JointCloud
/
JCS-pub
Not watched
1
0
Fork 0
Code
Releases 0 Wiki evaluate Activity
Issues 0 Pull Requests 0 Datasets Model Cloudbrain HPC
You can not select more than 25 topics Topics must start with a chinese character,a letter or number, can include dashes ('-') and can be up to 35 characters long.
1060 Commits
3 Branches
118 MB
1 Download
Tree: 17e4452435
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '17e4452435'
${ noResults }
JCS-pub/client/internal/cmdline/cert.go

cert.go 6.2 kB
Raw Normal View History

客户端鉴权改为证书
5 months ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219 
  1. package cmdline

  2. 

  3. import (

  4. 	"crypto/ecdsa"

  5. 	"crypto/elliptic"

  6. 	"crypto/rand"

  7. 	"crypto/x509"

  8. 	"crypto/x509/pkix"

  9. 	"encoding/pem"

  10. 	"fmt"

  11. 	"math/big"

  12. 	"os"

  13. 	"path/filepath"

  14. 	"time"

  15. 

  16. 	"github.com/spf13/cobra"

  17. 	"gitlink.org.cn/cloudream/jcs-pub/client/internal/http/auth"

  18. )

  19. 

  20. func init() {

  21. 	certCmd := cobra.Command{

  22. 		Use: "cert",

  23. 	}

  24. 	RootCmd.AddCommand(&certCmd)

  25. 

  26. 	certRoot := cobra.Command{

  27. 		Use:  "root [outputDir]",

  28. 		Args: cobra.ExactArgs(1),

  29. 		Run: func(cmd *cobra.Command, args []string) {

  30. 			certRoot(args[0])

  31. 		},

  32. 	}

  33. 	certCmd.AddCommand(&certRoot)

  34. 

  35. 	var certFilePath string

  36. 	var keyFilePath string

  37. 

  38. 	certServer := cobra.Command{

  39. 		Use:  "server [outputDir]",

  40. 		Args: cobra.ExactArgs(1),

  41. 		Run: func(cmd *cobra.Command, args []string) {

  42. 			certServer(certFilePath, keyFilePath, args[0])

  43. 		},

  44. 	}

  45. 	certServer.Flags().StringVar(&certFilePath, "cert", "", "CA certificate file path")

  46. 	certServer.Flags().StringVar(&keyFilePath, "key", "", "CA key file path")

  47. 	certCmd.AddCommand(&certServer)

  48. 

  49. 	certClient := cobra.Command{

  50. 		Use:  "client [outputDir]",

  51. 		Args: cobra.ExactArgs(1),

  52. 		Run: func(cmd *cobra.Command, args []string) {

  53. 			certClient(certFilePath, keyFilePath, args[0])

  54. 		},

  55. 	}

  56. 	certClient.Flags().StringVar(&certFilePath, "cert", "", "CA certificate file path")

  57. 	certClient.Flags().StringVar(&keyFilePath, "key", "", "CA key file path")

  58. 	certCmd.AddCommand(&certClient)

  59. }

  60. 

  61. func certRoot(output string) {

  62. 	caPriv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

  63. 

  64. 	// 创建 CA 证书模板

  65. 	caTemplate := &x509.Certificate{

  66. 		SerialNumber: big.NewInt(1),

  67. 		Subject: pkix.Name{

  68. 			Organization: []string{"JCS"},

  69. 		},

  70. 		NotBefore:             time.Now(),

  71. 		NotAfter:              time.Now().AddDate(10, 0, 0), // 有效期10年

  72. 		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,

  73. 		BasicConstraintsValid: true,

  74. 		IsCA:                  true,

  75. 	}

  76. 

  77. 	// 自签名 CA 证书

  78. 	caCertDER, _ := x509.CreateCertificate(rand.Reader, caTemplate, caTemplate, &caPriv.PublicKey, caPriv)

  79. 

  80. 	// 保存 CA 证书和私钥

  81. 	writePem(filepath.Join(output, "ca_cert.pem"), "CERTIFICATE", caCertDER)

  82. 

  83. 	privDER, _ := x509.MarshalECPrivateKey(caPriv)

  84. 	writePem(filepath.Join(output, "ca_key.pem"), "EC PRIVATE KEY", privDER)

  85. 	fmt.Println("CA certificate and key saved to", output)

  86. }

  87. 

  88. func certServer(certFile string, keyFile string, output string) {

  89. 	// 读取 CA 证书和私钥

  90. 	caCertPEM, err := os.ReadFile(certFile)

  91. 	if err != nil {

  92. 		fmt.Println("Failed to read CA certificate:", err)

  93. 		return

  94. 	}

  95. 	caKeyPEM, err := os.ReadFile(keyFile)

  96. 	if err != nil {

  97. 		fmt.Println("Failed to read CA key:", err)

  98. 		return

  99. 	}

  100. 	caCertPEMBlock, _ := pem.Decode(caCertPEM)

  101. 	if caCertPEMBlock == nil {

  102. 		fmt.Println("Failed to decode CA certificate")

  103. 		return

  104. 	}

  105. 	caKeyPEMBlock, _ := pem.Decode(caKeyPEM)

  106. 	if caKeyPEMBlock == nil {

  107. 		fmt.Println("Failed to decode CA key")

  108. 		return

  109. 	}

  110. 

