-
Notifications
You must be signed in to change notification settings - Fork 1
/
root.go
79 lines (69 loc) · 1.58 KB
/
root.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
package authority
import (
"crypto"
"github.com/effective-security/xpki/cryptoprov"
"github.com/effective-security/xpki/csr"
"github.com/pkg/errors"
)
// NewRoot creates a new root certificate from the certificate request.
func NewRoot(profile string, cfg *Config, provider cryptoprov.Provider, req *csr.CertificateRequest) (certPEM, csrPEM, key []byte, err error) {
err = req.Validate()
if err != nil {
err = errors.WithMessage(err, "invalid request")
return
}
err = cfg.Validate()
if err != nil {
err = errors.WithMessage(err, "invalid configuration")
return
}
var (
gkey crypto.PrivateKey
keyID string
c = csr.NewProvider(provider)
)
csrPEM, gkey, keyID, err = c.GenerateKeyAndRequest(req)
if err != nil {
err = errors.WithMessage(err, "process request")
return
}
signer := gkey.(crypto.Signer)
uri, keyBytes, err := provider.ExportKey(keyID)
if err != nil {
err = errors.WithMessage(err, "failed to export key")
return
}
if keyBytes == nil {
key = []byte(uri)
} else {
key = keyBytes
}
issuer := &Issuer{
cfg: IssuerConfig{
Profiles: cfg.Profiles,
},
signer: signer,
sigAlgo: csr.DefaultSigAlgo(signer),
}
/*
if cfg.Authority != nil {
// TODO: AIA to root CA
// issuer.cfg.AIA = cfg.Authority.DefaultAIA
}
*/
sreq := csr.SignRequest{
SAN: req.SAN,
Request: string(csrPEM),
Profile: profile,
Subject: &csr.X509Subject{
CommonName: req.CommonName,
Names: req.Names,
},
}
_, certPEM, err = issuer.Sign(sreq)
if err != nil {
err = errors.WithMessage(err, "sign request")
return
}
return
}