251 lines
8.0 KiB
Go
251 lines
8.0 KiB
Go
/*
|
|
© Copyright IBM Corporation 2018, 2019
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
// Package keystore contains code to create and update keystores
|
|
package keystore
|
|
|
|
import (
|
|
"bufio"
|
|
"fmt"
|
|
"os"
|
|
"path/filepath"
|
|
"strings"
|
|
|
|
"github.com/ibm-messaging/mq-container/internal/command"
|
|
"github.com/ibm-messaging/mq-container/internal/logger"
|
|
)
|
|
|
|
// KeyStore describes information about a keystore file
|
|
type KeyStore struct {
|
|
Filename string
|
|
Password string
|
|
keyStoreType string
|
|
command string
|
|
}
|
|
|
|
// NewJKSKeyStore creates a new Java Key Store, managed by the runmqckm command
|
|
func NewJKSKeyStore(filename, password string) *KeyStore {
|
|
return &KeyStore{
|
|
Filename: filename,
|
|
Password: password,
|
|
keyStoreType: "jks",
|
|
command: "/opt/mqm/bin/runmqckm",
|
|
}
|
|
}
|
|
|
|
// NewCMSKeyStore creates a new MQ CMS Key Store, managed by the runmqakm command
|
|
func NewCMSKeyStore(filename, password string) *KeyStore {
|
|
return &KeyStore{
|
|
Filename: filename,
|
|
Password: password,
|
|
keyStoreType: "cms",
|
|
command: "/opt/mqm/bin/runmqakm",
|
|
}
|
|
}
|
|
|
|
// NewPKCS12KeyStore creates a new PKCS12 Key Store, managed by the runmqakm command
|
|
func NewPKCS12KeyStore(filename, password string) *KeyStore {
|
|
return &KeyStore{
|
|
Filename: filename,
|
|
Password: password,
|
|
keyStoreType: "p12",
|
|
command: "/opt/mqm/bin/runmqakm",
|
|
}
|
|
}
|
|
|
|
// Create a key store, if it doesn't already exist
|
|
func (ks *KeyStore) Create(log *logger.Logger) error {
|
|
_, err := os.Stat(ks.Filename)
|
|
if err == nil {
|
|
// Keystore already exists so we should refresh it by deleting it.
|
|
extension := filepath.Ext(ks.Filename)
|
|
log.Debugf("Refreshing keystore: %v", ks.Filename)
|
|
if ks.keyStoreType == "cms" {
|
|
// Only delete these when we are refreshing the kdb keystore
|
|
stashFile := ks.Filename[0:len(ks.Filename)-len(extension)] + ".sth"
|
|
rdbFile := ks.Filename[0:len(ks.Filename)-len(extension)] + ".rdb"
|
|
crlFile := ks.Filename[0:len(ks.Filename)-len(extension)] + ".crl"
|
|
err = os.Remove(stashFile)
|
|
if err != nil {
|
|
log.Errorf("Error removing %s: %v", stashFile, err)
|
|
return err
|
|
}
|
|
err = os.Remove(rdbFile)
|
|
if err != nil {
|
|
log.Errorf("Error removing %s: %v", rdbFile, err)
|
|
return err
|
|
}
|
|
err = os.Remove(crlFile)
|
|
if err != nil {
|
|
log.Errorf("Error removing %s: %v", crlFile, err)
|
|
return err
|
|
}
|
|
}
|
|
err = os.Remove(ks.Filename)
|
|
if err != nil {
|
|
log.Errorf("Error removing %s: %v", ks.Filename, err)
|
|
return err
|
|
}
|
|
} else if !os.IsNotExist(err) {
|
|
// If the keystore exists but cannot be accessed then return the error
|
|
return err
|
|
}
|
|
|
|
// Create the keystore now we're sure it doesn't exist
|
|
out, _, err := command.Run(ks.command, "-keydb", "-create", "-type", ks.keyStoreType, "-db", ks.Filename, "-pw", ks.Password, "-stash")
|
|
if err != nil {
|
|
return fmt.Errorf("error running \"%v -keydb -create\": %v %s", ks.command, err, out)
|
|
}
|
|
|
|
mqmUID, mqmGID, err := command.LookupMQM()
|
|
if err != nil {
|
|
log.Error(err)
|
|
return err
|
|
}
|
|
err = os.Chown(ks.Filename, mqmUID, mqmGID)
|
|
if err != nil {
|
|
log.Error(err)
|
|
return err
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// CreateStash creates a key stash, if it doesn't already exist
|
|
func (ks *KeyStore) CreateStash(log *logger.Logger) error {
|
|
extension := filepath.Ext(ks.Filename)
|
|
stashFile := ks.Filename[0:len(ks.Filename)-len(extension)] + ".sth"
|
|
log.Debugf("TLS stash file: %v", stashFile)
|
|
_, err := os.Stat(stashFile)
|
|
if err != nil {
|
|
if os.IsNotExist(err) {
|
|
out, _, err := command.Run(ks.command, "-keydb", "-stashpw", "-type", ks.keyStoreType, "-db", ks.Filename, "-pw", ks.Password)
|
|
if err != nil {
|
|
return fmt.Errorf("error running \"%v -keydb -stashpw\": %v %s", ks.command, err, out)
|
|
}
|
|
}
|
|
return err
|
|
}
|
|
mqmUID, mqmGID, err := command.LookupMQM()
|
|
if err != nil {
|
|
log.Error(err)
|
|
return err
|
|
}
|
|
err = os.Chown(stashFile, mqmUID, mqmGID)
|
|
if err != nil {
|
|
log.Error(err)
|
|
return err
