Merge pull request #1276 from gravitl/feature_v0.14.5_cert_ha_support

Feature v0.14.5 cert ha support

controllers/server.go

@@ -15,6 +15,7 @@ import (
 	"github.com/gravitl/netmaker/models"
 	"github.com/gravitl/netmaker/netclient/config"
 	"github.com/gravitl/netmaker/servercfg"
+	"github.com/gravitl/netmaker/serverctl"
 	"github.com/gravitl/netmaker/tls"
 )
 
@@ -142,12 +143,12 @@ func register(w http.ResponseWriter, r *http.Request) {
 
 // genCerts generates a client certificate and returns the certificate and root CA
 func genCerts(clientKey *ed25519.PrivateKey, name *pkix.Name) (*x509.Certificate, *x509.Certificate, error) {
-	ca, err := tls.ReadCert("/etc/netmaker/root.pem")
+	ca, err := serverctl.ReadCertFromDB(tls.ROOT_PEM_NAME)
 	if err != nil {
 		logger.Log(2, "root ca not found ", err.Error())
 		return nil, nil, fmt.Errorf("root ca not found %w", err)
 	}
-	key, err := tls.ReadKey("/etc/netmaker/root.key")
+	key, err := serverctl.ReadKeyFromDB(tls.ROOT_KEY_NAME)
 	if err != nil {
 		logger.Log(2, "root key not found ", err.Error())
 		return nil, nil, fmt.Errorf("root key not found %w", err)

database/database.go

@@ -26,6 +26,9 @@ const DELETED_NODES_TABLE_NAME = "deletednodes"
 // USERS_TABLE_NAME - users table
 const USERS_TABLE_NAME = "users"
 
+// CERTS_TABLE_NAME - certificates table
+const CERTS_TABLE_NAME = "certs"
+
 // DNS_TABLE_NAME - dns table
 const DNS_TABLE_NAME = "dns"
 
@@ -122,6 +125,7 @@ func InitializeDatabase() error {
 func createTables() {
 	createTable(NETWORKS_TABLE_NAME)
 	createTable(NODES_TABLE_NAME)
+	createTable(CERTS_TABLE_NAME)
 	createTable(DELETED_NODES_TABLE_NAME)
 	createTable(USERS_TABLE_NAME)
 	createTable(DNS_TABLE_NAME)

main.go

@@ -190,21 +190,21 @@ func genCerts() error {
 	logger.Log(0, "checking keys and certificates")
 	var private *ed25519.PrivateKey
 	var err error
-	private, err = tls.ReadKey(functions.GetNetmakerPath() + "/root.key")
+	private, err = serverctl.ReadKeyFromDB(tls.ROOT_KEY_NAME)
 	if errors.Is(err, os.ErrNotExist) {
 		logger.Log(0, "generating new root key")
 		_, newKey, err := ed25519.GenerateKey(rand.Reader)
 		if err != nil {
 			return err
 		}
-		if err := tls.SaveKey(functions.GetNetmakerPath(), "/root.key", newKey); err != nil {
+		if err := serverctl.SaveKey(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.ROOT_KEY_NAME, newKey); err != nil {
 			return err
 		}
 		private = &newKey
 	} else if err != nil {
 		return err
 	}
-	ca, err := tls.ReadCert(functions.GetNetmakerPath() + ncutils.GetSeparator() + "root.pem")
+	ca, err := serverctl.ReadCertFromDB(tls.ROOT_PEM_NAME)
 	//if cert doesn't exist or will expire within 10 days --- but can't do this as clients won't be able to connect
 	//if errors.Is(err, os.ErrNotExist) || cert.NotAfter.Before(time.Now().Add(time.Hour*24*10)) {
 	if errors.Is(err, os.ErrNotExist) {
@@ -218,14 +218,14 @@ func genCerts() error {
 		if err != nil {
 			return err
 		}
-		if err := tls.SaveCert(functions.GetNetmakerPath(), ncutils.GetSeparator()+"root.pem", rootCA); err != nil {
+		if err := serverctl.SaveCert(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.ROOT_PEM_NAME, rootCA); err != nil {
 			return err
 		}
 		ca = rootCA
 	} else if err != nil {
 		return err
 	}
-	cert, err := tls.ReadCert(functions.GetNetmakerPath() + "/server.pem")
+	cert, err := serverctl.ReadCertFromDB(tls.SERVER_PEM_NAME)
 	if errors.Is(err, os.ErrNotExist) || cert.NotAfter.Before(time.Now().Add(time.Hour*24*10)) {
 		//gen new key
 		logger.Log(0, "generating new server key/certificate")
@@ -242,10 +242,10 @@ func genCerts() error {
 		if err != nil {
 			return err
 		}
-		if err := tls.SaveKey(functions.GetNetmakerPath(), "/server.key", key); err != nil {
+		if err := serverctl.SaveKey(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.SERVER_KEY_NAME, key); err != nil {
 			return err
 		}
-		if err := tls.SaveCert(functions.GetNetmakerPath(), "/server.pem", cert); err != nil {
+		if err := serverctl.SaveCert(functions.GetNetmakerPath()+ncutils.GetSeparator(), tls.SERVER_PEM_NAME, cert); err != nil {
 			return err
 		}
 	} else if err != nil {

