/
cmd_ca.go
94 lines (72 loc) · 2.36 KB
/
cmd_ca.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
// Copyright (c) 2019 The Tor Project, Inc. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package main
import (
"bytes"
"crypto/rand"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"io/ioutil"
"log"
"time"
"github.com/urfave/cli"
)
func CommandCA(c *cli.Context) error {
// Load our ed25519 keys into memory.
secretKeyPath := c.String("secret-key")
log.Printf("Loading ed25519 keys from %s", secretKeyPath)
keyPair, err := Ed25519KeyPairFromFile(secretKeyPath)
if err != nil {
log.Fatalf("Unable to load ed25519 keys from file %s: %s", secretKeyPath, err)
}
log.Printf("Loaded ed25519 keys for %s", OnionHostname(keyPair.PublicKey()))
// Generate our CA certificate.
notBefore := time.Now()
validFromString := c.String("valid-from")
validFor := c.Duration("valid-for")
if validFromString != "" {
notBefore, err = time.Parse("Jan 2 15:04:05 2006", validFromString)
if err != nil {
log.Fatalf("Unable to parse valid-from date: %s", err)
}
}
notAfter := notBefore.Add(validFor)
ca := &x509.Certificate{
SerialNumber: RandomSerialNumber(),
Subject: pkix.Name{
Organization: []string{c.String("organization")},
Country: []string{c.String("country")},
Province: []string{c.String("province")},
Locality: []string{c.String("locality")},
StreetAddress: []string{c.String("street-address")},
PostalCode: []string{c.String("postal-code")},
},
NotBefore: notBefore,
NotAfter: notAfter,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
IsCA: true,
BasicConstraintsValid: true,
}
log.Printf("Creating CA certificate")
caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, keyPair.Public(), keyPair)
if err != nil {
log.Fatalf("Unable to create CA certificate: %s", err)
}
// Encode our CA certificate from DER to PEM.
caPEM := new(bytes.Buffer)
pem.Encode(caPEM, &pem.Block{
Type: "CERTIFICATE",
Bytes: caDER,
})
// Save it to disk.
outputFile := c.String("output")
log.Printf("Saving Certificate Authority to %s", outputFile)
err = ioutil.WriteFile(outputFile, caPEM.Bytes(), 0600)
if err != nil {
log.Fatalf("Unable to write certificate authority to file: %s", err)
}
return nil
}