UNPKG

@hashgraph/solo

Version:

An opinionated CLI tool to deploy and manage private Hedera Networks.

github.com/hashgraph/solo

hashgraph/solo

442 lines 19.8 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) { var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d; if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc); else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r; return c > 3 && r && Object.defineProperty(target, key, r), r; }; var __metadata = (this && this.__metadata) || function (k, v) { if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v); }; var __param = (this && this.__param) || function (paramIndex, decorator) { return function (target, key) { decorator(target, key, paramIndex); } }; var KeyManager_1; /** * SPDX-License-Identifier: Apache-2.0 */ import * as x509 from '@peculiar/x509'; import crypto from 'crypto'; import fs from 'fs'; import path from 'path'; import { SoloError, IllegalArgumentError, MissingArgumentError } from './errors.js'; import * as constants from './constants.js'; import { Templates } from './templates.js'; import * as helpers from './helpers.js'; import chalk from 'chalk'; import { inject, injectable } from 'tsyringe-neo'; import { patchInject } from './dependency_injection/container_helper.js'; import { InjectTokens } from './dependency_injection/inject_tokens.js'; // @ts-ignore x509.cryptoProvider.set(crypto); let KeyManager = class KeyManager { static { KeyManager_1 = this; } logger; static SigningKeyAlgo = { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-384', publicExponent: new Uint8Array([1, 0, 1]), modulusLength: 3072, }; static SigningKeyUsage = ['sign', 'verify']; static TLSKeyAlgo = { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-384', publicExponent: new Uint8Array([1, 0, 1]), modulusLength: 4096, }; static TLSKeyUsage = ['sign', 'verify']; static TLSCertKeyUsages = x509.KeyUsageFlags.digitalSignature | x509.KeyUsageFlags.keyEncipherment | x509.KeyUsageFlags.dataEncipherment; static TLSCertKeyExtendedUsages = [x509.ExtendedKeyUsage.serverAuth, x509.ExtendedKeyUsage.clientAuth]; static ECKeyAlgo = { name: 'ECDSA', namedCurve: 'P-384', hash: 'SHA-384', }; constructor(logger) { this.logger = logger; this.logger = patchInject(logger, InjectTokens.SoloLogger, this.constructor.name); } /** Convert CryptoKey into PEM string */ async convertPrivateKeyToPem(privateKey) { const ab = await crypto.subtle.exportKey('pkcs8', privateKey); return x509.PemConverter.encode(ab, 'PRIVATE KEY'); } /** * Convert PEM private key into CryptoKey * @param pemStr - PEM string * @param algo - key algorithm * @param [keyUsages] */ async convertPemToPrivateKey(pemStr, algo, keyUsages = ['sign']) { if (!algo) throw new MissingArgumentError('algo is required'); const items = x509.PemConverter.decode(pemStr); // Since pem file may include multiple PEM data, the decoder returns an array // However for private key there should be a single item. // So, we just being careful here to pick the last item (similar to how last PEM data represents the actual cert in // a certificate bundle) const lastItem = items[items.length - 1]; return await crypto.subtle.importKey('pkcs8', lastItem, algo, false, keyUsages); } /** * Return file names for node key * @param nodeAlias * @param keysDir - directory where keys and certs are stored */ prepareNodeKeyFilePaths(nodeAlias, keysDir) { if (!nodeAlias) throw new MissingArgumentError('nodeAlias is required'); if (!keysDir) throw new MissingArgumentError('keysDir is required'); const keyFile = path.join(keysDir, Templates.renderGossipPemPrivateKeyFile(nodeAlias)); const certFile = path.join(keysDir, Templates.renderGossipPemPublicKeyFile(nodeAlias)); return { privateKeyFile: keyFile, certificateFile: certFile, }; } /** * Return file names for TLS key * @param nodeAlias * @param keysDir - directory where keys and certs are stored */ prepareTLSKeyFilePaths(nodeAlias, keysDir) { if (!nodeAlias) throw new MissingArgumentError('nodeAlias is required'); if (!keysDir) throw new MissingArgumentError('keysDir is required'); const keyFile = path.join(keysDir, `hedera-${nodeAlias}.key`); const certFile = path.join(keysDir, `hedera-${nodeAlias}.crt`); return { privateKeyFile: keyFile, certificateFile: certFile, }; } /** * Store node keys and certs as PEM files * @param nodeAlias * @param nodeKey * @param keysDir - directory where keys and certs are stored * @param nodeKeyFiles * @param [keyName] - optional key type name for logging * @returns a Promise that saves the keys and certs as PEM files */ async storeNodeKey(nodeAlias, nodeKey, keysDir, nodeKeyFiles, keyName = '') { if (!nodeAlias) { throw new MissingArgumentError('nodeAlias is required'); } if (!nodeKey || !nodeKey.privateKey) { throw new MissingArgumentError('nodeKey.ed25519PrivateKey is required'); } if (!nodeKey || !nodeKey.certificateChain) { throw new MissingArgumentError('nodeKey.certificateChain is required'); } if (!keysDir) { throw new MissingArgumentError('keysDir is required'); } if (!nodeKeyFiles || !nodeKeyFiles.privateKeyFile) { throw new MissingArgumentError('nodeKeyFiles.privateKeyFile is required'); } if (!nodeKeyFiles || !nodeKeyFiles.certificateFile) { throw new MissingArgumentError('nodeKeyFiles.certificateFile is required'); } const keyPem = await this.convertPrivateKeyToPem(nodeKey.privateKey); const certPems = []; nodeKey.certificateChain.forEach(cert => { certPems.push(cert.toString('pem')); }); const self = this; return new Promise((resolve, reject) => { try { this.logger.debug(`Storing ${keyName} key for node: ${nodeAlias}`, { nodeKeyFiles }); fs.writeFileSync(nodeKeyFiles.privateKeyFile, keyPem); // remove if the certificate file exists already as otherwise we'll keep appending to the last if (fs.existsSync(nodeKeyFiles.certificateFile)) { fs.rmSync(nodeKeyFiles.certificateFile); } certPems.forEach(certPem => { fs.writeFileSync(nodeKeyFiles.certificateFile, certPem + '\n', { flag: 'a' }); }); self.logger.debug(`Stored ${keyName} key for node: ${nodeAlias}`, { nodeKeyFiles, }); resolve(nodeKeyFiles); } catch (e) { reject(e); } }); } /** * Load node keys and certs from PEM files * @param nodeAlias * @param keysDir - directory where keys and certs are stored * @param algo - algorithm used for key * @param nodeKeyFiles an object stores privateKeyFile and certificateFile * @param [keyName] - optional key type name for logging * @returns */ async loadNodeKey(nodeAlias, keysDir, algo, nodeKeyFiles, keyName = '') { if (!nodeAlias) { throw new MissingArgumentError('nodeAlias is required'); } if (!keysDir) { throw new MissingArgumentError('keysDir is required'); } if (!algo) { throw new MissingArgumentError('algo is required'); } if (!nodeKeyFiles || !nodeKeyFiles.privateKeyFile) { throw new MissingArgumentError('nodeKeyFiles.privateKeyFile is required'); } if (!nodeKeyFiles || !nodeKeyFiles.certificateFile) { throw new MissingArgumentError('nodeKeyFiles.certificateFile is required'); } this.logger.debug(`Loading ${keyName}-keys for node: ${nodeAlias}`, { nodeKeyFiles }); const keyBytes = fs.readFileSync(nodeKeyFiles.privateKeyFile); const keyPem = keyBytes.toString(); const key = await this.convertPemToPrivateKey(keyPem, algo); const certBytes = fs.readFileSync(nodeKeyFiles.certificateFile); const certPems = x509.PemConverter.decode(certBytes.toString()); const certs = []; certPems.forEach(certPem => { const cert = new x509.X509Certificate(certPem); certs.push(cert); }); const certChain = await new x509.X509ChainBuilder({ certificates: certs.slice(1) }).build(certs[0]); this.logger.debug(`Loaded ${keyName}-key for node: ${nodeAlias}`, { nodeKeyFiles, cert: certs[0].toString('pem'), }); return { privateKey: key, certificate: certs[0], certificateChain: certChain, }; } /** Generate signing key and certificate */ async generateSigningKey(nodeAlias) { try { const keyPrefix = constants.SIGNING_KEY_PREFIX; const curDate = new Date(); const friendlyName = Templates.renderNodeFriendlyName(keyPrefix, nodeAlias); this.logger.debug(`generating ${keyPrefix}-key for node: ${nodeAlias}`, { friendlyName }); const keypair = await crypto.subtle.generateKey(KeyManager_1.SigningKeyAlgo, true, KeyManager_1.SigningKeyUsage); const cert = await x509.X509CertificateGenerator.createSelfSigned({ serialNumber: '01', name: `CN=${friendlyName}`, notBefore: curDate, // @ts-ignore notAfter: new Date().setFullYear(curDate.getFullYear() + constants.CERTIFICATE_VALIDITY_YEARS), keys: keypair, extensions: [ new x509.BasicConstraintsExtension(true, 1, true), new x509.ExtendedKeyUsageExtension([x509.ExtendedKeyUsage.serverAuth, x509.ExtendedKeyUsage.clientAuth], true), new x509.KeyUsagesExtension(x509.KeyUsageFlags.keyCertSign | x509.KeyUsageFlags.cRLSign, true), await x509.SubjectKeyIdentifierExtension.create(keypair.publicKey), ], }); const certChain = await new x509.X509ChainBuilder().build(cert); this.logger.debug(`generated ${keyPrefix}-key for node: ${nodeAlias}`, { cert: cert.toString('pem') }); return { privateKey: keypair.privateKey, certificate: cert, certificateChain: certChain, }; } catch (e) { throw new SoloError(`failed to generate signing key: ${e.message}`, e); } } /** * Store signing key and certificate * @param nodeAlias * @param nodeKey - an object containing privateKeyPem, certificatePem data * @param keysDir - directory where keys and certs are stored * @returns returns a Promise that saves the keys and certs as PEM files */ storeSigningKey(nodeAlias, nodeKey, keysDir) { const nodeKeyFiles = this.prepareNodeKeyFilePaths(nodeAlias, keysDir); return this.storeNodeKey(nodeAlias, nodeKey, keysDir, nodeKeyFiles, 'signing'); } /** * Load signing key and certificate * @param nodeAlias * @param keysDir - directory path where pem files are stored */ loadSigningKey(nodeAlias, keysDir) { const nodeKeyFiles = this.prepareNodeKeyFilePaths(nodeAlias, keysDir); return this.loadNodeKey(nodeAlias, keysDir, KeyManager_1.SigningKeyAlgo, nodeKeyFiles, 'signing'); } /** * Generate gRPC TLS key * * It generates TLS keys in PEM format such as below: * hedera-<nodeAlias>.key * hedera-<nodeAlias>.crt * * @param nodeAlias * @param distinguishedName distinguished name as: new x509.Name(`CN=${nodeAlias},ST=${state},L=${locality},O=${org},OU=${orgUnit},C=${country}`) */ async generateGrpcTlsKey(nodeAlias, distinguishedName = new x509.Name(`CN=${nodeAlias}`)) { if (!nodeAlias) throw new MissingArgumentError('nodeAlias is required'); if (!distinguishedName) throw new MissingArgumentError('distinguishedName is required'); try { const curDate = new Date(); this.logger.debug(`generating gRPC TLS for node: ${nodeAlias}`, { distinguishedName }); const keypair = await crypto.subtle.generateKey(KeyManager_1.TLSKeyAlgo, true, KeyManager_1.TLSKeyUsage); const cert = await x509.X509CertificateGenerator.createSelfSigned({ serialNumber: '01', name: distinguishedName, notBefore: curDate, // @ts-ignore notAfter: new Date().setFullYear(curDate.getFullYear() + constants.CERTIFICATE_VALIDITY_YEARS), keys: keypair, extensions: [ new x509.BasicConstraintsExtension(false, 0, true), new x509.KeyUsagesExtension(KeyManager_1.TLSCertKeyUsages, true), new x509.ExtendedKeyUsageExtension(KeyManager_1.TLSCertKeyExtendedUsages, true), await x509.SubjectKeyIdentifierExtension.create(keypair.publicKey, false), await x509.AuthorityKeyIdentifierExtension.create(keypair.publicKey, false), ], }); const certChain = await new x509.X509ChainBuilder().build(cert); this.logger.debug(`generated gRPC TLS for node: ${nodeAlias}`, { cert: cert.toString('pem') }); return { privateKey: keypair.privateKey, certificate: cert, certificateChain: certChain, }; } catch (e) { throw new SoloError(`failed to generate gRPC TLS key: ${e.message}`, e); } } /** * Store TLS key and certificate * @param nodeAlias * @param nodeKey * @param keysDir - directory where keys and certs are stored * @returns a Promise that saves the keys and certs as PEM files */ storeTLSKey(nodeAlias, nodeKey, keysDir) { const nodeKeyFiles = this.prepareTLSKeyFilePaths(nodeAlias, keysDir); return