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// GeneratePKCS12 generates a PKCS12 file
|
|
func (ks *KeyStore) GeneratePKCS12(keyFile, crtFile, pkcs12File, label, password string) error {
|
|
out, _, err := command.Run("openssl", "pkcs12", "-export", "-inkey", keyFile, "-in", crtFile, "-out", pkcs12File, "-name", label, "-passout", "pass:"+password)
|
|
if err != nil {
|
|
return fmt.Errorf("error running \"openssl pkcs12 -export\": %v %s", err, out)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// Import imports a certificate file in the keystore
|
|
func (ks *KeyStore) Import(inputFile, password string) error {
|
|
out, _, err := command.Run(ks.command, "-cert", "-import", "-file", inputFile, "-pw", password, "-target", ks.Filename, "-target_pw", ks.Password, "-target_type", ks.keyStoreType)
|
|
if err != nil {
|
|
return fmt.Errorf("error running \"%v -cert -import\": %v %s", ks.command, err, out)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// CreateSelfSignedCertificate creates a self-signed certificate in the keystore
|
|
func (ks *KeyStore) CreateSelfSignedCertificate(label, dn string) error {
|
|
out, _, err := command.Run(ks.command, "-cert", "-create", "-db", ks.Filename, "-pw", ks.Password, "-label", label, "-dn", dn)
|
|
if err != nil {
|
|
return fmt.Errorf("error running \"%v -cert -create\": %v %s", ks.command, err, out)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// Add adds a CA certificate to the keystore
|
|
func (ks *KeyStore) Add(inputFile, label string) error {
|
|
out, _, err := command.Run(ks.command, "-cert", "-add", "-db", ks.Filename, "-type", ks.keyStoreType, "-pw", ks.Password, "-file", inputFile, "-label", label)
|
|
if err != nil {
|
|
return fmt.Errorf("error running \"%v -cert -add\": %v %s", ks.command, err, out)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// Add adds a CA certificate to the keystore
|
|
func (ks *KeyStore) AddNoLabel(inputFile string) error {
|
|
out, _, err := command.Run(ks.command, "-cert", "-add", "-db", ks.Filename, "-type", ks.keyStoreType, "-pw", ks.Password, "-file", inputFile)
|
|
if err != nil {
|
|
return fmt.Errorf("error running \"%v -cert -add\": %v %s", ks.command, err, out)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// GetCertificateLabels returns the labels of all certificates in the key store
|
|
func (ks *KeyStore) GetCertificateLabels() ([]string, error) {
|
|
out, _, err := command.Run(ks.command, "-cert", "-list", "-type", ks.keyStoreType, "-db", ks.Filename, "-pw", ks.Password)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("error running \"%v -cert -list\": %v %s", ks.command, err, out)
|
|
}
|
|
scanner := bufio.NewScanner(strings.NewReader(out))
|
|
var labels []string
|
|
for scanner.Scan() {
|
|
s := scanner.Text()
|
|
if strings.HasPrefix(s, "-") || strings.HasPrefix(s, "*-") {
|
|
s := strings.TrimLeft(s, "-*")
|
|
labels = append(labels, strings.TrimSpace(s))
|
|
}
|
|
}
|
|
err = scanner.Err()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return labels, nil
|
|
}
|
|
|
|
// RenameCertificate renames the specified certificate
|
|
func (ks *KeyStore) RenameCertificate(from, to string) error {
|
|
out, _, err := command.Run(ks.command, "-cert", "-rename", "-db", ks.Filename, "-pw", ks.Password, "-label", from, "-new_label", to)
|
|
if err != nil {
|
|
return fmt.Errorf("error running \"%v -cert -rename\": %v %s", ks.command, err, out)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// ListCertificates Lists all certificates in hte keystore
|
|
func (ks *KeyStore) ListAllCertificates() ([]string, error) {
|
|
out, _, err := command.Run(ks.command, "-cert", "-list", "-type", ks.keyStoreType, "-db", ks.Filename, "-pw", ks.Password)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("error running \"%v -cert -list\": %v %s", ks.command, err, out)
|
|
}
|
|
scanner := bufio.NewScanner(strings.NewReader(out))
|
|
var labels []string
|
|
for scanner.Scan() {
|
|
s := scanner.Text()
|
|
if strings.HasPrefix(s, "-") || strings.HasPrefix(s, "*-") || strings.HasPrefix(s, "!") {
|
|
s := strings.TrimLeft(s, "-*!")
|
|
labels = append(labels, strings.TrimSpace(s))
|
|
}
|
|
}
|
|
err = scanner.Err()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return labels, nil
|
|
}
|