Merge pull request #20 from EventStore/kunaldhingra/db-149-generate-fips-compliant-certificates-in-our-tools

pvanbuijtene · web-flow · commit c83127ee7d8a · 2023-09-07T09:15:11.000+01:00
Update default crypto to boringcrypto to generate FIPS compliant certificates
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -21,25 +21,34 @@ jobs:
         name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: 1.18
+          go-version: 1.21
+        env: 
+          GOEXPERIMENT: boringcrypto
+      -
+        name: Run Tests
+        env: 
+          GOEXPERIMENT: boringcrypto
+        run: go test ./...
       -
         name: Build and Publish
         uses: goreleaser/goreleaser-action@v3
         if: ${{ startsWith(github.ref, 'refs/tags/') }}
         with:
           version: latest
-          args: release --rm-dist
+          args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GOEXPERIMENT: boringcrypto
       -
         name: Build and Publish (Dry Run)
         uses: goreleaser/goreleaser-action@v3
         if: ${{ !startsWith(github.ref, 'refs/tags/') }}
         with:
           version: latest
-          args: release --skip-publish --rm-dist --snapshot
+          args: release --skip-publish --clean --snapshot
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GOEXPERIMENT: boringcrypto
       -
         name: Docker meta
         id: meta
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -22,13 +22,14 @@ archives:
     format_overrides:
       - goos: windows
         format: zip
-    name_template: "{{.ProjectName}}_{{.Version}}_{{.Os}}-{{.Arch}}"
-    replacements:
-      darwin: Darwin
-      linux: Linux
-      windows: Windows
-      386: i386
-      amd64: x86_64
+    name_template: >-
+      {{- .ProjectName }}_
+      {{- .Version }}_
+      {{- title .Os }}_
+      {{- if eq .Arch "amd64" }}x86_64
+      {{- else if eq .Arch "386" }}i386
+      {{- else }}{{ .Arch }}{{ end }}
+      {{- if .Arm }}v{{ .Arm }}{{ end -}}
 changelog:
   sort: asc
   filters:
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.14-alpine AS build_base
+FROM golang:1.21-alpine AS build_base
 
 RUN apk add --no-cache git
 
@@ -11,7 +11,7 @@ RUN go mod download
 
 COPY . .
 
-RUN go build -o ./out/es-gencert-cli .
+RUN GOEXPERIMENT=boringcrypto go build -o ./out/es-gencert-cli .
 
 FROM alpine:3.9
 RUN apk add ca-certificates bash
diff --git a/certificates/boring_darwin.go b/certificates/boring_darwin.go
@@ -0,0 +1,8 @@
+//go:build darwin
+
+package certificates
+
+// Currently boringcryptography is only supported on Linux
+func isBoringEnabled() bool {
+	return false
+}
diff --git a/certificates/boring_linux.go b/certificates/boring_linux.go
@@ -0,0 +1,11 @@
+//go:build linux
+
+package certificates
+
+import (
+	"crypto/boring"
+)
+
+func isBoringEnabled() bool {
+	return boring.Enabled()
+}
diff --git a/certificates/boring_windows.go b/certificates/boring_windows.go
@@ -0,0 +1,8 @@
+//go:build windows
+
+package certificates
+
+// Currently boringcryptography is only supported on Linux
+func isBoringEnabled() bool {
+	return false
+}
diff --git a/certificates/common_test.go b/certificates/common_test.go
@@ -0,0 +1,14 @@
+//go:build linux
+
+package certificates
+
+import (
+	"crypto/boring"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestBoringCryptoAvailable(t *testing.T) {
+	assert.True(t, boring.Enabled())
+}
diff --git a/certificates/create_ca.go b/certificates/create_ca.go
@@ -10,7 +10,6 @@ import (
 	"errors"
 	"flag"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"path"
 	"strings"
@@ -93,7 +92,11 @@ func (c *CreateCA) Run(args []string) int {
 	if err != nil {
 		c.Ui.Error(err.Error())
 	} else {
-		c.Ui.Output(fmt.Sprintf("A CA certificate & key file have been generated in the '%s' directory", outputDir))
+		if isBoringEnabled() {
+			c.Ui.Output(fmt.Sprintf("A CA certificate & key file have been generated in the '%s' directory (FIPS mode enabled).", outputDir))
+		} else {
+			c.Ui.Output(fmt.Sprintf("A CA certificate & key file have been generated in the '%s' directory.", outputDir))
+		}
 	}
 	return 0
 }
@@ -146,7 +149,7 @@ func generateCACertificate(years int, days int, outputDir string, caCert *x509.C
 	}
 
