sign the uploaded user key

Author: binarycodes

src/main/frontend/views/@index.tsx

@@ -33,22 +33,20 @@ export default function MainView() {
     <>
 
       <Card theme="elevated">
-        <div slot="title">Lapland</div>
-        <div slot="subtitle">The Exotic North</div>
-        <div>Lapland is the northern-most region of Finland and an active outdoor destination.</div>
+        <div slot="title">Upload user key</div>
+        <div slot="subtitle">Only upload the public key</div>
+        <Upload
+                target="/rest/key/userSign"
+                accept=".pub"
+                maxFiles={1}
+                maxFileSize={maxFileSizeInBytes}
+                onFileReject={(event) => {
+                  Notification.show(event.detail.error);
+                }}
+                headers={csrfHeaders}
+              />
+        <Button theme="primary">Submit</Button>
       </Card>
-      
-      <Upload
-        target="/rest/key/sign"
-        accept=".pub"
-        maxFiles={1}
-        maxFileSize={maxFileSizeInBytes}
-        onFileReject={(event) => {
-          Notification.show(event.detail.error);
-        }}
-        headers={csrfHeaders}
-      />
-      <Button theme="primary">Submit</Button>
     </>
   );
 }

src/main/java/io/binarycodes/homelab/sshkeysigner/config/ApplicationProperties.java

@@ -0,0 +1,10 @@
+package io.binarycodes.homelab.sshkeysigner.config;
+
+import org.springframework.boot.context.properties.ConfigurationProperties;
+
+@ConfigurationProperties(prefix = "app")
+public record ApplicationProperties(
+        String caUserPath,
+        String caHostPath
+) {
+}

src/main/java/io/binarycodes/homelab/sshkeysigner/endpoint/HelloEndpoint.java

@@ -14,4 +14,5 @@ public String sayHello(String name) {
             return "Hello " + name;
         }
     }
+
 }

src/main/java/io/binarycodes/homelab/sshkeysigner/keymanagement/KeyController.java

@@ -1,7 +1,10 @@
 package io.binarycodes.homelab.sshkeysigner.keymanagement;
 
 import lombok.extern.log4j.Log4j2;
+import org.springframework.core.io.ByteArrayResource;
+import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpStatus;
+import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -10,8 +13,6 @@
 import org.springframework.web.multipart.MultipartFile;
 import org.springframework.web.server.ResponseStatusException;
 
-import java.io.File;
-
 @Log4j2
 @RestController
 @RequestMapping("/rest/key")
@@ -29,12 +30,46 @@ public KeyInfo generateKey(@RequestParam String comment, @RequestParam String pa
         return key.orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND, "Key generation failed"));
     }
 
-    @PostMapping("/sign")
-    public ResponseEntity<Boolean> upload(@RequestParam("file") MultipartFile multipartFile) {
+    @PostMapping("/userSign")
+    public ResponseEntity<ByteArrayResource> signUserKey(@RequestParam("file") MultipartFile multipartFile) {
         log.debug("Uploading file '" + multipartFile.getOriginalFilename() + "'");
         try {
-            //File file = keyService.save(multipartFile);
-            return ResponseEntity.ok().body(true);
+            var signed = keyService.signUserKey(multipartFile.getOriginalFilename(), multipartFile.getBytes());
+
+            return signed.map(signedPublicKeyDownload -> {
+                var httpHeaders = new HttpHeaders();
+                httpHeaders.add(HttpHeaders.CONTENT_DISPOSITION, "attachment; filename=" + signedPublicKeyDownload.filename());
+                httpHeaders.add("Cache-Control", "no-cache, no-store, must-revalidate");
+                httpHeaders.add("Pragma", "no-cache");
+                httpHeaders.add("Expires", "0");
+
+                var resource = new ByteArrayResource(signedPublicKeyDownload.signedKey());
+
+                return ResponseEntity.ok().headers(httpHeaders).contentLength(signedPublicKeyDownload.signedKey().length).contentType(MediaType.APPLICATION_OCTET_STREAM).body(resource);
+            }).orElseGet(() -> ResponseEntity.badRequest().build());
+        } catch (Exception e) {
+            log.error("Error uploading file.", e);
+            return ResponseEntity.internalServerError().build();
+        }
+    }
+
+    @PostMapping("/hostSign")
+    public ResponseEntity<ByteArrayResource> signHostKey(@RequestParam("file") MultipartFile multipartFile) {
+        log.debug("Uploading file '" + multipartFile.getOriginalFilename() + "'");
+        try {
+            var signed = keyService.signUserKey(multipartFile.getOriginalFilename(), multipartFile.getBytes());
+
+            return signed.map(signedPublicKeyDownload -> {
+                var httpHeaders = new HttpHeaders();
+                httpHeaders.add(HttpHeaders.CONTENT_DISPOSITION, "attachment; filename=" + signedPublicKeyDownload.filename());
+                httpHeaders.add("Cache-Control", "no-cache, no-store, must-revalidate");
+                httpHeaders.add("Pragma", "no-cache");
+                httpHeaders.add("Expires", "0");
+
+                var resource = new ByteArrayResource(signedPublicKeyDownload.signedKey());
+
+                return ResponseEntity.ok().headers(httpHeaders).contentLength(signedPublicKeyDownload.signedKey().length).contentType(MediaType.APPLICATION_OCTET_STREAM).body(resource);
+            }).orElseGet(() -> ResponseEntity.badRequest().build());
         } catch (Exception e) {
             log.error("Error uploading file.", e);
             return ResponseEntity.internalServerError().build();

