Merge branch 'david/revert-ed25519-everywhere' into david/docker-env-file

Author: ddworken

go.mod

@@ -3,8 +3,6 @@ module github.com/keybase/bot-sshca
 go 1.12
 
 require (
-	github.com/ScaleFT/sshkeys v0.0.0-20181112160850-82451a803681
-	github.com/dchest/bcrypt_pbkdf v0.0.0-20150205184540-83f37f9c154a // indirect
 	github.com/google/uuid v1.1.1
 	github.com/keybase/go-keybase-chat-bot v0.0.0-20190812134859-bc54fd9cf83b
 	github.com/sirupsen/logrus v1.4.2

go.sum

@@ -1,12 +1,8 @@
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/ScaleFT/sshkeys v0.0.0-20181112160850-82451a803681 h1:JS2rl38kZmHgWa0xINSaSYH0Whtvem64/4+Ef0+Y5pE=
-github.com/ScaleFT/sshkeys v0.0.0-20181112160850-82451a803681/go.mod h1:WfDateMPQ/55dPbZRp5Zxrux5WiEaHsjk9puUhz0KgY=
 github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dchest/bcrypt_pbkdf v0.0.0-20150205184540-83f37f9c154a h1:saTgr5tMLFnmy/yg3qDTft4rE5DY2uJ/cCxCe3q0XTU=
-github.com/dchest/bcrypt_pbkdf v0.0.0-20150205184540-83f37f9c154a/go.mod h1:Bw9BbhOJVNR+t0jCqx2GC6zv0TGBsShs56Y3gfSCvl0=
 github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/keybase/go-keybase-chat-bot v0.0.0-20190812134859-bc54fd9cf83b h1:7Te2f9LQ/rd6XSzpntz6BaCBgglZ0uiCdv3/GdhX9VA=

src/keybaseca/sshutils/generate.go

@@ -0,0 +1,21 @@
+// +build !windows
+
+package sshutils
+
+import (
+	"fmt"
+	"os/exec"
+	"strings"
+)
+
+// Generate a new SSH key. Places the private key at filename and the public key at filename.pub.
+// On unix, we use ed25519 keys since they may be more secure (and are smaller). The go crypto ssh library
+// does not support ed25519 keys so we use ssh-keygen in order to generate the key.
+func generateNewSSHKey(filename string) error {
+	cmd := exec.Command("ssh-keygen", "-t", "ed25519", "-f", filename, "-m", "PEM", "-N", "")
+	bytes, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("ssh-keygen failed: %s (%v)", strings.TrimSpace(string(bytes)), err)
+	}
+	return nil
+}

src/keybaseca/sshutils/generate_unix.go

@@ -0,0 +1,43 @@
+// +build windows
+// If you edit this file, be sure to test it on windows also. Our current test suite does not test windows support.
+
+package sshutils
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"io/ioutil"
+	"os"
+
+	"github.com/keybase/bot-sshca/src/shared"
+	"golang.org/x/crypto/ssh"
+)
+
+// Generate a new SSH key. Places the private key at filename and the public key at filename.pub.
+// On windows, we use 2048 bit rsa keys. go's ssh library doesn't support ed25519 and ssh-keygen isn't built in.
+func generateNewSSHKey(filename string) error {
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return err
+	}
+
+	privateKeyFile, err := os.Create(filename)
+	if err != nil {
+		return err
+	}
+	defer privateKeyFile.Close()
+
+	privateKeyPEM := &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(privateKey)}
+	err = pem.Encode(privateKeyFile, privateKeyPEM)
+	if err != nil {
+		return err
+	}
+
+	pub, err := ssh.NewPublicKey(&privateKey.PublicKey)
+	if err != nil {
+		return err
+	}
+	return ioutil.WriteFile(shared.KeyPathToPubKey(filename), ssh.MarshalAuthorizedKey(pub), 0600)
+}