forked from TheThingsArchive/ttn
-
Notifications
You must be signed in to change notification settings - Fork 0
/
generate_keys.go
104 lines (92 loc) · 2.44 KB
/
generate_keys.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
// Copyright © 2017 The Things Network
// Use of this source code is governed by the MIT license that can be found in the LICENSE file.
package security
import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"io/ioutil"
"math/big"
"net"
"path/filepath"
"time"
)
var (
validFor = 365 * 24 * time.Hour
)
// GenerateKeypair generates a new keypair in the given location
func GenerateKeypair(location string) error {
// Generate private key
key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
return err
}
privPEM, err := PrivatePEM(key)
if err != nil {
return err
}
pubPEM, err := PublicPEM(key)
if err != nil {
return err
}
err = ioutil.WriteFile(filepath.Clean(location+"/server.pub"), pubPEM, 0644)
if err != nil {
return err
}
err = ioutil.WriteFile(filepath.Clean(location+"/server.key"), privPEM, 0600)
if err != nil {
return err
}
return nil
}
// GenerateCert generates a certificate for the given hostnames in the given location
func GenerateCert(location string, hostnames ...string) error {
privKey, err := LoadKeypair(location)
if err != nil {
return err
}
// Build Certificate
notBefore := time.Now()
notAfter := notBefore.Add(validFor)
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
if err != nil {
return err
}
template := x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{
Organization: []string{"The Things Network"},
},
IsCA: true,
NotBefore: notBefore,
NotAfter: notAfter,
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
BasicConstraintsValid: true,
}
for _, h := range hostnames {
if ip := net.ParseIP(h); ip != nil {
template.IPAddresses = append(template.IPAddresses, ip)
} else {
template.DNSNames = append(template.DNSNames, h)
}
}
// Generate certificate
certBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, privKey.Public(), privKey)
if err != nil {
return err
}
certPEM := pem.EncodeToMemory(&pem.Block{
Type: "CERTIFICATE",
Bytes: certBytes,
})
err = ioutil.WriteFile(filepath.Clean(location+"/server.cert"), certPEM, 0644)
if err != nil {
return err
}
return nil
}