package afssl
import (
"crypto/tls"
"crypto/x509"
"encoding/pem"
"fmt"
"time"
)
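// SSC builds a mutually authenticating server/client tls.Config pair from a
// CA certificate and its private key, both PEM encoded.
//
// Two leaf certificates are issued by that CA (via WithParent); both reuse the
// CA's issuer/subject names and carry no IPs, emails or DNS names. Their
// lifetime is capped at the whole days left on the CA so they cannot outlive
// the signer (when the CA has less than a day left this yields 0; what
// WithExpirationDays does with 0 is not visible here).
//
// serverTLS requires a client certificate and verifies it against the CA.
// clientTLS verifies the server's chain against the same CA but deliberately
// skips host-name matching (the generated server leaf is configured with no
// SANs, so that check could never pass); see verifyChainAgainst.
//
// err is non-nil when caPEM cannot be decoded or parsed, when the pool cannot
// be populated from it, or when either leaf cannot be generated or loaded.
// Configs already built before the failure may still be non-nil; callers
// should use neither when err != nil.
func SSC(caPEM []byte, keyPEM []byte) (serverTLS *tls.Config, clientTLS *tls.Config, err error) {
	block, _ := pem.Decode(caPEM)
	if block == nil {
		// pem.Decode returns nil on input without a PEM block; dereferencing
		// block.Bytes unconditionally would panic.
		err = fmt.Errorf("afssl: decode ca pem failed")
		return
	}
	ca, parseCaErr := x509.ParseCertificate(block.Bytes)
	if parseCaErr != nil {
		err = parseCaErr
		return
	}
	// Multi-valued name attributes are taken through first(): a CA produced by
	// another tool may leave any of them empty, and indexing [0] would panic.
	config := CertificateConfig{
		Issuer: &CertificatePkixName{
			Country:            first(ca.Issuer.Country),
			Province:           first(ca.Issuer.Province),
			Locality:           first(ca.Issuer.Locality),
			Organization:       first(ca.Issuer.Organization),
			OrganizationalUnit: first(ca.Issuer.OrganizationalUnit),
			StreetAddress:      first(ca.Issuer.StreetAddress),
			PostalCode:         first(ca.Issuer.PostalCode),
			SerialNumber:       "",
			CommonName:         ca.Issuer.CommonName,
		},
		Subject: &CertificatePkixName{
			Country:            first(ca.Subject.Country),
			Province:           first(ca.Subject.Province),
			Locality:           first(ca.Subject.Locality),
			Organization:       first(ca.Subject.Organization),
			OrganizationalUnit: first(ca.Subject.OrganizationalUnit),
			StreetAddress:      first(ca.Subject.StreetAddress),
			PostalCode:         first(ca.Subject.PostalCode),
			SerialNumber:       "",
			CommonName:         ca.Subject.CommonName,
		},
		IPs:      nil,
		Emails:   nil,
		DNSNames: nil,
	}
	cas := x509.NewCertPool()
	if !cas.AppendCertsFromPEM(caPEM) {
		err = fmt.Errorf("afssl: append into cert pool failed")
		return
	}
	// Whole days left on the CA; computed once and shared by both leaves.
	expireDays := int(time.Until(ca.NotAfter).Hours()) / 24

	// server
	serverCertificate, serverErr := issueLeaf(config, caPEM, keyPEM, expireDays)
	if serverErr != nil {
		err = serverErr
		return
	}
	serverTLS = &tls.Config{
		ClientCAs:    cas,
		Certificates: []tls.Certificate{serverCertificate},
		ClientAuth:   tls.RequireAndVerifyClientCert,
	}

	// client
	clientCertificate, clientErr := issueLeaf(config, caPEM, keyPEM, expireDays)
	if clientErr != nil {
		err = clientErr
		return
	}
	clientTLS = &tls.Config{
		RootCAs:      cas,
		Certificates: []tls.Certificate{clientCertificate},
		// InsecureSkipVerify disables the whole default verifier, including the
		// chain check, which would have let any server with any certificate
		// complete the handshake. It is kept only to bypass host-name matching
		// (the generated leaf has no SANs); VerifyPeerCertificate restores the
		// chain check against cas.
		InsecureSkipVerify:    true,
		VerifyPeerCertificate: verifyChainAgainst(cas),
	}
	return
}

// first returns the first element of ss, or "" when ss is empty.
func first(ss []string) string {
	if len(ss) == 0 {
		return ""
	}
	return ss[0]
}

// issueLeaf generates one leaf certificate signed by the CA held in
// caPEM/keyPEM, using config for its names and expireDays for its lifetime,
// and loads the resulting PEM pair as a tls.Certificate. Any error from
// GenerateCertificate or tls.X509KeyPair is returned unwrapped, as before.
func issueLeaf(config CertificateConfig, caPEM, keyPEM []byte, expireDays int) (tls.Certificate, error) {
	certPEM, leafKeyPEM, genErr := GenerateCertificate(config, WithParent(caPEM, keyPEM), WithExpirationDays(expireDays))
	if genErr != nil {
		return tls.Certificate{}, genErr
	}
	return tls.X509KeyPair(certPEM, leafKeyPEM)
}

// verifyChainAgainst returns a tls.Config.VerifyPeerCertificate callback that
// verifies the presented chain (leaf first, then intermediates) against
// roots without checking host names. It is used on the client side because
// InsecureSkipVerify removes the default verifier entirely; with it the
// server must still present a certificate that chains to roots.
//
// Extended key usage is not enforced here (ExtKeyUsageAny): whether
// GenerateCertificate sets ServerAuth on the leaf is not visible in this
// file. Tighten to ExtKeyUsageServerAuth once that is confirmed.
func verifyChainAgainst(roots *x509.CertPool) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("afssl: server presented no certificate")
		}
		leaf, parseLeafErr := x509.ParseCertificate(rawCerts[0])
		if parseLeafErr != nil {
			return fmt.Errorf("afssl: parse server certificate: %w", parseLeafErr)
		}
		intermediates := x509.NewCertPool()
		for _, raw := range rawCerts[1:] {
			cert, parseErr := x509.ParseCertificate(raw)
			if parseErr != nil {
				return fmt.Errorf("afssl: parse server intermediate certificate: %w", parseErr)
			}
			intermediates.AddCert(cert)
		}
		_, verifyErr := leaf.Verify(x509.VerifyOptions{
			Roots:         roots,
			Intermediates: intermediates,
			KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
		})
		return verifyErr
	}
}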
// CreateCA generates a self-signed CA certificate and its private key, both
// PEM encoded. An empty cn falls back to "AFSSL" and an expireDays below 1
// falls back to 3650; the subject is always C=CN, O=FNS, CN=cn. Any error
// comes straight from GenerateCertificate.
func CreateCA(cn string, expireDays int) (crtPEM []byte, keyPEM []byte, err error) {
	name := cn
	if name == "" {
		name = "AFSSL"
	}
	days := expireDays
	if days < 1 {
		days = 3650
	}
	subject := &CertificatePkixName{
		Country:      "CN",
		Organization: "FNS",
		CommonName:   name,
	}
	return GenerateCertificate(CertificateConfig{Subject: subject}, CA(), WithExpirationDays(days))
}