forked from TrueCloudLab/certificates
Add wrapper around x509.CreateCertificate.
This wrapper generates some data if needed and cleans key usages in templates.
This commit is contained in:
parent
3766702de9
commit
abc0a63e32
2 changed files with 110 additions and 0 deletions
|
@ -1,6 +1,9 @@
|
||||||
package x509util
|
package x509util
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"crypto"
|
||||||
|
"crypto/rand"
|
||||||
|
"crypto/rsa"
|
||||||
"crypto/x509"
|
"crypto/x509"
|
||||||
"crypto/x509/pkix"
|
"crypto/x509/pkix"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
|
@ -75,6 +78,11 @@ func (c *Certificate) GetCertificate() *x509.Certificate {
|
||||||
cert.IPAddresses = c.IPAddresses
|
cert.IPAddresses = c.IPAddresses
|
||||||
cert.URIs = c.URIs
|
cert.URIs = c.URIs
|
||||||
|
|
||||||
|
// SANs slice.
|
||||||
|
for _, san := range c.SANs {
|
||||||
|
san.Set(cert)
|
||||||
|
}
|
||||||
|
|
||||||
// Subject.
|
// Subject.
|
||||||
c.Subject.Set(cert)
|
c.Subject.Set(cert)
|
||||||
|
|
||||||
|
@ -105,6 +113,41 @@ func (c *Certificate) GetCertificate() *x509.Certificate {
|
||||||
return cert
|
return cert
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func CreateCertificate(template, parent *x509.Certificate, pub crypto.PublicKey, signer crypto.Signer) (*x509.Certificate, error) {
|
||||||
|
var err error
|
||||||
|
// Complete certificate.
|
||||||
|
if template.SerialNumber == nil {
|
||||||
|
if template.SerialNumber, err = generateSerialNumber(); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if template.SubjectKeyId == nil {
|
||||||
|
if template.SubjectKeyId, err = generateSubjectKeyID(pub); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Remove KeyEncipherment and DataEncipherment for non-rsa keys.
|
||||||
|
// See:
|
||||||
|
// https://github.com/golang/go/issues/36499
|
||||||
|
// https://tools.ietf.org/html/draft-ietf-lamps-5480-ku-clarifications-02
|
||||||
|
if _, ok := pub.(*rsa.PublicKey); !ok {
|
||||||
|
template.KeyUsage &= ^x509.KeyUsageKeyEncipherment
|
||||||
|
template.KeyUsage &= ^x509.KeyUsageDataEncipherment
|
||||||
|
}
|
||||||
|
|
||||||
|
// Sign certificate
|
||||||
|
asn1Data, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.Wrap(err, "error creating certificate")
|
||||||
|
}
|
||||||
|
cert, err := x509.ParseCertificate(asn1Data)
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.Wrap(err, "error parsing certificate")
|
||||||
|
}
|
||||||
|
return cert, nil
|
||||||
|
}
|
||||||
|
|
||||||
// Name is the JSON representation of X.501 type Name, used in the X.509 subject
|
// Name is the JSON representation of X.501 type Name, used in the X.509 subject
|
||||||
// and issuer fields.
|
// and issuer fields.
|
||||||
type Name struct {
|
type Name struct {
|
||||||
|
|
67
x509util/utils.go
Normal file
67
x509util/utils.go
Normal file
|
@ -0,0 +1,67 @@
|
||||||
|
package x509util
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto"
|
||||||
|
"crypto/rand"
|
||||||
|
"crypto/sha1"
|
||||||
|
"crypto/x509"
|
||||||
|
"math/big"
|
||||||
|
"net"
|
||||||
|
"net/url"
|
||||||
|
|
||||||
|
"github.com/pkg/errors"
|
||||||
|
"github.com/smallstep/cli/crypto/x509util"
|
||||||
|
)
|
||||||
|
|
||||||
|
// SplitSANs splits a slice of Subject Alternative Names into slices of
|
||||||
|
// IP Addresses and DNS Names. If an element is not an IP address, then it
|
||||||
|
// is bucketed as a DNS Name.
|
||||||
|
func SplitSANs(sans []string) (dnsNames []string, ips []net.IP, emails []string, uris []*url.URL) {
|
||||||
|
return x509util.SplitSANs(sans)
|
||||||
|
}
|
||||||
|
|
||||||
|
func CreateSANs(sans []string) []SubjectAlternativeName {
|
||||||
|
dnsNames, ips, emails, uris := SplitSANs(sans)
|
||||||
|
sanTypes := make([]SubjectAlternativeName, 0, len(sans))
|
||||||
|
for _, v := range dnsNames {
|
||||||
|
sanTypes = append(sanTypes, SubjectAlternativeName{Type: "dns", Value: v})
|
||||||
|
}
|
||||||
|
for _, v := range ips {
|
||||||
|
sanTypes = append(sanTypes, SubjectAlternativeName{Type: "ip", Value: v.String()})
|
||||||
|
}
|
||||||
|
for _, v := range emails {
|
||||||
|
sanTypes = append(sanTypes, SubjectAlternativeName{Type: "email", Value: v})
|
||||||
|
}
|
||||||
|
for _, v := range uris {
|
||||||
|
sanTypes = append(sanTypes, SubjectAlternativeName{Type: "uri", Value: v.String()})
|
||||||
|
}
|
||||||
|
return sanTypes
|
||||||
|
}
|
||||||
|
|
||||||
|
func CreateTemplateData(commonName string, sans []string) TemplateData {
|
||||||
|
return TemplateData{
|
||||||
|
SubjectKey: Subject{
|
||||||
|
CommonName: commonName,
|
||||||
|
},
|
||||||
|
SANsKey: CreateSANs(sans),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// generateSerialNumber returns a random serial number.
|
||||||
|
func generateSerialNumber() (*big.Int, error) {
|
||||||
|
limit := new(big.Int).Lsh(big.NewInt(1), 128)
|
||||||
|
sn, err := rand.Int(rand.Reader, limit)
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.Wrap(err, "error generating serial number")
|
||||||
|
}
|
||||||
|
return sn, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func generateSubjectKeyID(pub crypto.PublicKey) ([]byte, error) {
|
||||||
|
b, err := x509.MarshalPKIXPublicKey(pub)
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.Wrap(err, "error marshaling public key")
|
||||||
|
}
|
||||||
|
hash := sha1.Sum(b)
|
||||||
|
return hash[:], nil
|
||||||
|
}
|
Loading…
Reference in a new issue