config/main: Re-write config files - add to new config v3
- New config format.
```
{
"version": "3",
"address": ":9000",
"backend": {
"type": "fs",
"disk": "/path"
},
"credential": {
"accessKey": "WLGDGYAQYIGI833EV05A",
"secretKey": "BYvgJM101sHngl2uzjXS/OBF/aMxAN06JrJ3qJlF"
},
"region": "us-east-1",
"logger": {
"file": {
"enable": false,
"fileName": "",
"level": "error"
},
"syslog": {
"enable": false,
"address": "",
"level": "debug"
},
"console": {
"enable": true,
"level": "fatal"
}
}
}
```
New command lines in lieu of supporting XL.
Minio initialize filesystem backend.
~~~
$ minio init fs <path>
~~~
Minio initialize XL backend.
~~~
$ minio init xl <url1>...<url16>
~~~
For 'fs' backend it starts the server.
~~~
$ minio server
~~~
For 'xl' backend it waits for servers to join.
~~~
$ minio server
... [PROGRESS BAR] of servers connecting
~~~
Now on other servers execute 'join' and they connect.
~~~
....
minio join <url1> -- from <url2> && minio server
minio join <url1> -- from <url3> && minio server
...
...
minio join <url1> -- from <url16> && minio server
~~~
2016-02-12 18:27:10 -05:00
|
|
|
/*
|
2017-03-08 22:20:01 -05:00
|
|
|
* Minio Cloud Storage, (C) 2015, 2016, 2017 Minio, Inc.
|
config/main: Re-write config files - add to new config v3
- New config format.
```
{
"version": "3",
"address": ":9000",
"backend": {
"type": "fs",
"disk": "/path"
},
"credential": {
"accessKey": "WLGDGYAQYIGI833EV05A",
"secretKey": "BYvgJM101sHngl2uzjXS/OBF/aMxAN06JrJ3qJlF"
},
"region": "us-east-1",
"logger": {
"file": {
"enable": false,
"fileName": "",
"level": "error"
},
"syslog": {
"enable": false,
"address": "",
"level": "debug"
},
"console": {
"enable": true,
"level": "fatal"
}
}
}
```
New command lines in lieu of supporting XL.
Minio initialize filesystem backend.
~~~
$ minio init fs <path>
~~~
Minio initialize XL backend.
~~~
$ minio init xl <url1>...<url16>
~~~
For 'fs' backend it starts the server.
~~~
$ minio server
~~~
For 'xl' backend it waits for servers to join.
~~~
$ minio server
... [PROGRESS BAR] of servers connecting
~~~
Now on other servers execute 'join' and they connect.
~~~
....
minio join <url1> -- from <url2> && minio server
minio join <url1> -- from <url3> && minio server
...
...
minio join <url1> -- from <url16> && minio server
~~~
2016-02-12 18:27:10 -05:00
|
|
|
*
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
|
* You may obtain a copy of the License at
|
|
|
|
*
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
*
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
* limitations under the License.
|
|
|
|
*/
|
|
|
|
|
2016-08-18 19:23:42 -04:00
|
|
|
package cmd
|
config/main: Re-write config files - add to new config v3
- New config format.
```
{
"version": "3",
"address": ":9000",
"backend": {
"type": "fs",
"disk": "/path"
},
"credential": {
"accessKey": "WLGDGYAQYIGI833EV05A",
"secretKey": "BYvgJM101sHngl2uzjXS/OBF/aMxAN06JrJ3qJlF"
},
"region": "us-east-1",
"logger": {
"file": {
"enable": false,
"fileName": "",
"level": "error"
},
"syslog": {
"enable": false,
"address": "",
"level": "debug"
},
"console": {
"enable": true,
"level": "fatal"
}
}
}
```
New command lines in lieu of supporting XL.
Minio initialize filesystem backend.
~~~
$ minio init fs <path>
~~~
Minio initialize XL backend.
~~~
$ minio init xl <url1>...<url16>
~~~
For 'fs' backend it starts the server.
~~~
$ minio server
~~~
For 'xl' backend it waits for servers to join.
~~~
$ minio server
... [PROGRESS BAR] of servers connecting
~~~
Now on other servers execute 'join' and they connect.
~~~
....
minio join <url1> -- from <url2> && minio server
minio join <url1> -- from <url3> && minio server
...
