// (C) Copyright 2021 Hewlett Packard Enterprise Development LP
//
// Licensed under the Apache License, Version 2.0 (the "License"); you may
// not use this file except in compliance with the License. You may obtain
// a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
// License for the specific language governing permissions and limitations
// under the License.
package x509ca
import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"encoding/asn1"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
)
// CertificateAuthority issues certificates on behalf of an issuer held by
// the implementation.
type CertificateAuthority interface {
	// Sign signs template with the issuer's key and returns the issued
	// certificate as bytes (the implementation in this file returns the DER
	// produced by x509.CreateCertificate).
	Sign(template *x509.Certificate) ([]byte, error)
}
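// X509KeyPair builds a CertificateAuthority from PEM-encoded input.
//
// certPEMBlock is scanned for "CERTIFICATE" blocks; the last one found
// becomes the issuer certificate. The private key is taken from keyPEMBlock
// when it is non-nil, otherwise from certPEMBlock (a combined cert+key
// bundle); in both cases the last key block found wins. Accepted key block
// types are "PRIVATE KEY" (PKCS #8), "RSA PRIVATE KEY" (PKCS #1) and
// "EC PRIVATE KEY" (SEC 1).
//
// It returns an error when a block fails to parse, when no certificate or
// no private key is present, or when the key's public half does not match
// the certificate's public key, so a mismatched bundle is rejected here
// instead of producing certificates whose chain never verifies.
func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (CertificateAuthority, error) {
	var (
		cert *x509.Certificate
		key  crypto.PrivateKey
	)
	// With no separate key material the certificate bundle may carry the
	// key as well (combined PEM file).
	keyFromCertBundle := keyPEMBlock == nil
	for {
		block, rest := pem.Decode(certPEMBlock)
		if block == nil {
			break
		}
		certPEMBlock = rest
		if block.Type == "CERTIFICATE" {
			c, err := x509.ParseCertificate(block.Bytes)
			if err != nil {
				return nil, fmt.Errorf("parsing certificate: %w", err)
			}
			cert = c
			continue
		}
		if !keyFromCertBundle {
			continue
		}
		k, ok, err := parsePrivateKeyBlock(block)
		if err != nil {
			return nil, err
		}
		if ok {
			key = k
		}
	}
	if !keyFromCertBundle {
		for {
			block, rest := pem.Decode(keyPEMBlock)
			if block == nil {
				break
			}
			keyPEMBlock = rest
			k, ok, err := parsePrivateKeyBlock(block)
			if err != nil {
				return nil, err
			}
			if ok {
				key = k
			}
		}
	}
	if cert == nil {
		return nil, errors.New("no CERTIFICATE block found in certificate PEM")
	}
	if key == nil {
		return nil, errors.New("no private key block found in PEM input")
	}
	if err := checkKeyMatchesCert(cert, key); err != nil {
		return nil, err
	}
	return &certificateAuthority{
		cert: cert,
		key:  key,
	}, nil
}

// parsePrivateKeyBlock decodes one PEM block as a private key.
//
// ok is false when the block type is not a recognised private-key type (the
// block is then simply skipped by the caller); err is non-nil only when a
// recognised block fails to parse.
func parsePrivateKeyBlock(block *pem.Block) (key crypto.PrivateKey, ok bool, err error) {
	switch block.Type {
	case "PRIVATE KEY":
		key, err = x509.ParsePKCS8PrivateKey(block.Bytes)
	case "RSA PRIVATE KEY":
		key, err = x509.ParsePKCS1PrivateKey(block.Bytes)
	case "EC PRIVATE KEY":
		key, err = x509.ParseECPrivateKey(block.Bytes)
	default:
		return nil, false, nil
	}
	if err != nil {
		// Return a literal nil so the interface is not left holding a typed
		// nil pointer.
		return nil, true, fmt.Errorf("parsing %s block: %w", block.Type, err)
	}
	return key, true, nil
}

// checkKeyMatchesCert rejects a private key whose public half differs from
// the certificate's public key; such a pair would sign certificates that no
// verifier accepts. The comparison is done on the PKIX (DER) encoding of both
// public keys. Keys that do not implement crypto.Signer cannot be checked
// here and are passed through; x509.CreateCertificate refuses to sign with
// them later.
func checkKeyMatchesCert(cert *x509.Certificate, key crypto.PrivateKey) error {
	signer, ok := key.(crypto.Signer)
	if !ok {
		return nil
	}
	want, err := x509.MarshalPKIXPublicKey(cert.PublicKey)
	if err != nil {
		return fmt.Errorf("marshaling certificate public key: %w", err)
	}
	got, err := x509.MarshalPKIXPublicKey(signer.Public())
	if err != nil {
		return fmt.Errorf("marshaling private key's public key: %w", err)
	}
	if !bytes.Equal(want, got) {
		return errors.New("private key does not match certificate public key")
	}
	return nil
}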
// certificateAuthority is the CertificateAuthority implementation backed by a
// single issuer certificate and its private key, as loaded by X509KeyPair.
type certificateAuthority struct {
	cert *x509.Certificate // issuer certificate; its Raw bytes also seed serial derivation
	key  crypto.PrivateKey // issuer's signing key, handed to x509.CreateCertificate
}
// uniqueSerialNumber derives the serial number of a certificate issued by ca
// from a SHA-1 digest over the issuer's raw certificate, the template's
// subject, its public key and, when set, the template's own serial number.
//
// The result is deterministic: signing the same subject and key under the
// same issuer again yields the same serial unless the caller varies
// template.SerialNumber. RFC 5280 requires serials to be unique per issuer,
// so re-issuance without changing that input produces a duplicate. The
// 160-bit digest is interpreted as an unsigned integer; when its top bit is
// set the DER INTEGER encoding needs 21 octets, one more than the 20-octet
// limit RFC 5280 sets for conforming CAs. SHA-1 is used here only as a
// derivation function, not for any signature.
//
// It returns an error if the public key or subject cannot be DER-encoded.
func (ca *certificateAuthority) uniqueSerialNumber(template *x509.Certificate) (*big.Int, error) {
	pubDER, err := x509.MarshalPKIXPublicKey(template.PublicKey)
	if err != nil {
		return nil, fmt.Errorf("failed to marshal public key: %w", err)
	}
	subjectDER, err := asn1.Marshal(template.Subject)
	if err != nil {
		return nil, err
	}
	digest := sha1.New()
	// hash.Hash.Write is documented never to return an error, so the
	// results are not checked.
	for _, part := range [][]byte{ca.cert.Raw, subjectDER, pubDER} {
		digest.Write(part)
	}
	if serial := template.SerialNumber; serial != nil {
		digest.Write(serial.Bytes())
	}
	return new(big.Int).SetBytes(digest.Sum(nil)), nil
}
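// Sign issues a certificate for template under ca and returns it in DER form.
//
// The template is used verbatim apart from SerialNumber: every other field
// (subject, validity, IsCA, KeyUsage, extensions, ...) is taken as given, so
// any issuance policy is the caller's responsibility. template.SerialNumber
// is overwritten in place with the value produced by uniqueSerialNumber; a
// serial the caller supplied only contributes to that derivation.
//
// It returns an error if template is nil or carries no public key, if the CA
// holds no certificate or key, or if serial derivation or
// x509.CreateCertificate fails.
func (ca *certificateAuthority) Sign(template *x509.Certificate) ([]byte, error) {
	if template == nil {
		return nil, errors.New("missing certificate template")
	}
	if template.PublicKey == nil {
		return nil, errors.New("missing public key")
	}
	// Guard the receiver so a half-initialised CA fails with an error rather
	// than a nil-pointer panic when uniqueSerialNumber reads ca.cert.Raw.
	if ca.cert == nil || ca.key == nil {
		return nil, errors.New("certificate authority has no certificate or private key")
	}
	sn, err := ca.uniqueSerialNumber(template)
	if err != nil {
		return nil, fmt.Errorf("failed to generate an unique serial number: %w", err)
	}
	template.SerialNumber = sn
	return x509.CreateCertificate(rand.Reader, template, ca.cert, template.PublicKey, ca.key)
}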