src/main/java/io/binarycodes/homelab/sshkeysigner/keymanagement/KeyService.java

@@ -4,18 +4,32 @@
 import com.sshtools.common.ssh.SshException;
 import com.sshtools.common.ssh.components.SshCertificate;
 import com.sshtools.common.ssh.components.SshKeyPair;
+import io.binarycodes.homelab.sshkeysigner.config.ApplicationProperties;
 import lombok.extern.log4j.Log4j2;
+import org.apache.commons.io.FilenameUtils;
 import org.springframework.stereotype.Service;
 
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
+import java.nio.file.Path;
 import java.util.Optional;
 
 @Log4j2
 @Service
 public class KeyService {
     /* https://jadaptive.com/app/manpage/en/article/2895616 */
 
+    private static final String CERTIFICATE_FILE_NAME_SUFFIX = "cert";
+    private final ApplicationProperties applicationProperties;
+
+    private enum SIGN_TYPE {
+        USER, HOST;
+    }
+
+    public KeyService(ApplicationProperties applicationProperties) {
+        this.applicationProperties = applicationProperties;
+    }
+
     public Optional<KeyInfo> generateKey(String comment, String passphrase) {
         try {
             var pair = SshKeyPairGenerator.generateKeyPair(SshKeyPairGenerator.ED25519);
@@ -83,4 +97,43 @@ private SshKeyPair keyInfoToKeyPair(KeyInfo keyInfo, String passphrase) throws I
         return SshPrivateKeyFileFactory.parse(keyInfo.privateKey().getBytes(StandardCharsets.UTF_8)).toKeyPair(passphrase);
     }
 
+    public Optional<SignedPublicKeyDownload> signUserKey(String filename, byte[] bytes) {
+        return signKey(SIGN_TYPE.USER, filename, bytes, "binarycodes");
+    }
+
+    public Optional<SignedPublicKeyDownload> signHostKey(String filename, byte[] bytes) {
+        return signKey(SIGN_TYPE.HOST, filename, bytes, "hostname");
+    }
+
+    private Optional<SignedPublicKeyDownload> signKey(SIGN_TYPE signType, String filename, byte[] bytes, String typeData) {
+        try {
+            var publicKeyFileToSign = SshPublicKeyFileFactory.parse(bytes);
+            var keyPairToSign = SshKeyPair.getKeyPair(null, publicKeyFileToSign.toPublicKey());
+
+            var signed = switch (signType) {
+                case USER ->
+                        SshCertificateAuthority.generateUserCertificate(keyPairToSign, 0L, typeData, 1, readUserCAKeys());
+                case HOST ->
+                        SshCertificateAuthority.generateHostCertificate(keyPairToSign, 0L, typeData, 1, readHostCAKeys());
+            };
+
+            var signedKey = SshPublicKeyFileFactory.create(signed.getCertificate(), publicKeyFileToSign.getComment(), SshPublicKeyFileFactory.OPENSSH_FORMAT);
+            var downloadFilename = "%s-%s.%s".formatted(FilenameUtils.getBaseName(filename), CERTIFICATE_FILE_NAME_SUFFIX, FilenameUtils.getExtension(filename));
+
+            return Optional.of(new SignedPublicKeyDownload(downloadFilename, signedKey.getFormattedKey()));
+        } catch (IOException e) {
+            log.error(e.getMessage(), e);
+        } catch (InvalidPassphraseException | SshException e) {
+            throw new RuntimeException(e);
+        }
+        return Optional.empty();
+    }
+
+    private SshKeyPair readUserCAKeys() throws IOException, InvalidPassphraseException {
+        return SshPrivateKeyFileFactory.parse(Path.of(applicationProperties.caUserPath())).toKeyPair("");
+    }
+
+    private SshKeyPair readHostCAKeys() throws IOException, InvalidPassphraseException {
+        return SshPrivateKeyFileFactory.parse(Path.of(applicationProperties.caHostPath())).toKeyPair("");
+    }
 }

src/main/java/io/binarycodes/homelab/sshkeysigner/keymanagement/SignedPublicKeyDownload.java

@@ -0,0 +1,4 @@
+package io.binarycodes.homelab.sshkeysigner.keymanagement;
+
+public record SignedPublicKeyDownload(String filename, byte[] signedKey) {
+}

src/main/resources/application-dev.yml

@@ -6,10 +6,12 @@ logging:
     org:
       atmosphere: warn
       springframework: warn
+    io:
+      binarycodes: trace
 
 keycloak:
   client: my-test-client
-  client_secret: NOVQKaevwzliFfqwzTRnHZmrEssd1s9f
+  client_secret: NGMFDNlSqjxVWgqwOyZQ4NS2fY18BG0x
   url: http://localhost:8090
   realm: my-test-realm
 

src/main/resources/application.yml

@@ -1,6 +1,12 @@
 server:
   port: ${PORT:8080}
 
+
+app:
+  ca_user_path: "./user_ca_key"
+  ca_host_path: "./host_ca_key"
+
+
 spring:
   profiles:
     active: @spring.profiles.active@