...
minio join <url1> -- from <url16> && minio server
~~~
2016-02-12 18:27:10 -05:00
|
|
|
|
|
|
|
import (
|
2018-05-09 04:56:38 -04:00
|
|
|
"bytes"
|
2018-04-24 18:47:30 -04:00
|
|
|
"crypto"
|
|
|
|
"crypto/ecdsa"
|
2017-07-12 19:33:21 -04:00
|
|
|
"crypto/tls"
|
2016-10-14 07:48:08 -04:00
|
|
|
"crypto/x509"
|
|
|
|
"encoding/pem"
|
|
|
|
"io/ioutil"
|
2018-01-05 02:48:08 -05:00
|
|
|
"os"
|
2018-05-31 15:30:15 -04:00
|
|
|
|
|
|
|
"github.com/minio/minio/pkg/certs"
|
config/main: Re-write config files - add to new config v3
- New config format.
```
{
"version": "3",
"address": ":9000",
"backend": {
"type": "fs",
"disk": "/path"
},
"credential": {
"accessKey": "WLGDGYAQYIGI833EV05A",
"secretKey": "BYvgJM101sHngl2uzjXS/OBF/aMxAN06JrJ3qJlF"
},
"region": "us-east-1",
"logger": {
"file": {
"enable": false,
"fileName": "",
"level": "error"
},
"syslog": {
"enable": false,
"address": "",
"level": "debug"
},
"console": {
"enable": true,
"level": "fatal"
}
}
}
```
New command lines in lieu of supporting XL.
Minio initialize filesystem backend.
~~~
$ minio init fs <path>
~~~
Minio initialize XL backend.
~~~
$ minio init xl <url1>...<url16>
~~~
For 'fs' backend it starts the server.
~~~
$ minio server
~~~
For 'xl' backend it waits for servers to join.
~~~
$ minio server
... [PROGRESS BAR] of servers connecting
~~~
Now on other servers execute 'join' and they connect.
~~~
....
minio join <url1> -- from <url2> && minio server
minio join <url1> -- from <url3> && minio server
...
...
minio join <url1> -- from <url16> && minio server
~~~
2016-02-12 18:27:10 -05:00
|
|
|
)
|
|
|
|
|
2018-01-05 02:48:08 -05:00
|
|
|
// TLSPrivateKeyPassword is the environment variable which contains the password used
|
|
|
|
// to decrypt the TLS private key. It must be set if the TLS private key is
|
|
|
|
// password protected.
|
|
|
|
const TLSPrivateKeyPassword = "MINIO_CERT_PASSWD"
|
|
|
|
|
2017-07-12 19:33:21 -04:00
|
|
|
func parsePublicCertFile(certFile string) (x509Certs []*x509.Certificate, err error) {
|
|
|
|
// Read certificate file.
|
|
|
|
var data []byte
|
|
|
|
if data, err = ioutil.ReadFile(certFile); err != nil {
|
|
|
|
return nil, err
|
2017-03-08 22:20:01 -05:00
|
|
|
}
|
config/main: Re-write config files - add to new config v3
- New config format.
```
{
"version": "3",
"address": ":9000",
"backend": {
"type": "fs",
"disk": "/path"
},
"credential": {
"accessKey": "WLGDGYAQYIGI833EV05A",
"secretKey": "BYvgJM101sHngl2uzjXS/OBF/aMxAN06JrJ3qJlF"
},
"region": "us-east-1",
"logger": {
"file": {
"enable": false,
"fileName": "",
"level": "error"
},
"syslog": {
"enable": false,
"address": "",
"level": "debug"
},
"console": {
"enable": true,
"level": "fatal"
}
}
}
```
New command lines in lieu of supporting XL.
Minio initialize filesystem backend.
~~~
$ minio init fs <path>
~~~
Minio initialize XL backend.
~~~
$ minio init xl <url1>...<url16>
~~~
For 'fs' backend it starts the server.
~~~
$ minio server
~~~
For 'xl' backend it waits for servers to join.
~~~
$ minio server
... [PROGRESS BAR] of servers connecting
~~~
Now on other servers execute 'join' and they connect.
~~~
....
minio join <url1> -- from <url2> && minio server
minio join <url1> -- from <url3> && minio server
...
