Axodouble/QUptime
0
1
Fork 0
Code Issues 2 Pull Requests Actions Packages Releases 11 Activity
Files
v0.0.1-hf1
QUptime/internal/crypto/keys.go
T
Axodouble caa45ed603 Updated versionand remote
2026-05-12 06:53:15 +00:00

95 lines
2.7 KiB
Go
Raw Permalink Blame History

// Package crypto handles the RSA key material every node uses for
// mutual TLS authentication and for the trust-store fingerprint pinning.
//
// Keys are RSA-3072 (NIST 112-bit security, well within the safe band
// through ~2030). They live PEM-encoded under <data_dir>/keys/.
package crypto
import (
"crypto/rand"
"crypto/rsa"
"crypto/x509"
"encoding/pem"
"errors"
"fmt"
"os"
"git.cer.sh/axodouble/quptime/internal/config"
)
// KeySize is the RSA modulus size used by qu.
const KeySize = 3072
// GenerateKeyPair creates a fresh RSA keypair and writes the private,
// public, and self-signed certificate to the standard paths.
// It refuses to overwrite existing keys.
func GenerateKeyPair(commonName string) (*rsa.PrivateKey, error) {
if _, err := os.Stat(config.PrivateKeyPath()); err == nil {
return nil, errors.New("key material already exists; refusing to overwrite")
}
if err := config.EnsureDataDir(); err != nil {
return nil, err
}
priv, err := rsa.GenerateKey(rand.Reader, KeySize)
if err != nil {
return nil, fmt.Errorf("generate rsa key: %w", err)
}
if err := writePEM(config.PrivateKeyPath(), "RSA PRIVATE KEY",
x509.MarshalPKCS1PrivateKey(priv), 0o600); err != nil {
return nil, err
}
pubDER, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
if err != nil {
return nil, err
}
if err := writePEM(config.PublicKeyPath(), "PUBLIC KEY", pubDER, 0o644); err != nil {
return nil, err
}
certDER, err := buildSelfSignedCert(priv, commonName)
if err != nil {
return nil, err
}
if err := writePEM(config.CertFilePath(), "CERTIFICATE", certDER, 0o644); err != nil {
return nil, err
}
return priv, nil
}
// LoadPrivateKey reads the on-disk RSA private key.
func LoadPrivateKey() (*rsa.PrivateKey, error) {
raw, err := os.ReadFile(config.PrivateKeyPath())
if err != nil {
return nil, err
}
block, _ := pem.Decode(raw)
if block == nil {
return nil, errors.New("private key: no PEM block")
}
switch block.Type {
case "RSA PRIVATE KEY":
return x509.ParsePKCS1PrivateKey(block.Bytes)
case "PRIVATE KEY":
k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
if err != nil {
return nil, err
}
rk, ok := k.(*rsa.PrivateKey)
if !ok {
return nil, errors.New("private key: not RSA")
}
return rk, nil
default:
return nil, fmt.Errorf("private key: unexpected PEM type %q", block.Type)
}
}
// LoadCertPEM reads the self-signed cert file (used as the TLS leaf).
func LoadCertPEM() ([]byte, error) {
return os.ReadFile(config.CertFilePath())
}
func writePEM(path, blockType string, der []byte, perm os.FileMode) error {
encoded := pem.EncodeToMemory(&pem.Block{Type: blockType, Bytes: der})
return config.AtomicWrite(path, encoded, perm)
}
Reference in New Issue View Git Blame Copy Permalink