Initial implementation

Brice Figureau · Brice Figureau · commit 772a43872a52 · 2016-05-23T11:17:55.000+02:00
This resulted from the split of the winrm project in a lib and this
winrm-cli tool.
diff --git a/LICENSE b/LICENSE
@@ -186,8 +186,8 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright {yyyy} {name of copyright owner}
-
+   Copyright 2016 Brice Figureau
+   
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at
diff --git a/Makefile b/Makefile
@@ -0,0 +1,34 @@
+NO_COLOR=\033[0m
+OK_COLOR=\033[32;01m
+ERROR_COLOR=\033[31;01m
+WARN_COLOR=\033[33;01m
+DEPS = $(go list -f '{{range .TestImports}}{{.}} {{end}}' ./... | fgrep -v 'winrm')
+
+all: deps
+	@mkdir -p bin/
+	@printf "$(OK_COLOR)==> Building$(NO_COLOR)\n"
+	@go build -o $(GOPATH)/bin/winrm github.com/masterzen/winrm
+
+deps:
+	@printf "$(OK_COLOR)==> Installing dependencies$(NO_COLOR)\n"
+	@go get -d -v ./...
+	@echo $(DEPS) | xargs -n1 go get -d
+
+updatedeps:
+	go list ./... | xargs go list -f '{{join .Deps "\n"}}' | grep -v github.com/masterzen/winrm-cli | sort -u | xargs go get -f -u -v
+
+clean:
+	@rm -rf bin/ pkg/ src/
+
+format:
+	go fmt ./...
+
+ci: deps
+	@printf "$(OK_COLOR)==> Testing with Coveralls...$(NO_COLOR)\n"
+	"$(CURDIR)/scripts/test.sh"
+
+test: deps
+	@printf "$(OK_COLOR)==> Testing...$(NO_COLOR)\n"
+	go test ./...
+
+.PHONY: all clean deps format test updatedeps
diff --git a/README.md b/README.md
@@ -1,2 +1,63 @@
 # winrm-cli
-Command-line tool to remotely execute commands on Windows machines through WinRM
+
+This is a Go command-line executable to execute remote commands on Windows machines through
+the use of WinRM/WinRS.
+
+_Note_: this tool doesn't support domain users (it doesn't support GSSAPI nor Kerberos). It's primary target is to execute remote commands on EC2 windows machines.
+
+## Contact
+
+- Bugs: https://github.com/masterzen/winrm/issues
+
+
+## Getting Started
+WinRM is available on Windows Server 2008 and up. This project natively supports basic authentication for local accounts, see the steps in the next section on how to prepare the remote Windows machine for this scenario. The authentication model is pluggable, see below for an example on using Negotiate/NTLM authentication (e.g. for connecting to vanilla Azure VMs).
+
+### Preparing the remote Windows machine for Basic authentication
+This project supports only basic authentication for local accounts (domain users are not supported). The remote windows system must be prepared for winrm:
+
+_For a PowerShell script to do what is described below in one go, check [Richard Downer's blog](http://www.frontiertown.co.uk/2011/12/overthere-control-windows-from-java/)_
+
+On the remote host, a PowerShell prompt, using the __Run as Administrator__ option and paste in the following lines:
+
+    winrm quickconfig
+    y
+    winrm set winrm/config/service/Auth '@{Basic="true"}'
+    winrm set winrm/config/service '@{AllowUnencrypted="true"}'
+    winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="1024"}'
+
+__N.B.:__ The Windows Firewall needs to be running to run this command. See [Microsoft Knowledge Base article #2004640](http://support.microsoft.com/kb/2004640).
+
+__N.B.:__ Do not disable Negotiate authentication as the windows `winrm` command itself uses this for internal authentication, and you risk getting a system where `winrm` doesn't work anymore.
+
+__N.B.:__ The `MaxMemoryPerShellMB` option has no effects on some Windows 2008R2 systems because of a WinRM bug. Make sure to install the hotfix described [Microsoft Knowledge Base article #2842230](http://support.microsoft.com/kb/2842230) if you need to run commands that uses more than 150MB of memory.
+
+For more information on WinRM, please refer to <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/aa384426(v=vs.85).aspx">the online documentation at Microsoft's DevCenter</a>.