...
minio join <url1> -- from <url16> && minio server
~~~
2016-02-12 18:27:10 -05:00
|
|
|
|
2018-05-09 04:56:38 -04:00
|
|
|
// Trimming leading and tailing white spaces.
|
|
|
|
data = bytes.TrimSpace(data)
|
|
|
|
|
2017-03-08 22:20:01 -05:00
|
|
|
// Parse all certs in the chain.
|
2017-07-12 19:33:21 -04:00
|
|
|
current := data
|
2017-03-08 22:20:01 -05:00
|
|
|
for len(current) > 0 {
|
2017-07-12 19:33:21 -04:00
|
|
|
var pemBlock *pem.Block
|
|
|
|
if pemBlock, current = pem.Decode(current); pemBlock == nil {
|
2018-05-08 22:04:36 -04:00
|
|
|
return nil, uiErrSSLUnexpectedData(nil).Msg("Could not read PEM block from file %s", certFile)
|
2017-03-08 22:20:01 -05:00
|
|
|
}
|
config/main: Re-write config files - add to new config v3
- New config format.
```
{
"version": "3",
"address": ":9000",
"backend": {
"type": "fs",
"disk": "/path"
},
"credential": {
"accessKey": "WLGDGYAQYIGI833EV05A",
"secretKey": "BYvgJM101sHngl2uzjXS/OBF/aMxAN06JrJ3qJlF"
},
"region": "us-east-1",
"logger": {
"file": {
"enable": false,
"fileName": "",
"level": "error"
},
"syslog": {
"enable": false,
"address": "",
"level": "debug"
},
"console": {
"enable": true,
"level": "fatal"
}
}
}
```
New command lines in lieu of supporting XL.
Minio initialize filesystem backend.
~~~
$ minio init fs <path>
~~~
Minio initialize XL backend.
~~~
$ minio init xl <url1>...<url16>
~~~
For 'fs' backend it starts the server.
~~~
$ minio server
~~~
For 'xl' backend it waits for servers to join.
~~~
$ minio server
... [PROGRESS BAR] of servers connecting
~~~
Now on other servers execute 'join' and they connect.
~~~
....
minio join <url1> -- from <url2> && minio server
minio join <url1> -- from <url3> && minio server
...
...
minio join <url1> -- from <url16> && minio server
~~~
2016-02-12 18:27:10 -05:00
|
|
|
|
2017-07-12 19:33:21 -04:00
|
|
|
var x509Cert *x509.Certificate
|
|
|
|
if x509Cert, err = x509.ParseCertificate(pemBlock.Bytes); err != nil {
|
2018-05-08 22:04:36 -04:00
|
|
|
return nil, uiErrSSLUnexpectedData(err)
|
2017-03-02 17:21:30 -05:00
|
|
|
}
|
2016-11-11 10:18:44 -05:00
|
|
|
|
2017-07-12 19:33:21 -04:00
|
|
|
x509Certs = append(x509Certs, x509Cert)
|
2016-11-11 10:18:44 -05:00
|
|
|
}
|
2017-03-02 17:21:30 -05:00
|
|
|
|
2017-07-12 19:33:21 -04:00
|
|
|
if len(x509Certs) == 0 {
|
2018-05-08 22:04:36 -04:00
|
|
|
return nil, uiErrSSLUnexpectedData(nil).Msg("Empty public certificate file %s", certFile)
|
2017-03-08 22:20:01 -05:00
|
|
|
}
|
config/main: Re-write config files - add to new config v3
- New config format.
```
{
"version": "3",
"address": ":9000",
"backend": {
"type": "fs",
"disk": "/path"
},
"credential": {
"accessKey": "WLGDGYAQYIGI833EV05A",
"secretKey": "BYvgJM101sHngl2uzjXS/OBF/aMxAN06JrJ3qJlF"
},
"region": "us-east-1",
"logger": {
"file": {
"enable": false,
"fileName": "",
"level": "error"
},
"syslog": {
"enable": false,
"address": "",
"level": "debug"
},
"console": {
"enable": true,
"level": "fatal"
}
}
}
```
New command lines in lieu of supporting XL.
Minio initialize filesystem backend.
~~~
$ minio init fs <path>
~~~
Minio initialize XL backend.
~~~
$ minio init xl <url1>...<url16>
~~~
For 'fs' backend it starts the server.
~~~
$ minio server
~~~
For 'xl' backend it waits for servers to join.
~~~
$ minio server
... [PROGRESS BAR] of servers connecting
~~~
Now on other servers execute 'join' and they connect.
~~~
....
minio join <url1> -- from <url2> && minio server
minio join <url1> -- from <url3> && minio server
...
...
minio join <url1> -- from <url16> && minio server
~~~
2016-02-12 18:27:10 -05:00
|
|
|
|
2017-07-12 19:33:21 -04:00
|
|
|
return x509Certs, nil
|
config/main: Re-write config files - add to new config v3
- New config format.
