From 5c16c5c3c91652ef6f985bebb8bd790a9c013baf Mon Sep 17 00:00:00 2001
From: Akis Kesoglou <akiskesoglou@gmail.com>
Date: Sun, 21 Oct 2018 00:50:22 +0200
Subject: [PATCH] fix token auth gen script

---
 scripts/_keyid.js           | 79 +++++++++++++++++++++++++++++++++++++
 scripts/gen-root-cert       |  2 +-
 scripts/gen-token-auth-cert | 29 +++++++-------
 scripts/make-env            | 16 +++-----
 4 files changed, 101 insertions(+), 25 deletions(-)
 create mode 100644 scripts/_keyid.js

diff --git a/scripts/_keyid.js b/scripts/_keyid.js
new file mode 100644
index 0000000..f5898fc
--- /dev/null
+++ b/scripts/_keyid.js
@@ -0,0 +1,79 @@
+'use strict';
+
+var crypto = require('crypto');
+var fs = require('fs');
+
+var base32 = (function() {
+  // Extracted from https://github.com/chrisumbel/thirty-two
+  // to avoid having to install packages for this script.
+  var charTable = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+  var byteTable = [
+    0xff, 0xff, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
+    0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e,
+    0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16,
+    0x17, 0x18, 0x19, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
+    0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e,
+    0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16,
+    0x17, 0x18, 0x19, 0xff, 0xff, 0xff, 0xff, 0xff
+  ];
+
+  function quintetCount(buff) {
+    var quintets = Math.floor(buff.length / 5);
+    return buff.length % 5 == 0 ? quintets: quintets + 1;
+  }
+
+  return function(plain) {
+    if (!Buffer.isBuffer(plain)) {
+      plain = Buffer.alloc(plain);
+    }
+    var i = 0;
+    var j = 0;
+    var shiftIndex = 0;
+    var digit = 0;
+    var encoded = Buffer.alloc(quintetCount(plain) * 8);
+
+    /* byte by byte isn't as pretty as quintet by quintet but tests a bit
+      faster. will have to revisit. */
+    while(i < plain.length) {
+      var current = plain[i];
+    
+      if(shiftIndex > 3) {
+        digit = current & (0xff >> shiftIndex);
+        shiftIndex = (shiftIndex + 5) % 8;
+        digit = (digit << shiftIndex) | ((i + 1 < plain.length) ?
+          plain[i + 1] : 0) >> (8 - shiftIndex);
+        i++;
+      } else {
+        digit = (current >> (8 - (shiftIndex + 5))) & 0x1f;
+        shiftIndex = (shiftIndex + 5) % 8;            
+        if(shiftIndex == 0) i++;
+      }
+      
+      encoded[j] = charTable.charCodeAt(digit);
+      j++;
+    }
+
+    for (i = j; i < encoded.length; i++) {
+      encoded[i] = 0x3d; //'='.charCodeAt(0)
+    }
+    return encoded;
+  }
+})();
+
+function joseKeyId(der) {
+  var hasher = crypto.createHash('sha256');
+  hasher.update(der);
+  var b32 = base32(hasher.digest().slice(0, 30)).toString('ascii');
+  var chunks = [];
+  for (var i = 0; i < b32.length; i += 4) {
+    chunks.push(b32.substr(i, 4));
+  }
+  return chunks.join(':');
+}
+
+var derFilePath = process.argv[2];
+var der = fs.readFileSync(derFilePath);
+process.stdout.write(joseKeyId(der));
diff --git a/scripts/gen-root-cert b/scripts/gen-root-cert
index df387bc..ef0a259 100755
--- a/scripts/gen-root-cert
+++ b/scripts/gen-root-cert
@@ -23,7 +23,7 @@ OUT="$(realpath "${2:-.}")"
 source "${DIR}/ssl-common.sh"
 
 # generate default CSR and sign (root + wildcard)
-"$easyrsa_bin" --pki-dir="${ROOT_PKI}" --days="${CRT_EXPIRY_DAYS}" --subject-alt-name="DNS:*.${CN}" build-server-full "*.${CN}" nopass
+"$easyrsa_bin" --pki-dir="${ROOT_PKI}" --days="${CRT_EXPIRY_DAYS}" --subject-alt-name="DNS:*.${CN}" build-server-full "*.${CN}" nopass 2>/dev/null
 ROOT_CRT="${ROOT_PKI}"'/issued/*.'"${CN}"'.crt'
 ROOT_KEY="${ROOT_PKI}"'/private/*.'"${CN}"'.key'
 echo "ROOT_CRT=${ROOT_CRT//$OUT/\$OUT}"
diff --git a/scripts/gen-token-auth-cert b/scripts/gen-token-auth-cert
index 827b8ae..f4ffe80 100755
--- a/scripts/gen-token-auth-cert
+++ b/scripts/gen-token-auth-cert
@@ -22,23 +22,24 @@ OUT="$(realpath "${2:-.}")"
 # shellcheck source=scripts/ssl-common.sh
 source "${DIR}/ssl-common.sh"
 
