make staking cert/key read-only

staking/gen_staker_key.go

@@ -40,20 +40,27 @@ func GenerateStakingKeyCert(keyPath, certPath string) error {
 		return fmt.Errorf("couldn't create certificate: %w", err)
 	}
 
-	// Write cert to disk
-	if err := os.MkdirAll(filepath.Dir(certPath), 0755); err != nil {
-		return fmt.Errorf("couldn't create path for key/cert: %w", err)
+	// Ensure directory where key/cert will live exist
+	if err := os.MkdirAll(filepath.Dir(certPath), 0700); err != nil {
+		return fmt.Errorf("couldn't create path for cert: %w", err)
+	} else if err := os.MkdirAll(filepath.Dir(keyPath), 0700); err != nil {
+		return fmt.Errorf("couldn't create path for key: %w", err)
 	}
-	certOut, err := os.Create(certPath)
+
+	// Write cert to disk
+	certFile, err := os.Create(certPath)
 	if err != nil {
 		return fmt.Errorf("couldn't create cert file: %w", err)
 	}
-	if err := pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: certBytes}); err != nil {
+	if err := pem.Encode(certFile, &pem.Block{Type: "CERTIFICATE", Bytes: certBytes}); err != nil {
 		return fmt.Errorf("couldn't write cert file: %w", err)
 	}
-	if err := certOut.Close(); err != nil {
+	if err := certFile.Close(); err != nil {
 		return fmt.Errorf("couldn't close cert file: %w", err)
 	}
+	if err := os.Chmod(certPath, 0400); err != nil { // Make cert read-only
+		return fmt.Errorf("couldn't change permissions on cert: %w", err)
+	}
 
 	// Write key to disk
 	keyOut, err := os.Create(keyPath)
@@ -70,5 +77,9 @@ func GenerateStakingKeyCert(keyPath, certPath string) error {
 	if err := keyOut.Close(); err != nil {
 		return fmt.Errorf("couldn't close key file: %w", err)
 	}
+	if err := os.Chmod(keyPath, 0400); err != nil { // Make key read-only
+		return fmt.Errorf("couldn't change permissions on key")
+	}
+
 	return nil
 }