```
{
"version": "3",
"address": ":9000",
"backend": {
"type": "fs",
"disk": "/path"
},
"credential": {
"accessKey": "WLGDGYAQYIGI833EV05A",
"secretKey": "BYvgJM101sHngl2uzjXS/OBF/aMxAN06JrJ3qJlF"
},
"region": "us-east-1",
"logger": {
"file": {
"enable": false,
"fileName": "",
"level": "error"
},
"syslog": {
"enable": false,
"address": "",
"level": "debug"
},
"console": {
"enable": true,
"level": "fatal"
}
}
}
```
New command lines in lieu of supporting XL.
Minio initialize filesystem backend.
~~~
$ minio init fs <path>
~~~
Minio initialize XL backend.
~~~
$ minio init xl <url1>...<url16>
~~~
For 'fs' backend it starts the server.
~~~
$ minio server
~~~
For 'xl' backend it waits for servers to join.
~~~
$ minio server
... [PROGRESS BAR] of servers connecting
~~~
Now on other servers execute 'join' and they connect.
~~~
....
minio join <url1> -- from <url2> && minio server
minio join <url1> -- from <url3> && minio server
...
...
minio join <url1> -- from <url16> && minio server
~~~
2016-02-12 18:27:10 -05:00
|
|
|
}
|
|
|
|
|
2017-03-08 22:20:01 -05:00
|
|
|
func getRootCAs(certsCAsDir string) (*x509.CertPool, error) {
|
|
|
|
// Get all CA file names.
|
|
|
|
var caFiles []string
|
2018-03-07 11:46:28 -05:00
|
|
|
fis, err := readDir(certsCAsDir)
|
2016-10-14 14:15:59 -04:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
2016-10-14 07:48:08 -04:00
|
|
|
}
|
2017-03-08 22:20:01 -05:00
|
|
|
for _, fi := range fis {
|
2018-03-07 11:46:28 -05:00
|
|
|
// Skip all directories.
|
|
|
|
if hasSuffix(fi, slashSeparator) {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
// We are only interested in regular files here.
|
|
|
|
caFiles = append(caFiles, pathJoin(certsCAsDir, fi))
|
2017-03-08 22:20:01 -05:00
|
|
|
}
|
|
|
|
if len(caFiles) == 0 {
|
|
|
|
return nil, nil
|
|
|
|
}
|
2016-10-14 07:48:08 -04:00
|
|
|
|
2017-03-08 22:20:01 -05:00
|
|
|
rootCAs, err := x509.SystemCertPool()
|
|
|
|
if err != nil {
|
|
|
|
// In some systems like Windows, system cert pool is not supported.
|
|
|
|
// Hence we create a new cert pool.
|
|
|
|
rootCAs = x509.NewCertPool()
|
|
|
|
}
|
2016-10-14 07:48:08 -04:00
|
|
|
|
2017-03-08 22:20:01 -05:00
|
|
|
// Load custom root CAs for client requests
|
|
|
|
for _, caFile := range caFiles {
|
|
|
|
caCert, err := ioutil.ReadFile(caFile)
|
2016-10-14 07:48:08 -04:00
|
|
|
if err != nil {
|
2017-07-12 19:33:21 -04:00
|
|
|
return nil, err
|
2016-10-14 07:48:08 -04:00
|
|
|
}
|
|
|
|
|
2017-03-08 22:20:01 -05:00
|
|
|
rootCAs.AppendCertsFromPEM(caCert)
|
2016-10-14 07:48:08 -04:00
|
|
|
}
|
2017-03-08 22:20:01 -05:00
|
|
|
|
|
|
|
return rootCAs, nil
|
2016-10-14 07:48:08 -04:00
|
|
|
}
|
2017-01-10 19:43:48 -05:00
|
|
|
|
2018-01-05 02:48:08 -05:00
|
|
|
// load an X509 key pair (private key , certificate) from the provided
|
|
|
|
// paths. The private key may be encrypted and is decrypted using the
|
|
|
|
// ENV_VAR: MINIO_CERT_PASSWD.