netclient/command/commands.go

@@ -94,13 +94,13 @@ func Pull(cfg *config.ClientConfig) error {
 	}
 	//generate new client key if one doesn' exist
 	var private *ed25519.PrivateKey
-	private, err = tls.ReadKey(ncutils.GetNetclientPath() + ncutils.GetSeparator() + "client.key")
+	private, err = tls.ReadKeyFromFile(ncutils.GetNetclientPath() + ncutils.GetSeparator() + "client.key")
 	if err != nil {
 		_, newKey, err := ed25519.GenerateKey(rand.Reader)
 		if err != nil {
 			return err
 		}
-		if err := tls.SaveKey(ncutils.GetNetclientPath(), ncutils.GetSeparator()+"client.key", newKey); err != nil {
+		if err := tls.SaveKeyToFile(ncutils.GetNetclientPath(), ncutils.GetSeparator()+"client.key", newKey); err != nil {
 			return err
 		}
 		private = &newKey

netclient/functions/daemon.go

@@ -268,7 +268,7 @@ func setupMQTT(cfg *config.ClientConfig, publish bool) (mqtt.Client, error) {
 
 func reRegisterWithServer(cfg *config.ClientConfig) {
 	logger.Log(0, "connection issue detected.. attempt connection with new certs and broker information")
-	key, err := ssl.ReadKey(ncutils.GetNetclientPath() + ncutils.GetSeparator() + "client.key")
+	key, err := ssl.ReadKeyFromFile(ncutils.GetNetclientPath() + ncutils.GetSeparator() + "client.key")
 	if err != nil {
 		_, *key, err = ed25519.GenerateKey(rand.Reader)
 		if err != nil {

netclient/functions/mqpublish.go

@@ -151,10 +151,10 @@ func publish(nodeCfg *config.ClientConfig, dest string, msg []byte, qos byte) er
 }
 
 func checkCertExpiry(cfg *config.ClientConfig) error {
-	cert, err := tls.ReadCert(ncutils.GetNetclientServerPath(cfg.Server.Server) + ncutils.GetSeparator() + "client.pem")
+	cert, err := tls.ReadCertFromFile(ncutils.GetNetclientServerPath(cfg.Server.Server) + ncutils.GetSeparator() + "client.pem")
 	//if cert doesn't exist or will expire within 10 days
 	if errors.Is(err, os.ErrNotExist) || cert.NotAfter.Before(time.Now().Add(time.Hour*24*10)) {
-		key, err := tls.ReadKey(ncutils.GetNetclientPath() + ncutils.GetSeparator() + "client.key")
+		key, err := tls.ReadKeyFromFile(ncutils.GetNetclientPath() + ncutils.GetSeparator() + "client.key")
 		if err != nil {
 			return err
 		}

