
use issuer's public key for certs

Matthew R. Kasun 3 years ago
parent
commit
84de5c5216
5 changed files with 27 additions and 22 deletions
  1. 4 3
      controllers/server.go
  2. 14 10
      netclient/functions/daemon.go
  3. 2 2
      netclient/functions/register.go
  4. 1 1
      scripts/nm-quick.sh
  5. 6 6
      tls/tls.go

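--- a/controllers/server.go
+++ b/controllers/server.go
@@ -112,7 +112,7 @@ func getConfig(w http.ResponseWriter, r *http.Request) {
 
 // register - registers a client with the server and return the CA cert
 func register(w http.ResponseWriter, r *http.Request) {
-	logger.Log(3, "processing registration request")
+	logger.Log(2, "processing registration request")
 	w.Header().Set("Content-Type", "application/json")
 	bearerToken := r.Header.Get("Authorization")
 	var tokenSplit = strings.Split(bearerToken, " ")
@@ -136,6 +136,7 @@ func register(w http.ResponseWriter, r *http.Request) {
 		returnErrorResponse(w, r, errorResponse)
 		return
 	}
+	request.CSR.PublicKey = request.Key
 	found := false
 	networks, err := logic.GetNetworks()
 	if err != nil {
@@ -180,12 +181,12 @@ func register(w http.ResponseWriter, r *http.Request) {
 }
 
 func genCerts(csr *x509.CertificateRequest, publickey ed25519.PublicKey) (*x509.Certificate, *x509.Certificate, error) {
-	ca, err := tls.ReadCert("/etc/netmaker/root.pem")
+	ca, err := tls.ReadCert("/etc/netmaker/server.pem")
 	if err != nil {
 		logger.Log(2, "root ca not found ", err.Error())
 		return nil, nil, fmt.Errorf("root ca not found %w", err)
 	}
-	key, err := tls.ReadKey("/etc/netmaker/root.key")
+	key, err := tls.ReadKey("/etc/netmaker/server.key")
 	if err != nil {
 		logger.Log(2, "root key not found ", err.Error())
 		return nil, nil, fmt.Errorf("root key not found %w", err)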
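Review bot: genCerts now loads /etc/netmaker/server.pem and server.key as the issuer, but the log and error text on the lines that follow each ReadCert/ReadKey still say `root ca not found` / `root key not found`, which points an operator at a file this code no longer reads; change them to `server ca not found` / `server key not found`, or include the path with %q so the message stays correct if the location moves again. In the second hunk, `request.CSR.PublicKey = request.Key` overwrites the key carried by the CSR with a separate client-supplied field, so the CSR signature no longer binds the certified key to anything; if the CSR is parsed and checked with `CheckSignature()` upstream, that check should run before this assignment and a comment here should say why the override is needed — I cannot see the parsing from this hunk. Both register and genCerts continue outside the hunk.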

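--- a/netclient/functions/daemon.go
+++ b/netclient/functions/daemon.go
@@ -7,6 +7,7 @@ import (
 	"crypto/x509"
 	"errors"
 	"fmt"
+	"log"
 	"os"
 	"os/signal"
 	"strings"
@@ -56,7 +57,7 @@ func Daemon() error {
 		//temporary code --- remove in version v0.13.0
 		removeHostDNS(network, ncutils.IsWindows())
 		// end of code to be removed in version v0.13.0
-		initialPull(cfg.Network)
+		//initialPull(cfg.Network)
 	}
 
 	// == subscribe to all nodes for each on machine ==
@@ -275,10 +276,8 @@ func NewTLSConfig(cfg *config.ClientConfig, server string) *tls.Config {
 	var file string
 	if cfg != nil {
 		server = cfg.Server.Server
-		file = "/etc/netclient/" + cfg.Server.Server + "/root.pem"
-	} else {
-		file = "/etc/netclient/" + server + "/root.pem"
 	}
+	file = "/etc/netclient/" + server + "/server.pem"
 	certpool := x509.NewCertPool()
 	ca, err := os.ReadFile(file)
 	if err != nil {
@@ -288,15 +287,20 @@ func NewTLSConfig(cfg *config.ClientConfig, server string) *tls.Config {
 	if !ok {
 		logger.Log(0, "failed to append cert")
 	}
-	//clientKeyPair, err := tls.LoadX509KeyPair("/etc/netclient/"+cfg.Server.Server+"/client.pem", "/etc/netclient/client.key")
-	//if err != nil {
-	//	log.Fatalf("could not read client cert/key %v \n", err)
-	//}
+	//mycert, err := ssl.ReadCert("/etc/netclient/" + server + "/client.pem")
+	//clientKeyPair, err := tls.LoadX509KeyPair("/etc/netclient/"+server+"/client.pem", "/etc/netclient/client.key")
+	clientKeyPair, err := tls.LoadX509KeyPair("/home/mkasun/tmp/client.pem", "/home/mkasun/tmp/client.key")
+	if err != nil {
+		log.Fatalf("could not read client cert/key %v \n", err)
+	}
+	certs := []tls.Certificate{clientKeyPair}
+	//certs = append(certs, tls.Certificate(&mycert))
 	return &tls.Config{
 		RootCAs:    certpool,
 		ClientAuth: tls.NoClientCert,
 		//ClientAuth:         tls.VerifyClientCertIfGiven,
-		ClientCAs: nil,
+		ClientCAs:    nil,
+		Certificates: certs,
 		//InsecureSkipVerify: false  fails ---- so need to use VerifyConnection
 		InsecureSkipVerify: true,
 		VerifyConnection: func(cs tls.ConnectionState) error {
@@ -304,7 +308,7 @@ func NewTLSConfig(cfg *config.ClientConfig, server string) *tls.Config {
 				logger.Log(0, "VerifyConnection - certifiate mismatch")
 				return errors.New("certificate doesn't match server")
 			}
-			ca, err := ssl.ReadCert("/etc/netclient/" + cs.ServerName + "/root.pem")
+			ca, err := ssl.ReadCert("/etc/netclient/" + cs.ServerName + "/server.pem")
 			if err != nil {
 				logger.Log(0, "VerifyConnection - unable to read ca", err.Error())
 				return errors.New("unable to read ca")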
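Review bot: The client key pair is loaded from `/home/mkasun/tmp/client.pem` and `/home/mkasun/tmp/client.key`, a developer's home directory, so on any other host NewTLSConfig hits the new `log.Fatalf` and the daemon exits before it can connect; the commented-out line directly above already names the intended location, and register.go in this commit saves the key at the netclient root, so restore `clientKeyPair, err := tls.LoadX509KeyPair("/etc/netclient/"+server+"/client.pem", "/etc/netclient/client.key")`. Terminating the process from inside a helper that returns a *tls.Config also takes the failure away from the caller; logging through logger.Log and returning a config without Certificates (or changing the signature to return an error) would keep it handleable. The Daemon hunk comments out `initialPull(cfg.Network)` with no note on why, which reads as debugging left behind rather than an intended change. NewTLSConfig starts and ends outside this hunk.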

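--- a/netclient/functions/register.go
+++ b/netclient/functions/register.go
@@ -42,7 +42,7 @@ func Register(cfg *config.ClientConfig) error {
 		return err
 	}
 	url := cfg.Server.API + "/api/server/register"
-	log.Println("registering at ", url)
+	log.Println("register at ", url)
 
 	request, err := http.NewRequest(http.MethodPost, url, bytes.NewBuffer(payload))
 	if err != nil {
@@ -68,7 +68,7 @@ func Register(cfg *config.ClientConfig) error {
 	if err := tls.SaveCert(ncutils.GetNetclientPath()+cfg.Server.Server+"/", "client.pem", &resp.Cert); err != nil {
 		return err
 	}
-	if err := tls.SaveKey(ncutils.GetNetclientPath()+cfg.Server.Server+"/", "client.key", private); err != nil {
+	if err := tls.SaveKey(ncutils.GetNetclientPath(), "client.key", private); err != nil {
 		return err
 	}
 	logger.Log(0, "certificates/key saved ")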
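Review bot: The private key is now written to `ncutils.GetNetclientPath()` while the certificate on the line above stays under the per-server directory, so a client registered with a second server overwrites the key that belongs to the first server's client.pem and that earlier certificate can no longer be used; if the split is deliberate (one client key shared across servers, which is what daemon.go's commented-out load path suggests), a comment on this line saying so would stop the next reader from moving it back, otherwise keep the pair together with `tls.SaveKey(ncutils.GetNetclientPath()+cfg.Server.Server+"/", "client.key", private)`. Register continues outside the hunk.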

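--- a/scripts/nm-quick.sh
+++ b/scripts/nm-quick.sh
@@ -146,7 +146,7 @@ openssl req -new -key certs/root.key -out certs/root.csr -subj '/CN=CA Root'
 openssl x509 -req -in certs/root.csr -days 365 -signkey certs/root.key -CAcreateserial -out certs/root.pem
 
 openssl genpkey -algorithm Ed25519 -out certs/server.key
-openssl req -new -out certs/server.csr -key certs/server.key -subj  $subject 
+openssl req -new -out certs/server.csr -key certs/server.key -subj  $server
 openssl x509 -req -in certs/server.csr -days 365 -CA certs/root.pem -CAkey certs/root.key -CAcreateserial -out certs/server.pem
 
 echo "setting docker-compose..."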
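Review bot: `-subj  $server` is unquoted, so a subject containing a space is split into several arguments and an empty `$server` makes `-subj` consume the next token; write `-subj "$server"`. `$server` is not defined anywhere in this hunk — confirm it is set earlier in the script, since the old line used `$subject`. This commit's controllers/server.go also starts signing certificates with server.pem as the parent, and the `openssl x509 -req` on the next line issues it with no CA extension; whether the netclient verifier will build a chain through a non-CA issuer is not visible here, so server.pem may need to be issued with `-extfile` carrying `basicConstraints=CA:TRUE` for the new flow to verify.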

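--- a/tls/tls.go
+++ b/tls/tls.go
@@ -121,7 +121,7 @@ func SelfSignedCA(key ed25519.PrivateKey, req *x509.CertificateRequest, days int
 		BasicConstraintsValid: true,
 		IsCA:                  true,
 		Version:               req.Version,
-		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
+		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDataEncipherment,
 		NotAfter:              time.Now().Add(duration(days)),
 		NotBefore:             time.Now(),
 		SerialNumber:          serialNumber(),
@@ -152,12 +152,12 @@ func NewEndEntityCert(key ed25519.PrivateKey, req *x509.CertificateRequest, pare
 		SerialNumber:       serialNumber(),
 		SignatureAlgorithm: req.SignatureAlgorithm,
 		PublicKeyAlgorithm: req.PublicKeyAlgorithm,
-		PublicKey:          req.PublicKey,
-		Subject:            req.Subject,
-		SubjectKeyId:       req.RawSubject,
-		Issuer:             parent.Subject,
+		//PublicKey:          req.PublicKey,
+		Subject:      req.Subject,
+		SubjectKeyId: req.RawSubject,
+		Issuer:       parent.Subject,
 	}
-	rootCa, err := x509.CreateCertificate(rand.Reader, template, parent, req.PublicKey, key)
+	rootCa, err := x509.CreateCertificate(rand.Reader, template, parent, key.Public(), key)
 	if err != nil {
 		return nil, err
 	}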
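Review bot: `x509.CreateCertificate(rand.Reader, template, parent, key.Public(), key)` now certifies the signer's own public key rather than the requester's, so the end-entity certificate returned to the client does not correspond to the private key the client generated (the one register.go saves as client.key), and `tls.LoadX509KeyPair` on the client will reject the pair as a key mismatch; the fourth argument should remain the requester's key, `req.PublicKey` (which controllers/server.go now fills from the request), with `key` used only as the signer. Leaving `//PublicKey:` commented in the template is fine on its own, since CreateCertificate takes the certified key from that argument rather than from the template. In the first hunk, adding `x509.KeyUsageDataEncipherment` to the self-signed CA's key usage widens what the CA asserts it may do for a key that is signing-only, and nothing in the change explains it; if it works around a verifier, a comment on that line should say which one. NewEndEntityCert starts before this hunk.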