add keygen command

make key generation happen in generation module

Author: TheFox0x7

cmd/generate.go

@@ -5,10 +5,12 @@
 package cmd
 
 import (
+	"encoding/pem"
 	"fmt"
 	"os"
 
 	"code.gitea.io/gitea/modules/generate"
+	"golang.org/x/crypto/ssh"
 
 	"github.com/mattn/go-isatty"
 	"github.com/urfave/cli/v2"
@@ -21,6 +23,7 @@ var (
 		Usage: "Generate Gitea's secrets/keys/tokens",
 		Subcommands: []*cli.Command{
 			subcmdSecret,
+			subcmdKeygen,
 		},
 	}
 
@@ -33,6 +36,17 @@ var (
 			microcmdGenerateSecretKey,
 		},
 	}
+	keygenFlags = []cli.Flag{
+		&cli.StringFlag{Name: "bits", Aliases: []string{"b"}, Usage: "Number of bits in the key, ignored when key is ed25519"},
+		&cli.StringFlag{Name: "type", Aliases: []string{"t"}, Value: "ed25519", Usage: "Keytype to generate"},
+		&cli.StringFlag{Name: "file", Aliases: []string{"f"}, Usage: "Specifies the filename of the key file", Required: true},
+	}
+	subcmdKeygen = &cli.Command{
+		Name:   "ssh-keygen",
+		Usage:  "Generate a ssh keypair",
+		Flags:  keygenFlags,
+		Action: runGenerateKeyPair,
+	}
 
 	microcmdGenerateInternalToken = &cli.Command{
 		Name:   "INTERNAL_TOKEN",
@@ -98,3 +112,34 @@ func runGenerateSecretKey(c *cli.Context) error {
 
 	return nil
 }
+
+func runGenerateKeyPair(c *cli.Context) error {
+	keytype := c.String("type")
+	file := c.String("file")
+	bits := c.Int("bits")
+	// provide defaults for bits, ed25519 ignores bit length so it's ommited
+	if bits == 0 {
+		if keytype == "rsa" {
+			bits = 3096
+		} else {
+			bits = 256
+		}
+	}
+
+	pub, priv, err := generate.NewSSHKey(keytype, bits)
+	if err != nil {
+		return err
+	}
+	f, err := os.OpenFile(file, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0o600)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+	err = pem.Encode(f, priv)
+	if err != nil {
+		return err
+	}
+	return os.WriteFile(file+".pub", ssh.MarshalAuthorizedKey(pub), 0o644)
+
+	return nil
+}

modules/generate/generate.go

@@ -5,13 +5,20 @@
 package generate
 
 import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/ed25519"
+	"crypto/elliptic"
 	"crypto/rand"
+	"crypto/rsa"
 	"encoding/base64"
+	"encoding/pem"
 	"fmt"
 	"io"
 	"time"
 
 	"code.gitea.io/gitea/modules/util"
+	"golang.org/x/crypto/ssh"
 
 	"github.com/golang-jwt/jwt/v5"
 )
@@ -72,3 +79,59 @@ func NewSecretKey() (string, error) {
 
 	return secretKey, nil
 }
+
+func NewSSHKey(keytype string, bits int) (ssh.PublicKey, *pem.Block, error) {
+	pub, priv, err := commonKeyGen(keytype, bits)
+	if err != nil {
+		return nil, nil, err
+	}
+	pemPriv, err := ssh.MarshalPrivateKey(priv, "")
+	if err != nil {
+		return nil, nil, err
+	}
+	sshPub, err := ssh.NewPublicKey(pub)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return sshPub, pemPriv, nil
+}
+
+// commonKeyGen is an abstraction over rsa, ecdsa and ed25519 generating functions
+func commonKeyGen(keytype string, bits int) (publicKey crypto.PublicKey, privateKey crypto.PublicKey, err error) {
+	switch keytype {
+	case "rsa":
+		privateKey, err := rsa.GenerateKey(rand.Reader, bits)
+		if err != nil {
+			return nil, nil, err
+		}
+		return &privateKey.PublicKey, privateKey, nil
+	case "ed25519":
+		return ed25519.GenerateKey(rand.Reader)
+	case "ecdsa":
+		curve, err := getElipticCurve(bits)
+		if err != nil {
+			return nil, nil, err
+		}
+		privateKey, err := ecdsa.GenerateKey(curve, rand.Reader)
+		if err != nil {
+			return nil, nil, err
+		}
+		return &privateKey.PublicKey, privateKey, nil
+	default:
+		return nil, nil, fmt.Errorf("unknown keytype: %s", keytype)
+	}
+}
+
+func getElipticCurve(bits int) (elliptic.Curve, error) {
+	switch bits {
+	case 256:
+		return elliptic.P256(), nil
+	case 384:
+		return elliptic.P384(), nil
+	case 521:
+		return elliptic.P521(), nil
+	default:
+		return nil, fmt.Errorf("unsupported ECDSA curve bit length: %d", bits)
+	}
+}