netclient/functions/register.go

@@ -20,19 +20,19 @@ func Register(cfg *config.ClientConfig) error {
 	//generate new key if one doesn' exist
 	var private *ed25519.PrivateKey
 	var err error
-	private, err = tls.ReadKey(ncutils.GetNetclientPath() + ncutils.GetSeparator() + "client.key")
+	private, err = tls.ReadKeyFromFile(ncutils.GetNetclientPath() + ncutils.GetSeparator() + "client.key")
 	if err != nil {
 		_, newKey, err := ed25519.GenerateKey(rand.Reader)
 		if err != nil {
 			return err
 		}
-		if err := tls.SaveKey(ncutils.GetNetclientPath(), ncutils.GetSeparator()+"client.key", newKey); err != nil {
+		if err := tls.SaveKeyToFile(ncutils.GetNetclientPath(), ncutils.GetSeparator()+"client.key", newKey); err != nil {
 			return err
 		}
 		private = &newKey
 	}
 	//check if cert exists
-	_, err = tls.ReadCert(ncutils.GetNetclientServerPath(cfg.Server.Server) + ncutils.GetSeparator() + "client.pem")
+	_, err = tls.ReadCertFromFile(ncutils.GetNetclientServerPath(cfg.Server.Server) + ncutils.GetSeparator() + "client.pem")
 	if errors.Is(err, os.ErrNotExist) {
 		if err := RegisterWithServer(private, cfg); err != nil {
 			return err
@@ -88,10 +88,10 @@ func RegisterWithServer(private *ed25519.PrivateKey, cfg *config.ClientConfig) e
 	//the pubkeys are included in the response so the values in the certificate can be updated appropriately
 	resp.CA.PublicKey = resp.CAPubKey
 	resp.Cert.PublicKey = resp.CertPubKey
-	if err := tls.SaveCert(ncutils.GetNetclientServerPath(cfg.Server.Server)+ncutils.GetSeparator(), "root.pem", &resp.CA); err != nil {
+	if err := tls.SaveCertToFile(ncutils.GetNetclientServerPath(cfg.Server.Server)+ncutils.GetSeparator(), tls.ROOT_PEM_NAME, &resp.CA); err != nil {
 		return err
 	}
-	if err := tls.SaveCert(ncutils.GetNetclientServerPath(cfg.Server.Server)+ncutils.GetSeparator(), "client.pem", &resp.Cert); err != nil {
+	if err := tls.SaveCertToFile(ncutils.GetNetclientServerPath(cfg.Server.Server)+ncutils.GetSeparator(), "client.pem", &resp.Cert); err != nil {
 		return err
 	}
 	logger.Log(0, "certificates/key saved ")

serverctl/tls.go

@@ -0,0 +1,105 @@
+package serverctl
+
+import (
+	"crypto/ed25519"
+	"crypto/x509"
+	"encoding/json"
+	"encoding/pem"
+	"errors"
+	"fmt"
+
+	"github.com/gravitl/netmaker/database"
+	"github.com/gravitl/netmaker/tls"
+)
+
+// SaveCert - save a certificate to file and DB
+func SaveCert(path, name string, cert *x509.Certificate) error {
+	if err := SaveCertToDB(name, cert); err != nil {
+		return err
+	}
+	return tls.SaveCertToFile(path, name, cert)
+}
+
+// SaveCertToDB - save a certificate to the certs database
+func SaveCertToDB(name string, cert *x509.Certificate) error {
+	if certBytes := pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: cert.Raw,
+	}); len(certBytes) > 0 {
+		data, err := json.Marshal(&certBytes)
+		if err != nil {
+			return fmt.Errorf("failed to marshal certificate - %v ", err)
+		}
+		return database.Insert(name, string(data), database.CERTS_TABLE_NAME)
+	} else {
+		return fmt.Errorf("failed to write cert to DB - %s ", name)
+	}
+}
+
+// SaveKey - save a private key (ed25519) to file and DB
+func SaveKey(path, name string, key ed25519.PrivateKey) error {
+	if err := SaveKeyToDB(name, key); err != nil {
+		return err
+	}
+	return tls.SaveKeyToFile(path, name, key)
+}
+
+// SaveKeyToDB - save a private key (ed25519) to the specified path
+func SaveKeyToDB(name string, key ed25519.PrivateKey) error {
+	privBytes, err := x509.MarshalPKCS8PrivateKey(key)
+	if err != nil {
+		return fmt.Errorf("failed to marshal key %v ", err)
+	}
+	if pemBytes := pem.EncodeToMemory(&pem.Block{
+		Type:  "PRIVATE KEY",
+		Bytes: privBytes,
+	}); len(pemBytes) > 0 {
+		data, err := json.Marshal(&pemBytes)
+		if err != nil {
+			return fmt.Errorf("failed to marshal key %v ", err)
+		}
+		return database.Insert(name, string(data), database.CERTS_TABLE_NAME)
+	} else {
+		return fmt.Errorf("failed to write key to DB - %v ", err)
+	}
+}
+
+// ReadCertFromDB - reads a certificate from the database
+func ReadCertFromDB(name string) (*x509.Certificate, error) {
+	certString, err := database.FetchRecord(database.CERTS_TABLE_NAME, name)
+	if err != nil {
+		return nil, fmt.Errorf("unable to read file %w", err)
+	}
+	var certBytes []byte
+	if err = json.Unmarshal([]byte(certString), &certBytes); err != nil {
+		return nil, fmt.Errorf("unable to unmarshal db cert %w", err)
+	}
+	block, _ := pem.Decode(certBytes)
+	if block == nil || block.Type != "CERTIFICATE" {
+		return nil, errors.New("not a cert " + block.Type)
+	}
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return nil, fmt.Errorf("unable to parse cert %w", err)
+	}
+	return cert, nil
+}
+
+// ReadKeyFromDB - reads a private key (ed25519) from the database
+func ReadKeyFromDB(name string) (*ed25519.PrivateKey, error) {
+	keyString, err := database.FetchRecord(database.CERTS_TABLE_NAME, name)
+	if err != nil {
+		return nil, fmt.Errorf("unable to read key value from db - %w", err)
+	}
+	var bytes []byte
+	if err = json.Unmarshal([]byte(keyString), &bytes); err != nil {
+		return nil, fmt.Errorf("unable to unmarshal db key - %w", err)
+	}
+	keyBytes, _ := pem.Decode(bytes)
+	key, err := x509.ParsePKCS8PrivateKey(keyBytes.Bytes)
+	if err != nil {
+		return nil, fmt.Errorf("unable to parse key from DB -  %w", err)
+	}
+	private := key.(ed25519.PrivateKey)
+	return &private, nil
+}

