_MODE=false
|
||||
@ -49,7 +45,7 @@ export OPENBALENA_ROOT_CRT=$(b64encode "${ROOT_CRT}")
|
||||
export OPENBALENA_ROOT_KEY=$(b64encode "${ROOT_KEY}")
|
||||
export OPENBALENA_TOKEN_AUTH_PUB=$(b64encode "$JWT_CRT")
|
||||
export OPENBALENA_TOKEN_AUTH_KEY=$(b64encode "$JWT_KEY")
|
||||
export OPENBALENA_TOKEN_AUTH_KID=$(b64encode_str "$JWT_KID")
|
||||
export OPENBALENA_TOKEN_AUTH_KID=$(b64encode "$JWT_KID")
|
||||
export OPENBALENA_VPN_CA=$(b64encode "$VPN_CA")
|
||||
export OPENBALENA_VPN_SERVER_CRT=$(b64encode "$VPN_CRT")
|
||||
export OPENBALENA_VPN_SERVER_KEY=$(b64encode "$VPN_KEY")
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user