|
|
|
|
func loadX509KeyPair(certFile, keyFile string) (tls.Certificate, error) {
|
|
|
|
certPEMBlock, err := ioutil.ReadFile(certFile)
|
|
|
|
if err != nil {
|
2018-05-08 22:04:36 -04:00
|
|
|
return tls.Certificate{}, uiErrSSLUnexpectedError(err)
|
2018-01-05 02:48:08 -05:00
|
|
|
}
|
|
|
|
keyPEMBlock, err := ioutil.ReadFile(keyFile)
|
|
|
|
if err != nil {
|
2018-05-08 22:04:36 -04:00
|
|
|
return tls.Certificate{}, uiErrSSLUnexpectedError(err)
|
2018-01-05 02:48:08 -05:00
|
|
|
}
|
|
|
|
key, rest := pem.Decode(keyPEMBlock)
|
|
|
|
if len(rest) > 0 {
|
2018-05-08 22:04:36 -04:00
|
|
|
return tls.Certificate{}, uiErrSSLUnexpectedData(nil).Msg("The private key contains additional data")
|
2018-01-05 02:48:08 -05:00
|
|
|
}
|
|
|
|
if x509.IsEncryptedPEMBlock(key) {
|
|
|
|
password, ok := os.LookupEnv(TLSPrivateKeyPassword)
|
|
|
|
if !ok {
|
2018-05-08 22:04:36 -04:00
|
|
|
return tls.Certificate{}, uiErrSSLNoPassword(nil)
|
2018-01-05 02:48:08 -05:00
|
|
|
}
|
|
|
|
decryptedKey, decErr := x509.DecryptPEMBlock(key, []byte(password))
|
|
|
|
if decErr != nil {
|
2018-05-08 22:04:36 -04:00
|
|
|
return tls.Certificate{}, uiErrSSLWrongPassword(decErr)
|
2018-01-05 02:48:08 -05:00
|
|
|
}
|
|
|
|
keyPEMBlock = pem.EncodeToMemory(&pem.Block{Type: key.Type, Bytes: decryptedKey})
|
|
|
|
}
|
2018-05-08 22:04:36 -04:00
|
|
|
cert, err := tls.X509KeyPair(certPEMBlock, keyPEMBlock)
|
|
|
|
if err != nil {
|
|
|
|
return tls.Certificate{}, uiErrSSLUnexpectedData(nil).Msg(err.Error())
|
|
|
|
}
|
2018-05-31 15:30:15 -04:00
|
|
|
// Ensure that the private key is not a P-384 or P-521 EC key.
|
|
|
|
// The Go TLS stack does not provide constant-time implementations of P-384 and P-521.
|
|
|
|
if priv, ok := cert.PrivateKey.(crypto.Signer); ok {
|
|
|
|
if pub, ok := priv.Public().(*ecdsa.PublicKey); ok {
|
|
|
|
if name := pub.Params().Name; name == "P-384" || name == "P-521" { // unfortunately there is no cleaner way to check
|
|
|
|
return tls.Certificate{}, uiErrSSLUnexpectedData(nil).Msg("tls: the ECDSA curve '%s' is not supported", name)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2018-05-08 22:04:36 -04:00
|
|
|
return cert, nil
|
2018-01-05 02:48:08 -05:00
|
|
|
}
|
|
|
|
|
2018-05-31 15:30:15 -04:00
|
|
|
func getSSLConfig() (x509Certs []*x509.Certificate, rootCAs *x509.CertPool, c *certs.Certs, secureConn bool, err error) {
|
2017-03-30 14:21:19 -04:00
|
|
|
if !(isFile(getPublicCertFile()) && isFile(getPrivateKeyFile())) {
|
2017-07-12 19:33:21 -04:00
|
|
|
return nil, nil, nil, false, nil
|
2017-03-30 14:21:19 -04:00
|
|
|
}
|
|
|
|
|
2017-07-12 19:33:21 -04:00
|
|
|
if x509Certs, err = parsePublicCertFile(getPublicCertFile()); err != nil {
|
|
|
|
return nil, nil, nil, false, err
|
2017-03-30 14:21:19 -04:00
|
|
|
}
|
|
|
|
|
2018-05-31 15:30:15 -04:00
|
|
|
c, err = certs.New(getPublicCertFile(), getPrivateKeyFile(), loadX509KeyPair)
|
|
|
|
if err != nil {
|
2017-07-12 19:33:21 -04:00
|
|
|
return nil, nil, nil, false, err
|
|
|
|
}
|
|
|
|
|
2017-03-30 14:21:19 -04:00
|
|
|
if rootCAs, err = getRootCAs(getCADir()); err != nil {
|
2017-07-12 19:33:21 -04:00
|
|
|
return nil, nil, nil, false, err
|
2017-03-30 14:21:19 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
secureConn = true
|
2018-05-31 15:30:15 -04:00
|
|
|
return x509Certs, rootCAs, c, secureConn, nil
|
2017-01-10 19:43:48 -05:00
|
|
|
}
|