this.storeNodeKey(nodeAlias, nodeKey, keysDir, nodeKeyFiles, 'gRPC TLS'); } /** * Load TLS key and certificate * @param nodeAlias * @param keysDir - directory path where pem files are stored */ loadTLSKey(nodeAlias, keysDir) { const nodeKeyFiles = this.prepareTLSKeyFilePaths(nodeAlias, keysDir); return this.loadNodeKey(nodeAlias, keysDir, KeyManager_1.TLSKeyAlgo, nodeKeyFiles, 'gRPC TLS'); } copyNodeKeysToStaging(nodeKey, destDir) { for (const keyFile of [nodeKey.privateKeyFile, nodeKey.certificateFile]) { if (!fs.existsSync(keyFile)) { throw new SoloError(`file (${keyFile}) is missing`); } const fileName = path.basename(keyFile); fs.cpSync(keyFile, path.join(destDir, fileName)); } } copyGossipKeysToStaging(keysDir, stagingKeysDir, nodeAliases) { // copy gossip keys to the staging for (const nodeAlias of nodeAliases) { const signingKeyFiles = this.prepareNodeKeyFilePaths(nodeAlias, keysDir); this.copyNodeKeysToStaging(signingKeyFiles, stagingKeysDir); } } /** * Return a list of subtasks to generate gossip keys * * WARNING: These tasks MUST run in sequence. * * @param nodeAliases * @param keysDir - keys directory * @param curDate - current date * @param [allNodeAliases] - includes the nodeAliases to get new keys as well as existing nodeAliases that will be included in the public.pfx file * @return a list of subtasks */ taskGenerateGossipKeys(nodeAliases, keysDir, curDate = new Date(), allNodeAliases = null) { allNodeAliases = allNodeAliases || nodeAliases; // TODO: unused variable if (!Array.isArray(nodeAliases) || !nodeAliases.every(nodeAlias => typeof nodeAlias === 'string')) { throw new IllegalArgumentError('nodeAliases must be an array of strings, nodeAliases = ' + JSON.stringify(nodeAliases)); } const self = this; const subTasks = []; subTasks.push({ title: 'Backup old files', task: () => helpers.backupOldPemKeys(nodeAliases, keysDir, curDate), }); for (const nodeAlias of nodeAliases) { subTasks.push({ title: `Gossip key for node: ${chalk.yellow(nodeAlias)}`, task: async () => { const signingKey = await self.generateSigningKey(nodeAlias); const signingKeyFiles = await self.storeSigningKey(nodeAlias, signingKey, keysDir); this.logger.debug(`generated Gossip signing keys for node ${nodeAlias}`, { keyFiles: signingKeyFiles }); }, }); } return subTasks; } /** * Return a list of subtasks to generate gRPC TLS keys * * WARNING: These tasks should run in sequence * * @param nodeAliases * @param keysDir keys directory * @param curDate current date * @return return a list of subtasks */ taskGenerateTLSKeys(nodeAliases, keysDir, curDate = new Date()) { // check if nodeAliases is an array of strings if (!Array.isArray(nodeAliases) || !nodeAliases.every(nodeAlias => typeof nodeAlias === 'string')) { throw new SoloError('nodeAliases must be an array of strings'); } const self = this; const nodeKeyFiles = new Map(); const subTasks = []; subTasks.push({ title: 'Backup old files', task: () => helpers.backupOldTlsKeys(nodeAliases, keysDir, curDate), }); for (const nodeAlias of nodeAliases) { subTasks.push({ title: `TLS key for node: ${chalk.yellow(nodeAlias)}`, task: async () => { const tlsKey = await self.generateGrpcTlsKey(nodeAlias); const tlsKeyFiles = await self.storeTLSKey(nodeAlias, tlsKey, keysDir); nodeKeyFiles.set(nodeAlias, { tlsKeyFiles, }); }, }); } return subTasks; } /** * Given the path to the PEM certificate (Base64 ASCII), will return the DER (raw binary) bytes * @param pemCertFullPath */ getDerFromPemCertificate(pemCertFullPath) { const certPem = fs.readFileSync(pemCertFullPath).toString(); const decodedDers = x509.PemConverter.decode(certPem); if (!decodedDers || decodedDers.length === 0) { throw new SoloError('unable to load perm key: ' + pemCertFullPath); } return new Uint8Array(decodedDers[0]); } }; KeyManager = KeyManager_1 = __decorate([ injectable(), __param(0, inject(InjectTokens.SoloLogger)), __metadata("design:paramtypes", [Function]) ], KeyManager); export { KeyManager }; //# sourceMappingURL=key_manager.js.map