 	privateKeyPem := new(bytes.Buffer)
-	pem.Encode(privateKeyPem, &pem.Block{
+	err = pem.Encode(privateKeyPem, &pem.Block{
 		Type:  "RSA PRIVATE KEY",
 		Bytes: x509.MarshalPKCS1PrivateKey(privateKey),
 	})
@@ -179,13 +182,13 @@ func generateCACertificate(years int, days int, outputDir string, caCert *x509.C
 	}
 
 	certFile := "ca.crt"
-	err = ioutil.WriteFile(path.Join(outputDir, certFile), certPem.Bytes(), 0444)
+	err = os.WriteFile(path.Join(outputDir, certFile), certPem.Bytes(), 0444)
 	if err != nil {
 		return fmt.Errorf("error writing CA certificate to %s: %s", certFile, err.Error())
 	}
 
 	keyFile := "ca.key"
-	err = ioutil.WriteFile(path.Join(outputDir, keyFile), privateKeyPem.Bytes(), 0400)
+	err = os.WriteFile(path.Join(outputDir, keyFile), privateKeyPem.Bytes(), 0400)
 	if err != nil {
 		return fmt.Errorf("error writing CA's private key to %s: %s", keyFile, err.Error())
 	}
diff --git a/certificates/create_ca_test.go b/certificates/create_ca_test.go
@@ -0,0 +1,42 @@
+package certificates
+
+import (
+	"crypto/rsa"
+	"crypto/x509"
+	"os"
+	"path"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGenerateCACertificate(t *testing.T) {
+
+	t.Run("nominal-case", func(t *testing.T) {
+		years := 1
+		days := 0
+		outputDir := "./ca"
+		var caCert *x509.Certificate
+		var caKey *rsa.PrivateKey
+
+		// Clean up from previous runs
+		os.RemoveAll(outputDir)
+
+		certificateError := generateCACertificate(years, days, outputDir, caCert, caKey)
+
+		certFilePath := path.Join(outputDir, "ca.crt")
+		keyFilePath := path.Join(outputDir, "ca.key")
+
+		_, certPathError := os.Stat(certFilePath)
+		_, keyPathError := os.Stat(keyFilePath)
+
+		assert.NoError(t, certificateError)
+		assert.False(t, os.IsNotExist(certPathError))
+		assert.False(t, os.IsNotExist(keyPathError))
+
+		// Clean up
+		os.RemoveAll(outputDir)
+
+	})
+
+}
diff --git a/certificates/create_certs.go b/certificates/create_certs.go
@@ -5,7 +5,7 @@ import (
 	"fmt"
 	"github.com/mitchellh/cli"
 	"gopkg.in/yaml.v3"
-	"io/ioutil"
+	"os"
 	"reflect"
 	"strings"
 )
@@ -33,7 +33,7 @@ func (c *CreateCertificates) Run(args []string) int {
 	if err := flags.Parse(args); err != nil {
 		return 1
 	}
-	configData, err := ioutil.ReadFile(arguments.ConfigPath)
+	configData, err := os.ReadFile(arguments.ConfigPath)
 	if err != nil {
 		c.Ui.Error(err.Error())
 		return 1
diff --git a/certificates/create_node.go b/certificates/create_node.go
@@ -10,7 +10,6 @@ import (
 	"errors"
 	"flag"
 	"fmt"
-	"io/ioutil"
 	"net"
 	"os"
 	"path"
@@ -37,7 +36,7 @@ type CreateNodeArguments struct {
 }
 
 func readCertificateFromFile(path string) (*x509.Certificate, error) {
-	pemBytes, err := ioutil.ReadFile(path)
+	pemBytes, err := os.ReadFile(path)
 	if err != nil {
 		return nil, fmt.Errorf("error reading file: %s", err.Error())
 	}
@@ -55,7 +54,7 @@ func readCertificateFromFile(path string) (*x509.Certificate, error) {
 }
 
 func readRSAKeyFromFile(path string) (*rsa.PrivateKey, error) {
-	keyBytes, err := ioutil.ReadFile(path)
+	keyBytes, err := os.ReadFile(path)
 	if err != nil {
 		return nil, fmt.Errorf("error reading file: %s", err.Error())
 	}
@@ -198,7 +197,12 @@ func (c *CreateNode) Run(args []string) int {
 		return 1
 	}
 
-	c.Ui.Output(fmt.Sprintf("A node certificate & key file have been generated in the '%s' directory.", outputDir))
+	if isBoringEnabled() {
+		c.Ui.Output(fmt.Sprintf("A node certificate & key file have been generated in the '%s' directory (FIPS mode enabled).", outputDir))
+	} else {
+		c.Ui.Output(fmt.Sprintf("A node certificate & key file have been generated in the '%s' directory.", outputDir))
+	}
+
 	return 0
 }
 
