/
certificate.go
224 lines (194 loc) · 5.44 KB
/
certificate.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
package certificate
import (
"bytes"
"crypto"
"crypto/ecdsa"
"crypto/ed25519"
"crypto/rand"
"crypto/rsa"
"crypto/tls"
"crypto/x509"
"encoding/base64"
"encoding/pem"
"errors"
"fmt"
"strings"
)
var (
errKeyPairTypes = fmt.Errorf("private key type does not match public key type")
errKeyPair = fmt.Errorf("private key does not match public key")
)
type KeyPair struct {
Cert []byte `json:"cert,omitempty" toml:"cert,omitempty" yaml:"cert,omitempty"`
Key []byte `json:"key,omitempty" toml:"key,omitempty" yaml:"key,omitempty"`
}
func X509(pair *KeyPair) (tls.Certificate, error) {
return X509KeyPair(pair.Cert, pair.Key)
}
func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (tls.Certificate, error) {
var (
cert tls.Certificate
err error
)
// Parse CERTIFICATE if provided
if len(certPEMBlock) > 0 {
cert.Certificate, err = Decode(certPEMBlock, "CERTIFICATE")
if err != nil {
return tls.Certificate{}, err
}
// Set certificate leaf
cert.Leaf, err = x509.ParseCertificate(cert.Certificate[0])
if err != nil {
return tls.Certificate{}, err
}
}
// Parse PRIVATE KEY if provided
if len(keyPEMBlock) > 0 {
var keys [][]byte
keys, err = Decode(keyPEMBlock, "PRIVATE KEY")
if err != nil {
return tls.Certificate{}, err
}
cert.PrivateKey, err = ParsePrivateKey(keys[0])
if err != nil {
return tls.Certificate{}, err
}
}
// Test certificate and private key matches
if cert.Leaf != nil && cert.PrivateKey != nil {
switch pub := cert.Leaf.PublicKey.(type) {
case *rsa.PublicKey:
priv, ok := cert.PrivateKey.(*rsa.PrivateKey)
if !ok {
return tls.Certificate{}, errKeyPairTypes
}
if pub.N.Cmp(priv.N) != 0 {
return tls.Certificate{}, errKeyPair
}
case *ecdsa.PublicKey:
priv, ok := cert.PrivateKey.(*ecdsa.PrivateKey)
if !ok {
return tls.Certificate{}, errKeyPairTypes
}
if pub.X.Cmp(priv.X) != 0 || pub.Y.Cmp(priv.Y) != 0 {
return tls.Certificate{}, errKeyPair
}
case ed25519.PublicKey:
priv, ok := cert.PrivateKey.(ed25519.PrivateKey)
if !ok {
return tls.Certificate{}, errKeyPairTypes
}
if !bytes.Equal(priv.Public().(ed25519.PublicKey), pub) {
return tls.Certificate{}, errKeyPair
}
default:
return tls.Certificate{}, fmt.Errorf("unknown public key algorithm")
}
}
return cert, nil
}
func GenerateCertificate(keyPEMBlock []byte, template *x509.Certificate) (*tls.Certificate, error) {
privKey, err := ParsePrivateKey(keyPEMBlock)
if err != nil {
return nil, err
}
certBytes, err := x509.CreateCertificate(rand.Reader, template, template, ParsePublicKey(privKey), privKey)
if err != nil {
return nil, err
}
var cert tls.Certificate
cert.Certificate = [][]byte{certBytes}
// Set certificate leaf
cert.Leaf, err = x509.ParseCertificate(certBytes)
if err != nil {
return nil, err
}
return &cert, nil
}
func Decode(block []byte, typ string) ([][]byte, error) {
var (
certs [][]byte
err error
)
// Parses assuming block has a valid format
if certs, err = decode(block, typ); err == nil {
return certs, nil
}
rErr := err
// Parses assuming block headers are missing
if certs, err = decode([]byte(fmt.Sprintf("-----BEGIN %v-----\n%v\n-----END %v-----", typ, string(block), typ)), typ); err == nil {
return certs, nil
}
// Parses assuming block is 1 line
if block, err = decodeBase64(block); err != nil {
return nil, rErr
}
if certs, err := decode([]byte(fmt.Sprintf("-----BEGIN %v-----\n%v\n-----END %v-----", typ, string(block), typ)), typ); err == nil {
return certs, nil
}
return nil, rErr
}
func decode(raw []byte, typ string) ([][]byte, error) {
var (
blocks [][]byte
skippedBlockTypes []string
)
for {
var block *pem.Block
block, raw = pem.Decode(raw)
if block == nil {
break
}
if block.Type == typ || strings.HasSuffix(block.Type, " "+typ) {
blocks = append(blocks, block.Bytes)
} else {
skippedBlockTypes = append(skippedBlockTypes, block.Type)
}
}
if len(blocks) == 0 {
if len(skippedBlockTypes) == 0 {
return nil, fmt.Errorf("failed to find any data in input")
}
return nil, fmt.Errorf("failed to find %q block in input after skipping blocks of the following types: %v", typ, skippedBlockTypes)
}
return blocks, nil
}
func decodeBase64(data []byte) ([]byte, error) {
resultData := make([]byte, base64.StdEncoding.DecodedLen(len(data)))
n, err := base64.StdEncoding.Decode(resultData, data)
if err != nil {
return nil, err
}
resultData = resultData[:n]
return resultData, nil
}
func ParsePublicKey(priv interface{}) interface{} {
switch k := priv.(type) {
case *rsa.PrivateKey:
return &k.PublicKey
case *ecdsa.PrivateKey:
return &k.PublicKey
default:
return nil
}
}
// ParsePrivateKey attempts to parse the given private key DER block. OpenSSL 0.9.8 generates
// PKCS#1 private keys by default, while OpenSSL 1.0.0 generates PKCS#8 keys.
// OpenSSL ecparam generates SEC1 EC private keys for ECDSA. We try all three.
func ParsePrivateKey(der []byte) (crypto.PrivateKey, error) {
if key, err := x509.ParsePKCS1PrivateKey(der); err == nil {
return key, nil
}
if key, err := x509.ParsePKCS8PrivateKey(der); err == nil {
switch key := key.(type) {
case *rsa.PrivateKey, *ecdsa.PrivateKey, ed25519.PrivateKey:
return key, nil
default:
return nil, errors.New("found unknown private key type in PKCS#8 wrapping")
}
}
if key, err := x509.ParseECPrivateKey(der); err == nil {
return key, nil
}
return nil, errors.New("failed to parse private key")
}