-
Notifications
You must be signed in to change notification settings - Fork 6
/
chain.go
145 lines (121 loc) · 4.11 KB
/
chain.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
package crypto
import (
"bytes"
"crypto/x509"
"encoding/pem"
"fmt"
"os"
"path/filepath"
"strings"
"github.com/coinbase/baseca/internal/types"
)
const (
_subordinatePrivateKey = "/ca-subordinate.key"
_subordinateCertificate = "/ca-subordinate.crt"
_subordinateSerialNumber = "/serial.txt"
_intermediateCertificate = "/ca-intermediate.crt"
_certificateAuthorityArn = "/acm-pca.txt"
_rootCertificate = "/ca-root.crt"
)
func BuildCertificateChain(ca_path string, certificate []byte, subordinate_ca []byte) (*bytes.Buffer, *bytes.Buffer, *bytes.Buffer, error) {
var err error
leaf_certificate := new(bytes.Buffer)
intermediate_chained_certificate := new(bytes.Buffer)
root_chained_certificate := new(bytes.Buffer)
intermediate_ca, root_ca, err := retrieveCertificateAuthority(ca_path)
if err != nil {
return nil, nil, nil, err
}
// End Entity Certificate
err = pem.Encode(leaf_certificate, &pem.Block{Type: "CERTIFICATE", Bytes: certificate})
if err != nil {
return nil, nil, nil, err
}
// Build Intermediate Certificate Chain
err = pem.Encode(intermediate_chained_certificate, &pem.Block{Type: "CERTIFICATE", Bytes: certificate})
if err != nil {
return nil, nil, nil, err
}
var intermediate_chain [][]byte
if intermediate_ca != nil {
intermediate_chain = [][]byte{subordinate_ca, intermediate_ca}
}
for _, crt := range intermediate_chain {
err = pem.Encode(intermediate_chained_certificate, &pem.Block{Type: "CERTIFICATE", Bytes: crt})
if err != nil {
return nil, nil, nil, err
}
}
// Build Root Certificate Chains Depending on Existence of Intermediate CA
err = pem.Encode(root_chained_certificate, &pem.Block{Type: "CERTIFICATE", Bytes: certificate})
if err != nil {
return nil, nil, nil, err
}
var root_chain [][]byte
if intermediate_ca != nil {
root_chain = [][]byte{subordinate_ca, intermediate_ca, root_ca}
} else {
root_chain = [][]byte{subordinate_ca, root_ca}
}
for _, crt := range root_chain {
err = pem.Encode(root_chained_certificate, &pem.Block{Type: "CERTIFICATE", Bytes: crt})
if err != nil {
return nil, nil, nil, err
}
}
return leaf_certificate, intermediate_chained_certificate, root_chained_certificate, nil
}
func GetSubordinateCaPath(service string) (*string, *string, error) {
directoryPath := filepath.Join(types.SubordinatePath, service)
caPath := filepath.Join(directoryPath, _subordinateCertificate)
if !strings.HasPrefix(caPath, types.SubordinatePath) {
return nil, nil, fmt.Errorf("unsafe file input, read ca subordinate certificate")
}
keyPath := filepath.Join(directoryPath, _subordinatePrivateKey)
if !strings.HasPrefix(caPath, types.SubordinatePath) {
return nil, nil, fmt.Errorf("unsafe file input, read ca subordinate private key")
}
return &caPath, &keyPath, nil
}
func retrieveCertificateAuthority(service string) ([]byte, []byte, error) {
intermediatePath := filepath.Join(types.SubordinatePath, service+_intermediateCertificate)
rootPath := filepath.Join(types.SubordinatePath, service+_rootCertificate)
if !strings.HasPrefix(intermediatePath, types.SubordinatePath) || !strings.HasPrefix(rootPath, types.SubordinatePath) {
return nil, nil, fmt.Errorf("unsafe file input")
}
var x509_intermediate_ca *x509.Certificate
if _, err := os.Stat(intermediatePath); !os.IsNotExist(err) {
intermediate_ca, err := os.ReadFile(filepath.Clean(intermediatePath))
if err != nil {
return nil, nil, err
}
x509_intermediate_ca, err = parseCertificate(intermediate_ca)
if err != nil {
return nil, nil, err
}
}
root_ca, err := os.ReadFile(filepath.Clean(rootPath))
if err != nil {
return nil, nil, err
}
x509_root_ca, err := parseCertificate(root_ca)
if err != nil {
return nil, nil, err
}
var intermediateRaw []byte
if x509_intermediate_ca != nil {
intermediateRaw = x509_intermediate_ca.Raw
}
return intermediateRaw, x509_root_ca.Raw, nil
}
func parseCertificate(ca []byte) (*x509.Certificate, error) {
pemBlock, _ := pem.Decode(ca)
if pemBlock == nil {
return nil, fmt.Errorf("failed to parse certificate PEM")
}
cert, err := x509.ParseCertificate(pemBlock.Bytes)
if err != nil {
return nil, err
}
return cert, nil
}