1 |
|
2 |
|
3 |
|
4 |
|
5 |
|
6 |
|
7 |
|
8 |
|
9 |
|
10 |
|
11 |
|
12 |
|
13 |
|
14 |
|
15 |
|
16 | var crypto = require('crypto');
|
17 | var util = require('util');
|
18 | var path = require('path');
|
19 | var fs = require('fs');
|
20 | var moment = require('moment');
|
21 |
|
22 | var utils = require('./utils');
|
23 | var utilsCore = require('./utilsCore');
|
24 |
|
25 |
|
26 | var BEGIN_CERT = '-----BEGIN CERTIFICATE-----';
|
27 |
|
28 | var END_CERT = '-----END CERTIFICATE-----';
|
29 |
|
30 | var SSHDashRSA = 'ssh-rsa';
|
31 |
|
32 |
|
33 |
|
34 |
|
35 |
|
36 |
|
37 |
|
38 |
|
39 |
|
40 |
|
41 |
|
42 |
|
43 |
|
44 |
|
45 |
|
46 |
|
47 |
|
48 |
|
49 |
|
50 |
|
51 |
|
52 |
|
53 |
|
54 | exports.openSshRSAPubToPkcs8RsaPubPEM = function (sshRSAPubKey) {
|
55 | var sshKeyToPEM = require('ssh-key-to-pem');
|
56 | return sshKeyToPEM(sshRSAPubKey);
|
57 | };
|
58 |
|
59 |
|
60 |
|
61 |
|
62 |
|
63 |
|
64 |
|
65 |
|
66 |
|
67 |
|
68 |
|
69 |
|
70 |
|
71 |
|
72 |
|
73 |
|
74 |
|
75 |
|
76 |
|
77 |
|
78 |
|
79 |
|
80 |
|
81 |
|
82 |
|
83 |
|
84 |
|
85 |
|
86 |
|
87 |
|
88 |
|
89 |
|
90 |
|
91 |
|
92 |
|
93 |
|
94 |
|
95 |
|
96 |
|
97 |
|
98 |
|
99 |
|
100 |
|
101 |
|
102 |
|
103 |
|
104 |
|
105 |
|
106 |
|
107 |
|
108 |
|
109 |
|
110 |
|
111 |
|
112 |
|
113 |
|
114 |
|
115 |
|
116 |
|
117 |
|
118 |
|
119 | exports.pkcs8RSAPubPEMToX509CertPEM = function (pkc8RSAPub) {
|
120 | require('jsrsasign');
|
121 |
|
122 | var certValidityRange = exports.getCertValidityRange();
|
123 | var x509CertPEM = KJUR.asn1.x509.X509Util.newCertPEM({
|
124 | serial: { int: 1 },
|
125 | sigalg: { name: 'SHA1withRSA', paramempty: true },
|
126 | issuer: { str: 'CN=Root Agency' },
|
127 | notbefore: { 'str': certValidityRange.start },
|
128 | notafter: { 'str': certValidityRange.end },
|
129 | subject: { str: '/C=DE/O=dummy-subject/CN=dummy' },
|
130 | sbjpubkey: pkc8RSAPub,
|
131 | sighex: '00'
|
132 | });
|
133 |
|
134 | var certEnd = x509CertPEM.indexOf(END_CERT);
|
135 |
|
136 | if (x509CertPEM[certEnd - 2] === '\r' && x509CertPEM[certEnd - 1] === '\n') {
|
137 | if (x509CertPEM[certEnd - 4] === '\r' && x509CertPEM[certEnd - 3] === '\n') {
|
138 | x509CertPEM = x509CertPEM.replace(new RegExp('\r\n' + END_CERT + '(\r\n)?' + '$'), END_CERT);
|
139 | }
|
140 | } else if (x509CertPEM[certEnd - 2] === '\n' && x509CertPEM[certEnd - 1] === '\n') {
|
141 | x509CertPEM = x509CertPEM.replace(new RegExp('\n' + END_CERT + '\n?' + '$'), END_CERT);
|
142 | }
|
143 |
|
144 | return x509CertPEM;
|
145 | };
|
146 |
|
147 | exports.openSshRSAPubToX509CertPEM = function (openSShRSAPub) {
|
148 | var pkcs8RsaPubKey = exports.openSshRSAPubToPkcs8RsaPubPEM(openSShRSAPub);
|
149 | return exports.pkcs8RSAPubPEMToX509CertPEM(pkcs8RsaPubKey);
|
150 | };
|
151 |
|
152 | exports.isX509CertPEM = function (data) {
|
153 | return (data && data.indexOf(BEGIN_CERT) !== -1 && data.indexOf(END_CERT) !== -1);
|
154 | };
|
155 |
|
156 | exports.isOpenSshRSAPub = function (data) {
|
157 | if (data) {
|
158 |
|
159 | var tokens = data.split([' ']);
|
160 | return (tokens.length >= 2 && tokens[0] === SSHDashRSA);
|
161 | }
|
162 |
|
163 | return false;
|
164 | };
|
165 |
|
166 | exports.getFingerprintFromX509CertPEM = function (x509CertPEM) {
|
167 | var certBase64 = exports.extractBase64X509CertFromPEM(x509CertPEM);
|
168 |
|
169 | var cert = new Buffer(certBase64, 'base64');
|
170 | var sha1 = crypto.createHash('sha1');
|
171 | sha1.update(cert);
|
172 | return sha1.digest('hex');
|
173 | };
|
174 |
|
175 | exports.extractBase64X509CertFromPEM = function (x509CertPEM) {
|
176 |
|
177 | var beginCert = x509CertPEM.indexOf(BEGIN_CERT) + BEGIN_CERT.length;
|
178 | if (x509CertPEM[beginCert] === '\n') {
|
179 | beginCert = beginCert + 1;
|
180 | } else if (x509CertPEM[beginCert] === '\r' && x509CertPEM[beginCert + 1] === '\n') {
|
181 | beginCert = beginCert + 2;
|
182 | }
|
183 |
|
184 | var endCert = '\n' + x509CertPEM.indexOf(END_CERT);
|
185 | if (endCert === -1) {
|
186 | endCert = '\r\n' + x509CertPEM.indexOf(END_CERT);
|
187 | }
|
188 |
|
189 | return x509CertPEM.substring(beginCert, endCert);
|
190 | };
|
191 |
|
192 | exports.generatePemKeyPair = function () {
|
193 | var jsrsasign = require('jsrsasign');
|
194 |
|
195 | var keys = jsrsasign.KEYUTIL.generateKeypair('RSA', 2048);
|
196 | var pub = jsrsasign.KEYUTIL.getPEM(keys.pubKeyObj);
|
197 | var pvt = jsrsasign.KEYUTIL.getPEM(keys.prvKeyObj, 'PKCS8PRV');
|
198 |
|
199 | return { public: pub, private: pvt };
|
200 | };
|
201 |
|
202 | exports.generateX509PemCert = function (publicKey, privateKey, password) {
|
203 | var jsrsasign = require('jsrsasign');
|
204 |
|
205 | var certValidityRange = exports.getCertValidityRange();
|
206 | var certParams = {
|
207 | serial: { int: 1 },
|
208 | sigalg: { name: 'SHA1withECDSA', paramempty: true },
|
209 | issuer: { str: 'CN=Root Agency' },
|
210 | notbefore: { 'str': certValidityRange.start },
|
211 | notafter: { 'str': certValidityRange.end },
|
212 | subject: { str: '/C=US/O=b' },
|
213 | sbjpubkey: publicKey
|
214 | };
|
215 |
|
216 | if(privateKey) {
|
217 | certParams.cakey = [ privateKey, password ];
|
218 | }
|
219 |
|
220 | var certPEM = jsrsasign.asn1.x509.X509Util.newCertPEM(certParams);
|
221 | return certPEM;
|
222 | };
|
223 |
|
224 | exports.checkSSHKeys = function (azureSshDir, keyPaths, callback) {
|
225 | utils.fileExists(azureSshDir, function(error, exists) {
|
226 | if (error) {
|
227 | return callback(error);
|
228 | }
|
229 |
|
230 | if (!exists) {
|
231 | fs.mkdir(azureSshDir, function(error) {
|
232 | if (error) {
|
233 | return callback(error);
|
234 | }
|
235 |
|
236 | return callback(null, false);
|
237 | });
|
238 | } else {
|
239 | utils.fileExists(keyPaths.privateKeyPath, function(error, exists) {
|
240 | if (error) {
|
241 | return callback(error);
|
242 | }
|
243 |
|
244 | if (exists) {
|
245 | utils.fileExists(keyPaths.certPath, function(error, exists) {
|
246 | if (error) {
|
247 | return callback(error);
|
248 | }
|
249 |
|
250 | return callback(null, exists);
|
251 | });
|
252 | } else {
|
253 | return callback(null, false);
|
254 | }
|
255 | });
|
256 | }
|
257 | });
|
258 | };
|
259 |
|
260 | exports.generateSSHKeysIfNeeded = function (vmName, callback) {
|
261 | var azureSshDir = path.join(utilsCore.azureDir(), 'ssh');
|
262 | var keyPaths = {
|
263 | certPath: path.join(azureSshDir, vmName + '-cert.pem'),
|
264 | privateKeyPath: path.join(azureSshDir, vmName + '-key.pem')
|
265 | };
|
266 |
|
267 | exports.checkSSHKeys(azureSshDir, keyPaths, function(error, exists) {
|
268 | if (!exists) {
|
269 | exports.generateAndSaveSSHKeys(keyPaths.privateKeyPath, keyPaths.certPath);
|
270 | }
|
271 |
|
272 | return callback(null, keyPaths);
|
273 | });
|
274 | };
|
275 |
|
276 | exports.generateAndSaveSSHKeys = function (privateKeyPath, certPath) {
|
277 | var keys = exports.generatePemKeyPair();
|
278 | var cert = exports.generateX509PemCert(keys.public, keys.private, '');
|
279 | fs.writeFileSync(privateKeyPath, keys.private);
|
280 | fs.writeFileSync(certPath, cert);
|
281 | fs.chmodSync(privateKeyPath, 0600);
|
282 | };
|
283 |
|
284 | exports.getCertValidityRange = function () {
|
285 | function pad(n) {
|
286 | return n < 10 ? '0' + n : n;
|
287 | }
|
288 |
|
289 | function toUTCString(d) {
|
290 | return util.format('%s%s%s%s%s%sZ', d.getUTCFullYear(),
|
291 | pad(d.getUTCMonth() + 1),
|
292 | pad(d.getUTCDate()),
|
293 | pad(d.getUTCHours()),
|
294 | pad(d.getUTCMinutes()),
|
295 | pad(d.getUTCSeconds()));
|
296 | }
|
297 |
|
298 | var startDateTime = new Date();
|
299 | startDateTime.setMinutes(startDateTime.getMinutes() - 10);
|
300 | var m = moment(startDateTime);
|
301 | m.add(10, 'years');
|
302 | var endDateTime = new Date(m.toISOString());
|
303 |
|
304 | return {
|
305 | start: toUTCString(startDateTime),
|
306 | end: toUTCString(endDateTime)
|
307 | };
|
308 | }; |
\ | No newline at end of file |
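Review bot: In generateAndSaveSSHKeys (file lines 276–282) the private key is created by `fs.writeFileSync` with the default mode and only afterwards narrowed by `fs.chmodSync(privateKeyPath, 0600)`, so between the two calls the key file carries whatever permissions the process umask allows; setting the mode at creation closes that window, `fs.writeFileSync(privateKeyPath, keys.private, { mode: 0600 });`, and the existing chmodSync can stay as a fallback for a file that already existed. In extractBase64X509CertFromPEM (lines 184–187) `var endCert = '\n' + x509CertPEM.indexOf(END_CERT)` prepends a newline to the index, so the `endCert === -1` check can never match and the fallback branch is dead; the later `substring` only works because it coerces the string back to a number, and the line should read `var endCert = x509CertPEM.indexOf(END_CERT);`. In generateSSHKeysIfNeeded (lines 267–273) the `error` argument of the checkSSHKeys callback is never inspected, so a failed mkdir or stat is reported to the caller as a successful key lookup; the callback should begin with `if (error) { return callback(error); }`. `new Buffer(certBase64, 'base64')` on line 169 is the deprecated constructor and should be `Buffer.from(certBase64, 'base64')`.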