+
+### Building the winrm-cli executable
+
+You can build winrm-cli from source:
+
+```sh
+git clone https://github.com/masterzen/winrm-cli
+cd winrm-cli
+make
+```
+
+This will generate a binary in the base directory called `./winrm`.
+
+_Note_: you need go 1.5+. Please check your installation with
+
+```
+go version
+```
+
+## Command-line usage
+
+Once built, you can run remote commands like this:
+
+```sh
+./winrm -hostname remote.domain.com -username "Administrator" -password "secret" "ipconfig /all"
+```
+
+
diff --git a/certgen.go b/certgen.go
@@ -0,0 +1,241 @@
+package main
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/asn1"
+	"encoding/pem"
+	"fmt"
+	"math/big"
+	"time"
+)
+
+// KeyType for RSA/ECDSA
+type KeyType uint8
+
+// CertConfig struct for
+// generating base certificates x509
+// for ssl/tls auth
+type CertConfig struct {
+	// Subject identifies the entity associated with the public
+	// key stored in the subject public key fields.
+	Subject pkix.Name
+	// ValidFrom creation date formated as Feb 16 10:04:20 2016
+	ValidFrom time.Time
+	// ValidFor the duration that certificate will be valid for
+	// The validity period for a certificate is the period of time
+	// form notBefore through notAfter, inclusive.
+	//	Note this fileds will be parsed into the notAfter,notBefore
+	//	x509 cert fields
+	ValidFor time.Duration
+	// SizeT can represent the size of bytes RSA cert if you specify in the
+	SizeT int
+	// Method to be RSA or it can be ECDSA flag if you specify the ECDSA flag
+	Method KeyType
+}
+
+// definition flags for specific elliptic curves formats
+const (
+	// P224 curve which implements P-224 (see FIPS 186-3, section D.2.2)
+	P224 = iota
+	// P256 curve which implements P-256 (see FIPS 186-3, section D.2.3)
+	P256
+	// P384 curve which implements P-384 (see FIPS 186-3, section D.2.4)
+	P384
+	// P521 curve which implements P-521 (see FIPS 186-3, section D.2.5)
+	P521
+
+	// definition flags for specific methods that the cert will be generated
+	// RSA method
+	RSA KeyType = iota
+	// ECDSA method
+	ECDSA
+)
+
+// OtherName type for asn1 encoding
+type OtherName struct {
+	A string `asn1:"utf8"`
+}
+
+// GeneralName type for asn1 encoding
+type GeneralName struct {
+	OID       asn1.ObjectIdentifier
+	OtherName `asn1:"tag:0"`
+}
+
+// GeneralNames type for asn1 encoding
+type GeneralNames struct {
+	GeneralName `asn1:"tag:0"`
+}
+
+var (
+	// https://support.microsoft.com/en-us/kb/287547
+	//  szOID_NT_PRINCIPAL_NAME 1.3.6.1.4.1.311.20.2.3
+	szOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3}
+	// http://www.umich.edu/~x509/ssleay/asn1-oids.html
+	// 2 5 29 17  subjectAltName
+	subjAltName = asn1.ObjectIdentifier{2, 5, 29, 17}
+)
+
+//  getUPNExtensionValue returns marsheled asn1 encoded info
+func getUPNExtensionValue(subject pkix.Name) ([]byte, error) {
+	// returns the ASN.1 encoding of val
+	// in addition to the struct tags recognized
+	// we used:
+	// utf8 => causes string to be marsheled as ASN.1, UTF8 strings
+	// tag:x => specifies the ASN.1 tag number; imples ASN.1 CONTEXT SPECIFIC
+	return asn1.Marshal(GeneralNames{
+		GeneralName: GeneralName{
+			// init our ASN.1 object identifier
+			OID: szOID,
+			OtherName: OtherName{
+				A: subject.CommonName,
+			},
+		},
+	})
+}
+
+// NewCert generates a new x509 certificates based on the CertConfig passed
+func NewCert(config CertConfig) (string, string, error) {
+	var (
+		err       error
+		notAfter  time.Time
+		notBefore time.Time
+		// PrivateKey that can be:
+		// type e.g *rsa.PrivateKey
+		// or *ecdsa.PrivateKey
+		PrivateKey interface{}
+	)
+	// parse the time vars from the config into notAfter and notBefore
+	notBefore = config.ValidFrom
+	notAfter = notBefore.Add(config.ValidFor)
+
+	// choose the method to generate the certificate
+	switch config.Method {
+	case RSA:
+		PrivateKey, err = rsa.GenerateKey(rand.Reader, config.SizeT)
+		if err != nil {
+			return "", "", fmt.Errorf("Can't generate rsa private key")
+		}
+
+	// if the ECDSA byte is set
+	case ECDSA:
+		PrivateKey, err = genKeyEcdsa(config.SizeT)
+		if err != nil {
+			return "", "", fmt.Errorf("Can't generate ecdsa private key")
+		}
+	default:
+		return "", "", fmt.Errorf("Unknown method type to use")
+	}
+
+	// get asn1 encoded info of the subject pkix
+	value, err := getUPNExtensionValue(config.Subject)
+	if err != nil {
+		return "", "", fmt.Errorf("Can't marshal asn1 encoded")
+	}
+
+	// A serial number can be up to 20 octets in size.
