From 5cb106d349bb0ce9b9337a3bf9360c966438755b Mon Sep 17 00:00:00 2001
From: Dan Laine
Date: Mon, 22 Jun 2020 10:53:10 -0400
Subject: [PATCH] make staking cert/key read-only

---
 staking/gen_staker_key.go | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/staking/gen_staker_key.go b/staking/gen_staker_key.go
index 8969ea3..37142c4 100644
--- a/staking/gen_staker_key.go
+++ b/staking/gen_staker_key.go
@@ -40,20 +40,27 @@ func GenerateStakingKeyCert(keyPath, certPath string) error {
 		return fmt.Errorf("couldn't create certificate: %w", err)
 	}
 
-	// Write cert to disk
-	if err := os.MkdirAll(filepath.Dir(certPath), 0755); err != nil {
-		return fmt.Errorf("couldn't create path for key/cert: %w", err)
+	// Ensure directory where key/cert will live exist
+	if err := os.MkdirAll(filepath.Dir(certPath), 0700); err != nil {
+		return fmt.Errorf("couldn't create path for cert: %w", err)
+	} else if err := os.MkdirAll(filepath.Dir(keyPath), 0700); err != nil {
+		return fmt.Errorf("couldn't create path for key: %w", err)
 	}
-	certOut, err := os.Create(certPath)
+
+	// Write cert to disk
+	certFile, err := os.Create(certPath)
 	if err != nil {
 		return fmt.Errorf("couldn't create cert file: %w", err)
 	}
-	if err := pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: certBytes}); err != nil {
+	if err := pem.Encode(certFile, &pem.Block{Type: "CERTIFICATE", Bytes: certBytes}); err != nil {
 		return fmt.Errorf("couldn't write cert file: %w", err)
 	}
-	if err := certOut.Close(); err != nil {
+	if err := certFile.Close(); err != nil {
 		return fmt.Errorf("couldn't close cert file: %w", err)
 	}
+	if err := os.Chmod(certPath, 0400); err != nil { // Make cert read-only
+		return fmt.Errorf("couldn't change permissions on cert: %w", err)
+	}
 
 	// Write key to disk
 	keyOut, err := os.Create(keyPath)
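Review bot: The private key file on the hunk's last line is still opened with `os.Create`, which creates it with mode 0666 minus the process umask, so the key is written under whatever the umask allows and is only narrowed to 0400 by the `os.Chmod` in the following hunk; with a permissive umask the key is readable by other local users during that window. Creating it restrictive from the start removes the window: `keyOut, err := os.OpenFile(keyPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)` (the same applies to `certFile`, though a certificate is public data so the exposure there is negligible). Note also that once a file is 0400, a later `os.Create` on the same path fails for the owning user, so re-running the function over existing files now returns "couldn't create cert file" — presumably callers check for existence first, but that is outside this hunk. The `} else if` chaining the second `MkdirAll` after a body that returns is unidiomatic; two separate `if` statements read more clearly. GenerateStakingKeyCert starts before and continues after this hunk.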
@@ -70,5 +77,9 @@ func GenerateStakingKeyCert(keyPath, certPath string) error {
 	if err := keyOut.Close(); err != nil {
 		return fmt.Errorf("couldn't close key file: %w", err)
 	}
+	if err := os.Chmod(keyPath, 0400); err != nil { // Make key read-only
+		return fmt.Errorf("couldn't change permissions on key")
+	}
+
 	return nil
 }
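Review bot: The new error returned when `os.Chmod(keyPath, 0400)` fails drops the underlying error, unlike every other return in this function, which wraps it with `%w`; a caller cannot tell whether the chmod failed because of permissions, a missing file, or something else. Use `return fmt.Errorf("couldn't change permissions on key: %w", err)` to match the cert branch in the previous hunk. GenerateStakingKeyCert's body begins before this hunk.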