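package manager

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io/ioutil"
	"os"
	"time"

	"github.com/Cloud-Foundations/Dominator/lib/format"
	"github.com/Cloud-Foundations/Dominator/lib/fsutil"
	"github.com/Cloud-Foundations/Dominator/lib/x509util"
)

// parseKeyPair parses a PEM-encoded certificate together with its PEM-encoded
// private key and returns the leaf certificate.
//
// It returns an error when the pair does not parse or the key does not match
// the certificate (tls.X509KeyPair), or when the leaf is not valid at the
// current time (NotBefore still in the future, or NotAfter already passed).
// Only the leaf's validity window is checked here; no chain building or
// signature verification is performed.
func parseKeyPair(certPEM, keyPEM []byte) (*x509.Certificate, error) {
	tlsCert, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return nil, err
	}
	// X509KeyPair only succeeds when at least one certificate was found, so
	// index 0 (the leaf) is safe to read.
	x509Cert, err := x509.ParseCertificate(tlsCert.Certificate[0])
	if err != nil {
		return nil, err
	}
	now := time.Now()
	if notYet := x509Cert.NotBefore.Sub(now); notYet > 0 {
		return nil,
			fmt.Errorf("cert will not be valid for %s", format.Duration(notYet))
	}
	if expired := now.Sub(x509Cert.NotAfter); expired > 0 {
		return nil, fmt.Errorf("cert expired %s ago", format.Duration(expired))
	}

	return x509Cert, nil
}

// validateIdentityKeyPair checks a certificate/key pair that is about to be
// handed to a VM as its identity. username is the identity of the caller
// making the request.
//
// On success it returns the username carried by the certificate (as extracted
// by x509util.GetUsername) and the certificate's NotAfter time. It fails when
// the pair does not parse or is outside its validity window (see
// parseKeyPair), when no username can be extracted, or when the certificate's
// username equals the caller's own, since a caller must not delegate its own
// identity to a VM.
func validateIdentityKeyPair(certPEM, keyPEM []byte, username string) (
	string, time.Time, error) {
	x509Cert, err := parseKeyPair(certPEM, keyPEM)
	if err != nil {
		return "", time.Time{}, err
	}
	certUsername, err := x509util.GetUsername(x509Cert)
	if err != nil {
		return "", time.Time{}, err
	}
	if username == certUsername {
		return "", time.Time{}, fmt.Errorf("cannot give VM your own identity")
	}
	return certUsername, x509Cert.NotAfter, nil
}

// writeKeyPair writes the certificate to certFilename and the private key to
// keyFilename. An empty certPEM or keyPEM means "nothing to write": both files
// are left untouched and nil is returned.
//
// The certificate is written first, so a failure while writing the key can
// leave a freshly written certificate next to an older key; callers that
// need the pair to change atomically must handle that themselves.
func writeKeyPair(certPEM, keyPEM []byte,
	certFilename, keyFilename string) error {
	if len(certPEM) < 1 || len(keyPEM) < 1 {
		return nil
	}
	err := ioutil.WriteFile(certFilename, certPEM, fsutil.PublicFilePerms)
	if err != nil {
		return err
	}
	return writePrivateFile(keyFilename, keyPEM, fsutil.PrivateFilePerms)
}

// writePrivateFile writes data to filename and guarantees the file has mode
// perm before any of data reaches disk.
//
// ioutil.WriteFile only applies perm when it creates the file; a pre-existing
// file keeps whatever mode it already had, so a private key written over a
// more permissive file would inherit that exposure. The explicit Chmod also
// applies perm exactly, regardless of the process umask on creation.
func writePrivateFile(filename string, data []byte, perm os.FileMode) error {
	file, err := os.OpenFile(filename,
		os.O_WRONLY|os.O_CREATE|os.O_TRUNC, perm)
	if err != nil {
		return err
	}
	// At this point the file is empty (just created or just truncated), so
	// tightening the mode here happens before any key bytes are written.
	if err := file.Chmod(perm); err != nil {
		file.Close()
		return err
	}
	if _, err := file.Write(data); err != nil {
		file.Close()
		return err
	}
	// A Close error (e.g. a deferred write failure) must not be swallowed for
	// key material.
	return file.Close()
}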