+CERT_DIR="${OUT}/api"
+CERT_FILE="${CERT_DIR}/api.${CN}"
+
 keyid() {
-  local der
-  der="$(openssl ec -in "$1" -pubout -outform DER 2>/dev/null)"
-  python -c "import sys as S; from base64 import b32encode as B; import hashlib as H; h = H.sha256(); h.update(S.argv[1].encode('ascii')); s = B(h.digest()[:30]).decode('ascii'); S.stdout.write(':'.join([s[i:i+4] for i in range(0, len(s), 4)]))" "${der}"
+  nodejs "${DIR}/_keyid.js" "$1"
 }
 
-# generate api CSR and sign
-"$easyrsa_bin" --pki-dir="${ROOT_PKI}" --days=730 --use-algo=ec --curve=prime256v1 build-server-full "api.${CN}" nopass 2>/dev/null
-JWT_CRT="${ROOT_PKI}/issued/api.${CN}.crt"
-JWT_KEY="${ROOT_PKI}/private/api.${CN}.key"
+JWT_CRT="${CERT_FILE}.crt"
+JWT_KEY="${CERT_FILE}.pem"
+JWT_KID="${CERT_FILE}.kid"
+
+mkdir -p "${CERT_DIR}"
+openssl ecparam -name prime256v1 -genkey -noout -out "${JWT_KEY}" 2>/dev/null
+openssl req -x509 -new -nodes -days "${CRT_EXPIRY_DAYS}" -key "${JWT_KEY}" -subj "/CN=api.${CN}" -out "${JWT_CRT}" 2>/dev/null
+openssl ec -in "${JWT_KEY}" -pubout -outform DER -out "${CERT_FILE}.der" 2>/dev/null
+keyid "${CERT_FILE}.der" >"${JWT_KID}"
+rm "${CERT_FILE}.der"
+
 echo "JWT_CRT=${JWT_CRT//$OUT/\$OUT}"
 echo "JWT_KEY=${JWT_KEY//$OUT/\$OUT}"
-
-# update indexes and generate CRLs
-"$easyrsa_bin" --pki-dir="${ROOT_PKI}" update-db 2>/dev/null
-"$easyrsa_bin" --pki-dir="${ROOT_PKI}" gen-crl 2>/dev/null
-
-# generate key ID
-JWT_KID="$(keyid "${JWT_CRT}")"
 echo "JWT_KID=${JWT_KID//$OUT/\$OUT}"
diff --git a/scripts/make-env b/scripts/make-env
index 9d72f0e..8b7aa4a 100755
--- a/scripts/make-env
+++ b/scripts/make-env
@@ -11,7 +11,7 @@ usage() {
   echo "  ROOT_KEY   Path to root/wildcard private key"
   echo "  JWT_CRT    Path to Token Auth certificate"
   echo "  JWT_KEY    Path to Token Auth private key"
-  echo "  JWT_KID    The KeyID for the Token Auth certificate"
+  echo "  JWT_KID    Path to KeyID for the Token Auth certificate"
   echo "  VPN_CA     Path to the VPN sub-CA certificate"
   echo "  VPN_CRT    Path to the VPN server certificate"
   echo "  VPN_KEY    Path to the VPN server private key"
@@ -20,10 +20,10 @@ usage() {
 }
 
 for var in DOMAIN ROOT_CA ROOT_CRT ROOT_KEY JWT_CRT JWT_KEY JWT_KID VPN_CA VPN_CRT VPN_KEY VPN_DH; do
-    if [ -z "${!var-}" ]; then
-        usage
-        exit 1
-    fi
+  if [ -z "${!var-}" ]; then
+    usage
+    exit 1
+  fi
 done
 
 randstr() {
@@ -34,10 +34,6 @@ b64encode() {
   cat "$@" | base64 --wrap=0 2>/dev/null || cat "$@" | base64 --break=0
 }
 
-b64encode_str() {
-  echo -n "$@" | base64 --wrap=0 - 2>/dev/null || echo -n "$@" | base64 --break=0 -
-}
-
 cat <<STR
 export OPENBALENA_DEBUG=true
 export OPENBALENA_PRODUCTION_MODE=false
@@ -49,7 +45,7 @@ export OPENBALENA_ROOT_CRT=$(b64encode "${ROOT_CRT}")
 export OPENBALENA_ROOT_KEY=$(b64encode "${ROOT_KEY}")
 export OPENBALENA_TOKEN_AUTH_PUB=$(b64encode "$JWT_CRT")
 export OPENBALENA_TOKEN_AUTH_KEY=$(b64encode "$JWT_KEY")
-export OPENBALENA_TOKEN_AUTH_KID=$(b64encode_str "$JWT_KID")
+export OPENBALENA_TOKEN_AUTH_KID=$(b64encode "$JWT_KID")
 export OPENBALENA_VPN_CA=$(b64encode "$VPN_CA")
 export OPENBALENA_VPN_SERVER_CRT=$(b64encode "$VPN_CRT")
 export OPENBALENA_VPN_SERVER_KEY=$(b64encode "$VPN_KEY")