tls/tls.go

@@ -17,8 +17,23 @@ import (
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
 
-// CERTTIFICAT_VALIDITY duration of certificate validity in days
-const CERTIFICATE_VALIDITY = 365
+const (
+
+	// CERTTIFICATE_VALIDITY duration of certificate validity in days
+	CERTIFICATE_VALIDITY = 365
+
+	// SERVER_KEY_NAME - name of server cert private key
+	SERVER_KEY_NAME = "server.key"
+
+	// ROOT_KEY_NAME - name of root cert private key
+	ROOT_KEY_NAME = "root.key"
+
+	// SERVER_PEM_NAME - name of server pem
+	SERVER_PEM_NAME = "server.pem"
+
+	// ROOT_PEM_NAME - name of root pem
+	ROOT_PEM_NAME = "root.pem"
+)
 
 type (
 	// Key is the struct for an edwards representation point
@@ -189,8 +204,8 @@ func SaveRequest(path, name string, csr *x509.CertificateRequest) error {
 	return nil
 }
 
-// SaveCert save a certificate to the specified path
-func SaveCert(path, name string, cert *x509.Certificate) error {
+// SaveCertToFile save a certificate to the specified path
+func SaveCertToFile(path, name string, cert *x509.Certificate) error {
 	//certbytes, err := x509.ParseCertificate(cert)
 	if err := os.MkdirAll(path, 0600); err != nil {
 		return fmt.Errorf("failed to create dir %s %w", path, err)
@@ -209,8 +224,8 @@ func SaveCert(path, name string, cert *x509.Certificate) error {
 	return nil
 }
 
-// SaveKey save a private key (ed25519) to the specified path
-func SaveKey(path, name string, key ed25519.PrivateKey) error {
+// SaveKeyToFile save a private key (ed25519) to the certs database
+func SaveKeyToFile(path, name string, key ed25519.PrivateKey) error {
 	//func SaveKey(name string, key *ecdsa.PrivateKey) error {
 	if err := os.MkdirAll(path, 0600); err != nil {
 		return fmt.Errorf("failed to create dir %s %w", path, err)
@@ -233,8 +248,8 @@ func SaveKey(path, name string, key ed25519.PrivateKey) error {
 	return nil
 }
 
-// ReadCert reads a certificate from disk
-func ReadCert(name string) (*x509.Certificate, error) {
+// ReadCertFromFile reads a certificate from disk
+func ReadCertFromFile(name string) (*x509.Certificate, error) {
 	contents, err := os.ReadFile(name)
 	if err != nil {
 		return nil, fmt.Errorf("unable to read file %w", err)
@@ -250,8 +265,8 @@ func ReadCert(name string) (*x509.Certificate, error) {
 	return cert, nil
 }
 
-// ReadKey reads a private key (ed25519) from disk
-func ReadKey(name string) (*ed25519.PrivateKey, error) {
+// ReadKeyFromFile reads a private key (ed25519) from disk
+func ReadKeyFromFile(name string) (*ed25519.PrivateKey, error) {
 	bytes, err := os.ReadFile(name)
 	if err != nil {
 		return nil, fmt.Errorf("unable to read file %w", err)