From 4c2a2e4319dc7b2dc9ae9535f58291731c8e6197 Mon Sep 17 00:00:00 2001
From: Marius C
Date: Mon, 18 Dec 2023 15:30:44 +0200
Subject: [PATCH] FEAT: Extend binary to generate certificates
---
 cert/cert.go | 4 ++-
 cert/certificate.crt | 20 ---------------
 cert/cmd/cert/flags.go | 21 ++++++++++++++++
 cert/cmd/cert/main.go | 52 +++++++++++++++++++++++++++++++++++----
 cert/private_key.pem | 27 --------------------
 server/cmd/server/main.go | 2 +-
 6 files changed, 72 insertions(+), 54 deletions(-)
 delete mode 100644 cert/certificate.crt
 create mode 100644 cert/cmd/cert/flags.go
 delete mode 100644 cert/private_key.pem
diff --git a/cert/cert.go b/cert/cert.go
index 15aa6be..3ab45d9 100644
--- a/cert/cert.go
+++ b/cert/cert.go
@@ -32,6 +32,8 @@ type FileCfg struct {
 	PkFile string
 }
 
+const day = time.Hour * 24
+
 func GenerateCert(cfg CertCfg) ([]byte, *rsa.PrivateKey, error) {
 	pk, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
@@ -52,7 +54,7 @@ func GenerateCert(cfg CertCfg) ([]byte, *rsa.PrivateKey, error) {
 		},
 		DNSNames: []string{cfg.DNSName},
 		NotBefore: time.Now(),
-		NotAfter: time.Now().Add(time.Duration(cfg.Availability) * time.Hour),
+		NotAfter: time.Now().Add(time.Duration(cfg.Availability) * day),
 		KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
 		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
 		BasicConstraintsValid: true,
diff --git a/cert/certificate.crt b/cert/certificate.crt
deleted file mode 100644
index 24bfd16..0000000
--- a/cert/certificate.crt
+++ /dev/null
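Review bot: `NotAfter: time.Now().Add(time.Duration(cfg.Availability) * day)` in the second hunk still accepts any int64: a zero or negative Availability yields a certificate that is already expired when issued, and a value above roughly 106751 days (math.MaxInt64 / int64(day)) overflows time.Duration and wraps NotAfter into the past. GenerateCert should reject the value before building the template, e.g. `if cfg.Availability <= 0 || cfg.Availability > maxAvailabilityDays { return nil, nil, fmt.Errorf("certificate availability must be between 1 and %d days, got %d", maxAvailabilityDays, cfg.Availability) }` with `maxAvailabilityDays` declared as a package const next to `day` (adding the fmt import if cert.go does not already have it). The template literal and the rest of GenerateCert continue outside the hunk.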
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDNDCCAhygAwIBAgIRAIFIZEV8mjs90HatkH2Hb/QwDQYJKoZIhvcNAQELBQAw
-KjETMBEGA1UEChMKTXVsdGl2ZXJzWDETMBEGA1UEAxMKTXVsdGl2ZXJzWDAeFw0y
-MzEyMTgxMjQwNDlaFw0yMzEyMTgyMjQwNDlaMCoxEzARBgNVBAoTCk11bHRpdmVy
-c1gxEzARBgNVBAMTCk11bHRpdmVyc1gwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
-ggEKAoIBAQDAIokkHY6H3ySF32VaRRM/2ddcA4vhnWYlNpDygRKZv2LB7tevbsPX
-PwRyqKQq+rGdkXMGSnF43OE9rfff6ABgH6oXlI/97fXIJWhOzt+tJutKvZjaXz8U
-lEPIudXt5o3NyGbHz6a9kEc+NSfA7SfuwAWR1g9lcFzqv3haN1IG+1vwtc+MRpvx
-cokiqqEUSjSjUENtuZvS7dhVUK2bd7IzDsiYrngwY9JTx3KF/zXzIRWwZZV8aMBt
-o2tf4e7IYuasAcxslLCtLOHO4OxEiNulCz93cziRGQlFW3kKu8VpRtByH5kjXawV
-WbxWaGtXIGiV3B8qubawsOP4xjA+4PTpAgMBAAGjVTBTMA4GA1UdDwEB/wQEAwIF
-oDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAU
-BgNVHREEDTALgglsb2NhbGhvc3QwDQYJKoZIhvcNAQELBQADggEBAACE8mAMu+Oq
-zZ7KkuKV99p8rJz3x+BnLPph9A7N5Q9bPXfgxmur39hmq2FnnlcomasSKYBi/Qg5
-FK1i51CsxqNZ4RI61sGm/XJRDXAiEJZWTCchwcp1atARbH7IOkPXbaNNakC2GaMR
-VQGNydkK0jnoNTU/ZZkx0w40kq85okEmOW5rWLxMM4TGR70GgNOBBzD1UY6FsNj0
-zNfLohtFspgQUc6mLloproWgyyI9O53xz2yB52RRA0VldUfBbyt1xbGoTiJ0W1sx
-b6kqUnt+n3QVx7yFR1TbiuqKJuK8Py+Ir9z79bYj0iskoEiyCZPamlLhnAbVf3Hb
-a2KTY1kp2qc=
------END CERTIFICATE-----
diff --git a/cert/cmd/cert/flags.go b/cert/cmd/cert/flags.go
new file mode 100644
index 0000000..70252db
--- /dev/null
+++ b/cert/cmd/cert/flags.go
@@ -0,0 +1,21 @@
+package main
+
+import "github.com/urfave/cli"
+
+var (
+	organizationFlag = cli.StringFlag{
+		Name: "organization",
+		Usage: "This flag specifies the organization name which will generate the certificate",
+		Value: "MultiversX",
+	}
+	dnsFlag = cli.StringFlag{
+		Name: "dns",
+		Usage: "This flag specifies the server's dns for tls connection",
+		Value: "localhost",
+	}
+	availabilityFlag = cli.StringFlag{
+		Name: "availability",
+		Usage: "This flag specifies the certificate's availability in days starting from current timestamp",
+		Value: "365",
+	}
+)
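Review bot: `availabilityFlag` is declared as a `cli.StringFlag` with `Value: "365"`, yet the main.go hunk reads it with `ctx.GlobalInt64(availabilityFlag.Name)`; with urfave/cli v1 (the `github.com/urfave/cli` import) that lookup appears to discard the parse error, so a typo such as `--availability 30d` would, as far as I can tell, be read as 0 and produce an immediately-expired certificate. Declare it as an integer flag so the CLI itself rejects non-numeric input at parse time: `availabilityFlag = cli.Int64Flag{` … `Value: 365,`. The same type mismatch is what the `GlobalInt64` call in the main.go hunk depends on, so the two should change together.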
diff --git a/cert/cmd/cert/main.go b/cert/cmd/cert/main.go
index ae00649..a23b739 100644
--- a/cert/cmd/cert/main.go
+++ b/cert/cmd/cert/main.go
@@ -1,22 +1,64 @@
 package main
 
 import (
-	"fmt"
+	"os"
 
+	logger "github.com/multiversx/mx-chain-logger-go"
 	"github.com/multiversx/mx-chain-sovereign-bridge-go/cert"
+	"github.com/urfave/cli"
 )
 
+var log = logger.GetOrCreate("cert")
+
 func main() {
+
+	app := cli.NewApp()
+	app.Name = "Certificate generator"
+	app.Usage = "Generate certificate (.crt + .pem) for grpc tls connection between server and client.\n" +
+		"->Certificate Generation: To enable secure communication, generate a certificate pair containing a .crt (certificate) " +
+		"and a .pem (private key) for both the server and the sovereign nodes (clients). This will facilitate the encryption and " +
+		"authentication required for the gRPC TLS connection.\n" +
+		"->Authentication of Clients: The server, acting as the hot wallet binary, should authenticate and validate the sovereign nodes (clients) " +
+		"attempting to connect. Only trusted clients with the matching certificate will be granted access to interact with the hot wallet binary.\n" +
+		"->Ensuring Secure Transactions: Utilize the certificate-based authentication mechanism to ensure that only authorized sovereign nodes can access the hot wallet binary. " +
+		"This step is crucial in maintaining the integrity and security of transactions being sent from the sovereign shards to the main chain.\n" +
+		"->Ongoing Security Measures: Regularly review and update the certificate mechanism to maintain security. This includes renewal of certificates, " +
+		"implementing security best practices, and promptly revoking access for compromised or unauthorized clients."
+	app.Action = generateCertificate
+	app.Flags = []cli.Flag{
+		organizationFlag,
+		dnsFlag,
+		availabilityFlag,
+	}
+
+	err := app.Run(os.Args)
+	if err != nil {
+		log.Error(err.Error())
+		os.Exit(1)
+	}
+
+}
+
+func generateCertificate(ctx *cli.Context) error {
+	organization := ctx.GlobalString(organizationFlag.Name)
+	dns := ctx.GlobalString(dnsFlag.Name)
+	availability := ctx.GlobalInt64(availabilityFlag.Name)
+
 	err := cert.GenerateCertFile(cert.CertificateCfg{
 		CertCfg: cert.CertCfg{
-			Organization: "MultiversX",
-			DNSName: "localhost",
-			Availability: 10,
+			Organization: organization,
+			DNSName: dns,
+			Availability: availability,
 		},
 		CertFileCfg: cert.FileCfg{
 			CertFile: "certificate.crt",
 			PkFile: "private_key.pem",
 		},
 	})
-	fmt.Println(err)
+	if err != nil {
+		return err
+	}
+
+	log.Info("generated files successfully")
+	return nil
 }
diff --git a/cert/private_key.pem b/cert/private_key.pem
deleted file mode 100644
index 867cbb9..0000000
--- a/cert/private_key.pem
+++ /dev/null
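Review bot: generateCertificate writes the key pair to the fixed names `certificate.crt` and `private_key.pem` in whatever directory the binary is started from, so a second run silently overwrites an existing private key and the key can land in an unintended (possibly version-controlled) directory. Consider an output-directory flag next to the three existing ones and refusing to overwrite an existing `private_key.pem`; whether `cert.GenerateCertFile` creates the key file with owner-only permissions is not visible here and should be confirmed. The `app.Usage` text also states that one .crt/.pem pair is shared by the server and every client; with that design any client holding the pair can present itself as the server and revoking one client means re-issuing for all, so the text (or the design) should make that trade-off explicit. As a point of style, the multi-paragraph `app.Usage` belongs in `app.Description`, leaving `app.Usage` as a one-line summary.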
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEAwCKJJB2Oh98khd9lWkUTP9nXXAOL4Z1mJTaQ8oESmb9iwe7X -r27D1z8EcqikKvqxnZFzBkpxeNzhPa333+gAYB+qF5SP/e31yCVoTs7frSbrSr2Y -2l8/FJRDyLnV7eaNzchmx8+mvZBHPjUnwO0n7sAFkdYPZXBc6r94WjdSBvtb8LXP -jEab8XKJIqqhFEo0o1BDbbmb0u3YVVCtm3eyMw7ImK54MGPSU8dyhf818yEVsGWV -fGjAbaNrX+HuyGLmrAHMbJSwrSzhzuDsRIjbpQs/d3M4kRkJRVt5CrvFaUbQch+Z -I12sFVm8VmhrVyBoldwfKrm2sLDj+MYwPuD06QIDAQABAoIBAQCJZmkylZx/GBmT -Tw24/1rjt5JmL/cRsjEA/cOsWJeHsbEbRQWjZI/S1zMEGAvG3J62MvTSE9yP9U1y -gX2Y9t2F4D8QO+K5UjoJFo9AhHq65fEv8uRjjeebfOf4nMUbK1xPRDgUPjBcsdfw -6axzMGX1PAb/othBz5fzHFgiFBup90pfu6oWTSaIxY5nM3FsJ+Kp+5YQTMAkT/12 -9bUvuadk9lhU3LAvRRGP4mtFevIJ7u7I5vurcR/8NxIqEAxmywPHw9Pa2fgI3iuX -9tG+prcVM2EjEXWaUZ2k56MLFmV2jCLSoRfvVQaOjcCSqvW8cw/5fpKwI50AemKF -8WZ2a0PxAoGBAPbw66XdydUWdNAVWjwDp+Grsa453VUvgwjcoXi+5lFKudE7EWTM -TRTlzc+4vHo3u5TAV7qTkBEbESxfZUcSq3eVeljskb9itSK2vnyvY8kDKSkcPlNQ -pUuXPaa5C13Odbk30LLRWyhTMO9Ho6hojeI01ayBc/Y6r5dl8hwBVOmVAoGBAMcu -6vyO2UJhKQVy1igkHF+6U3XEksHDT4h5IaEVRcTrE0wckZ2bvhJpagxrtBP1jatT -Zy/1zdWfQXZr24bT7nf1vcO54TPnc8BDMPj47rPtlQjmeCNG6avkZLukKrlCrgmP -/WC0ns03n6uOKX/zjhe7eMtBWemJZN2DUkyDf5EFAoGBAOcpLh6N2NMte1oSsu59 -KZm6JNEIf+WvXUVda5Zhda7hecKgPa8TBJEschYiQ+VQ6LrdtwIEApfQs6nK/z6h -/nsqJWa6xdDXsOJ3GSgU8x8HY2+Fbd6GHsX9JQw+KqK8kz04P5g1HNVJ0wQbFtue -TDtV5DPg1tHHq/nYx+RpZrhlAoGAdIJ2Q9tPLGvm8d/1cy+ERV6ZOTcN3Tdgy2SH -jlECKaiT9h5z8uxJ5z0wIinSASbOgpvbrQssJrvsL9fxZlGLmTHumZGeMJ0/cQQc -nlYGUsszNSySs5fkUX7ciYIC17EwWjmWrb2ZclMKG/ChR83wnOM1Sjdk351Vmdka -B9WXhf0CgYEAwNZBP+iDCYnq47ICv3GM4PCnU1Pc/tPDMKlUqWCUl8Sp/UdiNJoM -7cvG6wct4+HG9UQfjhFJegLuNL9uchK+Vnu04nbbkgQCH78ORwf2Y+VPkWOjt7r0 -86xfx+m5YNOP0Wqrm5tBqnDZpZSL5YTYVhpTKJve2BGcjOydqdKZbe4= ------END RSA PRIVATE KEY----- diff --git a/server/cmd/server/main.go b/server/cmd/server/main.go index e4a7040..974d6f1 100644 --- a/server/cmd/server/main.go +++ b/server/cmd/server/main.go 
@@ -82,8 +82,8 @@ func startServer(ctx *cli.Context) error { if err != nil { return err } - tlsCredentials := credentials.NewTLS(tlsConfig) + tlsCredentials := credentials.NewTLS(tlsConfig) grpcServer := grpc.NewServer( grpc.Creds(tlsCredentials), )