pki-io / core
Main pki.io repo
License: Other
The WebID Protocol has existed for a number of years; it enables decentralized, web-friendly client authentication. Users authenticate over HTTP+TLS by presenting a certificate with a subjectAltName (SAN) containing a URI identifier (a WebID) which can be used as a name for the person. For example, http://www.w3.org/People/Berners-Lee/card#i is Sir Tim Berners-Lee's WebID.
subjectAltName is reasonably hard to configure with openssl tooling, requiring the SAN to be specified in the openssl.cnf file (reconfigure for every certificate created!).
Please, please, support certificate extensions easily, especially subjectAltName.
Thank you.
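As an added example (not code from pki.io or from the issue author), the following Go program shows what the request above amounts to in code: a client certificate whose subjectAltName carries the WebID as a URI, plus the check a relying party would run to pull that URI back out. It also draws the serial number from a CSPRNG with a 128-bit bound, which is the approach a later issue on this page asks about. All names and the "WebID client" subject are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// randomSerial returns a uniformly random serial in [0, 2^128).
// RFC 5280 limits serials to 20 octets, so 128 bits leaves headroom.
func randomSerial() (*big.Int, error) {
	limit := new(big.Int).Lsh(big.NewInt(1), 128)
	return rand.Int(rand.Reader, limit)
}

// newWebIDCert issues a self-signed P-256 client certificate whose
// subjectAltName holds the WebID as a uniformResourceIdentifier.
// It returns the DER certificate and the private key.
func newWebIDCert(webid string) ([]byte, *ecdsa.PrivateKey, error) {
	u, err := url.Parse(webid)
	if err != nil {
		return nil, nil, err
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: "WebID client"}, // assumed subject
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		URIs:         []*url.URL{u}, // becomes a URI entry in the SAN extension
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	return der, key, nil
}

// webIDFromCert is the relying-party side: parse the certificate and return
// the first URI SAN, which is the WebID to dereference. A certificate without
// a URI SAN is not a WebID certificate and is rejected.
func webIDFromCert(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	if len(cert.URIs) == 0 {
		return "", errors.New("no URI subjectAltName: not a WebID certificate")
	}
	return cert.URIs[0].String(), nil
}

func main() {
	der, _, err := newWebIDCert("http://www.w3.org/People/Berners-Lee/card#i")
	if err != nil {
		panic(err)
	}
	id, err := webIDFromCert(der)
	if err != nil {
		panic(err)
	}
	fmt.Println("WebID SAN:", id)
}
```

Written to a PEM file, the result shows up under "X509v3 Subject Alternative Name" as a "URI:" entry in `openssl x509 -in cert.pem -noout -text`, with no openssl.cnf editing involved.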
Current 128 bit random keys are used to match 128 bit security level provided by AES-256. Could increase the shared key size to 256 bits and maybe reduce the ID size from 128 bits to 64 bits.
Before a message can be verified, it still has to be parsed. Need to look at protecting against nested or large (or any other logic) documents that could cause a DoS when parsed.
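As an added example (not pki.io code), here is one way to bound a JSON document before it is parsed in full: stream it with json.Decoder, count bytes through the reader, and track delimiter depth, so an oversized or deeply nested document is rejected before any tree is built. The size and depth limits and the function names are assumptions for illustration, not values from the project.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Limits assumed for this example; tune them per deployment.
const (
	maxDocBytes = 1 << 20 // 1 MiB
	maxDepth    = 32
)

// countingReader records how many bytes the decoder actually consumed.
type countingReader struct {
	r io.Reader
	n int
}

func (c *countingReader) Read(p []byte) (int, error) {
	n, err := c.r.Read(p)
	c.n += n
	return n, err
}

// checkJSONBounds walks the token stream without building a value, so an
// oversized or too-deeply-nested document is refused before a full unmarshal.
func checkJSONBounds(r io.Reader) error {
	cr := &countingReader{r: io.LimitReader(r, maxDocBytes+1)}
	dec := json.NewDecoder(cr)
	depth := 0
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			break
		}
		if err != nil {
			if cr.n > maxDocBytes {
				return fmt.Errorf("document exceeds %d bytes", maxDocBytes)
			}
			return err
		}
		if d, ok := tok.(json.Delim); ok {
			switch d {
			case '{', '[':
				depth++
				if depth > maxDepth {
					return fmt.Errorf("nesting depth exceeds %d", maxDepth)
				}
			case '}', ']':
				depth--
			}
		}
	}
	if depth != 0 {
		return errors.New("unbalanced document")
	}
	return nil
}

// parseBounded runs the bounds check first and only then unmarshals.
func parseBounded(doc string) (any, error) {
	if err := checkJSONBounds(strings.NewReader(doc)); err != nil {
		return nil, err
	}
	var v any
	if err := json.Unmarshal([]byte(doc), &v); err != nil {
		return nil, err
	}
	return v, nil
}

func main() {
	// Constructed inputs: one ordinary document and one nested past the limit.
	for _, doc := range []string{
		`{"type":"node","nested":[1,[2,[3]]]}`,
		strings.Repeat("[", maxDepth+1) + strings.Repeat("]", maxDepth+1),
	} {
		_, err := parseBounded(doc)
		fmt.Printf("len=%d err=%v\n", len(doc), err)
	}
}
```

Running the bounds pass before signature verification matters because verification itself needs the parsed document, so the parser is reachable by anyone who can deliver a message.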
Generally need to add more unit tests.
The PEM file created begins with
-----BEGIN ECDSA PRIVATE KEY-----
Whereas openssl is expecting
-----BEGIN EC PRIVATE KEY-----
This is being set on line 227 of helpers.go
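The interop point in the report above, as an added example rather than the project's own code: the SEC 1 / RFC 5915 private-key structure that x509.MarshalECPrivateKey produces must be labelled "EC PRIVATE KEY" for OpenSSL to read it, and a loader should refuse any other label rather than guess. Function names are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// pemTypeEC is the label OpenSSL and RFC 5915 use for a SEC 1 EC private key.
// "ECDSA PRIVATE KEY" is not a label OpenSSL recognises.
const pemTypeEC = "EC PRIVATE KEY"

// generateECKey returns a fresh P-256 key for the examples below.
func generateECKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// encodeECPrivateKeyWithType writes the SEC 1 DER under an arbitrary label.
// It exists only so the wrong label can be demonstrated; use encodeECPrivateKey.
func encodeECPrivateKeyWithType(key *ecdsa.PrivateKey, typ string) ([]byte, error) {
	der, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, err
	}
	var buf bytes.Buffer
	if err := pem.Encode(&buf, &pem.Block{Type: typ, Bytes: der}); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// encodeECPrivateKey produces the OpenSSL-compatible form.
func encodeECPrivateKey(key *ecdsa.PrivateKey) ([]byte, error) {
	return encodeECPrivateKeyWithType(key, pemTypeEC)
}

// decodeECPrivateKey accepts only the standard label, so a file written with
// a non-standard header fails loudly instead of being silently misparsed.
func decodeECPrivateKey(data []byte) (*ecdsa.PrivateKey, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return nil, fmt.Errorf("no PEM block found")
	}
	if block.Type != pemTypeEC {
		return nil, fmt.Errorf("unexpected PEM type %q, want %q", block.Type, pemTypeEC)
	}
	return x509.ParseECPrivateKey(block.Bytes)
}

func main() {
	key, err := generateECKey()
	if err != nil {
		panic(err)
	}
	good, _ := encodeECPrivateKey(key)
	fmt.Print(string(good[:bytes.IndexByte(good, '\n')+1]))
	bad, _ := encodeECPrivateKeyWithType(key, "ECDSA PRIVATE KEY")
	_, err = decodeECPrivateKey(bad)
	fmt.Println("wrong label rejected:", err)
}
```

A file produced with the correct label round-trips through `openssl ec -in key.pem -noout -check`, which is the quickest external check that the header and the DER body agree.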
Is missing.
e.g. make lint
Currently hardcoded for testing
RandomByte or UUID converted to Int. Would be nice if serials always incremented (timestamp?)
In addition to p-256?
Unfortunately I thought I knew what I'd done, so I just deleted it after saving this one error. Worst users ever.
I believe what I did was:
pki.io init foo
cd foo
pki.io ca list
...but that obviously doesn't reproduce the problem right now, on exactly the same machine / name / setup / etc.
% pki.io ca list
&{{{0xc20805a480 map[] false {0 0} [true true false false false true] 0xc20805a540 0} 0xc20807a9c0 0xc208069180}}
Loading admin app
Loading admin config
Loading admin entity
Loading org entity
*************************************************
[..]
The error was: Could not decrypt container: Could not decrypt: Could not decrypt container: Can't initialise cipher: crypto/aes: invalid key size 0
panic: ...
goroutine 1 [running]:
main.checkAppFatal(0x8d8910, 0x1f, 0xc2080b8400, 0x1, 0x1)
/tmp/tmp.Yo5NzUr1SO/go/src/github.com/pki-io/admin/helpers.go:44 +0x214
main.(*AdminApp).LoadOrgEntity(0xc208068680)
/tmp/tmp.Yo5NzUr1SO/go/src/github.com/pki-io/admin/adminApp.go:208 +0x91a
main.(*AdminApp).Load(0xc208068680)
/tmp/tmp.Yo5NzUr1SO/go/src/github.com/pki-io/admin/adminApp.go:261 +0x14c
main.caList(0xc20809e000, 0x0, 0x0)
/tmp/tmp.Yo5NzUr1SO/go/src/github.com/pki-io/admin/runCA.go:77 +0x60
main.runCA(0xc20809d200, 0x2, 0x2, 0x0, 0x0)
/tmp/tmp.Yo5NzUr1SO/go/src/github.com/pki-io/admin/runCA.go:187 +0x21b
main.runCommand(0x7fffa822e78a, 0x2, 0xc20802b550, 0x1, 0x1, 0x0, 0x0)
/tmp/tmp.Yo5NzUr1SO/go/src/github.com/pki-io/admin/pki.io.go:69 +0x321
main.main()
/tmp/tmp.Yo5NzUr1SO/go/src/github.com/pki-io/admin/pki.io.go:52 +0x4b7
goroutine 5 [runnable]:
github.com/cihub/seelog.(*asyncLoopLogger).processQueue(0xc20805a1e0)
/tmp/tmp.Yo5NzUr1SO/go/src/github.com/pki-io/admin/_vendor/src/github.com/cihub/seelog/behavior_asynclooplogger.go:61
created by github.com/cihub/seelog.newAsyncLoopLogger
/tmp/tmp.Yo5NzUr1SO/go/src/github.com/pki-io/admin/_vendor/src/github.com/cihub/seelog/behavior_asynclooplogger.go:40 +0x8e
goroutine 6 [runnable]:
github.com/cihub/seelog.(*asyncLoopLogger).processQueue(0xc20805a300)
/tmp/tmp.Yo5NzUr1SO/go/src/github.com/pki-io/admin/_vendor/src/github.com/cihub/seelog/behavior_asynclooplogger.go:61
created by github.com/cihub/seelog.newAsyncLoopLogger
/tmp/tmp.Yo5NzUr1SO/go/src/github.com/pki-io/admin/_vendor/src/github.com/cihub/seelog/behavior_asynclooplogger.go:40 +0x8e
goroutine 7 [runnable]:
github.com/cihub/seelog.(*asyncLoopLogger).processQueue(0xc20805a4e0)
/tmp/tmp.Yo5NzUr1SO/go/src/github.com/pki-io/admin/_vendor/src/github.com/cihub/seelog/behavior_asynclooplogger.go:61
created by github.com/cihub/seelog.newAsyncLoopLogger
/tmp/tmp.Yo5NzUr1SO/go/src/github.com/pki-io/admin/_vendor/src/github.com/cihub/seelog/behavior_asynclooplogger.go:40 +0x8e
At the moment you have to manually build the map using the ID and key. Would be nice to provide a method that returns a pre-made map, perhaps even merging with an existing map if provided.
E.g.
keys := make(map[string]string)
entityA.PublicKeys(keys)
entityB.PublicKeys(keys)
When I was working with the code for my recent PR, things wouldn't build because gojsonschema changed its interfaces. In my PR, I took the liberty of updating the code to use the new interfaces.
You should look into a more robust dependency management solution such as Goop as 'go get' doesn't support version freezing. Supporting Goop in particular is just a matter of adding a single file to the repo, so it's not very intrusive either. This would allow you to always build using the same versions of your dependencies.
This would allow intermediate CAs to be created and managed by pki.io while having the root CA managed elsewhere (e.g. MS PKI).
Instead of working with raw interface{} types, we should use the crypto.PrivateKey and crypto.PublicKey interfaces for code clarity.
Running this command (outside of org directory)
pki.io ca new tlabs-dev --dn-o falcon --dn-ou qa1 --tags consul
leads to
Loading admin app
&{{{0xc20805c480 map[] false {0 0} [true true false false false true] 0xc20805c540 0} 0xc2080749c0 0xc20805b200}}
*************************************************
* CONGRATULATIONS *
*************************************************
You may have just found a bug in pki.io :)
Please let us know by raising an issue on GitHub here: https://github.com/pki-io/core/issues
Or by dropping an email to: [email protected]
If possible, please include this full error message, including the below panic,
and anything else relevant like what command you ran.
Many thanks,
The pki.io team
The error was: Couldn't read org config: Could not read file: open /Users/hvolkmer/Downloads/pki.io/org.conf: no such file or directory
panic: ...
goroutine 1 [running]:
main.checkAppFatal(0x4dad30, 0x1c, 0xc20802b030, 0x1, 0x1)
/var/folders/n1/4ss_2rt10396zylvvdsjqv5cm4l758/T/tmp.qwP1TKnYGq/go/src/github.com/pki-io/admin/helpers.go:46 +0x22c
main.(*AdminApp).LoadOrgConfig(0xc20805a7c0)
/var/folders/n1/4ss_2rt10396zylvvdsjqv5cm4l758/T/tmp.qwP1TKnYGq/go/src/github.com/pki-io/admin/adminApp.go:233 +0x133
main.(*AdminApp).Load(0xc20805a7c0)
/var/folders/n1/4ss_2rt10396zylvvdsjqv5cm4l758/T/tmp.qwP1TKnYGq/go/src/github.com/pki-io/admin/adminApp.go:256 +0x106
main.caNew(0xc20808a420, 0x0, 0x0)
/var/folders/n1/4ss_2rt10396zylvvdsjqv5cm4l758/T/tmp.qwP1TKnYGq/go/src/github.com/pki-io/admin/runCA.go:25 +0x9b6
main.runCA(0xc20806e090, 0x9, 0x9, 0x0, 0x0)
/var/folders/n1/4ss_2rt10396zylvvdsjqv5cm4l758/T/tmp.qwP1TKnYGq/go/src/github.com/pki-io/admin/runCA.go:185 +0x166
main.runCommand(0x7fff5fbff74f, 0x2, 0xc208060300, 0x8, 0x8, 0x0, 0x0)
/var/folders/n1/4ss_2rt10396zylvvdsjqv5cm4l758/T/tmp.qwP1TKnYGq/go/src/github.com/pki-io/admin/pki.io.go:69 +0x321
main.main()
/var/folders/n1/4ss_2rt10396zylvvdsjqv5cm4l758/T/tmp.qwP1TKnYGq/go/src/github.com/pki-io/admin/pki.io.go:52 +0x4b7
goroutine 5 [semacquire]:
sync.(*Cond).Wait(0xc20805a3c0)
/usr/local/go/src/sync/cond.go:62 +0x9e
github.com/cihub/seelog.(*asyncLoopLogger).processItem(0xc20805c180, 0x0)
/var/folders/n1/4ss_2rt10396zylvvdsjqv5cm4l758/T/tmp.qwP1TKnYGq/go/src/github.com/pki-io/admin/_vendor/src/github.com/cihub/seelog/behavior_asynclooplogger.go:50 +0xc2
github.com/cihub/seelog.(*asyncLoopLogger).processQueue(0xc20805c180)
/var/folders/n1/4ss_2rt10396zylvvdsjqv5cm4l758/T/tmp.qwP1TKnYGq/go/src/github.com/pki-io/admin/_vendor/src/github.com/cihub/seelog/behavior_asynclooplogger.go:63 +0x31
created by github.com/cihub/seelog.newAsyncLoopLogger
/var/folders/n1/4ss_2rt10396zylvvdsjqv5cm4l758/T/tmp.qwP1TKnYGq/go/src/github.com/pki-io/admin/_vendor/src/github.com/cihub/seelog/behavior_asynclooplogger.go:40 +0x8e
goroutine 6 [semacquire]:
sync.(*Cond).Wait(0xc20805a880)
/usr/local/go/src/sync/cond.go:62 +0x9e
github.com/cihub/seelog.(*asyncLoopLogger).processItem(0xc20805c300, 0x0)
/var/folders/n1/4ss_2rt10396zylvvdsjqv5cm4l758/T/tmp.qwP1TKnYGq/go/src/github.com/pki-io/admin/_vendor/src/github.com/cihub/seelog/behavior_asynclooplogger.go:50 +0xc2
github.com/cihub/seelog.(*asyncLoopLogger).processQueue(0xc20805c300)
/var/folders/n1/4ss_2rt10396zylvvdsjqv5cm4l758/T/tmp.qwP1TKnYGq/go/src/github.com/pki-io/admin/_vendor/src/github.com/cihub/seelog/behavior_asynclooplogger.go:63 +0x31
created by github.com/cihub/seelog.newAsyncLoopLogger
/var/folders/n1/4ss_2rt10396zylvvdsjqv5cm4l758/T/tmp.qwP1TKnYGq/go/src/github.com/pki-io/admin/_vendor/src/github.com/cihub/seelog/behavior_asynclooplogger.go:40 +0x8e
goroutine 7 [runnable]:
sync.(*Cond).Wait(0xc20805b200)
/usr/local/go/src/sync/cond.go:62 +0x9e
github.com/cihub/seelog.(*asyncLoopLogger).processItem(0xc20805c4e0, 0x0)
/var/folders/n1/4ss_2rt10396zylvvdsjqv5cm4l758/T/tmp.qwP1TKnYGq/go/src/github.com/pki-io/admin/_vendor/src/github.com/cihub/seelog/behavior_asynclooplogger.go:50 +0xc2
github.com/cihub/seelog.(*asyncLoopLogger).processQueue(0xc20805c4e0)
/var/folders/n1/4ss_2rt10396zylvvdsjqv5cm4l758/T/tmp.qwP1TKnYGq/go/src/github.com/pki-io/admin/_vendor/src/github.com/cihub/seelog/behavior_asynclooplogger.go:63 +0x31
created by github.com/cihub/seelog.newAsyncLoopLogger
/var/folders/n1/4ss_2rt10396zylvvdsjqv5cm4l758/T/tmp.qwP1TKnYGq/go/src/github.com/pki-io/admin/_vendor/src/github.com/cihub/seelog/behavior_asynclooplogger.go:40 +0x8e
Expected behavior in this case: Show error message about missing config file w/o crashing
I use this version: pki.io 0.1.1-release1
on Mac OS X
Most returns are either "nil, error" or "something, nil". Need to catch accidental "nil, nil"
Look for obvious bugs, optimisations, vulns etc
Could be clearer with what it is doing, either providing a reference to how EC IES should be implemented, or commenting the code with a description of what and why. Crypto implementations are notoriously hard to get right, so we need to maximise transparency.
The CA supports a DN scope that can be used to enforce a naming scheme on the client certs.
Need to allow this to be used when creating a CA on the command line.
At the moment we don't wipe/zero memory containing sensitive data. Also we don't/can't set memory to non-paged.
Need to document it as part of the threat model.
The function RandomIntBetween in crypto/helpers.go is sort of hacky. Look into a more elegant solution.
Perhaps around 80% would be nice.
RSA is just not good enough these days. I would love to see EC support. This would make pitching the use of this software to our security team much easier. =)
Gone off the idea. Instead just have a config file in the directory that scopes the org/admin etc.
e.g.
/path/to/org1
.pki.io.conf
public
private
/path/to/org2
.pki.io.conf
public
private
While the encryption works as far as the tests are concerned, the key derivation function is broken. It returns an array of 32 0's, which is obviously incorrect. What this means is, regardless of public or private key, the AES key will always be 16 0's. Not exactly secure. :P I tried switching it to use the existing ExpandKey() function (which I didn't even realize we had), but some other issues creep up when using that. I need to revisit the ECIES encryption/decryption code in its entirety. I will add any documentation I use in the process to the comments.
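To give the two ECIES items on this page (the request for a documented reference construction, and the broken key derivation described just above) something concrete to compare against, here is an added example that is not pki.io's code: an ECIES-style encryption in Go using an ephemeral P-256 key, the ANSI X9.63 / SEC 1 §3.6.1 KDF (SHA-256 over the shared secret, a 32-bit counter and the ephemeral public key), and AES-256-GCM. The KDF output is a fixed 32 bytes by construction, and the encrypt path refuses an all-zero key, which is the failure mode reported above. Message layout and function names are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// x963KDF implements ANSI X9.63 KDF: K = SHA256(Z || counter || SharedInfo)
// for counter = 1, 2, ... concatenated and truncated to keyLen bytes.
func x963KDF(z, sharedInfo []byte, keyLen int) []byte {
	var out []byte
	var counter [4]byte
	for i := uint32(1); len(out) < keyLen; i++ {
		binary.BigEndian.PutUint32(counter[:], i)
		h := sha256.New()
		h.Write(z)
		h.Write(counter[:])
		h.Write(sharedInfo)
		out = h.Sum(out)
	}
	return out[:keyLen]
}

// isAllZero detects the degenerate key the issue above describes.
func isAllZero(b []byte) bool {
	for _, c := range b {
		if c != 0 {
			return false
		}
	}
	return true
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// newRecipient generates the long-term P-256 key a recipient would hold.
func newRecipient() (*ecdh.PrivateKey, error) {
	return ecdh.P256().GenerateKey(rand.Reader)
}

// eciesEncrypt output layout (assumed): ephemeralPub(65) || nonce(12) || ct+tag.
// The ephemeral public key is bound into the AEAD as associated data.
func eciesEncrypt(recipient *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	z, err := eph.ECDH(recipient) // 32-byte x-coordinate shared secret
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes() // 65-byte uncompressed point
	key := x963KDF(z, ephPub, 32)     // always 32 bytes: AES-256
	if isAllZero(key) {
		return nil, errors.New("kdf produced an all-zero key")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 0, len(ephPub)+len(nonce)+len(plaintext)+gcm.Overhead())
	out = append(out, ephPub...)
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, plaintext, ephPub), nil
}

// eciesDecrypt recomputes the same key from the recipient's private key and
// the sender's ephemeral public key; any tampering fails the GCM tag check.
func eciesDecrypt(priv *ecdh.PrivateKey, msg []byte) ([]byte, error) {
	const pubLen, nonceLen = 65, 12
	if len(msg) < pubLen+nonceLen+16 {
		return nil, errors.New("ciphertext too short")
	}
	ephPub := msg[:pubLen]
	pub, err := ecdh.P256().NewPublicKey(ephPub) // rejects off-curve points
	if err != nil {
		return nil, err
	}
	z, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(x963KDF(z, ephPub, 32))
	if err != nil {
		return nil, err
	}
	nonce := msg[pubLen : pubLen+nonceLen]
	return gcm.Open(nil, nonce, msg[pubLen+nonceLen:], ephPub)
}

func main() {
	priv, err := newRecipient()
	if err != nil {
		panic(err)
	}
	msg := []byte("node pairing payload") // constructed sample input
	ct, err := eciesEncrypt(priv.PublicKey(), msg)
	if err != nil {
		panic(err)
	}
	pt, err := eciesDecrypt(priv, ct)
	fmt.Println("roundtrip ok:", err == nil && bytes.Equal(pt, msg))
}
```

Because the derived key is exactly 32 bytes regardless of the shared secret, aes.NewCipher can never see a zero-length or oversized key, and because the ephemeral public key is both the KDF SharedInfo and the GCM associated data, swapping it out of a message breaks decryption rather than silently changing the key.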
As we're tying a schema to a document, we should enforce the type value as that is fixed for the document, and therefore schema.
Shows code coverage
Just got a random one-off error
[file-structure][fscott@ukm043583 test-org]$ gom run ../*.go node new server1 --pairing-id 6f18aad6be59961dd81695686d1f7c5b --pairing-key a88077882a6bc6d6ed9997b21deb8593
Loading admin app
Loading admin entity
Loading org entity
Creating new node
Generating node keys
Encrypting node for org
Could encrypt and authenticate node: Couldn't encrypt content: Could not encrypt container: Could not group encrypt: ecies: shared key is too big:
panic: Could encrypt and authenticate node: Couldn't encrypt content: Could not encrypt container: Could not group encrypt: ecies: shared key is too big:
...
Running the same command again worked.
We should document all of the code that is intended to be library code with the standard godoc jazz.
http://blog.golang.org/godoc-documenting-go-code
command:
pki.io cert new some.cn --expiry 120 --ca non-existing-ca --export testx.tar.gz
The error was: Couldn't get CA id: key non-existing-ca does not exist
panic: ...
goroutine 1 [running]:
main.checkAppFatal(0x4b93b0, 0x16, 0xc20802b130, 0x1, 0x1)
/var/folders/n1/4ss_2rt10396zylvvdsjqv5cm4l758/T/tmp.qwP1TKnYGq/go/src/github.com/pki-io/admin/helpers.go:46 +0x22c
main.certNew(0xc20808ff20, 0x0, 0x0)
/var/folders/n1/4ss_2rt10396zylvvdsjqv5cm4l758/T/tmp.qwP1TKnYGq/go/src/github.com/pki-io/admin/runCert.go:75 +0x1c5d
main.runCert(0xc20803ea90, 0xd, 0xd, 0x0, 0x0)
/var/folders/n1/4ss_2rt10396zylvvdsjqv5cm4l758/T/tmp.qwP1TKnYGq/go/src/github.com/pki-io/admin/runCert.go:129 +0x162
main.runCommand(0x7fff5fbff71f, 0x4, 0xc20806e300, 0xc, 0x10, 0x0, 0x0)
/var/folders/n1/4ss_2rt10396zylvvdsjqv5cm4l758/T/tmp.qwP1TKnYGq/go/src/github.com/pki-io/admin/pki.io.go:71 +0x3a2
main.main()
/var/folders/n1/4ss_2rt10396zylvvdsjqv5cm4l758/T/tmp.qwP1TKnYGq/go/src/github.com/pki-io/admin/pki.io.go:52 +0x4b7
goroutine 5 [semacquire]:
sync.(*Cond).Wait(0xc20805a580)
/usr/local/go/src/sync/cond.go:62 +0x9e
github.com/cihub/seelog.(*asyncLoopLogger).processItem(0xc20805c180, 0x0)
/var/folders/n1/4ss_2rt10396zylvvdsjqv5cm4l758/T/tmp.qwP1TKnYGq/go/src/github.com/pki-io/admin/_vendor/src/github.com/cihub/seelog/behavior_asynclooplogger.go:50 +0xc2
github.com/cihub/seelog.(*asyncLoopLogger).processQueue(0xc20805c180)
/var/folders/n1/4ss_2rt10396zylvvdsjqv5cm4l758/T/tmp.qwP1TKnYGq/go/src/github.com/pki-io/admin/_vendor/src/github.com/cihub/seelog/behavior_asynclooplogger.go:63 +0x31
created by github.com/cihub/seelog.newAsyncLoopLogger
/var/folders/n1/4ss_2rt10396zylvvdsjqv5cm4l758/T/tmp.qwP1TKnYGq/go/src/github.com/pki-io/admin/_vendor/src/github.com/cihub/seelog/behavior_asynclooplogger.go:40 +0x8e
goroutine 6 [semacquire]:
sync.(*Cond).Wait(0xc20805a880)
/usr/local/go/src/sync/cond.go:62 +0x9e
github.com/cihub/seelog.(*asyncLoopLogger).processItem(0xc20805c300, 0x0)
/var/folders/n1/4ss_2rt10396zylvvdsjqv5cm4l758/T/tmp.qwP1TKnYGq/go/src/github.com/pki-io/admin/_vendor/src/github.com/cihub/seelog/behavior_asynclooplogger.go:50 +0xc2
github.com/cihub/seelog.(*asyncLoopLogger).processQueue(0xc20805c300)
/var/folders/n1/4ss_2rt10396zylvvdsjqv5cm4l758/T/tmp.qwP1TKnYGq/go/src/github.com/pki-io/admin/_vendor/src/github.com/cihub/seelog/behavior_asynclooplogger.go:63 +0x31
created by github.com/cihub/seelog.newAsyncLoopLogger
/var/folders/n1/4ss_2rt10396zylvvdsjqv5cm4l758/T/tmp.qwP1TKnYGq/go/src/github.com/pki-io/admin/_vendor/src/github.com/cihub/seelog/behavior_asynclooplogger.go:40 +0x8e
goroutine 7 [runnable]:
sync.(*Cond).Wait(0xc20805b300)
/usr/local/go/src/sync/cond.go:62 +0x9e
github.com/cihub/seelog.(*asyncLoopLogger).processItem(0xc20805c5a0, 0x0)
/var/folders/n1/4ss_2rt10396zylvvdsjqv5cm4l758/T/tmp.qwP1TKnYGq/go/src/github.com/pki-io/admin/_vendor/src/github.com/cihub/seelog/behavior_asynclooplogger.go:50 +0xc2
github.com/cihub/seelog.(*asyncLoopLogger).processQueue(0xc20805c5a0)
/var/folders/n1/4ss_2rt10396zylvvdsjqv5cm4l758/T/tmp.qwP1TKnYGq/go/src/github.com/pki-io/admin/_vendor/src/github.com/cihub/seelog/behavior_asynclooplogger.go:63 +0x31
created by github.com/cihub/seelog.newAsyncLoopLogger
/var/folders/n1/4ss_2rt10396zylvvdsjqv5cm4l758/T/tmp.qwP1TKnYGq/go/src/github.com/pki-io/admin/_vendor/src/github.com/cihub/seelog/behavior_asynclooplogger.go:40 +0x8e
Expected behavior: Message about non-existing CA without crash