  111. 	caCert, err := x509.ParseCertificate(caCertPEMBlock.Bytes)

  112. 	if err != nil {

  113. 		fmt.Println("Failed to parse CA certificate:", err)

  114. 		return

  115. 	}

  116. 

  117. 	caKey, err := x509.ParseECPrivateKey(caKeyPEMBlock.Bytes)

  118. 	if err != nil {

  119. 		fmt.Println("Failed to parse CA key:", err)

  120. 		return

  121. 	}

  122. 

  123. 	// 生成服务端私钥

  124. 	serverPriv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

  125. 

  126. 	// 服务端证书模板

  127. 	serverTemplate := &x509.Certificate{

  128. 		SerialNumber: big.NewInt(2),

  129. 		Subject: pkix.Name{

  130. 			CommonName: "localhost",

  131. 		},

  132. 		NotBefore:             time.Now(),

  133. 		NotAfter:              time.Now().AddDate(1, 0, 0), // 有效期1年

  134. 		KeyUsage:              x509.KeyUsageDigitalSignature,

  135. 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},

  136. 		BasicConstraintsValid: true,

  137. 	}

  138. 

  139. 	// 添加主机名/IP 到证书

  140. 	serverTemplate.DNSNames = []string{auth.ClientInternalSNI}

  141. 

  142. 	// 用 CA 签发服务端证书

  143. 	serverCertDER, _ := x509.CreateCertificate(rand.Reader, serverTemplate, caCert, &serverPriv.PublicKey, caKey)

  144. 

  145. 	// 保存服务端证书和私钥

  146. 	writePem(filepath.Join(output, "server_cert.pem"), "CERTIFICATE", serverCertDER)

  147. 

  148. 	privPem, _ := x509.MarshalECPrivateKey(serverPriv)

  149. 	writePem(filepath.Join(output, "server_key.pem"), "EC PRIVATE KEY", privPem)

  150. 	fmt.Println("Server certificate and key saved to", output)

  151. }

  152. 

  153. func certClient(certFile string, keyFile string, output string) {

  154. 	// 读取 CA 证书和私钥

  155. 	caCertPEM, err := os.ReadFile(certFile)

  156. 	if err != nil {

  157. 		fmt.Println("Failed to read CA certificate:", err)

  158. 		return

  159. 	}

  160. 	caKeyPEM, err := os.ReadFile(keyFile)

  161. 	if err != nil {

  162. 		fmt.Println("Failed to read CA key:", err)

  163. 		return

  164. 	}

  165. 	caCertPEMBlock, _ := pem.Decode(caCertPEM)

  166. 	if caCertPEMBlock == nil {

  167. 		fmt.Println("Failed to decode CA certificate")

  168. 		return

  169. 	}

  170. 	caKeyPEMBlock, _ := pem.Decode(caKeyPEM)

  171. 	if caKeyPEMBlock == nil {

  172. 		fmt.Println("Failed to decode CA key")

  173. 		return

  174. 	}

  175. 

  176. 	caCert, err := x509.ParseCertificate(caCertPEMBlock.Bytes)

  177. 	if err != nil {

  178. 		fmt.Println("Failed to parse CA certificate:", err)

  179. 		return

  180. 	}

  181. 

  182. 	caKey, err := x509.ParseECPrivateKey(caKeyPEMBlock.Bytes)

  183. 	if err != nil {

  184. 		fmt.Println("Failed to parse CA key:", err)

  185. 		return

  186. 	}

  187. 

  188. 	// 生成客户端私钥

  189. 	clientPriv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

  190. 

  191. 	// 客户端证书模板

  192. 	clientTemplate := &x509.Certificate{

  193. 		SerialNumber: big.NewInt(3),

  194. 		Subject: pkix.Name{

  195. 			CommonName: "client",

  196. 		},

  197. 		NotBefore:             time.Now(),

  198. 		NotAfter:              time.Now().AddDate(1, 0, 0), // 有效期1年

  199. 		KeyUsage:              x509.KeyUsageDigitalSignature,

  200. 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},

  201. 		BasicConstraintsValid: true,

  202. 	}

  203. 

  204. 	// 用 CA 签发客户端证书

  205. 	clientCertDER, _ := x509.CreateCertificate(rand.Reader, clientTemplate, caCert, &clientPriv.PublicKey, caKey)

  206. 

  207. 	// 保存客户端证书和私钥

  208. 	writePem(filepath.Join(output, "client_cert.pem"), "CERTIFICATE", clientCertDER)

  209. 

  210. 	privPem, _ := x509.MarshalECPrivateKey(clientPriv)

  211. 	writePem(filepath.Join(output, "client_key.pem"), "EC PRIVATE KEY", privPem)

  212. 	fmt.Println("Client certificate and key saved to", output)

  213. }

  214. 

  215. func writePem(filename, pemType string, bytes []byte) {

  216. 	f, _ := os.Create(filename)

  217. 	pem.Encode(f, &pem.Block{Type: pemType, Bytes: bytes})

  218. 	f.Close()

  219. }

本项目旨在将云际存储公共基础设施化,使个人及企业可低门槛使用高效的云际存储服务(安装开箱即用云际存储客户端即可,无需关注其他组件的部署),同时支持用户灵活便捷定制云际存储的功能细节。