MB-47905: [generate_cert] Add --client and --san-emails args

Change-Id: Ia3850d157d3a1ff16a5d32c1b9be74003e80277c Reviewed-on: https://review.couchbase.org/c/ns_server/+/170994 Well-Formed: Build Bot <build@couchbase.com> Reviewed-by: Artem Stemkovski <artem@couchbase.com> Tested-by: Timofey Barmin <timofey.barmin@couchbase.com>
couchbase · Apr 6, 2022 · 348b923 · 348b923
1 parent 594a7b7
commit 348b923
Showing 1 changed file with 15 additions and 1 deletion.
diff --git a/deps/gocode/src/generate_cert/generate_cert.go b/deps/gocode/src/generate_cert/generate_cert.go
@@ -69,15 +69,19 @@ var keyLength = 2048
 
 func main() {
 	var genereateLeaf bool
+	var isClient bool
 	var commonName string
 	var sanIPAddrsArg string
 	var sanDNSNamesArg string
+	var sanEmailsArg string
 	var useSha1 bool
 
 	flag.StringVar(&commonName, "common-name", "*", "common name field of certificate (hostname)")
 	flag.StringVar(&sanIPAddrsArg, "san-ip-addrs", "", "Subject Alternative Name IP addresses (comma separated)")
 	flag.StringVar(&sanDNSNamesArg, "san-dns-names", "", "Subject Alternative Name DNS names (comma separated)")
+	flag.StringVar(&sanEmailsArg, "san-emails", "", "Subject Alternative Name Emails (comma separated)")
 	flag.BoolVar(&genereateLeaf, "generate-leaf", false, "whether to generate leaf certificate (passing ca cert and pkey via environment variables)")
+	flag.BoolVar(&isClient, "client", false, "whether to add client auth extension")
 
 	flag.BoolVar(&useSha1, "use-sha1", false, "whether to use sha1 instead of default sha256 signature algorithm")
 
@@ -104,6 +108,12 @@ func main() {
 
 		leafPKey, err := rsa.GenerateKey(rand.Reader, keyLength)
 		mustNoErr(err)
+
+		authExt := x509.ExtKeyUsageServerAuth
+		if isClient {
+			authExt = x509.ExtKeyUsageClientAuth
+		}
+
 		leafTemplate := x509.Certificate{
 			SerialNumber: big.NewInt(time.Now().UnixNano()),
 			NotBefore:    time.Now().AddDate(0, 0, -1),
@@ -114,7 +124,7 @@ func main() {
 			},
 			KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
 			SignatureAlgorithm:    caCert.SignatureAlgorithm,
-			ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+			ExtKeyUsage:           []x509.ExtKeyUsage{authExt},
 			BasicConstraintsValid: true,
 		}
 
@@ -135,6 +145,10 @@ func main() {
 			leafTemplate.DNSNames = strings.Split(sanDNSNamesArg, ",")
 		}
 
+		if sanEmailsArg != "" {
+			leafTemplate.EmailAddresses = strings.Split(sanEmailsArg, ",")
+		}
+
 		certDer, err := x509.CreateCertificate(rand.Reader, &leafTemplate, caCert, &leafPKey.PublicKey, pkey)
 		mustNoErr(err)