google / certificate-transparency-go

Auditing for TLS certificates (Go code)
https://certificate.transparency.dev
Apache License 2.0

priv pub key encoding #780

Open lukehinds opened 3 years ago

lukehinds commented 3 years ago

Hey, this looks like unicode (utf8?), do you have any pointers on how I can generate this?

    public_key: {
        der: "\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x07\xf8\x51\xaf\xaa\x8c\x56\x83\x90\x31\xb7\x80\xe3\xd6\x1a\xf7\x2f\x36\x06\x71\xec\xdd\x3b\xbe\x7e\x36\x6f\x0d\x1c\x1c\x60\x0b\x7f\xf5\x9f\xff\xe5\x24\x49\x34\x56\xf2\x4b\x10\x5f\xbf\x08\x1f\xf9\x0e\xcf\x35\xb5\x8a\x8a\x8b\x30\x0a\x54\xb7\xbf\x1d\x4d\xb9"
    }
    private_key: {
        [type.googleapis.com/keyspb.PrivateKey] {
            der: "\x30\x81\x87\x02\x01\x00\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x04\x6d\x30\x6b\x02\x01\x01\x04\x20\x84\x33\x84\xfa\x1c\x30\xf8\x12\xf3\xe7\x38\x8f\x52\xe0\xd9\xd3\x5a\x05\x20\x6f\xfa\xe7\xe9\xc7\xea\x23\xc5\x32\x01\x79\xd4\x85\xa1\x44\x03\x42\x00\x04\x07\xf8\x51\xaf\xaa\x8c\x56\x83\x90\x31\xb7\x80\xe3\xd6\x1a\xf7\x2f\x36\x06\x71\xec\xdd\x3b\xbe\x7e\x36\x6f\x0d\x1c\x1c\x60\x0b\x7f\xf5\x9f\xff\xe5\x24\x49\x34\x56\xf2\x4b\x10\x5f\xbf\x08\x1f\xf9\x0e\xcf\x35\xb5\x8a\x8a\x8b\x30\x0a\x54\xb7\xbf\x1d\x4d\xb9"
pgporada commented 3 years ago

Here's how we do it. I'll take recommendations for improvements too. I hope this helps!

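#!/usr/bin/env bash
# Generate a CTFE signing key for one temporal shard, create the matching
# Trillian tree, and append the resulting log config to secret/ctfe-config.
#
# Required env: LOG   - kubernetes namespace holding the trillian/ctfe pods and
#                       the "fedora" helper pod in which createtree is run.
# Optional env: SHARD - shard year (default 2021).
# Leaves on disk: ${SHARD}-ctfe-signing-key-decrypted.der (unencrypted key)
#                 manifests/${LOG}/${LOG}-ct-server.cfg (contains the same key).
# Requires GNU date (-d) and xxd.
set -euo pipefail

: "${LOG:?LOG (kubernetes namespace) must be set}"
# Both the DER key and the generated config hold an unencrypted private key:
# make every file created below owner-readable only, and do not commit them.
umask 077

# Let's say we're generating a 2021 shard
echo "Generating CTFE signing keys"
SHARD=${SHARD:-2021}
SHARD_NEXT=$((SHARD + 1))
LOG_START="$(date -d "${SHARD}-01-01 00:00:00" -u +%s)"
LOG_END="$(date -d "${SHARD_NEXT}-01-07 00:00:00" -u +%s)"

KEY_DER="${SHARD}-ctfe-signing-key-decrypted.der"
openssl ecparam -name prime256v1 -genkey -noout -outform der -out "${KEY_DER}"

# Render DER bytes from stdin as the \xNN escapes a text-proto string expects:
# xxd -i gives "  0x30, 0x59, ..." (one line for keys shorter than 1000 bytes).
der_to_escapes() {
  xxd -i -c1000 | sed 's/, 0/\\/g; s/^ *0x/\\x/'
}
PRIVKEY="$(der_to_escapes < "${KEY_DER}")"
PUBKEY="$(openssl ec -in "${KEY_DER}" -inform der -outform der -pubout \
  | der_to_escapes)"

# Create the Trillian tree from inside the cluster. The request-signing key is
# generated, encrypted and used entirely inside the pod; the password reaches
# openssl via the environment (env:PASS) rather than argv so it is not visible
# in the pod's process list, and the plaintext PEM is removed once encrypted.
# No -t: a pty would turn createtree's printed id into "ID\r" and corrupt the
# config written below. SHARD is passed as $1 to avoid quote juggling.
LOG_ID="$(kubectl exec -n "${LOG}" fedora -- sh -c '
  set -e
  PASS=$(< /dev/urandom tr -dc _A-Z-a-z-0-9-_ | head -c32); export PASS
  openssl ecparam -name prime256v1 -genkey -noout -out createtree-signing-key-decrypted.pem
  openssl ec -in createtree-signing-key-decrypted.pem -aes256 -out createtree-signing-privkey.pem -passout env:PASS
  rm -f createtree-signing-key-decrypted.pem
  /godev/bin/createtree -admin_server log-server:8090 -pem_key_path createtree-signing-privkey.pem -pem_key_password "${PASS}" -signature_algorithm ECDSA -display_name "$1" -description "$1" -max_root_duration 12h -storage_system mysql -tree_type LOG -tree_state ACTIVE -hash_algorithm SHA256 -hash_strategy RFC6962_SHA256
' sh "${SHARD}" | tail -n1)"
echo "${LOG_ID}"

CFG="manifests/${LOG}/${LOG}-ct-server.cfg"
# Key under .data of secret/ctfe-config; used for both reading and writing.
SECRET_KEY=ctfe-config-file

# Cleanup old stuff prior to starting
rm -f -- "${CFG}"

# Get prior CTFE config because we must append to it.
# TODO: There's probably a native kubernetes way to do this, but I've not found it.
# NOTE(review): the secret is written under ${SECRET_KEY} below, so it is read
# back from the same key; reading .data.ctfe-config would silently yield nothing
# and the new config would overwrite the existing shards.
if kubectl get secret/ctfe-config -n "${LOG}" >/dev/null 2>&1; then
  secret_exists=1
  kubectl get secret/ctfe-config -n "${LOG}" -o "jsonpath={.data.${SECRET_KEY}}" \
    | base64 -d > "${CFG}"
else
  secret_exists=0
fi

cat <<EOF >> "${CFG}"
config {
 log_id: ${LOG_ID}
 prefix: "${SHARD}"
 not_after_start: {seconds: ${LOG_START}}
 not_after_limit: {seconds: ${LOG_END}}
 roots_pem_file: "/accepted-roots.pem"
 max_merge_delay_sec: 86400
 reject_expired: true
 public_key: {
   der: "${PUBKEY}"
 }
 private_key: {
   [type.googleapis.com/keyspb.PrivateKey] {
     der: "${PRIVKEY}"
   }
 }
}
EOF

if (( secret_exists )); then
  echo "Updating existing secret/ctfe-config"
  # --dry-run=client: the bare --dry-run form is deprecated in newer kubectl.
  kubectl create secret generic -n "${LOG}" ctfe-config \
    --from-file="${SECRET_KEY}=${CFG}" -o yaml --dry-run=client \
    | kubectl replace -f -
  # Change a pod-template label so the deployment rolls and picks up the secret.
  kubectl patch deployment/trillian-ctfe-deployment -n "${LOG}" \
    -p "{\"spec\":{\"template\":{\"metadata\":{\"labels\":{\"date\":\"$(date +%s)\"}}}}}"
else
  echo "Creating secret/ctfe-config"
  kubectl create secret generic -n "${LOG}" ctfe-config \
    --from-file="${SECRET_KEY}=${CFG}"
fi

# The unencrypted ${KEY_DER} and ${CFG} are still on disk at this point; once
# the secret is applied they are redundant and should be removed or moved into
# a secret store.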