Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
chore: move certs to a single file; use constant for bit size
Signed-off-by: Fabrizio Sestito <fabrizio.sestito@suse.com>
- Loading branch information
1 parent
d4a3b61
commit c5a217e
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,160 @@ | ||
| package certs | ||
|
|
||
| import ( | ||
| "bytes" | ||
| "crypto/rand" | ||
| "crypto/rsa" | ||
| "crypto/x509" | ||
| "crypto/x509/pkix" | ||
| "encoding/pem" | ||
| "fmt" | ||
| "math/big" | ||
| "net" | ||
| "time" | ||
| ) | ||
|
|
||
| const bitSize = 4096 | ||
|
|
||
| // GenerateCA generates a self-signed CA root certificate and private key | ||
| // The certificate is valid for 10 years. | ||
| func GenerateCA() ([]byte, *rsa.PrivateKey, error) { | ||
| serialNumber, err := rand.Int(rand.Reader, (&big.Int{}).Exp(big.NewInt(2), big.NewInt(159), nil)) | ||
| if err != nil { | ||
| return nil, nil, fmt.Errorf("cannot init serial number: %w", err) | ||
| } | ||
|
|
||
| privateKey, err := rsa.GenerateKey(rand.Reader, bitSize) | ||
| if err != nil { | ||
| return nil, nil, fmt.Errorf("cannot create private key: %w", err) | ||
| } | ||
|
|
||
| caCert := x509.Certificate{ | ||
| SerialNumber: serialNumber, | ||
| Subject: pkix.Name{ | ||
| Organization: []string{""}, | ||
| Country: []string{""}, | ||
| Province: []string{""}, | ||
| Locality: []string{""}, | ||
| StreetAddress: []string{""}, | ||
| PostalCode: []string{""}, | ||
| }, | ||
| NotBefore: time.Now(), | ||
| NotAfter: time.Now().AddDate(10, 0, 0), | ||
| IsCA: true, | ||
| ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}, | ||
| KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, | ||
| BasicConstraintsValid: true, | ||
| } | ||
|
|
||
| caCertBytes, err := x509.CreateCertificate( | ||
| rand.Reader, | ||
| &caCert, | ||
| &caCert, | ||
| &privateKey.PublicKey, | ||
| privateKey) | ||
| if err != nil { | ||
| return nil, nil, fmt.Errorf("cannot create certificate: %w", err) | ||
| } | ||
|
|
||
| return caCertBytes, privateKey, nil | ||
| } | ||
|
|
||
| // GenerateCert generates a certificate and private key signed by the provided CA. | ||
| // The certificate is valid for 10 years. | ||
| func GenerateCert(ca []byte, | ||
| commonName string, | ||
| extraSANs []string, | ||
| caPrivateKey *rsa.PrivateKey, | ||
| ) ([]byte, *rsa.PrivateKey, error) { | ||
| caCertificate, err := x509.ParseCertificate(ca) | ||
| if err != nil { | ||
| return nil, nil, fmt.Errorf("error parsing certificate: %w", err) | ||
| } | ||
|
|
||
| serialNumber, err := rand.Int(rand.Reader, (&big.Int{}).Exp(big.NewInt(2), big.NewInt(159), nil)) | ||
| if err != nil { | ||
| return nil, nil, fmt.Errorf("cannot generate serialNumber for certificate: %w", err) | ||
| } | ||
|
|
||
| // key size must be higher than 1024, otherwise the PolicyServer | ||
| // TLS acceptor will refuse to start | ||
| privateKey, err := rsa.GenerateKey(rand.Reader, bitSize) | ||
| if err != nil { | ||
| return nil, nil, fmt.Errorf("cannot generate private key: %w", err) | ||
| } | ||
|
|
||
| sansHosts := []string{} | ||
| sansIps := []net.IP{} | ||
|
|
||
| for _, san := range extraSANs { | ||
| sanIP := net.ParseIP(san) | ||
| if sanIP == nil { | ||
| sansHosts = append(sansHosts, san) | ||
| } else { | ||
| sansIps = append(sansIps, sanIP) | ||
| } | ||
| } | ||
|
|
||
| cert := x509.Certificate{ | ||
| SerialNumber: serialNumber, | ||
| Subject: pkix.Name{ | ||
| CommonName: commonName, | ||
| Organization: []string{""}, | ||
| Country: []string{""}, | ||
| Province: []string{""}, | ||
| Locality: []string{""}, | ||
| StreetAddress: []string{""}, | ||
| PostalCode: []string{""}, | ||
| }, | ||
| DNSNames: sansHosts, | ||
| IPAddresses: sansIps, | ||
| NotBefore: time.Now(), | ||
| NotAfter: time.Now().AddDate(10, 0, 0), | ||
| SubjectKeyId: []byte{1, 2, 3, 4, 6}, | ||
| ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}, | ||
| KeyUsage: x509.KeyUsageDigitalSignature, | ||
| } | ||
|
|
||
| certBytes, err := x509.CreateCertificate( | ||
| rand.Reader, | ||
| &cert, | ||
| caCertificate, | ||
| &privateKey.PublicKey, | ||
| caPrivateKey) | ||
| if err != nil { | ||
| return nil, nil, fmt.Errorf("cannot create certificate: %w", err) | ||
| } | ||
|
|
||
| return certBytes, privateKey, nil | ||
| } | ||
|
|
||
| // PEMEncodeCertificate encodes a certificate to PEM format | ||
| func PEMEncodeCertificate(certificate []byte) ([]byte, error) { | ||
| certificatePEM := new(bytes.Buffer) | ||
|
|
||
| err := pem.Encode(certificatePEM, &pem.Block{ | ||
| Type: "CERTIFICATE", | ||
| Bytes: certificate, | ||
| }) | ||
| if err != nil { | ||
| return []byte{}, fmt.Errorf("PEM encode failure: %w", err) | ||
| } | ||
|
|
||
| return certificatePEM.Bytes(), nil | ||
| } | ||
|
|
||
| // PEMEncodePrivateKey encodes a private key to PEM format | ||
| func PEMEncodePrivateKey(privateKey *rsa.PrivateKey) ([]byte, error) { | ||
| privateKeyBytes := x509.MarshalPKCS1PrivateKey(privateKey) | ||
| privateKeyPEM := new(bytes.Buffer) | ||
|
|
||
| err := pem.Encode(privateKeyPEM, &pem.Block{ | ||
| Type: "RSA PRIVATE KEY", | ||
| Bytes: privateKeyBytes, | ||
| }) | ||
| if err != nil { | ||
| return []byte{}, fmt.Errorf("PEM encode failure: %w", err) | ||
| } | ||
|
|
||
| return privateKeyPEM.Bytes(), nil | ||
| } | ||
