From 5510f1c7717a83150d5d4efb7162071b0488a5bb Mon Sep 17 00:00:00 2001 From: Marius C Date: Fri, 15 Dec 2023 12:53:55 +0200 Subject: [PATCH 1/9] FEAT: Very ugly working version with certificates --- cert/cert.go | 103 ++++++++++++++++++++++++++++++ cert/cmd/cert/main.go | 12 ++++ client/cmd/client/certificate.crt | 20 ++++++ client/cmd/client/private_key.pem | 27 ++++++++ client/factory.go | 27 ++++++-- server/cmd/server/certificate.crt | 20 ++++++ server/cmd/server/main.go | 41 +++++++++++- server/cmd/server/private_key.pem | 27 ++++++++ 8 files changed, 272 insertions(+), 5 deletions(-) create mode 100644 cert/cert.go create mode 100644 cert/cmd/cert/main.go create mode 100644 client/cmd/client/certificate.crt create mode 100644 client/cmd/client/private_key.pem create mode 100644 server/cmd/server/certificate.crt create mode 100644 server/cmd/server/private_key.pem diff --git a/cert/cert.go b/cert/cert.go new file mode 100644 index 0000000..9870ff5 --- /dev/null +++ b/cert/cert.go 
@@ -0,0 +1,103 @@ +package cert + +import ( + "crypto/rand" + "crypto/rsa" + "crypto/tls" + "crypto/x509" + "crypto/x509/pkix" + "encoding/pem" + "math/big" + "os" + "time" +) + +func GenerateCert() (*tls.Certificate, error) { + pk, err := rsa.GenerateKey(rand.Reader, 2048) + if err != nil { + return nil, err + } + + template := &x509.Certificate{ + SerialNumber: big.NewInt(1), + Subject: pkix.Name{ + Organization: []string{"MultiversX"}, + CommonName: "Username", // Will be checked by the server + }, + NotBefore: time.Now(), + NotAfter: time.Now().Add(time.Hour), + KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, + ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, + BasicConstraintsValid: true, + } + + cert, err := x509.CreateCertificate(rand.Reader, template, template, pk.Public(), pk) + if err != nil { + return nil, err + } + + tlsCert := tls.Certificate{ + Certificate: [][]byte{cert}, + PrivateKey: pk, + } + + return &tlsCert, nil + + //conn, err := grpc.DialContext(ctx, net.JoinHostPort(addr, port), + // grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)), + //) +} + +func GenerateCertFile() error { + pk, err := rsa.GenerateKey(rand.Reader, 2048) + if err != nil { + return err + } + + template := &x509.Certificate{ + SerialNumber: big.NewInt(1), + Subject: pkix.Name{ + Organization: []string{"MultiversX"}, + CommonName: "MultiversX Bridge", // Will be checked by the server + }, + DNSNames: []string{"localhost"}, + NotBefore: time.Now(), + NotAfter: time.Now().Add(time.Hour), + KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, + ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}, + BasicConstraintsValid: true, + } + + cert, err := x509.CreateCertificate(rand.Reader, template, template, pk.Public(), pk) + if err != nil { + return err + } + + certFile := "certificate.crt" + keyFile := "private_key.pem" + + certOut, err := os.Create(certFile) + if err != nil { + 
return err + } + defer certOut.Close() + pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: cert}) + + keyOut, err := os.Create(keyFile) + if err != nil { + return err + } + defer keyOut.Close() + privBytes := x509.MarshalPKCS1PrivateKey(pk) + pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: privBytes}) + + return nil +} + +func LoadCertificate(certFile, keyFile string) (tls.Certificate, error) { + cert, err := tls.LoadX509KeyPair(certFile, keyFile) + if err != nil { + return tls.Certificate{}, err + } + return cert, nil +} diff --git a/cert/cmd/cert/main.go b/cert/cmd/cert/main.go new file mode 100644 index 0000000..ecc9a94 --- /dev/null +++ b/cert/cmd/cert/main.go @@ -0,0 +1,12 @@ +package main + +import ( + "fmt" + + "github.com/multiversx/mx-chain-sovereign-bridge-go/cert" +) + +func main() { + err := cert.GenerateCertFile() + fmt.Println(err) +} diff --git a/client/cmd/client/certificate.crt b/client/cmd/client/certificate.crt new file mode 100644 index 0000000..e023772 --- /dev/null +++ b/client/cmd/client/certificate.crt 
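Review bot: `GenerateCertFile` writes the private key with `os.Create(keyFile)`, which creates the file with mode 0666 before umask, so `private_key.pem` is usually readable by every local account; open it instead with `keyOut, err := os.OpenFile(keyFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)`, and the same applies to `os.Create(cfg.CertFileCfg.OutFilePk)` in the PATCH 2/9 rewrite of this function. Both `pem.Encode` calls discard their error, so a short write leaves a truncated certificate or key on disk while the function returns nil; check them as `if err := pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: cert}); err != nil { return err }`. The commented-out `grpc.DialContext` block at the end of `GenerateCert` is dead code, and the `// Will be checked by the server` remark on `CommonName` is not backed by anything in the server hunk of this patch, which only verifies against a cert pool; both should be removed.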
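Review bot: `main` prints the result of `cert.GenerateCertFile()` unconditionally, so a successful run prints `<nil>` and a failed run still exits with status 0, which makes the tool unusable from scripts. Replace the `fmt.Println(err)` with `if err != nil { fmt.Fprintln(os.Stderr, err); os.Exit(1) }` (adding `"os"` to the imports). The same pattern survives the PATCH 2/9 rewrite of this `main`.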
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDMjCCAhqgAwIBAgIBATANBgkqhkiG9w0BAQsFADAxMRMwEQYDVQQKEwpNdWx0 +aXZlcnNYMRowGAYDVQQDExFNdWx0aXZlcnNYIEJyaWRnZTAeFw0yMzEyMTUxMDQ3 +MDJaFw0yMzEyMTUxMTQ3MDJaMDExEzARBgNVBAoTCk11bHRpdmVyc1gxGjAYBgNV +BAMTEU11bHRpdmVyc1ggQnJpZGdlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEAwfhRKyHh3ozOm86A1n3njv8/Ju4shZ0DM+PAciPuyKFe9Z3bWcPqHZTe +RNt4sESUMWS+1LZZ23g5etDrLDH9obRXMtsKvQWP9eh5YQldz86qUebmXtw6gFNo +6lcjq4sced6wjO0su0Hzxy274S1/8SPuTeUPslpP1JNncn03UWis3SvURF6N0wHj +LKJNU20M1EhP8OCCciNq59bn3pBlkhFHVru0BOxHzgT79ZYVG/PSF2FfuqDyfp53 +dg6ZHdlQqVcwRYrEn2pBw3EZ1MO8sqSULTszDev3tZeqa+9x5hrLo/Ch0hLp/h1f +BFAPjbAETdlp77Ne/tUReEPFhCeK8wIDAQABo1UwUzAOBgNVHQ8BAf8EBAMCBaAw +HQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwFAYD +VR0RBA0wC4IJbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IBAQAoYxPvJQwn5QwU +I8Fr+rHP16R8DM1Hi7H9WV30RshSimhJ2IolKqI9oWvsLJ0loGOYwD3UgXlKMinI +1U44MSraqGj5XP0/Pg87/we72GAnYjrDAYc3e5lq08o70UDM6jVKFN6Ctqzt5CDZ +eSrNXEVgXf4scDP804lUy6lHOtwTDxQWh+AbtH7TuqoYQc8ZA8FeVIolDh8/ozyo +nFN55dwTisghWSg+2VjNihJxoqgm7m0l8i2tpURpXxlmhSlAnwkijIH8BiEcqqvL +kFjJYePcA89Xjfru3xR5dTFHP8y/prHBPR1N8BV0QWdrrirGm7lCmjpilK3YGdBu +VE+39f0l +-----END CERTIFICATE----- diff --git a/client/cmd/client/private_key.pem b/client/cmd/client/private_key.pem new file mode 100644 index 0000000..d4df8a1 --- /dev/null +++ b/client/cmd/client/private_key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpgIBAAKCAQEAwfhRKyHh3ozOm86A1n3njv8/Ju4shZ0DM+PAciPuyKFe9Z3b +WcPqHZTeRNt4sESUMWS+1LZZ23g5etDrLDH9obRXMtsKvQWP9eh5YQldz86qUebm +Xtw6gFNo6lcjq4sced6wjO0su0Hzxy274S1/8SPuTeUPslpP1JNncn03UWis3SvU +RF6N0wHjLKJNU20M1EhP8OCCciNq59bn3pBlkhFHVru0BOxHzgT79ZYVG/PSF2Ff +uqDyfp53dg6ZHdlQqVcwRYrEn2pBw3EZ1MO8sqSULTszDev3tZeqa+9x5hrLo/Ch +0hLp/h1fBFAPjbAETdlp77Ne/tUReEPFhCeK8wIDAQABAoIBAQCpCNTzWZuUbfC/ +Jr5wLVhV7WoDaxuxdJsN5TQYQ+gbP0WZle9J0sl67fik2P3b3memg70pcZ/s+mBc +/yNyaD43ZQl4cBpzjx1dlzHvtlHifp8+sJGhqRnyKr4LOdUD8T7nlYEVzrpklZzz +vo80NIqCgmVxzGRZcQqQncRQqX5DmgWKHH+wTh+2jVAT4EuANsp1Gv94Te2kWyoa +TwPVbHjCclOl+07BR7+8h961Rq6AJKTd1NKA1+dkELgjBJEe+jG1tg7rZPgk0pDU +Yn3EzAKbW0/aUMQhEvLqzCsi+qYiafGo5Q9/yDJYshwsANheR7gai/yQZXOF7Z6M +0K/9UdSBAoGBAMVcW/g8oOW4g+GsokT0W/zfR7WcnNhRt+4GiyiomMFWl4vhty3n +1wl35TtivU/8B9X/ZiBEg3FrR1eOeNEQ1eti3imteRgVEQGge7fiRlNFmr9s0ds9 +dX+ij/iCEkMM9cqosAE6TLQsQMsJ8ZjSpVp8gNTWwfk4zL1831klB+E5AoGBAPua +DD0UexDT5gEQedBbU7aBnkq04ZACwrRm1MYcnQh2zxYJVjC2PrptLvEtBJK/X9Lq +gRLTsojgBmwWynC3pzK2yQsIuMNEaSWRyPF1p8zd5auhrWANwCRjgKhqJJLx4xym +8+wgeLVnRIM0S5UJJJjPbVlWCczapYPzb1bB30mLAoGBAJlmV0nT/g9v4nn3T80e +zZz4A2nCyBpPMhI9Xc6FdO3Zm0MrdtCkgfynBzKoZZMUxxZrQ/rSpgPzKWmBoKCH +YG5r01g7sIKqZSSJk3/yzUyOLmCZeWfaFkjVlufGWeFp4mXZxau+n73vI5FtMi7h +k4qIeS51miFXJ7QkqglFAiHpAoGBALofVkhk+zkSmAZXitVwiffr4Q5Ays/+yswr +eeFoT15wjXcuxvzYBIViuaQd+lEYkyly4rLruhn5J6cUIQPLSDuC7ixkclG5LNNn +CjBdKhmqWPlja98vrOD+XrG3e4DcwXZzpuQZjVIcp5kruXHxxonogGri8/MAGAsJ +rWaPmr9LAoGBAMOoR8EHuwidMoMbifhWoh6/v8uCO5iKWndPLQkhHmCIx2l1G4e0 +Em1CQ7LmML3pJwxIg+wB+4KOItg7fGP23C6wlWNeF29N8/tKWICQhB4L0jq3FHNU +rA4MWxOAl+mVmDt0h6rlSh0fDJsDsW4XC46nY+dK0sa5o/Wu1tYGMKc0 +-----END RSA PRIVATE KEY----- diff --git a/client/factory.go b/client/factory.go index 6c75a1c..7802f44 100644 --- a/client/factory.go +++ b/client/factory.go 
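Review bot: `client/cmd/client/private_key.pem` is an RSA private key committed to the repository, and the identical key is committed again as `server/cmd/server/private_key.pem` in this patch and as `cert/private_key.pem` in PATCH 2/9 (rotated, but still committed, in PATCH 3/9). A key that has been pushed to version control has to be treated as compromised regardless of later deletion, since it remains in history, and because the matching `certificate.crt` is the trust anchor for both ends in this series, the key alone is enough to act as either side. Generate the pair at deployment time with the `cert` tool and list `*.pem` in `.gitignore` instead of tracking it.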
@@ -1,14 +1,17 @@ package client import ( + "crypto/tls" + "crypto/x509" "fmt" "time" "github.com/multiversx/mx-chain-core-go/data/sovereign" logger "github.com/multiversx/mx-chain-logger-go" + "github.com/multiversx/mx-chain-sovereign-bridge-go/cert" "github.com/multiversx/mx-chain-sovereign-bridge-go/client/config" "google.golang.org/grpc" - "google.golang.org/grpc/credentials/insecure" + "google.golang.org/grpc/credentials" ) const ( @@ -31,11 +34,27 @@ func CreateClient(cfg *config.ClientConfig) (ClientHandler, error) { } func connectWithRetrials(host string) (GRPCConn, error) { - credentials := insecure.NewCredentials() - opts := grpc.WithTransportCredentials(credentials) + //credentials := insecure.NewCredentials() + //opts := grpc.WithTransportCredentials(credentials) + certt, err := cert.LoadCertificate("certificate.crt", "private_key.pem") + if err != nil { + return nil, err + } + certLeaf, err := x509.ParseCertificate(certt.Certificate[0]) + if err != nil { + return nil, err + } + + CertPool := x509.NewCertPool() + CertPool.AddCert(certLeaf) + + tlsConfig := &tls.Config{ + Certificates: []tls.Certificate{certt}, + RootCAs: CertPool, + } for i := 0; i < maxConnectionRetrials; i++ { - cc, err := grpc.Dial(host, opts) + cc, err := grpc.Dial(host, grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig))) if err == nil { return cc, err } diff --git a/server/cmd/server/certificate.crt b/server/cmd/server/certificate.crt new file mode 100644 index 0000000..e023772 --- /dev/null +++ b/server/cmd/server/certificate.crt 
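Review bot: `connectWithRetrials` builds `RootCAs` from the client's own leaf certificate (`x509.ParseCertificate(certt.Certificate[0])` added to a fresh pool), so the client trusts exactly one certificate: its own. The connection only succeeds because the same `certificate.crt`/`private_key.pem` pair is copied into both the client and server directories; with one shared key, the server's `RequireAndVerifyClientCert` in `startServer` (later hunk of this patch) proves possession of the server's own key rather than the identity of a distinct client, and the construction is carried forward unchanged into `createCertPool` in PATCH 3/9. The intended shape is a CA certificate (or at least the peer's certificate, not one's own) in the pool and a separate key pair per side, with the file locations passed in via `config.ClientConfig` rather than the cwd-relative literals `"certificate.crt"` and `"private_key.pem"`. The commented-out `insecure.NewCredentials()` lines should be deleted rather than kept as comments, and the local `CertPool` would normally be spelled `certPool`.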
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDMjCCAhqgAwIBAgIBATANBgkqhkiG9w0BAQsFADAxMRMwEQYDVQQKEwpNdWx0 +aXZlcnNYMRowGAYDVQQDExFNdWx0aXZlcnNYIEJyaWRnZTAeFw0yMzEyMTUxMDQ3 +MDJaFw0yMzEyMTUxMTQ3MDJaMDExEzARBgNVBAoTCk11bHRpdmVyc1gxGjAYBgNV +BAMTEU11bHRpdmVyc1ggQnJpZGdlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEAwfhRKyHh3ozOm86A1n3njv8/Ju4shZ0DM+PAciPuyKFe9Z3bWcPqHZTe +RNt4sESUMWS+1LZZ23g5etDrLDH9obRXMtsKvQWP9eh5YQldz86qUebmXtw6gFNo +6lcjq4sced6wjO0su0Hzxy274S1/8SPuTeUPslpP1JNncn03UWis3SvURF6N0wHj +LKJNU20M1EhP8OCCciNq59bn3pBlkhFHVru0BOxHzgT79ZYVG/PSF2FfuqDyfp53 +dg6ZHdlQqVcwRYrEn2pBw3EZ1MO8sqSULTszDev3tZeqa+9x5hrLo/Ch0hLp/h1f +BFAPjbAETdlp77Ne/tUReEPFhCeK8wIDAQABo1UwUzAOBgNVHQ8BAf8EBAMCBaAw +HQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwFAYD +VR0RBA0wC4IJbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IBAQAoYxPvJQwn5QwU +I8Fr+rHP16R8DM1Hi7H9WV30RshSimhJ2IolKqI9oWvsLJ0loGOYwD3UgXlKMinI +1U44MSraqGj5XP0/Pg87/we72GAnYjrDAYc3e5lq08o70UDM6jVKFN6Ctqzt5CDZ +eSrNXEVgXf4scDP804lUy6lHOtwTDxQWh+AbtH7TuqoYQc8ZA8FeVIolDh8/ozyo +nFN55dwTisghWSg+2VjNihJxoqgm7m0l8i2tpURpXxlmhSlAnwkijIH8BiEcqqvL +kFjJYePcA89Xjfru3xR5dTFHP8y/prHBPR1N8BV0QWdrrirGm7lCmjpilK3YGdBu +VE+39f0l +-----END CERTIFICATE----- diff --git a/server/cmd/server/main.go b/server/cmd/server/main.go index 4a84766..3ab7a09 100644 --- a/server/cmd/server/main.go +++ b/server/cmd/server/main.go @@ -1,6 +1,8 @@ package main import ( + "crypto/tls" + "crypto/x509" "fmt" "net" "os" 
@@ -9,12 +11,15 @@ import ( "syscall" "time" + "google.golang.org/grpc/credentials" + "github.com/joho/godotenv" "github.com/multiversx/mx-chain-core-go/core/check" "github.com/multiversx/mx-chain-core-go/core/closing" "github.com/multiversx/mx-chain-core-go/data/sovereign" logger "github.com/multiversx/mx-chain-logger-go" "github.com/multiversx/mx-chain-logger-go/file" + "github.com/multiversx/mx-chain-sovereign-bridge-go/cert" "github.com/multiversx/mx-chain-sovereign-bridge-go/server" "github.com/multiversx/mx-chain-sovereign-bridge-go/server/cmd/config" "github.com/multiversx/mx-chain-sovereign-bridge-go/server/txSender" @@ -73,7 +78,41 @@ func startServer(ctx *cli.Context) error { return err } - grpcServer := grpc.NewServer() + certCfg, err := cert.GenerateCert() + if err != nil { + return err + } + + CertPool := x509.NewCertPool() + + //certLeaf, err := x509.ParseCertificate(certCfg.Certificate[0]) + //if err != nil { + // return err + //} + + tlsConfig := &tls.Config{ + Certificates: []tls.Certificate{*certCfg}, + ClientCAs: CertPool, + ClientAuth: tls.RequireAndVerifyClientCert, + } + + certt, err := cert.LoadCertificate("certificate.crt", "private_key.pem") + if err != nil { + return err + } + certLeaf, err := x509.ParseCertificate(certt.Certificate[0]) + if err != nil { + return err + } + CertPool.AddCert(certLeaf) + tlsConfig = &tls.Config{ + Certificates: []tls.Certificate{certt}, + ClientCAs: CertPool, + ClientAuth: tls.RequireAndVerifyClientCert, + } + grpcServer := grpc.NewServer( + grpc.Creds(credentials.NewTLS(tlsConfig)), + ) bridgeServer, err := server.CreateServer(cfg) if err != nil { return err diff --git a/server/cmd/server/private_key.pem b/server/cmd/server/private_key.pem new file mode 100644 index 0000000..d4df8a1 --- /dev/null +++ b/server/cmd/server/private_key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpgIBAAKCAQEAwfhRKyHh3ozOm86A1n3njv8/Ju4shZ0DM+PAciPuyKFe9Z3b +WcPqHZTeRNt4sESUMWS+1LZZ23g5etDrLDH9obRXMtsKvQWP9eh5YQldz86qUebm +Xtw6gFNo6lcjq4sced6wjO0su0Hzxy274S1/8SPuTeUPslpP1JNncn03UWis3SvU +RF6N0wHjLKJNU20M1EhP8OCCciNq59bn3pBlkhFHVru0BOxHzgT79ZYVG/PSF2Ff +uqDyfp53dg6ZHdlQqVcwRYrEn2pBw3EZ1MO8sqSULTszDev3tZeqa+9x5hrLo/Ch +0hLp/h1fBFAPjbAETdlp77Ne/tUReEPFhCeK8wIDAQABAoIBAQCpCNTzWZuUbfC/ +Jr5wLVhV7WoDaxuxdJsN5TQYQ+gbP0WZle9J0sl67fik2P3b3memg70pcZ/s+mBc +/yNyaD43ZQl4cBpzjx1dlzHvtlHifp8+sJGhqRnyKr4LOdUD8T7nlYEVzrpklZzz +vo80NIqCgmVxzGRZcQqQncRQqX5DmgWKHH+wTh+2jVAT4EuANsp1Gv94Te2kWyoa +TwPVbHjCclOl+07BR7+8h961Rq6AJKTd1NKA1+dkELgjBJEe+jG1tg7rZPgk0pDU +Yn3EzAKbW0/aUMQhEvLqzCsi+qYiafGo5Q9/yDJYshwsANheR7gai/yQZXOF7Z6M +0K/9UdSBAoGBAMVcW/g8oOW4g+GsokT0W/zfR7WcnNhRt+4GiyiomMFWl4vhty3n +1wl35TtivU/8B9X/ZiBEg3FrR1eOeNEQ1eti3imteRgVEQGge7fiRlNFmr9s0ds9 +dX+ij/iCEkMM9cqosAE6TLQsQMsJ8ZjSpVp8gNTWwfk4zL1831klB+E5AoGBAPua +DD0UexDT5gEQedBbU7aBnkq04ZACwrRm1MYcnQh2zxYJVjC2PrptLvEtBJK/X9Lq +gRLTsojgBmwWynC3pzK2yQsIuMNEaSWRyPF1p8zd5auhrWANwCRjgKhqJJLx4xym +8+wgeLVnRIM0S5UJJJjPbVlWCczapYPzb1bB30mLAoGBAJlmV0nT/g9v4nn3T80e +zZz4A2nCyBpPMhI9Xc6FdO3Zm0MrdtCkgfynBzKoZZMUxxZrQ/rSpgPzKWmBoKCH +YG5r01g7sIKqZSSJk3/yzUyOLmCZeWfaFkjVlufGWeFp4mXZxau+n73vI5FtMi7h +k4qIeS51miFXJ7QkqglFAiHpAoGBALofVkhk+zkSmAZXitVwiffr4Q5Ays/+yswr +eeFoT15wjXcuxvzYBIViuaQd+lEYkyly4rLruhn5J6cUIQPLSDuC7ixkclG5LNNn +CjBdKhmqWPlja98vrOD+XrG3e4DcwXZzpuQZjVIcp5kruXHxxonogGri8/MAGAsJ +rWaPmr9LAoGBAMOoR8EHuwidMoMbifhWoh6/v8uCO5iKWndPLQkhHmCIx2l1G4e0 +Em1CQ7LmML3pJwxIg+wB+4KOItg7fGP23C6wlWNeF29N8/tKWICQhB4L0jq3FHNU +rA4MWxOAl+mVmDt0h6rlSh0fDJsDsW4XC46nY+dK0sa5o/Wu1tYGMKc0 +-----END RSA PRIVATE KEY----- From a24f7cca8d4d8976b50c5b2bee60cf57f8cd0dfa Mon Sep 17 00:00:00 2001 
From: Marius C Date: Fri, 15 Dec 2023 15:09:50 +0200 Subject: [PATCH 2/9] FEAT: Create cert file with cfg --- cert/cert.go | 96 +++++++++++++++++-------------- cert/certificate.crt | 20 +++++++ cert/cmd/cert/main.go | 12 +++- cert/private_key.pem | 27 +++++++++ client/cmd/client/certificate.crt | 20 ------- client/cmd/client/private_key.pem | 27 --------- client/factory.go | 2 +- server/cmd/server/certificate.crt | 20 ------- server/cmd/server/main.go | 23 +------- server/cmd/server/private_key.pem | 27 --------- 10 files changed, 115 insertions(+), 159 deletions(-) create mode 100644 cert/certificate.crt create mode 100644 cert/private_key.pem delete mode 100644 client/cmd/client/certificate.crt delete mode 100644 client/cmd/client/private_key.pem delete mode 100644 server/cmd/server/certificate.crt delete mode 100644 server/cmd/server/private_key.pem diff --git a/cert/cert.go b/cert/cert.go index 9870ff5..bb28212 100644 --- a/cert/cert.go +++ b/cert/cert.go 
@@ -10,86 +10,96 @@ import ( "math/big" "os" "time" + + logger "github.com/multiversx/mx-chain-logger-go" ) -func GenerateCert() (*tls.Certificate, error) { +var log = logger.GetOrCreate("cert") + +type CertificateCfg struct { + CertCfg CertCfg + CertFileCfg CertFileCfg +} + +type CertCfg struct { + Organization string + DNSName string + Availability int64 +} + +type CertFileCfg struct { + OutFileCert string + OutFilePk string +} + +func GenerateCert(cfg CertCfg) ([]byte, *rsa.PrivateKey, error) { pk, err := rsa.GenerateKey(rand.Reader, 2048) if err != nil { - return nil, err + return nil, nil, err + } + + serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) + serialNumber, err := rand.Int(rand.Reader, serialNumberLimit) + if err != nil { + return nil, nil, err } template := &x509.Certificate{ - SerialNumber: big.NewInt(1), + SerialNumber: serialNumber, Subject: pkix.Name{ - Organization: []string{"MultiversX"}, - CommonName: "Username", // Will be checked by the server + Organization: []string{cfg.Organization}, + CommonName: cfg.Organization, }, + DNSNames: []string{cfg.DNSName}, NotBefore: time.Now(), - NotAfter: time.Now().Add(time.Hour), + NotAfter: time.Now().Add(time.Duration(cfg.Availability) * time.Hour), KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, - ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, + ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}, BasicConstraintsValid: true, } cert, err := x509.CreateCertificate(rand.Reader, template, template, pk.Public(), pk) if err != nil { - return nil, err + return nil, nil, err } - tlsCert := tls.Certificate{ - Certificate: [][]byte{cert}, - PrivateKey: pk, - } - - return &tlsCert, nil - - //conn, err := grpc.DialContext(ctx, net.JoinHostPort(addr, port), - // grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)), - //) + return cert, pk, nil } -func GenerateCertFile() error { - pk, err := rsa.GenerateKey(rand.Reader, 2048) 
+func GenerateCertFile(cfg CertificateCfg) error { + cert, pk, err := GenerateCert(cfg.CertCfg) if err != nil { return err } - template := &x509.Certificate{ - SerialNumber: big.NewInt(1), - Subject: pkix.Name{ - Organization: []string{"MultiversX"}, - CommonName: "MultiversX Bridge", // Will be checked by the server - }, - DNSNames: []string{"localhost"}, - NotBefore: time.Now(), - NotAfter: time.Now().Add(time.Hour), - KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, - ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}, - BasicConstraintsValid: true, + certOut, err := os.Create(cfg.CertFileCfg.OutFileCert) + if err != nil { + return err } + defer func() { + err = certOut.Close() + log.LogIfError(err) + }() - cert, err := x509.CreateCertificate(rand.Reader, template, template, pk.Public(), pk) + err = pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: cert}) if err != nil { return err } - certFile := "certificate.crt" - keyFile := "private_key.pem" - - certOut, err := os.Create(certFile) + keyOut, err := os.Create(cfg.CertFileCfg.OutFilePk) if err != nil { return err } - defer certOut.Close() - pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: cert}) + defer func() { + err = keyOut.Close() + log.LogIfError(err) + }() - keyOut, err := os.Create(keyFile) + privBytes := x509.MarshalPKCS1PrivateKey(pk) + err = pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: privBytes}) if err != nil { return err } - defer keyOut.Close() - privBytes := x509.MarshalPKCS1PrivateKey(pk) - pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: privBytes}) return nil } diff --git a/cert/certificate.crt b/cert/certificate.crt new file mode 100644 index 0000000..cede562 --- /dev/null +++ b/cert/certificate.crt 
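Review bot: The deferred closures `err = certOut.Close(); log.LogIfError(err)` assign to `err`, but `GenerateCertFile` has an unnamed result, so a `Close` failure is logged and then discarded and the caller still receives nil; either declare the result as `(err error)` so the assignment propagates (guarding it so a Close error does not overwrite an earlier one), or close each file explicitly before `return nil`. `CertCfg.Availability int64` is silently interpreted as hours at `time.Duration(cfg.Availability) * time.Hour`; naming the field `AvailabilityHours` or typing it as `time.Duration` removes the guess for callers. `CommonName: cfg.Organization` now sets the CN to the organization, which is fine for pool-based trust but deserves a comment, since the previous version claimed the CN was checked by the server.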
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDMzCCAhugAwIBAgIQZRWJbdDEYUsEetoVBpuWpTANBgkqhkiG9w0BAQsFADAq +MRMwEQYDVQQKEwpNdWx0aXZlcnNYMRMwEQYDVQQDEwpNdWx0aXZlcnNYMB4XDTIz +MTIxNTEzMDQxOFoXDTIzMTIxNTIzMDQxOFowKjETMBEGA1UEChMKTXVsdGl2ZXJz +WDETMBEGA1UEAxMKTXVsdGl2ZXJzWDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBAL9Me6/qYZSCYMrvEQaUOLPSa0x0UC2xzCo894wYEG4zf/oCnBvjEssg +prFbjqiIBKiIxgl4EjwHaOnSblhv0xWsdxiZHtQDzo2VwAts50mj8mqfEpGPkXKi +u2m2K2TdLytkrVnn2iIUij31uII25Bd72uVZWdJbQZPNRjgnVfEfx+1fuA7g0gA1 +YkN8Ao0NW8Jj3KxT/xZbZSXk/uc8XhXBQPqE8CNmgSg1t7ZDl9s0Ek3HxkHUjCqV +zHlhm6+FXE8QWSrGiFcW+WPqCdNvm7ySkeTOaJCR8Ii4mhlpm5o5+f8ZAnMp4u3H +68gWkqz132Lk4yFopbktziT4I8eqW4MCAwEAAaNVMFMwDgYDVR0PAQH/BAQDAgWg +MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMBQG +A1UdEQQNMAuCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQsFAAOCAQEAJHm8LUuV8mgr +gpgpJarNxUw0WQfyIdxsYC6yiLP3R69leb3DGpOwAHbeAjvq6cEtgAEHWb8pYXDL +f6zBbNbsnu70e2CZP/Dp4Rvob1Sl8QLlhDhftl4jKOhhXzUXRo5mogy3cAPSTCHz +UDeatEunvC3lKOGb2Og+8sbBfYAcnThVqF3efI8NPRnzsUMJKSzGNobIYFjDYrtm +zOHhx5gaAZ6GCNueA+CAEBue74I/JfdbiFjTU3Racwci0cUCXxjXNOI0MWmYi7J5 +93rYKsWvhPNcyJ3jEksorhfKAjW4s6zvPwOZv2m01TIJ6KTVqqPRCAtiVm2mWXyW +vc6vRcBWBg== +-----END CERTIFICATE----- diff --git a/cert/cmd/cert/main.go b/cert/cmd/cert/main.go index ecc9a94..25d49fc 100644 --- a/cert/cmd/cert/main.go +++ b/cert/cmd/cert/main.go @@ -7,6 +7,16 @@ import ( ) func main() { - err := cert.GenerateCertFile() + err := cert.GenerateCertFile(cert.CertificateCfg{ + CertCfg: cert.CertCfg{ + Organization: "MultiversX", + DNSName: "localhost", + Availability: 10, + }, + CertFileCfg: cert.CertFileCfg{ + OutFileCert: "certificate.crt", + OutFilePk: "private_key.pem", + }, + }) fmt.Println(err) } diff --git a/cert/private_key.pem b/cert/private_key.pem new file mode 100644 index 0000000..1db5540 --- /dev/null +++ b/cert/private_key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAv0x7r+phlIJgyu8RBpQ4s9JrTHRQLbHMKjz3jBgQbjN/+gKc +G+MSyyCmsVuOqIgEqIjGCXgSPAdo6dJuWG/TFax3GJke1APOjZXAC2znSaPyap8S +kY+RcqK7abYrZN0vK2StWefaIhSKPfW4gjbkF3va5VlZ0ltBk81GOCdV8R/H7V+4 +DuDSADViQ3wCjQ1bwmPcrFP/FltlJeT+5zxeFcFA+oTwI2aBKDW3tkOX2zQSTcfG +QdSMKpXMeWGbr4VcTxBZKsaIVxb5Y+oJ02+bvJKR5M5okJHwiLiaGWmbmjn5/xkC +cyni7cfryBaSrPXfYuTjIWiluS3OJPgjx6pbgwIDAQABAoIBACYhUZob5r1aS37H +riYYj0DQlVCU8pJZGS/mHRWQil3c6ApmUMWCOnHAnVlGvaW8Dumk8YxboY7Tj0bk +CdiY2YM9cDO3+Zwa8iXojnH4kBVul1hHQsU+z6gA5chJZlbhe5BzrdX4z9LxMyjs +fI1/8XD44AXNDIlQZT7XsMJqnMfFzJ1Lw659iOTe+QqgKPJXFiDYtisEZG71rfjA +9awmvX39jejzcyiUkNlv4wyRyuiX0xr24FOcXuHk0DNwkdDHLaFqWzF9IpXUOJqu +JQNMroSnhaPd0P2MvQOH4HtcLlYkoCamn9IYD9AD3PM8I4mmwaLgQJX68+ifhDEr +Iue6lxkCgYEA03vWxpW0EkkVTdm8jUqmUSkChxDyG1Prftg1RoDnXp6dN+//9spB +bmQM1f8LDn66dWEO6XXcgPh+aCGQSySs3wvOYJN5amBRFwqkpbXjpgsCIp1qm1g9 +uYKzm0CH8UaDnjdoE+vhAjKQwHZdGcj3nZCVtI9gn+dzaEtOW6wpgU0CgYEA55Dx +KY5Q6wR6he3AaDeklmNkh0qhYFAzt7FICsPhsbVchExmDBovGUXDFWePjxh/Q09q +J2Tum5VqqMCb7S1Tyak+FC/mNcF92wBr8e7BF3kLcP7t9zW/V6/fLCHKSqqCeoXZ +NvI1xbR//lxsQ1/XtBnNdUXnnGTWRNW8wB1G6A8CgYEAsi6H0b81/aYHxhTq0RyR +LpZf4866PZ4iLzgZAvL+fXEkQ4n5XkQghtLTIcYF2cuaa+U/vCGqjBtR3YhR243l +/PMkiagXRzIpgEFeYaPzTuW9gc6hkIrzToa5rtfa8cUYhchm70nwxXo3DYFshZoW +TnIQQBYBMhi+2qOAPKq8OY0CgYBubLvT6T3FFLmorBuYlxAxduw1Z+1UlGpVKoEE +QSybJbUckaIIG2RiVNYWmu/mePQXEQO6DXOLVdEq785rZ7YQ8FfeIIlTERYHHUhc +clI580r1c1vfCw5XrlJqJSLmQDFAZBuVDCOAR/bRQRmPd2DRTYygY9lyxtM2uAXu +RwfNGQKBgQCC8TVhfhu5dtFZqyTewN0YIIG1fuZBhXvKkWinSlmSsM6XO9oqE9p9 +bGqv6IFvsyI2NbM5omETfAvaedbnjG7TL8NszGv+3u98dn8vZMZdgvXAsnqzf/tO +79TMMpzTuZATHX7qlUMXRTSGEinVCKXvGJXudvfDZwqooq9DkV1NWw== +-----END RSA PRIVATE KEY----- diff --git a/client/cmd/client/certificate.crt b/client/cmd/client/certificate.crt deleted file mode 100644 index e023772..0000000 --- a/client/cmd/client/certificate.crt +++ /dev/null 
@@ -1,20 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDMjCCAhqgAwIBAgIBATANBgkqhkiG9w0BAQsFADAxMRMwEQYDVQQKEwpNdWx0 -aXZlcnNYMRowGAYDVQQDExFNdWx0aXZlcnNYIEJyaWRnZTAeFw0yMzEyMTUxMDQ3 -MDJaFw0yMzEyMTUxMTQ3MDJaMDExEzARBgNVBAoTCk11bHRpdmVyc1gxGjAYBgNV -BAMTEU11bHRpdmVyc1ggQnJpZGdlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB -CgKCAQEAwfhRKyHh3ozOm86A1n3njv8/Ju4shZ0DM+PAciPuyKFe9Z3bWcPqHZTe -RNt4sESUMWS+1LZZ23g5etDrLDH9obRXMtsKvQWP9eh5YQldz86qUebmXtw6gFNo -6lcjq4sced6wjO0su0Hzxy274S1/8SPuTeUPslpP1JNncn03UWis3SvURF6N0wHj -LKJNU20M1EhP8OCCciNq59bn3pBlkhFHVru0BOxHzgT79ZYVG/PSF2FfuqDyfp53 -dg6ZHdlQqVcwRYrEn2pBw3EZ1MO8sqSULTszDev3tZeqa+9x5hrLo/Ch0hLp/h1f -BFAPjbAETdlp77Ne/tUReEPFhCeK8wIDAQABo1UwUzAOBgNVHQ8BAf8EBAMCBaAw -HQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwFAYD -VR0RBA0wC4IJbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IBAQAoYxPvJQwn5QwU -I8Fr+rHP16R8DM1Hi7H9WV30RshSimhJ2IolKqI9oWvsLJ0loGOYwD3UgXlKMinI -1U44MSraqGj5XP0/Pg87/we72GAnYjrDAYc3e5lq08o70UDM6jVKFN6Ctqzt5CDZ -eSrNXEVgXf4scDP804lUy6lHOtwTDxQWh+AbtH7TuqoYQc8ZA8FeVIolDh8/ozyo -nFN55dwTisghWSg+2VjNihJxoqgm7m0l8i2tpURpXxlmhSlAnwkijIH8BiEcqqvL -kFjJYePcA89Xjfru3xR5dTFHP8y/prHBPR1N8BV0QWdrrirGm7lCmjpilK3YGdBu -VE+39f0l ------END CERTIFICATE----- diff --git a/client/cmd/client/private_key.pem b/client/cmd/client/private_key.pem deleted file mode 100644 index d4df8a1..0000000 --- a/client/cmd/client/private_key.pem +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpgIBAAKCAQEAwfhRKyHh3ozOm86A1n3njv8/Ju4shZ0DM+PAciPuyKFe9Z3b -WcPqHZTeRNt4sESUMWS+1LZZ23g5etDrLDH9obRXMtsKvQWP9eh5YQldz86qUebm -Xtw6gFNo6lcjq4sced6wjO0su0Hzxy274S1/8SPuTeUPslpP1JNncn03UWis3SvU -RF6N0wHjLKJNU20M1EhP8OCCciNq59bn3pBlkhFHVru0BOxHzgT79ZYVG/PSF2Ff -uqDyfp53dg6ZHdlQqVcwRYrEn2pBw3EZ1MO8sqSULTszDev3tZeqa+9x5hrLo/Ch -0hLp/h1fBFAPjbAETdlp77Ne/tUReEPFhCeK8wIDAQABAoIBAQCpCNTzWZuUbfC/ -Jr5wLVhV7WoDaxuxdJsN5TQYQ+gbP0WZle9J0sl67fik2P3b3memg70pcZ/s+mBc -/yNyaD43ZQl4cBpzjx1dlzHvtlHifp8+sJGhqRnyKr4LOdUD8T7nlYEVzrpklZzz -vo80NIqCgmVxzGRZcQqQncRQqX5DmgWKHH+wTh+2jVAT4EuANsp1Gv94Te2kWyoa -TwPVbHjCclOl+07BR7+8h961Rq6AJKTd1NKA1+dkELgjBJEe+jG1tg7rZPgk0pDU -Yn3EzAKbW0/aUMQhEvLqzCsi+qYiafGo5Q9/yDJYshwsANheR7gai/yQZXOF7Z6M -0K/9UdSBAoGBAMVcW/g8oOW4g+GsokT0W/zfR7WcnNhRt+4GiyiomMFWl4vhty3n -1wl35TtivU/8B9X/ZiBEg3FrR1eOeNEQ1eti3imteRgVEQGge7fiRlNFmr9s0ds9 -dX+ij/iCEkMM9cqosAE6TLQsQMsJ8ZjSpVp8gNTWwfk4zL1831klB+E5AoGBAPua -DD0UexDT5gEQedBbU7aBnkq04ZACwrRm1MYcnQh2zxYJVjC2PrptLvEtBJK/X9Lq -gRLTsojgBmwWynC3pzK2yQsIuMNEaSWRyPF1p8zd5auhrWANwCRjgKhqJJLx4xym -8+wgeLVnRIM0S5UJJJjPbVlWCczapYPzb1bB30mLAoGBAJlmV0nT/g9v4nn3T80e -zZz4A2nCyBpPMhI9Xc6FdO3Zm0MrdtCkgfynBzKoZZMUxxZrQ/rSpgPzKWmBoKCH -YG5r01g7sIKqZSSJk3/yzUyOLmCZeWfaFkjVlufGWeFp4mXZxau+n73vI5FtMi7h -k4qIeS51miFXJ7QkqglFAiHpAoGBALofVkhk+zkSmAZXitVwiffr4Q5Ays/+yswr -eeFoT15wjXcuxvzYBIViuaQd+lEYkyly4rLruhn5J6cUIQPLSDuC7ixkclG5LNNn -CjBdKhmqWPlja98vrOD+XrG3e4DcwXZzpuQZjVIcp5kruXHxxonogGri8/MAGAsJ -rWaPmr9LAoGBAMOoR8EHuwidMoMbifhWoh6/v8uCO5iKWndPLQkhHmCIx2l1G4e0 -Em1CQ7LmML3pJwxIg+wB+4KOItg7fGP23C6wlWNeF29N8/tKWICQhB4L0jq3FHNU -rA4MWxOAl+mVmDt0h6rlSh0fDJsDsW4XC46nY+dK0sa5o/Wu1tYGMKc0 ------END RSA PRIVATE KEY----- diff --git a/client/factory.go b/client/factory.go index 7802f44..b68e69a 100644 --- a/client/factory.go +++ b/client/factory.go 
@@ -36,7 +36,7 @@ func CreateClient(cfg *config.ClientConfig) (ClientHandler, error) { func connectWithRetrials(host string) (GRPCConn, error) { //credentials := insecure.NewCredentials() //opts := grpc.WithTransportCredentials(credentials) - certt, err := cert.LoadCertificate("certificate.crt", "private_key.pem") + certt, err := cert.LoadCertificate("../../../cert/certificate.crt", "../../../cert/private_key.pem") if err != nil { return nil, err } diff --git a/server/cmd/server/certificate.crt b/server/cmd/server/certificate.crt deleted file mode 100644 index e023772..0000000 --- a/server/cmd/server/certificate.crt +++ /dev/null @@ -1,20 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDMjCCAhqgAwIBAgIBATANBgkqhkiG9w0BAQsFADAxMRMwEQYDVQQKEwpNdWx0 -aXZlcnNYMRowGAYDVQQDExFNdWx0aXZlcnNYIEJyaWRnZTAeFw0yMzEyMTUxMDQ3 -MDJaFw0yMzEyMTUxMTQ3MDJaMDExEzARBgNVBAoTCk11bHRpdmVyc1gxGjAYBgNV -BAMTEU11bHRpdmVyc1ggQnJpZGdlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB -CgKCAQEAwfhRKyHh3ozOm86A1n3njv8/Ju4shZ0DM+PAciPuyKFe9Z3bWcPqHZTe -RNt4sESUMWS+1LZZ23g5etDrLDH9obRXMtsKvQWP9eh5YQldz86qUebmXtw6gFNo -6lcjq4sced6wjO0su0Hzxy274S1/8SPuTeUPslpP1JNncn03UWis3SvURF6N0wHj -LKJNU20M1EhP8OCCciNq59bn3pBlkhFHVru0BOxHzgT79ZYVG/PSF2FfuqDyfp53 -dg6ZHdlQqVcwRYrEn2pBw3EZ1MO8sqSULTszDev3tZeqa+9x5hrLo/Ch0hLp/h1f -BFAPjbAETdlp77Ne/tUReEPFhCeK8wIDAQABo1UwUzAOBgNVHQ8BAf8EBAMCBaAw -HQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwFAYD -VR0RBA0wC4IJbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IBAQAoYxPvJQwn5QwU -I8Fr+rHP16R8DM1Hi7H9WV30RshSimhJ2IolKqI9oWvsLJ0loGOYwD3UgXlKMinI -1U44MSraqGj5XP0/Pg87/we72GAnYjrDAYc3e5lq08o70UDM6jVKFN6Ctqzt5CDZ -eSrNXEVgXf4scDP804lUy6lHOtwTDxQWh+AbtH7TuqoYQc8ZA8FeVIolDh8/ozyo -nFN55dwTisghWSg+2VjNihJxoqgm7m0l8i2tpURpXxlmhSlAnwkijIH8BiEcqqvL -kFjJYePcA89Xjfru3xR5dTFHP8y/prHBPR1N8BV0QWdrrirGm7lCmjpilK3YGdBu -VE+39f0l ------END CERTIFICATE----- diff --git a/server/cmd/server/main.go b/server/cmd/server/main.go index 3ab7a09..dd8f7e3 100644 --- a/server/cmd/server/main.go 
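Review bot: The certificate paths are now `"../../../cert/certificate.crt"` and `"../../../cert/private_key.pem"`, resolved against the process working directory, so the client only starts when launched from exactly `client/cmd/client` and fails from anywhere else; `startServer` in the `server/cmd/server/main.go` hunk of this patch has the same literals. These belong in `config.ClientConfig` (and the server's config) as configurable file paths, threaded through `connectWithRetrials`'s parameters, with the `CertFileCfg` type introduced in this patch as the natural carrier, e.g. `cert.LoadCertificate(cfg.OutFileCert, cfg.OutFilePk)`. `connectWithRetrials` continues outside the hunk.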
+++ b/server/cmd/server/main.go @@ -78,25 +78,7 @@ func startServer(ctx *cli.Context) error { return err } - certCfg, err := cert.GenerateCert() - if err != nil { - return err - } - - CertPool := x509.NewCertPool() - - //certLeaf, err := x509.ParseCertificate(certCfg.Certificate[0]) - //if err != nil { - // return err - //} - - tlsConfig := &tls.Config{ - Certificates: []tls.Certificate{*certCfg}, - ClientCAs: CertPool, - ClientAuth: tls.RequireAndVerifyClientCert, - } - - certt, err := cert.LoadCertificate("certificate.crt", "private_key.pem") + certt, err := cert.LoadCertificate("../../../cert/certificate.crt", "../../../cert/private_key.pem") if err != nil { return err } @@ -104,8 +86,9 @@ func startServer(ctx *cli.Context) error { if err != nil { return err } + CertPool := x509.NewCertPool() CertPool.AddCert(certLeaf) - tlsConfig = &tls.Config{ + tlsConfig := &tls.Config{ Certificates: []tls.Certificate{certt}, ClientCAs: CertPool, ClientAuth: tls.RequireAndVerifyClientCert, diff --git a/server/cmd/server/private_key.pem b/server/cmd/server/private_key.pem deleted file mode 100644 index d4df8a1..0000000 --- a/server/cmd/server/private_key.pem +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpgIBAAKCAQEAwfhRKyHh3ozOm86A1n3njv8/Ju4shZ0DM+PAciPuyKFe9Z3b -WcPqHZTeRNt4sESUMWS+1LZZ23g5etDrLDH9obRXMtsKvQWP9eh5YQldz86qUebm -Xtw6gFNo6lcjq4sced6wjO0su0Hzxy274S1/8SPuTeUPslpP1JNncn03UWis3SvU -RF6N0wHjLKJNU20M1EhP8OCCciNq59bn3pBlkhFHVru0BOxHzgT79ZYVG/PSF2Ff -uqDyfp53dg6ZHdlQqVcwRYrEn2pBw3EZ1MO8sqSULTszDev3tZeqa+9x5hrLo/Ch -0hLp/h1fBFAPjbAETdlp77Ne/tUReEPFhCeK8wIDAQABAoIBAQCpCNTzWZuUbfC/ -Jr5wLVhV7WoDaxuxdJsN5TQYQ+gbP0WZle9J0sl67fik2P3b3memg70pcZ/s+mBc -/yNyaD43ZQl4cBpzjx1dlzHvtlHifp8+sJGhqRnyKr4LOdUD8T7nlYEVzrpklZzz -vo80NIqCgmVxzGRZcQqQncRQqX5DmgWKHH+wTh+2jVAT4EuANsp1Gv94Te2kWyoa -TwPVbHjCclOl+07BR7+8h961Rq6AJKTd1NKA1+dkELgjBJEe+jG1tg7rZPgk0pDU -Yn3EzAKbW0/aUMQhEvLqzCsi+qYiafGo5Q9/yDJYshwsANheR7gai/yQZXOF7Z6M -0K/9UdSBAoGBAMVcW/g8oOW4g+GsokT0W/zfR7WcnNhRt+4GiyiomMFWl4vhty3n -1wl35TtivU/8B9X/ZiBEg3FrR1eOeNEQ1eti3imteRgVEQGge7fiRlNFmr9s0ds9 -dX+ij/iCEkMM9cqosAE6TLQsQMsJ8ZjSpVp8gNTWwfk4zL1831klB+E5AoGBAPua -DD0UexDT5gEQedBbU7aBnkq04ZACwrRm1MYcnQh2zxYJVjC2PrptLvEtBJK/X9Lq -gRLTsojgBmwWynC3pzK2yQsIuMNEaSWRyPF1p8zd5auhrWANwCRjgKhqJJLx4xym -8+wgeLVnRIM0S5UJJJjPbVlWCczapYPzb1bB30mLAoGBAJlmV0nT/g9v4nn3T80e -zZz4A2nCyBpPMhI9Xc6FdO3Zm0MrdtCkgfynBzKoZZMUxxZrQ/rSpgPzKWmBoKCH -YG5r01g7sIKqZSSJk3/yzUyOLmCZeWfaFkjVlufGWeFp4mXZxau+n73vI5FtMi7h -k4qIeS51miFXJ7QkqglFAiHpAoGBALofVkhk+zkSmAZXitVwiffr4Q5Ays/+yswr -eeFoT15wjXcuxvzYBIViuaQd+lEYkyly4rLruhn5J6cUIQPLSDuC7ixkclG5LNNn -CjBdKhmqWPlja98vrOD+XrG3e4DcwXZzpuQZjVIcp5kruXHxxonogGri8/MAGAsJ -rWaPmr9LAoGBAMOoR8EHuwidMoMbifhWoh6/v8uCO5iKWndPLQkhHmCIx2l1G4e0 -Em1CQ7LmML3pJwxIg+wB+4KOItg7fGP23C6wlWNeF29N8/tKWICQhB4L0jq3FHNU -rA4MWxOAl+mVmDt0h6rlSh0fDJsDsW4XC46nY+dK0sa5o/Wu1tYGMKc0 ------END RSA PRIVATE KEY----- From 5bd0eebf120bc32ba5f1a5f3d5aaf53682ba5e65 Mon Sep 17 00:00:00 2001 
From: Marius C Date: Mon, 18 Dec 2023 14:42:29 +0200 Subject: [PATCH 3/9] FEAT: Load cert tls config --- cert/cert.go | 59 ++++++++++++++++++++++++++++++++------- cert/certificate.crt | 36 ++++++++++++------------ cert/cmd/cert/main.go | 4 +-- cert/private_key.pem | 50 ++++++++++++++++----------------- client/factory.go | 25 ++++------------- server/cmd/server/main.go | 19 ++++--------- 6 files changed, 104 insertions(+), 89 deletions(-) diff --git a/cert/cert.go b/cert/cert.go index bb28212..bd06b07 100644 --- a/cert/cert.go +++ b/cert/cert.go @@ -28,8 +28,8 @@ type CertCfg struct { } type CertFileCfg struct { - OutFileCert string - OutFilePk string + CertFile string + PkFile string } func GenerateCert(cfg CertCfg) ([]byte, *rsa.PrivateKey, error) { @@ -72,7 +72,7 @@ func GenerateCertFile(cfg CertificateCfg) error { return err } - certOut, err := os.Create(cfg.CertFileCfg.OutFileCert) + certOut, err := os.Create(cfg.CertFileCfg.CertFile) if err != nil { return err } @@ -86,7 +86,7 @@ func GenerateCertFile(cfg CertificateCfg) error { return err } - keyOut, err := os.Create(cfg.CertFileCfg.OutFilePk) + keyOut, err := os.Create(cfg.CertFileCfg.PkFile) if err != nil { return err } @@ -95,8 +95,8 @@ func GenerateCertFile(cfg CertificateCfg) error { log.LogIfError(err) }() - privBytes := x509.MarshalPKCS1PrivateKey(pk) - err = pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: privBytes}) + pkBytes := x509.MarshalPKCS1PrivateKey(pk) + err = pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: pkBytes}) if err != nil { return err } 
@@ -104,10 +104,49 @@ func GenerateCertFile(cfg CertificateCfg) error {
 return nil
 }
 
-func LoadCertificate(certFile, keyFile string) (tls.Certificate, error) {
- cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+func CreateTLSServerConfig(cfg CertFileCfg) (*tls.Config, error) {
+ cert, err := tls.LoadX509KeyPair(cfg.CertFile, cfg.PkFile)
 if err != nil {
- return tls.Certificate{}, err
+ return nil, err
 }
- return cert, nil
+
+ certPool, err := createCertPool(cert)
+ if err != nil {
+ return nil, err
+ }
+
+ return &tls.Config{
+ Certificates: []tls.Certificate{cert},
+ ClientCAs: certPool,
+ ClientAuth: tls.RequireAndVerifyClientCert,
+ }, nil
+}
+
+func CreateTLSClientConfig(cfg CertFileCfg) (*tls.Config, error) {
+ cert, err := tls.LoadX509KeyPair(cfg.CertFile, cfg.PkFile)
+ if err != nil {
+ return nil, err
+ }
+
+ certPool, err := createCertPool(cert)
+ if err != nil {
+ return nil, err
+ }
+
+ return &tls.Config{
+ Certificates: []tls.Certificate{cert},
+ RootCAs: certPool,
+ }, nil
+}
+
+func createCertPool(cert tls.Certificate) (*x509.CertPool, error) {
+ certLeaf, err := x509.ParseCertificate(cert.Certificate[0])
+ if err != nil {
+ return nil, err
+ }
+
+ certPool := x509.NewCertPool()
+ certPool.AddCert(certLeaf)
+
+ return certPool, nil
 }
diff --git a/cert/certificate.crt b/cert/certificate.crt
index cede562..24bfd16 100644
--- a/cert/certificate.crt
+++ b/cert/certificate.crt
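Review bot: `CreateTLSServerConfig` installs as `ClientCAs` a pool holding only the leaf certificate loaded from `cfg.CertFile`, and `CreateTLSClientConfig` does the same for `RootCAs`, so with one `certificate.crt`/`private_key.pem` pair shared by the server and every client (which the `.env` comments added in patch 4 instruct operators to do) a single private key is at once the trust anchor, the server identity and every client identity. Whoever holds that key can pose as the server to clients and as a client to the server, the server cannot tell clients apart for logging or access decisions, and a compromised client cannot be revoked without reissuing the pair to everyone. If a pinned shared pair is the intended model, say so in the doc comments; otherwise generate a CA key that signs distinct server and client certificates and put only the CA certificate into `ClientCAs`/`RootCAs`. Neither config sets `MinVersion`; adding `MinVersion: tls.VersionTLS12` costs nothing even if the gRPC credentials layer applies its own default, which I have not verified here.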
@@ -1,20 +1,20 @@ -----BEGIN CERTIFICATE----- -MIIDMzCCAhugAwIBAgIQZRWJbdDEYUsEetoVBpuWpTANBgkqhkiG9w0BAQsFADAq -MRMwEQYDVQQKEwpNdWx0aXZlcnNYMRMwEQYDVQQDEwpNdWx0aXZlcnNYMB4XDTIz -MTIxNTEzMDQxOFoXDTIzMTIxNTIzMDQxOFowKjETMBEGA1UEChMKTXVsdGl2ZXJz -WDETMBEGA1UEAxMKTXVsdGl2ZXJzWDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC -AQoCggEBAL9Me6/qYZSCYMrvEQaUOLPSa0x0UC2xzCo894wYEG4zf/oCnBvjEssg -prFbjqiIBKiIxgl4EjwHaOnSblhv0xWsdxiZHtQDzo2VwAts50mj8mqfEpGPkXKi -u2m2K2TdLytkrVnn2iIUij31uII25Bd72uVZWdJbQZPNRjgnVfEfx+1fuA7g0gA1 -YkN8Ao0NW8Jj3KxT/xZbZSXk/uc8XhXBQPqE8CNmgSg1t7ZDl9s0Ek3HxkHUjCqV -zHlhm6+FXE8QWSrGiFcW+WPqCdNvm7ySkeTOaJCR8Ii4mhlpm5o5+f8ZAnMp4u3H -68gWkqz132Lk4yFopbktziT4I8eqW4MCAwEAAaNVMFMwDgYDVR0PAQH/BAQDAgWg -MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMBQG -A1UdEQQNMAuCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQsFAAOCAQEAJHm8LUuV8mgr -gpgpJarNxUw0WQfyIdxsYC6yiLP3R69leb3DGpOwAHbeAjvq6cEtgAEHWb8pYXDL -f6zBbNbsnu70e2CZP/Dp4Rvob1Sl8QLlhDhftl4jKOhhXzUXRo5mogy3cAPSTCHz -UDeatEunvC3lKOGb2Og+8sbBfYAcnThVqF3efI8NPRnzsUMJKSzGNobIYFjDYrtm -zOHhx5gaAZ6GCNueA+CAEBue74I/JfdbiFjTU3Racwci0cUCXxjXNOI0MWmYi7J5 -93rYKsWvhPNcyJ3jEksorhfKAjW4s6zvPwOZv2m01TIJ6KTVqqPRCAtiVm2mWXyW -vc6vRcBWBg== +MIIDNDCCAhygAwIBAgIRAIFIZEV8mjs90HatkH2Hb/QwDQYJKoZIhvcNAQELBQAw +KjETMBEGA1UEChMKTXVsdGl2ZXJzWDETMBEGA1UEAxMKTXVsdGl2ZXJzWDAeFw0y +MzEyMTgxMjQwNDlaFw0yMzEyMTgyMjQwNDlaMCoxEzARBgNVBAoTCk11bHRpdmVy +c1gxEzARBgNVBAMTCk11bHRpdmVyc1gwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQDAIokkHY6H3ySF32VaRRM/2ddcA4vhnWYlNpDygRKZv2LB7tevbsPX +PwRyqKQq+rGdkXMGSnF43OE9rfff6ABgH6oXlI/97fXIJWhOzt+tJutKvZjaXz8U +lEPIudXt5o3NyGbHz6a9kEc+NSfA7SfuwAWR1g9lcFzqv3haN1IG+1vwtc+MRpvx +cokiqqEUSjSjUENtuZvS7dhVUK2bd7IzDsiYrngwY9JTx3KF/zXzIRWwZZV8aMBt +o2tf4e7IYuasAcxslLCtLOHO4OxEiNulCz93cziRGQlFW3kKu8VpRtByH5kjXawV +WbxWaGtXIGiV3B8qubawsOP4xjA+4PTpAgMBAAGjVTBTMA4GA1UdDwEB/wQEAwIF +oDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAU +BgNVHREEDTALgglsb2NhbGhvc3QwDQYJKoZIhvcNAQELBQADggEBAACE8mAMu+Oq 
+zZ7KkuKV99p8rJz3x+BnLPph9A7N5Q9bPXfgxmur39hmq2FnnlcomasSKYBi/Qg5 +FK1i51CsxqNZ4RI61sGm/XJRDXAiEJZWTCchwcp1atARbH7IOkPXbaNNakC2GaMR +VQGNydkK0jnoNTU/ZZkx0w40kq85okEmOW5rWLxMM4TGR70GgNOBBzD1UY6FsNj0 +zNfLohtFspgQUc6mLloproWgyyI9O53xz2yB52RRA0VldUfBbyt1xbGoTiJ0W1sx +b6kqUnt+n3QVx7yFR1TbiuqKJuK8Py+Ir9z79bYj0iskoEiyCZPamlLhnAbVf3Hb +a2KTY1kp2qc= -----END CERTIFICATE----- diff --git a/cert/cmd/cert/main.go b/cert/cmd/cert/main.go index 25d49fc..f786ffa 100644 --- a/cert/cmd/cert/main.go +++ b/cert/cmd/cert/main.go @@ -14,8 +14,8 @@ func main() { Availability: 10, }, CertFileCfg: cert.CertFileCfg{ - OutFileCert: "certificate.crt", - OutFilePk: "private_key.pem", + CertFile: "certificate.crt", + PkFile: "private_key.pem", }, }) fmt.Println(err) diff --git a/cert/private_key.pem b/cert/private_key.pem index 1db5540..867cbb9 100644 --- a/cert/private_key.pem +++ b/cert/private_key.pem 
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAv0x7r+phlIJgyu8RBpQ4s9JrTHRQLbHMKjz3jBgQbjN/+gKc -G+MSyyCmsVuOqIgEqIjGCXgSPAdo6dJuWG/TFax3GJke1APOjZXAC2znSaPyap8S -kY+RcqK7abYrZN0vK2StWefaIhSKPfW4gjbkF3va5VlZ0ltBk81GOCdV8R/H7V+4 -DuDSADViQ3wCjQ1bwmPcrFP/FltlJeT+5zxeFcFA+oTwI2aBKDW3tkOX2zQSTcfG -QdSMKpXMeWGbr4VcTxBZKsaIVxb5Y+oJ02+bvJKR5M5okJHwiLiaGWmbmjn5/xkC -cyni7cfryBaSrPXfYuTjIWiluS3OJPgjx6pbgwIDAQABAoIBACYhUZob5r1aS37H -riYYj0DQlVCU8pJZGS/mHRWQil3c6ApmUMWCOnHAnVlGvaW8Dumk8YxboY7Tj0bk -CdiY2YM9cDO3+Zwa8iXojnH4kBVul1hHQsU+z6gA5chJZlbhe5BzrdX4z9LxMyjs -fI1/8XD44AXNDIlQZT7XsMJqnMfFzJ1Lw659iOTe+QqgKPJXFiDYtisEZG71rfjA -9awmvX39jejzcyiUkNlv4wyRyuiX0xr24FOcXuHk0DNwkdDHLaFqWzF9IpXUOJqu -JQNMroSnhaPd0P2MvQOH4HtcLlYkoCamn9IYD9AD3PM8I4mmwaLgQJX68+ifhDEr -Iue6lxkCgYEA03vWxpW0EkkVTdm8jUqmUSkChxDyG1Prftg1RoDnXp6dN+//9spB -bmQM1f8LDn66dWEO6XXcgPh+aCGQSySs3wvOYJN5amBRFwqkpbXjpgsCIp1qm1g9 -uYKzm0CH8UaDnjdoE+vhAjKQwHZdGcj3nZCVtI9gn+dzaEtOW6wpgU0CgYEA55Dx -KY5Q6wR6he3AaDeklmNkh0qhYFAzt7FICsPhsbVchExmDBovGUXDFWePjxh/Q09q -J2Tum5VqqMCb7S1Tyak+FC/mNcF92wBr8e7BF3kLcP7t9zW/V6/fLCHKSqqCeoXZ -NvI1xbR//lxsQ1/XtBnNdUXnnGTWRNW8wB1G6A8CgYEAsi6H0b81/aYHxhTq0RyR -LpZf4866PZ4iLzgZAvL+fXEkQ4n5XkQghtLTIcYF2cuaa+U/vCGqjBtR3YhR243l -/PMkiagXRzIpgEFeYaPzTuW9gc6hkIrzToa5rtfa8cUYhchm70nwxXo3DYFshZoW -TnIQQBYBMhi+2qOAPKq8OY0CgYBubLvT6T3FFLmorBuYlxAxduw1Z+1UlGpVKoEE -QSybJbUckaIIG2RiVNYWmu/mePQXEQO6DXOLVdEq785rZ7YQ8FfeIIlTERYHHUhc -clI580r1c1vfCw5XrlJqJSLmQDFAZBuVDCOAR/bRQRmPd2DRTYygY9lyxtM2uAXu -RwfNGQKBgQCC8TVhfhu5dtFZqyTewN0YIIG1fuZBhXvKkWinSlmSsM6XO9oqE9p9 -bGqv6IFvsyI2NbM5omETfAvaedbnjG7TL8NszGv+3u98dn8vZMZdgvXAsnqzf/tO -79TMMpzTuZATHX7qlUMXRTSGEinVCKXvGJXudvfDZwqooq9DkV1NWw== +MIIEpQIBAAKCAQEAwCKJJB2Oh98khd9lWkUTP9nXXAOL4Z1mJTaQ8oESmb9iwe7X +r27D1z8EcqikKvqxnZFzBkpxeNzhPa333+gAYB+qF5SP/e31yCVoTs7frSbrSr2Y +2l8/FJRDyLnV7eaNzchmx8+mvZBHPjUnwO0n7sAFkdYPZXBc6r94WjdSBvtb8LXP +jEab8XKJIqqhFEo0o1BDbbmb0u3YVVCtm3eyMw7ImK54MGPSU8dyhf818yEVsGWV 
+fGjAbaNrX+HuyGLmrAHMbJSwrSzhzuDsRIjbpQs/d3M4kRkJRVt5CrvFaUbQch+Z +I12sFVm8VmhrVyBoldwfKrm2sLDj+MYwPuD06QIDAQABAoIBAQCJZmkylZx/GBmT +Tw24/1rjt5JmL/cRsjEA/cOsWJeHsbEbRQWjZI/S1zMEGAvG3J62MvTSE9yP9U1y +gX2Y9t2F4D8QO+K5UjoJFo9AhHq65fEv8uRjjeebfOf4nMUbK1xPRDgUPjBcsdfw +6axzMGX1PAb/othBz5fzHFgiFBup90pfu6oWTSaIxY5nM3FsJ+Kp+5YQTMAkT/12 +9bUvuadk9lhU3LAvRRGP4mtFevIJ7u7I5vurcR/8NxIqEAxmywPHw9Pa2fgI3iuX +9tG+prcVM2EjEXWaUZ2k56MLFmV2jCLSoRfvVQaOjcCSqvW8cw/5fpKwI50AemKF +8WZ2a0PxAoGBAPbw66XdydUWdNAVWjwDp+Grsa453VUvgwjcoXi+5lFKudE7EWTM +TRTlzc+4vHo3u5TAV7qTkBEbESxfZUcSq3eVeljskb9itSK2vnyvY8kDKSkcPlNQ +pUuXPaa5C13Odbk30LLRWyhTMO9Ho6hojeI01ayBc/Y6r5dl8hwBVOmVAoGBAMcu +6vyO2UJhKQVy1igkHF+6U3XEksHDT4h5IaEVRcTrE0wckZ2bvhJpagxrtBP1jatT +Zy/1zdWfQXZr24bT7nf1vcO54TPnc8BDMPj47rPtlQjmeCNG6avkZLukKrlCrgmP +/WC0ns03n6uOKX/zjhe7eMtBWemJZN2DUkyDf5EFAoGBAOcpLh6N2NMte1oSsu59 +KZm6JNEIf+WvXUVda5Zhda7hecKgPa8TBJEschYiQ+VQ6LrdtwIEApfQs6nK/z6h +/nsqJWa6xdDXsOJ3GSgU8x8HY2+Fbd6GHsX9JQw+KqK8kz04P5g1HNVJ0wQbFtue +TDtV5DPg1tHHq/nYx+RpZrhlAoGAdIJ2Q9tPLGvm8d/1cy+ERV6ZOTcN3Tdgy2SH +jlECKaiT9h5z8uxJ5z0wIinSASbOgpvbrQssJrvsL9fxZlGLmTHumZGeMJ0/cQQc +nlYGUsszNSySs5fkUX7ciYIC17EwWjmWrb2ZclMKG/ChR83wnOM1Sjdk351Vmdka +B9WXhf0CgYEAwNZBP+iDCYnq47ICv3GM4PCnU1Pc/tPDMKlUqWCUl8Sp/UdiNJoM +7cvG6wct4+HG9UQfjhFJegLuNL9uchK+Vnu04nbbkgQCH78ORwf2Y+VPkWOjt7r0 +86xfx+m5YNOP0Wqrm5tBqnDZpZSL5YTYVhpTKJve2BGcjOydqdKZbe4= -----END RSA PRIVATE KEY----- diff --git a/client/factory.go b/client/factory.go index b68e69a..48eef98 100644 --- a/client/factory.go +++ b/client/factory.go @@ -1,8 +1,6 @@ package client import ( - "crypto/tls" - "crypto/x509" "fmt" "time" 
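Review bot: `cert/private_key.pem` is a plaintext RSA private key committed to the repository, and this commit rotates it in place rather than removing it; patch 5 later deletes the file, but both keys stay in git history, and under the trust model in `cert/cert.go` that key is the sole trust anchor for the server and every client. Treat both committed keys as compromised and never deploy them, and add `*.pem`/`*.crt` (or the generator's output directory) to `.gitignore` so the generator's output cannot be committed again.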
@@ -34,26 +32,15 @@ func CreateClient(cfg *config.ClientConfig) (ClientHandler, error) {
 }
 
 func connectWithRetrials(host string) (GRPCConn, error) {
- //credentials := insecure.NewCredentials()
- //opts := grpc.WithTransportCredentials(credentials)
- certt, err := cert.LoadCertificate("../../../cert/certificate.crt", "../../../cert/private_key.pem")
+ tlsConfig, err := cert.CreateTLSClientConfig(cert.CertFileCfg{
+ CertFile: "../../../cert/certificate.crt",
+ PkFile: "../../../cert/private_key.pem",
+ })
 if err != nil {
 return nil, err
 }
 
- certLeaf, err := x509.ParseCertificate(certt.Certificate[0])
- if err != nil {
- return nil, err
- }
-
- CertPool := x509.NewCertPool()
- CertPool.AddCert(certLeaf)
- tlsConfig := &tls.Config{
- Certificates: []tls.Certificate{certt},
- RootCAs: CertPool,
- }
-
- for i := 0; i < maxConnectionRetrials; i++ {
+ for i := 0; ; i++ {
 cc, err := grpc.Dial(host, grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)))
 if err == nil {
 return cc, err
@@ -66,6 +53,4 @@ func connectWithRetrials(host string) (GRPCConn, error) {
 "host", host,
 "retrial", i+1)
 }
-
- return nil, errCannotOpenConnection
 }
diff --git a/server/cmd/server/main.go b/server/cmd/server/main.go
index dd8f7e3..2f82f77 100644
--- a/server/cmd/server/main.go
+++ b/server/cmd/server/main.go
@@ -1,8 +1,6 @@
 package main
 
 import (
- "crypto/tls"
- "crypto/x509"
 "fmt"
 "net"
 "os"
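Review bot: The retry loop in `connectWithRetrials` now has no exit condition and the `errCannotOpenConnection` return is gone, so a client with a wrong certificate or an unreachable server spins forever with no way for the caller to give up; the loop needs either a bound or a `context.Context` to select on, and patch 4's rewrite of this function (L30) keeps the same shape. Separately, `grpc.Dial` returns without connecting unless `grpc.WithBlock()` is passed (I have not checked the dial options elsewhere in this file), so `err == nil` here does not mean the TLS handshake succeeded and the retries may never fire for a real connection or certificate failure; `grpc.DialContext(ctx, host, grpc.WithBlock(), ...)` with a bounded context would make the retry meaningful. The hard-coded `../../../cert/` paths are replaced by config in patch 4.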
@@ -78,21 +76,14 @@ func startServer(ctx *cli.Context) error { return err } - certt, err := cert.LoadCertificate("../../../cert/certificate.crt", "../../../cert/private_key.pem") - if err != nil { - return err - } - certLeaf, err := x509.ParseCertificate(certt.Certificate[0]) + tlsConfig, err := cert.CreateTLSServerConfig(cert.CertFileCfg{ + CertFile: "../../../cert/certificate.crt", + PkFile: "../../../cert/private_key.pem", + }) if err != nil { return err } - CertPool := x509.NewCertPool() - CertPool.AddCert(certLeaf) - tlsConfig := &tls.Config{ - Certificates: []tls.Certificate{certt}, - ClientCAs: CertPool, - ClientAuth: tls.RequireAndVerifyClientCert, - } + grpcServer := grpc.NewServer( grpc.Creds(credentials.NewTLS(tlsConfig)), ) From ba1c9fe0a48e165c9f82512d4601fb3dd73ffe01 Mon Sep 17 00:00:00 2001 From: Marius C Date: Mon, 18 Dec 2023 15:01:13 +0200 Subject: [PATCH 4/9] FEAT: Add cfg and env variables for certificates --- cert/cert.go | 8 ++++---- cert/cmd/cert/main.go | 2 +- client/cmd/client/.env | 6 ++++++ client/cmd/client/main.go | 16 ++++++++++++++-- client/config/config.go | 7 +++++-- client/factory.go | 18 ++++++++---------- server/cmd/config/config.go | 12 ++++++++---- server/cmd/server/.env | 6 ++++++ server/cmd/server/main.go | 19 ++++++++++++++----- 9 files changed, 66 insertions(+), 28 deletions(-) diff --git a/cert/cert.go b/cert/cert.go index bd06b07..15aa6be 100644 --- a/cert/cert.go +++ b/cert/cert.go @@ -18,7 +18,7 @@ var log = logger.GetOrCreate("cert") type CertificateCfg struct { CertCfg CertCfg - CertFileCfg CertFileCfg + CertFileCfg FileCfg } type CertCfg struct { @@ -27,7 +27,7 @@ type CertCfg struct { Availability int64 } -type CertFileCfg struct { +type FileCfg struct { CertFile string PkFile string } 
@@ -104,7 +104,7 @@ func GenerateCertFile(cfg CertificateCfg) error { return nil } -func CreateTLSServerConfig(cfg CertFileCfg) (*tls.Config, error) { +func CreateTLSServerConfig(cfg FileCfg) (*tls.Config, error) { cert, err := tls.LoadX509KeyPair(cfg.CertFile, cfg.PkFile) if err != nil { return nil, err @@ -122,7 +122,7 @@ func CreateTLSServerConfig(cfg CertFileCfg) (*tls.Config, error) { }, nil } -func CreateTLSClientConfig(cfg CertFileCfg) (*tls.Config, error) { +func CreateTLSClientConfig(cfg FileCfg) (*tls.Config, error) { cert, err := tls.LoadX509KeyPair(cfg.CertFile, cfg.PkFile) if err != nil { return nil, err diff --git a/cert/cmd/cert/main.go b/cert/cmd/cert/main.go index f786ffa..ae00649 100644 --- a/cert/cmd/cert/main.go +++ b/cert/cmd/cert/main.go @@ -13,7 +13,7 @@ func main() { DNSName: "localhost", Availability: 10, }, - CertFileCfg: cert.CertFileCfg{ + CertFileCfg: cert.FileCfg{ CertFile: "certificate.crt", PkFile: "private_key.pem", }, diff --git a/client/cmd/client/.env b/client/cmd/client/.env index ae9f104..152e4e4 100644 --- a/client/cmd/client/.env +++ b/client/cmd/client/.env @@ -2,3 +2,9 @@ GRPC_HOST="localhost" # GRPC server port GRPC_PORT="8085" +# Server certificate for tls secured connection with clients. +# One should use the same certificate for server as well. +# You can generate your own certificate files with the binary found in +# this repository in cert/cmd/cert +CERT_FILE="certificate.crt" +CERT_PK_FILE="private_key.pem" diff --git a/client/cmd/client/main.go b/client/cmd/client/main.go index c2c04fd..a414dad 100644 --- a/client/cmd/client/main.go +++ b/client/cmd/client/main.go 
@@ -9,6 +9,7 @@ import ( "github.com/joho/godotenv" "github.com/multiversx/mx-chain-core-go/data/sovereign" logger "github.com/multiversx/mx-chain-logger-go" + "github.com/multiversx/mx-chain-sovereign-bridge-go/cert" "github.com/multiversx/mx-chain-sovereign-bridge-go/client" "github.com/multiversx/mx-chain-sovereign-bridge-go/client/config" "github.com/urfave/cli" @@ -17,8 +18,10 @@ import ( var log = logger.GetOrCreate("client-tx-sender") const ( - envGRPCHost = "GRPC_HOST" - envGRPCPort = "GRPC_PORT" + envGRPCHost = "GRPC_HOST" + envGRPCPort = "GRPC_PORT" + envCertFile = "CERT_FILE" + envCertPkFile = "CERT_PK_FILE" ) func main() { @@ -135,13 +138,22 @@ func loadConfig() (*config.ClientConfig, error) { grpcHost := os.Getenv(envGRPCHost) grpcPort := os.Getenv(envGRPCPort) + certFile := os.Getenv(envCertFile) + certPkFile := os.Getenv(envCertPkFile) log.Info("loaded config", "grpc host", grpcHost) log.Info("loaded config", "grpc port", grpcPort) + log.Info("loaded config", "certificate file", certFile) + log.Info("loaded config", "certificate pk", certPkFile) + return &config.ClientConfig{ GRPCHost: grpcHost, GRPCPort: grpcPort, + CertificateCfg: cert.FileCfg{ + CertFile: certFile, + PkFile: certPkFile, + }, }, nil } diff --git a/client/config/config.go b/client/config/config.go index e15a80d..b91e640 100644 --- a/client/config/config.go +++ b/client/config/config.go @@ -1,7 +1,10 @@ package config +import "github.com/multiversx/mx-chain-sovereign-bridge-go/cert" + // ClientConfig holds all grpc client's config type ClientConfig struct { - GRPCHost string - GRPCPort string + GRPCHost string + GRPCPort string + CertificateCfg cert.FileCfg } diff --git a/client/factory.go b/client/factory.go index 48eef98..a347dd1 100644 --- a/client/factory.go +++ b/client/factory.go 
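Review bot: `loadConfig` reads `CERT_FILE`/`CERT_PK_FILE` with `os.Getenv` and passes the values straight into `cert.FileCfg` without checking them, so an unset variable yields an empty path and the failure only surfaces later from `tls.LoadX509KeyPair` instead of as a clear configuration error; add `if certFile == "" || certPkFile == "" { return nil, errMissingCertConfig }` (a sentinel declared alongside the package's other errors) before building the config. The same applies to the server's `loadConfig` hunk in this commit (`@@ -132,6 +132,8 @@` in server/cmd/server/main.go). Logging the two paths is fine; they are file names, not key material.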
@@ -22,7 +22,7 @@ var log = logger.GetOrCreate("client")
 // CreateClient creates a grpc client with retrials
 func CreateClient(cfg *config.ClientConfig) (ClientHandler, error) {
 dialTarget := fmt.Sprintf("%s:%s", cfg.GRPCHost, cfg.GRPCPort)
- conn, err := connectWithRetrials(dialTarget)
+ conn, err := connectWithRetrials(dialTarget, cfg.CertificateCfg)
 if err != nil {
 return nil, err
 }
@@ -31,25 +31,23 @@ func CreateClient(cfg *config.ClientConfig) (ClientHandler, error) {
 return NewClient(bridgeClient, conn)
 }
 
-func connectWithRetrials(host string) (GRPCConn, error) {
- tlsConfig, err := cert.CreateTLSClientConfig(cert.CertFileCfg{
- CertFile: "../../../cert/certificate.crt",
- PkFile: "../../../cert/private_key.pem",
- })
+func connectWithRetrials(host string, cfg cert.FileCfg) (GRPCConn, error) {
+ tlsConfig, err := cert.CreateTLSClientConfig(cfg)
 if err != nil {
 return nil, err
 }
 
 for i := 0; ; i++ {
- cc, err := grpc.Dial(host, grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)))
- if err == nil {
- return cc, err
+ tlsCredentials := credentials.NewTLS(tlsConfig)
+ cc, errConnection := grpc.Dial(host, grpc.WithTransportCredentials(tlsCredentials))
+ if errConnection == nil {
+ return cc, errConnection
 }
 
 time.Sleep(time.Second * waitTime)
 
 log.Warn("could not establish connection, retrying",
- "error", err,
+ "error", errConnection,
 "host", host,
 "retrial", i+1)
 }
diff --git a/server/cmd/config/config.go b/server/cmd/config/config.go
index 368f804..6c0c912 100644
--- a/server/cmd/config/config.go
+++ b/server/cmd/config/config.go
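Review bot: `credentials.NewTLS(tlsConfig)` is rebuilt on every iteration of the retry loop in `connectWithRetrials` although `tlsConfig` never changes; hoist `tlsCredentials := credentials.NewTLS(tlsConfig)` above the `for` so the loop body only dials. The loop itself is still unbounded and has no cancellation, as raised on the patch 3 hunk of this function.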
@@ -1,10 +1,14 @@ package config -import "github.com/multiversx/mx-chain-sovereign-bridge-go/server/txSender" +import ( + "github.com/multiversx/mx-chain-sovereign-bridge-go/cert" + "github.com/multiversx/mx-chain-sovereign-bridge-go/server/txSender" +) // ServerConfig holds necessary config for the grpc server type ServerConfig struct { - GRPCPort string - TxSenderConfig txSender.TxSenderConfig - WalletConfig txSender.WalletConfig + GRPCPort string + TxSenderConfig txSender.TxSenderConfig + WalletConfig txSender.WalletConfig + CertificateConfig cert.FileCfg } diff --git a/server/cmd/server/.env b/server/cmd/server/.env index 53fce18..427f442 100644 --- a/server/cmd/server/.env +++ b/server/cmd/server/.env @@ -12,3 +12,9 @@ MULTIVERSX_PROXY="https://testnet-gateway.multiversx.com" BRIDGE_SC_ADDRESS="erd1spyavw0956vq68xj8y4tenjpq2wd5a9p2c6j8gsz7ztyrnpxrruqzu66jx" # Max retrials to wait for account nonce update after sending bridge txs MAX_RETRIALS_WAIT_NONCE=60 +# Server certificate for tls secured connection with clients. +# One should use the same certificate for clients as well. +# You can generate your own certificate files with the binary found in +# this repository in cert/cmd/cert +CERT_FILE="certificate.crt" +CERT_PK_FILE="private_key.pem" \ No newline at end of file diff --git a/server/cmd/server/main.go b/server/cmd/server/main.go index 2f82f77..e4a7040 100644 --- a/server/cmd/server/main.go +++ b/server/cmd/server/main.go @@ -43,6 +43,8 @@ const ( envBridgeSCAddr = "BRIDGE_SC_ADDRESS" envMultiversXProxy = "MULTIVERSX_PROXY" envMaxRetrialsWaitNonce = "MAX_RETRIALS_WAIT_NONCE" + envCertFile = "CERT_FILE" + envCertPkFile = "CERT_PK_FILE" ) func main() { 
@@ -76,16 +78,14 @@ func startServer(ctx *cli.Context) error {
 return err
 }
 
- tlsConfig, err := cert.CreateTLSServerConfig(cert.CertFileCfg{
- CertFile: "../../../cert/certificate.crt",
- PkFile: "../../../cert/private_key.pem",
- })
+ tlsConfig, err := cert.CreateTLSServerConfig(cfg.CertificateConfig)
 if err != nil {
 return err
 }
 
+ tlsCredentials := credentials.NewTLS(tlsConfig)
 grpcServer := grpc.NewServer(
- grpc.Creds(credentials.NewTLS(tlsConfig)),
+ grpc.Creds(tlsCredentials),
 )
 bridgeServer, err := server.CreateServer(cfg)
 if err != nil {
@@ -132,6 +132,8 @@ func loadConfig() (*config.ServerConfig, error) {
 bridgeSCAddress := os.Getenv(envBridgeSCAddr)
 proxy := os.Getenv(envMultiversXProxy)
 maxRetrialsWaitNonceStr := os.Getenv(envMaxRetrialsWaitNonce)
+ certFile := os.Getenv(envCertFile)
+ certPkFile := os.Getenv(envCertPkFile)
 
 maxRetrialsWaitNonce, err := strconv.Atoi(maxRetrialsWaitNonceStr)
 if err != nil {
@@ -143,6 +145,9 @@ func loadConfig() (*config.ServerConfig, error) {
 log.Info("loaded config", "proxy", proxy)
 log.Info("loaded config", "maxRetrialsWaitNonce", maxRetrialsWaitNonce)
 
+ log.Info("loaded config", "certificate file", certFile)
+ log.Info("loaded config", "certificate pk", certPkFile)
+
 return &config.ServerConfig{
 GRPCPort: grpcPort,
 WalletConfig: txSender.WalletConfig{
@@ -154,6 +159,10 @@ func loadConfig() (*config.ServerConfig, error) {
 Proxy: proxy,
 MaxRetrialsWaitNonce: maxRetrialsWaitNonce,
 },
+ CertificateConfig: cert.FileCfg{
+ CertFile: certFile,
+ PkFile: certPkFile,
+ },
 }, nil
 }
From 4c2a2e4319dc7b2dc9ae9535f58291731c8e6197 Mon Sep 17 00:00:00 2001
From: Marius C Date: Mon, 18 Dec 2023 15:30:44 +0200 Subject: [PATCH 5/9] FEAT: Extend binary to generate certificates --- cert/cert.go | 4 ++- cert/certificate.crt | 20 --------------- cert/cmd/cert/flags.go | 21 ++++++++++++++++ cert/cmd/cert/main.go | 52 +++++++++++++++++++++++++++++++++++---- cert/private_key.pem | 27 -------------------- server/cmd/server/main.go | 2 +- 6 files changed, 72 insertions(+), 54 deletions(-) delete mode 100644 cert/certificate.crt create mode 100644 cert/cmd/cert/flags.go delete mode 100644 cert/private_key.pem
diff --git a/cert/cert.go b/cert/cert.go
index 15aa6be..3ab45d9 100644
--- a/cert/cert.go
+++ b/cert/cert.go
@@ -32,6 +32,8 @@ type FileCfg struct {
 PkFile string
 }
 
+const day = time.Hour * 24
+
 func GenerateCert(cfg CertCfg) ([]byte, *rsa.PrivateKey, error) {
 pk, err := rsa.GenerateKey(rand.Reader, 2048)
 if err != nil {
@@ -52,7 +54,7 @@ func GenerateCert(cfg CertCfg) ([]byte, *rsa.PrivateKey, error) {
 },
 DNSNames: []string{cfg.DNSName},
 NotBefore: time.Now(),
- NotAfter: time.Now().Add(time.Duration(cfg.Availability) * time.Hour),
+ NotAfter: time.Now().Add(time.Duration(cfg.Availability) * day),
 KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
 BasicConstraintsValid: true,
diff --git a/cert/certificate.crt b/cert/certificate.crt
deleted file mode 100644
index 24bfd16..0000000
--- a/cert/certificate.crt
+++ /dev/null
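Review bot: `cfg.Availability` is multiplied into `NotAfter` without validation, so zero or a negative value yields a certificate that is already expired and a very large value overflows `time.Duration` (int64 nanoseconds, roughly 106751 days) and silently wraps; add `if cfg.Availability <= 0 { return nil, nil, errInvalidAvailability }` at the top of `GenerateCert` (sentinel to be declared next to the package's `log` var) and reject values beyond what `time.Duration` can hold. Switching the unit from hours to days also makes certificates valid for a year by default (`availabilityFlag` defaults to "365"), which is only acceptable if renewal is actually operated; the `Usage` text added in the main.go hunk promises renewal and revocation, but nothing in this series implements either. `GenerateCert` starts and ends outside this hunk.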
@@ -1,20 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDNDCCAhygAwIBAgIRAIFIZEV8mjs90HatkH2Hb/QwDQYJKoZIhvcNAQELBQAw -KjETMBEGA1UEChMKTXVsdGl2ZXJzWDETMBEGA1UEAxMKTXVsdGl2ZXJzWDAeFw0y -MzEyMTgxMjQwNDlaFw0yMzEyMTgyMjQwNDlaMCoxEzARBgNVBAoTCk11bHRpdmVy -c1gxEzARBgNVBAMTCk11bHRpdmVyc1gwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw -ggEKAoIBAQDAIokkHY6H3ySF32VaRRM/2ddcA4vhnWYlNpDygRKZv2LB7tevbsPX -PwRyqKQq+rGdkXMGSnF43OE9rfff6ABgH6oXlI/97fXIJWhOzt+tJutKvZjaXz8U -lEPIudXt5o3NyGbHz6a9kEc+NSfA7SfuwAWR1g9lcFzqv3haN1IG+1vwtc+MRpvx -cokiqqEUSjSjUENtuZvS7dhVUK2bd7IzDsiYrngwY9JTx3KF/zXzIRWwZZV8aMBt -o2tf4e7IYuasAcxslLCtLOHO4OxEiNulCz93cziRGQlFW3kKu8VpRtByH5kjXawV -WbxWaGtXIGiV3B8qubawsOP4xjA+4PTpAgMBAAGjVTBTMA4GA1UdDwEB/wQEAwIF -oDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAU -BgNVHREEDTALgglsb2NhbGhvc3QwDQYJKoZIhvcNAQELBQADggEBAACE8mAMu+Oq -zZ7KkuKV99p8rJz3x+BnLPph9A7N5Q9bPXfgxmur39hmq2FnnlcomasSKYBi/Qg5 -FK1i51CsxqNZ4RI61sGm/XJRDXAiEJZWTCchwcp1atARbH7IOkPXbaNNakC2GaMR -VQGNydkK0jnoNTU/ZZkx0w40kq85okEmOW5rWLxMM4TGR70GgNOBBzD1UY6FsNj0 -zNfLohtFspgQUc6mLloproWgyyI9O53xz2yB52RRA0VldUfBbyt1xbGoTiJ0W1sx -b6kqUnt+n3QVx7yFR1TbiuqKJuK8Py+Ir9z79bYj0iskoEiyCZPamlLhnAbVf3Hb -a2KTY1kp2qc= ------END CERTIFICATE----- diff --git a/cert/cmd/cert/flags.go b/cert/cmd/cert/flags.go new file mode 100644 index 0000000..70252db --- /dev/null +++ b/cert/cmd/cert/flags.go @@ -0,0 +1,21 @@ +package main + +import "github.com/urfave/cli" + +var ( + organizationFlag = cli.StringFlag{ + Name: "organization", + Usage: "This flag specifies the organization name which will generate the certificate", + Value: "MultiversX", + } + dnsFlag = cli.StringFlag{ + Name: "dns", + Usage: "This flag specifies the server's dns for tls connection", + Value: "localhost", + } + availabilityFlag = cli.StringFlag{ + Name: "availability", + Usage: "This flag specifies the certificate's availability in days starting from current timestamp", + Value: "365", + } +) 
diff --git a/cert/cmd/cert/main.go b/cert/cmd/cert/main.go index ae00649..a23b739 100644 --- a/cert/cmd/cert/main.go +++ b/cert/cmd/cert/main.go 
@@ -1,22 +1,64 @@
 package main
 
 import (
- "fmt"
+ "os"
 
+ logger "github.com/multiversx/mx-chain-logger-go"
 "github.com/multiversx/mx-chain-sovereign-bridge-go/cert"
+ "github.com/urfave/cli"
 )
 
+var log = logger.GetOrCreate("cert")
+
 func main() {
+
+ app := cli.NewApp()
+ app.Name = "Certificate generator"
+ app.Usage = "Generate certificate (.crt + .pem) for grpc tls connection between server and client.\n" +
+ "->Certificate Generation: To enable secure communication, generate a certificate pair containing a .crt (certificate) " +
+ "and a .pem (private key) for both the server and the sovereign nodes (clients). This will facilitate the encryption and " +
+ "authentication required for the gRPC TLS connection.\n" +
+ "->Authentication of Clients: The server, acting as the hot wallet binary, should authenticate and validate the sovereign nodes (clients) " +
+ "attempting to connect. Only trusted clients with the matching certificate will be granted access to interact with the hot wallet binary.\n" +
+ "->Ensuring Secure Transactions: Utilize the certificate-based authentication mechanism to ensure that only authorized sovereign nodes can access the hot wallet binary. " +
+ "This step is crucial in maintaining the integrity and security of transactions being sent from the sovereign shards to the main chain.\n" +
+ "->Ongoing Security Measures: Regularly review and update the certificate mechanism to maintain security. This includes renewal of certificates, " +
+ "implementing security best practices, and promptly revoking access for compromised or unauthorized clients."
+ app.Action = generateCertificate
+ app.Flags = []cli.Flag{
+ organizationFlag,
+ dnsFlag,
+ availabilityFlag,
+ }
+
+ err := app.Run(os.Args)
+ if err != nil {
+ log.Error(err.Error())
+ os.Exit(1)
+ }
+
+}
+
+func generateCertificate(ctx *cli.Context) error {
+ organization := ctx.GlobalString(organizationFlag.Name)
+ dns := ctx.GlobalString(dnsFlag.Name)
+ availability := ctx.GlobalInt64(availabilityFlag.Name)
+
 err := cert.GenerateCertFile(cert.CertificateCfg{
 CertCfg: cert.CertCfg{
- Organization: "MultiversX",
- DNSName: "localhost",
- Availability: 10,
+ Organization: organization,
+ DNSName: dns,
+ Availability: availability,
 },
 CertFileCfg: cert.FileCfg{
 CertFile: "certificate.crt",
 PkFile: "private_key.pem",
 },
 })
- fmt.Println(err)
+ if err != nil {
+ return err
+ }
+
+ log.Info("generated files successfully")
+ return nil
 }
diff --git a/cert/private_key.pem b/cert/private_key.pem
deleted file mode 100644
index 867cbb9..0000000
--- a/cert/private_key.pem
+++ /dev/null
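Review bot: `availabilityFlag` is declared as a `cli.StringFlag` (flags.go hunk, L34) but read here with `ctx.GlobalInt64`, so a non-numeric value such as `--availability 1y` is not rejected at parse time and, as far as I can tell from urfave/cli's lookup, comes back as 0, which `GenerateCert` turns into an already-expired certificate; declare it as `cli.Int64Flag{Name: "availability", Usage: ..., Value: 365}` so the CLI rejects bad input itself. `generateCertificate` also hard-codes the output names `certificate.crt`/`private_key.pem` in the working directory and overwrites them silently, which deserves an output-directory flag or at least an existence check before a key still in use is clobbered. The stray blank lines right after `func main() {` and before its closing brace should go.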
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEAwCKJJB2Oh98khd9lWkUTP9nXXAOL4Z1mJTaQ8oESmb9iwe7X -r27D1z8EcqikKvqxnZFzBkpxeNzhPa333+gAYB+qF5SP/e31yCVoTs7frSbrSr2Y -2l8/FJRDyLnV7eaNzchmx8+mvZBHPjUnwO0n7sAFkdYPZXBc6r94WjdSBvtb8LXP -jEab8XKJIqqhFEo0o1BDbbmb0u3YVVCtm3eyMw7ImK54MGPSU8dyhf818yEVsGWV -fGjAbaNrX+HuyGLmrAHMbJSwrSzhzuDsRIjbpQs/d3M4kRkJRVt5CrvFaUbQch+Z -I12sFVm8VmhrVyBoldwfKrm2sLDj+MYwPuD06QIDAQABAoIBAQCJZmkylZx/GBmT -Tw24/1rjt5JmL/cRsjEA/cOsWJeHsbEbRQWjZI/S1zMEGAvG3J62MvTSE9yP9U1y -gX2Y9t2F4D8QO+K5UjoJFo9AhHq65fEv8uRjjeebfOf4nMUbK1xPRDgUPjBcsdfw -6axzMGX1PAb/othBz5fzHFgiFBup90pfu6oWTSaIxY5nM3FsJ+Kp+5YQTMAkT/12 -9bUvuadk9lhU3LAvRRGP4mtFevIJ7u7I5vurcR/8NxIqEAxmywPHw9Pa2fgI3iuX -9tG+prcVM2EjEXWaUZ2k56MLFmV2jCLSoRfvVQaOjcCSqvW8cw/5fpKwI50AemKF -8WZ2a0PxAoGBAPbw66XdydUWdNAVWjwDp+Grsa453VUvgwjcoXi+5lFKudE7EWTM -TRTlzc+4vHo3u5TAV7qTkBEbESxfZUcSq3eVeljskb9itSK2vnyvY8kDKSkcPlNQ -pUuXPaa5C13Odbk30LLRWyhTMO9Ho6hojeI01ayBc/Y6r5dl8hwBVOmVAoGBAMcu -6vyO2UJhKQVy1igkHF+6U3XEksHDT4h5IaEVRcTrE0wckZ2bvhJpagxrtBP1jatT -Zy/1zdWfQXZr24bT7nf1vcO54TPnc8BDMPj47rPtlQjmeCNG6avkZLukKrlCrgmP -/WC0ns03n6uOKX/zjhe7eMtBWemJZN2DUkyDf5EFAoGBAOcpLh6N2NMte1oSsu59 -KZm6JNEIf+WvXUVda5Zhda7hecKgPa8TBJEschYiQ+VQ6LrdtwIEApfQs6nK/z6h -/nsqJWa6xdDXsOJ3GSgU8x8HY2+Fbd6GHsX9JQw+KqK8kz04P5g1HNVJ0wQbFtue -TDtV5DPg1tHHq/nYx+RpZrhlAoGAdIJ2Q9tPLGvm8d/1cy+ERV6ZOTcN3Tdgy2SH -jlECKaiT9h5z8uxJ5z0wIinSASbOgpvbrQssJrvsL9fxZlGLmTHumZGeMJ0/cQQc -nlYGUsszNSySs5fkUX7ciYIC17EwWjmWrb2ZclMKG/ChR83wnOM1Sjdk351Vmdka -B9WXhf0CgYEAwNZBP+iDCYnq47ICv3GM4PCnU1Pc/tPDMKlUqWCUl8Sp/UdiNJoM -7cvG6wct4+HG9UQfjhFJegLuNL9uchK+Vnu04nbbkgQCH78ORwf2Y+VPkWOjt7r0 -86xfx+m5YNOP0Wqrm5tBqnDZpZSL5YTYVhpTKJve2BGcjOydqdKZbe4= ------END RSA PRIVATE KEY----- diff --git a/server/cmd/server/main.go b/server/cmd/server/main.go index e4a7040..974d6f1 100644 --- a/server/cmd/server/main.go +++ b/server/cmd/server/main.go 
@@ -82,8 +82,8 @@ func startServer(ctx *cli.Context) error { if err != nil { return err } - tlsCredentials := credentials.NewTLS(tlsConfig) + tlsCredentials := credentials.NewTLS(tlsConfig) grpcServer := grpc.NewServer( grpc.Creds(tlsCredentials), ) From de4ffdf2db3542679ae2766c1727251486efbdbd Mon Sep 17 00:00:00 2001 From: Marius C Date: Mon, 18 Dec 2023 15:36:07 +0200 Subject: [PATCH 6/9] FIX: Linter --- client/cmd/client/.env | 2 +- client/errors.go | 2 -- server/cmd/server/.env | 2 +- 3 files changed, 2 insertions(+), 4 deletions(-) diff --git a/client/cmd/client/.env b/client/cmd/client/.env index 152e4e4..954ec2c 100644 --- a/client/cmd/client/.env +++ b/client/cmd/client/.env @@ -2,7 +2,7 @@ GRPC_HOST="localhost" # GRPC server port GRPC_PORT="8085" -# Server certificate for tls secured connection with clients. +# Client certificate for tls secured connection with server. # One should use the same certificate for server as well. # You can generate your own certificate files with the binary found in # this repository in cert/cmd/cert diff --git a/client/errors.go b/client/errors.go index 07950ce..863869d 100644 --- a/client/errors.go +++ b/client/errors.go @@ -3,5 +3,3 @@ package client import "errors" var errNilClientConnection = errors.New("nil grpc client connection provided") - -var errCannotOpenConnection = errors.New("cannot open connection") diff --git a/server/cmd/server/.env b/server/cmd/server/.env index 427f442..bece564 100644 --- a/server/cmd/server/.env +++ b/server/cmd/server/.env @@ -17,4 +17,4 @@ MAX_RETRIALS_WAIT_NONCE=60 # You can generate your own certificate files with the binary found in # this repository in cert/cmd/cert CERT_FILE="certificate.crt" -CERT_PK_FILE="private_key.pem" \ No newline at end of file +CERT_PK_FILE="private_key.pem" From eb39c56a1539bc4d100a05967975f55dc31bbfae Mon Sep 17 00:00:00 2001 
From: Marius C Date: Mon, 18 Dec 2023 15:43:09 +0200 Subject: [PATCH 7/9] FIX: After self review --- cert/cert.go | 13 ++++++++++--- cert/cmd/cert/main.go | 2 +- client/factory.go | 2 +- server/cmd/server/main.go | 2 +- 4 files changed, 13 insertions(+), 6 deletions(-) diff --git a/cert/cert.go b/cert/cert.go index 3ab45d9..b2b8ff6 100644 --- a/cert/cert.go +++ b/cert/cert.go @@ -16,17 +16,20 @@ import ( var log = logger.GetOrCreate("cert") +// CertificateCfg holds necessary config to generate certificate files type CertificateCfg struct { CertCfg CertCfg CertFileCfg FileCfg } +// CertCfg holds necessary config to generate a certificate and private key type CertCfg struct { Organization string DNSName string Availability int64 } +// FileCfg holds necessary config for certificate files type FileCfg struct { CertFile string PkFile string @@ -34,6 +37,7 @@ type FileCfg struct { const day = time.Hour * 24 +// GenerateCert will generate a certificate and private key with specified configuration func GenerateCert(cfg CertCfg) ([]byte, *rsa.PrivateKey, error) { pk, err := rsa.GenerateKey(rand.Reader, 2048) if err != nil { @@ -68,7 +72,8 @@ func GenerateCert(cfg CertCfg) ([]byte, *rsa.PrivateKey, error) { return cert, pk, nil } -func GenerateCertFile(cfg CertificateCfg) error { +// GenerateCertFiles will generate a certificate and private key files with specified configuration +func GenerateCertFiles(cfg CertificateCfg) error { cert, pk, err := GenerateCert(cfg.CertCfg) if err != nil { return err @@ -106,7 +111,8 @@ func GenerateCertFile(cfg CertificateCfg) error { return nil } -func CreateTLSServerConfig(cfg FileCfg) (*tls.Config, error) { +// LoadTLSServerConfig will load a tls server config +func LoadTLSServerConfig(cfg FileCfg) (*tls.Config, error) { cert, err := tls.LoadX509KeyPair(cfg.CertFile, cfg.PkFile) if err != nil { return nil, err 
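Review bot: The new doc comment on `LoadTLSServerConfig` says nothing about what the returned config trusts, which is the one thing a caller must know: the pool it installs in `ClientCAs` holds only the leaf certificate loaded from `cfg.CertFile`, so only a peer presenting exactly that certificate is accepted. Suggest `// LoadTLSServerConfig loads the certificate/key pair from cfg and returns a server config that requires client certificates and trusts only that same certificate`, with the mirror wording for `LoadTLSClientConfig` in the next hunk (`@@ -124,7 +130,8 @@`). The bodies of both functions continue outside these hunks.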
@@ -124,7 +130,8 @@ func CreateTLSServerConfig(cfg FileCfg) (*tls.Config, error) {
 }, nil
 }
-func CreateTLSClientConfig(cfg FileCfg) (*tls.Config, error) {
+// LoadTLSClientConfig will load a tls client config
+func LoadTLSClientConfig(cfg FileCfg) (*tls.Config, error) {
 cert, err := tls.LoadX509KeyPair(cfg.CertFile, cfg.PkFile)
 if err != nil {
 return nil, err
diff --git a/cert/cmd/cert/main.go b/cert/cmd/cert/main.go
index a23b739..239d1a2 100644
--- a/cert/cmd/cert/main.go
+++ b/cert/cmd/cert/main.go
@@ -44,7 +44,7 @@ func generateCertificate(ctx *cli.Context) error {
 dns := ctx.GlobalString(dnsFlag.Name)
 availability := ctx.GlobalInt64(availabilityFlag.Name)
- err := cert.GenerateCertFile(cert.CertificateCfg{
+ err := cert.GenerateCertFiles(cert.CertificateCfg{
 CertCfg: cert.CertCfg{
 Organization: organization,
 DNSName: dns,
diff --git a/client/factory.go b/client/factory.go
index a347dd1..dc557b6 100644
--- a/client/factory.go
+++ b/client/factory.go
@@ -32,7 +32,7 @@ func CreateClient(cfg *config.ClientConfig) (ClientHandler, error) {
 }
 func connectWithRetrials(host string, cfg cert.FileCfg) (GRPCConn, error) {
- tlsConfig, err := cert.CreateTLSClientConfig(cfg)
+ tlsConfig, err := cert.LoadTLSClientConfig(cfg)
 if err != nil {
 return nil, err
 }
diff --git a/server/cmd/server/main.go b/server/cmd/server/main.go
index 974d6f1..408b481 100644
--- a/server/cmd/server/main.go
+++ b/server/cmd/server/main.go
@@ -78,7 +78,7 @@ func startServer(ctx *cli.Context) error {
 return err
 }
- tlsConfig, err := cert.CreateTLSServerConfig(cfg.CertificateConfig)
+ tlsConfig, err := cert.LoadTLSServerConfig(cfg.CertificateConfig)
 if err != nil {
 return err
 }
From dc3967e7e77a6e3a703ef7ef0449737f4ba1be2d Mon Sep 17 00:00:00 2001
From: Marius C
Date: Tue, 19 Dec 2023 17:53:07 +0200
Subject: [PATCH 8/9] CLN: Small cleanup

---
 cert/cert.go | 9 +++++----
 cert/cmd/cert/main.go | 2 +-
 client/factory.go | 3 +--
 3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/cert/cert.go b/cert/cert.go
index b2b8ff6..f76005c 100644
--- a/cert/cert.go
+++ b/cert/cert.go
@@ -7,6 +7,7 @@ import (
 "crypto/x509"
 "crypto/x509/pkix"
 "encoding/pem"
+ "fmt"
 "math/big"
 "os"
 "time"
@@ -81,7 +82,7 @@ func GenerateCertFiles(cfg CertificateCfg) error {
 certOut, err := os.Create(cfg.CertFileCfg.CertFile)
 if err != nil {
- return err
+ return fmt.Errorf("cannot create certificate file, cert file: %s,error: %w", cfg.CertFileCfg.CertFile, err)
 }
 defer func() {
 err = certOut.Close()
@@ -90,12 +91,12 @@ func GenerateCertFiles(cfg CertificateCfg) error {
 err = pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: cert})
 if err != nil {
- return err
+ return fmt.Errorf("cannot create pem encoded file, cert file: %s,error: %w", cfg.CertFileCfg.CertFile, err)
 }
 keyOut, err := os.Create(cfg.CertFileCfg.PkFile)
 if err != nil {
- return err
+ return fmt.Errorf("cannot create certificate private key file, cert pk file: %s,error: %w", cfg.CertFileCfg.PkFile, err)
 }
 defer func() {
 err = keyOut.Close()
@@ -105,7 +106,7 @@ func GenerateCertFiles(cfg CertificateCfg) error {
 pkBytes := x509.MarshalPKCS1PrivateKey(pk)
 err = pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: pkBytes})
 if err != nil {
- return err
+ return fmt.Errorf("cannot create certificate pk file, cert pk file: %s,error: %w", cfg.CertFileCfg.PkFile, err)
 }
 return nil
diff --git a/cert/cmd/cert/main.go b/cert/cmd/cert/main.go
index 239d1a2..275dfab 100644
--- a/cert/cmd/cert/main.go
+++ b/cert/cmd/cert/main.go
@@ -59,6 +59,6 @@ func generateCertificate(ctx *cli.Context) error {
 return err
 }
- log.Info("generated files successfully")
+ log.Info("generated certificate files successfully")
 return nil
 }
diff --git a/client/factory.go b/client/factory.go
index dc557b6..d4b52ab 100644
--- a/client/factory.go
+++ b/client/factory.go
@@ -13,8 +13,7 @@ import (
 )
 const (
- maxConnectionRetrials = 100
- waitTime = 5
+ waitTime = 5
 )
 var log = logger.GetOrCreate("client")
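Review bot: In the `@@ -81,7 +82,7 @@` hunk the deferred `err = certOut.Close()` assigns to a local that the function cannot return, because `GenerateCertFiles` is declared with an unnamed `error` result; unless the deferred body, which continues outside the hunk, logs or otherwise reports it, a failed close of the certificate file is silently lost, and the same holds for `err = keyOut.Close()` in the `@@ -90,12 +91,12 @@` hunk. A named result with a non-clobbering close, `func GenerateCertFiles(cfg CertificateCfg) (err error)` and in the defer `if cerr := certOut.Close(); cerr != nil && err == nil { err = cerr }`, propagates the close failure without overwriting an earlier error. As a wording nit, the new messages lack a space after the comma in `%s,error: %w`, and `cannot create pem encoded file` / `cannot create certificate pk file` describe the two `pem.Encode` failures inconsistently with the `os.Create` ones; `%q` would also make an empty path visible in the log.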
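Review bot: `keyOut, err := os.Create(cfg.CertFileCfg.PkFile)` in the `@@ -90,12 +91,12 @@` hunk creates the private-key file with mode 0666 before umask, so under a typical umask the PKCS#1 key written in the `@@ -105,7 +106,7 @@` hunk ends up readable by every local user; the added error wrapping does not change that. Create it with restrictive permissions instead: `keyOut, err := os.OpenFile(cfg.CertFileCfg.PkFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)`. Adding `os.O_EXCL` (or checking for an existing file first) would also prevent a re-run from silently overwriting a key that is already deployed. The certificate created in the `@@ -81,7 +82,7 @@` hunk is public material and can keep `os.Create`.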
From 4e0008a87eca4c56e98526e0986269080a9810dc Mon Sep 17 00:00:00 2001
From: Marius C
Date: Mon, 15 Jan 2024 16:38:54 +0200
Subject: [PATCH 9/9] FIX: Go imports

---
 server/cmd/server/main.go | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/server/cmd/server/main.go b/server/cmd/server/main.go
index 408b481..e13cfdf 100644
--- a/server/cmd/server/main.go
+++ b/server/cmd/server/main.go
@@ -9,8 +9,6 @@ import (
 "syscall"
 "time"
- "google.golang.org/grpc/credentials"
-
 "github.com/joho/godotenv"
 "github.com/multiversx/mx-chain-core-go/core/check"
 "github.com/multiversx/mx-chain-core-go/core/closing"
@@ -21,9 +19,9 @@ import (
 "github.com/multiversx/mx-chain-sovereign-bridge-go/server"
 "github.com/multiversx/mx-chain-sovereign-bridge-go/server/cmd/config"
 "github.com/multiversx/mx-chain-sovereign-bridge-go/server/txSender"
-
 "github.com/urfave/cli"
 "google.golang.org/grpc"
+ "google.golang.org/grpc/credentials"
 )
 var log = logger.GetOrCreate("sov-bridge-sender")