@@ -267,13 +271,13 @@ func generateNodeCertificate(caCert *x509.Certificate, caPrivateKey *rsa.Private
 	}
 
 	certFile := fmt.Sprintf("%s.crt", outputBaseFileName)
-	err = ioutil.WriteFile(path.Join(outputDir, certFile), certPem.Bytes(), 0444)
+	err = os.WriteFile(path.Join(outputDir, certFile), certPem.Bytes(), 0444)
 	if err != nil {
 		return fmt.Errorf("error writing certificate to %s: %s", certFile, err.Error())
 	}
 
 	keyFile := fmt.Sprintf("%s.key", outputBaseFileName)
-	err = ioutil.WriteFile(path.Join(outputDir, keyFile), privateKeyPem.Bytes(), 0400)
+	err = os.WriteFile(path.Join(outputDir, keyFile), privateKeyPem.Bytes(), 0400)
 	if err != nil {
 		return fmt.Errorf("error writing private key to %s: %s", keyFile, err.Error())
 	}
diff --git a/certificates/create_node_test.go b/certificates/create_node_test.go
@@ -0,0 +1,69 @@
+package certificates
+
+import (
+	"crypto/rsa"
+	"crypto/x509"
+	"os"
+	"path"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGenerateNodeCertificate(t *testing.T) {
+
+	t.Run("nominal-case", func(t *testing.T) {
+
+		years := 1
+		days := 0
+		outputDirCA := "./ca"
+		outputDirNode := "./node"
+		var caCert *x509.Certificate
+		var caKey *rsa.PrivateKey
+		var nodeCertFileName = "node"
+		var ipAddresses = "127.0.0.1"
+		var dnsNames = []string{"localhost"}
+		var commonName = "EventStoreDB"
+
+		// Clean up from previous runs
+		os.RemoveAll(outputDirCA)
+		os.RemoveAll(outputDirNode)
+
+		certificateError := generateCACertificate(years, days, outputDirCA, caCert, caKey)
+
+		certFilePath := path.Join(outputDirCA, "ca.crt")
+		keyFilePath := path.Join(outputDirCA, "ca.key")
+
+		_, certPathError := os.Stat(certFilePath)
+		_, keyPathError := os.Stat(keyFilePath)
+
+		assert.NoError(t, certificateError)
+		assert.False(t, os.IsNotExist(certPathError))
+		assert.False(t, os.IsNotExist(keyPathError))
+
+		caCertificate, err := readCertificateFromFile(certFilePath)
+		assert.NoError(t, err)
+		caPrivateKey, err := readRSAKeyFromFile(keyFilePath)
+		assert.NoError(t, err)
+
+		ips, err := parseIPAddresses(ipAddresses)
+		assert.NoError(t, err)
+
+		certificateError = generateNodeCertificate(caCertificate, caPrivateKey, ips, dnsNames, years, days, outputDirNode, nodeCertFileName, commonName)
+
+		nodeCertPath := path.Join(outputDirNode, "node.crt")
+		nodeKeyPath := path.Join(outputDirNode, "node.key")
+
+		_, nodeCertPathError := os.Stat(nodeCertPath)
+		_, nodeKeyPathError := os.Stat(nodeKeyPath)
+
+		assert.NoError(t, certificateError)
+		assert.False(t, os.IsNotExist(nodeCertPathError))
+		assert.False(t, os.IsNotExist(nodeKeyPathError))
+
+		// Clean up
+		os.RemoveAll(outputDirCA)
+		os.RemoveAll(outputDirNode)
+
+	})
+}
diff --git a/go.mod b/go.mod
@@ -5,5 +5,6 @@ go 1.14
 require (
 	github.com/hashicorp/go-multierror v1.0.0
 	github.com/mitchellh/cli v1.1.1
+	github.com/stretchr/testify v1.8.4 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -2,6 +2,9 @@ github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310 h1:BUAU3CGlLvorLI26
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/bgentry/speakeasy v0.1.0 h1:ByYyxL9InA1OWqxJqqp2A5pYHUrCiAL6K3J+LKSsQkY=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/fatih/color v1.7.0 h1:DkWD4oS2D8LGGgTQ6IvwJJXSL5Vp2ffcQg58nFV38Ys=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=