+	// https://tools.ietf.org/html/rfc5280#section-4.1.2.2
+	serialNum, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 8*20))
+	if err != nil {
+		return "", "", fmt.Errorf("Failed to generate serial number: %s", err.Error())
+	}
+
+	// make a new x509 temaplte certificate
+	// entry point for the generation process
+	template := x509.Certificate{
+		SerialNumber: serialNum,
+		Subject:      config.Subject,
+		// when extenstions are used, as expected in this profile,
+		// versions MUST be 3(value is 2).
+		Version:     2,
+		NotBefore:   config.ValidFrom,
+		NotAfter:    notAfter,
+		KeyUsage:    x509.KeyUsageKeyEncipherment,
+		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
+		ExtraExtensions: []pkix.Extension{
+			{
+				Id:       subjAltName,
+				Critical: false,
+				Value:    value,
+			},
+		},
+	}
+
+	cert, err := x509.CreateCertificate(rand.Reader, &template, &template, getPublicKey(PrivateKey), PrivateKey)
+	if err != nil {
+		return "", "", fmt.Errorf("Failed to generate cert")
+	}
+
+	certPem := pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: cert,
+	})
+
+	privPem, err := exportPrivKeyToPem(PrivateKey)
+	if err != nil {
+		return "", "", fmt.Errorf("Failed to export priv key")
+	}
+
+	return string(certPem), string(privPem), nil
+}
+
+// getPublicKey fetch public key with assertion
+func getPublicKey(p interface{}) interface{} {
+	switch t := p.(type) {
+	case *rsa.PrivateKey:
+		return t.Public()
+	case *ecdsa.PrivateKey:
+		return t.Public()
+	default:
+		return nil
+	}
+}
+
+// choose the format for the key and generate it
+func genKeyEcdsa(szT int) (*ecdsa.PrivateKey, error) {
+	switch szT {
+	case P224:
+		return ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
+	case P256:
+		return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	case P384:
+		return ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
+	case P521:
+		return ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
+	default:
+		return nil, fmt.Errorf("Can't generate private key, please specify a format")
+	}
+
+}
+
+// ExportPrivKeyToPem exports private key from the previous generation
+func exportPrivKeyToPem(key interface{}) ([]byte, error) {
+
+	var pemBlock *pem.Block
+
+	switch k := key.(type) {
+	case *rsa.PrivateKey:
+		pemBlock = &pem.Block{
+			Type:  "RSA PRIVATE KEY",
+			Bytes: x509.MarshalPKCS1PrivateKey(k),
+		}
+	case *ecdsa.PrivateKey:
+		b, err := x509.MarshalECPrivateKey(k)
+		if err != nil {
+			return nil, fmt.Errorf("Unable to export ecdsa private key")
+		}
+		pemBlock = &pem.Block{
+			Type:  "EC PRIVATE KEY",
+			Bytes: b,
+		}
+	default:
+		return nil, fmt.Errorf("The private key is not RSA or ECDSA")
+	}
+
+	return pem.EncodeToMemory(pemBlock), nil
+}
diff --git a/certgen_test.go b/certgen_test.go
diff --git a/winrm.go b/winrm.go
