/
cert.go
117 lines (101 loc) · 2.66 KB
/
cert.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
package kube
import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/rsa"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"errors"
"fmt"
"math/big"
"os"
"time"
"github.com/bytedance/Elkeid/server/manager/infra/ylog"
)
var caCert *x509.Certificate
var caKey *rsa.PrivateKey
var caByte []byte
func InitCaCert() {
var err error
caCert, caKey, err = loadX509KeyPair("./conf/ca.crt", "./conf/ca.key")
if err != nil {
fmt.Printf("LoadX509KeyPair Error %s\n", err.Error())
ylog.Errorf("LoadX509KeyPair", "failed to load ca %s.", err.Error())
return
}
caByte, err = os.ReadFile("./conf/ca.crt")
if err != nil {
fmt.Printf("ReadFile CA Error %s\n", err.Error())
ylog.Errorf("ReadFile CA", "failed to load ca %s.", err.Error())
}
}
func LoadCaCert() []byte {
return caByte
}
func CreateCert(commonName string, duration time.Duration) (key, cert []byte, err error) {
if caCert == nil || caKey == nil {
return nil, nil, errors.New("ca is not set")
}
clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
return nil, nil, err
}
key, err = decodeKey(clientKey)
if err != nil {
return nil, nil, err
}
notBefore := time.Now()
notAfter := notBefore.Add(duration)
clientTemplate := x509.Certificate{
SerialNumber: new(big.Int).SetInt64(4),
Subject: pkix.Name{
Organization: []string{"Elkeid"},
CommonName: commonName,
},
NotBefore: notBefore,
NotAfter: notAfter,
KeyUsage: x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
BasicConstraintsValid: true,
IsCA: false,
}
derBytes, err := x509.CreateCertificate(rand.Reader, &clientTemplate, caCert, &clientKey.PublicKey, caKey)
if err != nil {
return nil, nil, err
}
cert = decodeCert(derBytes)
return key, cert, nil
}
func loadX509KeyPair(certFile, keyFile string) (*x509.Certificate, *rsa.PrivateKey, error) {
cf, err := os.ReadFile(certFile)
if err != nil {
return nil, nil, err
}
kf, e := os.ReadFile(keyFile)
if e != nil {
return nil, nil, e
}
cpb, _ := pem.Decode(cf)
kpb, _ := pem.Decode(kf)
crt, err := x509.ParseCertificate(cpb.Bytes)
if e != nil {
return nil, nil, err
}
key, err := x509.ParsePKCS1PrivateKey(kpb.Bytes)
if err != nil {
return nil, nil, err
}
return crt, key, nil
}
func decodeKey(key *ecdsa.PrivateKey) ([]byte, error) {
b, err := x509.MarshalECPrivateKey(key)
if err != nil {
return nil, err
}
return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: b}), nil
}
func decodeCert(derBytes []byte) []byte {
return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
}