@@ -14,10 +17,21 @@ github.com/mattn/go-isatty v0.0.3 h1:ns/ykhmWi7G9O+8a448SecJU3nSMBXJfqQkl0upE1jI
 github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/mitchellh/cli v1.1.1 h1:J64v/xD7Clql+JVKSvkYojLOXu1ibnY9ZjGLwSt/89w=
 github.com/mitchellh/cli v1.1.1/go.mod h1:xcISNoH86gajksDmfB23e/pu+B+GeFRMYmoHXxx3xhI=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/posener/complete v1.1.1 h1:ccV59UEOTzVDnDUEFdT95ZzHVZ+5+158q8+SJb2QV5w=
 github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc h1:MeuS1UDyZyFH++6vVy44PuufTeFF0d0nfI6XB87YGSk=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,6 @@ import (`
`10`	`10`	`"errors"`
`11`	`11`	`"flag"`
`12`	`12`	`"fmt"`
`13`		`- "io/ioutil"`
`14`	`13`	`"net"`
`15`	`14`	`"os"`
`16`	`15`	`"path"`
`@@ -37,7 +36,7 @@ type CreateNodeArguments struct {`
`37`	`36`	`}`
`38`	`37`
`39`	`38`	`func readCertificateFromFile(path string) (*x509.Certificate, error) {`
`40`		`- pemBytes, err := ioutil.ReadFile(path)`
	`39`	`+ pemBytes, err := os.ReadFile(path)`
`41`	`40`	`if err != nil {`
`42`	`41`	`return nil, fmt.Errorf("error reading file: %s", err.Error())`
`43`	`42`	`}`
`@@ -55,7 +54,7 @@ func readCertificateFromFile(path string) (*x509.Certificate, error) {`
`55`	`54`	`}`
`56`	`55`
`57`	`56`	`func readRSAKeyFromFile(path string) (*rsa.PrivateKey, error) {`
`58`		`- keyBytes, err := ioutil.ReadFile(path)`
	`57`	`+ keyBytes, err := os.ReadFile(path)`
`59`	`58`	`if err != nil {`
`60`	`59`	`return nil, fmt.Errorf("error reading file: %s", err.Error())`
`61`	`60`	`}`
`@@ -198,7 +197,12 @@ func (c *CreateNode) Run(args []string) int {`
`198`	`197`	`return 1`
`199`	`198`	`}`
`200`	`199`
`201`		`- c.Ui.Output(fmt.Sprintf("A node certificate & key file have been generated in the '%s' directory.", outputDir))`
	`200`	`+ if isBoringEnabled() {`
	`201`	`+ c.Ui.Output(fmt.Sprintf("A node certificate & key file have been generated in the '%s' directory (FIPS mode enabled).", outputDir))`
	`202`	`+ } else {`
	`203`	`+ c.Ui.Output(fmt.Sprintf("A node certificate & key file have been generated in the '%s' directory.", outputDir))`
	`204`	`+ }`
	`205`	`+`
`202`	`206`	`return 0`
`203`	`207`	`}`
`204`	`208`
`@@ -267,13 +271,13 @@ func generateNodeCertificate(caCert x509.Certificate, caPrivateKey rsa.Private`
`267`	`271`	`}`
`268`	`272`
`269`	`273`	`certFile := fmt.Sprintf("%s.crt", outputBaseFileName)`
`270`		`- err = ioutil.WriteFile(path.Join(outputDir, certFile), certPem.Bytes(), 0444)`
	`274`	`+ err = os.WriteFile(path.Join(outputDir, certFile), certPem.Bytes(), 0444)`
`271`	`275`	`if err != nil {`
`272`	`276`	`return fmt.Errorf("error writing certificate to %s: %s", certFile, err.Error())`
`273`	`277`	`}`
`274`	`278`
`275`	`279`	`keyFile := fmt.Sprintf("%s.key", outputBaseFileName)`
`276`		`- err = ioutil.WriteFile(path.Join(outputDir, keyFile), privateKeyPem.Bytes(), 0400)`
	`280`	`+ err = os.WriteFile(path.Join(outputDir, keyFile), privateKeyPem.Bytes(), 0400)`
`277`	`281`	`if err != nil {`
`278`	`282`	`return fmt.Errorf("error writing private key to %s: %s", keyFile, err.Error())`
`279`	`283`	`}`
Original file line number	Diff line number	Diff line change
`@@ -5,5 +5,6 @@ go 1.14`
`5`	`5`	`require (`
`6`	`6`	`github.com/hashicorp/go-multierror v1.0.0`
`7`	`7`	`github.com/mitchellh/cli v1.1.1`
	`8`	`+ github.com/stretchr/testify v1.8.4 // indirect`
`8`	`9`	`gopkg.in/yaml.v3 v3.0.1 // indirect`
`9`	`10`	`)`