Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Certificate generation improvements #23

Closed
wants to merge 1 commit into from
Closed

Certificate generation improvements #23

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
53 changes: 40 additions & 13 deletions cert/cert.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,19 +28,18 @@ var CipherSuites = []uint16{
// commonName is the CN of the certificate
// Example for commonName: "deviceModel-deviceSerialNumber"
func CreateCertificate(organizationalUnit, organization, country, commonName string) (tls.Certificate, error) {
privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
return tls.Certificate{}, err
}

// Create the EEBUS service SKI using the private key
asn1, err := x509.MarshalECPrivateKey(privateKey)
// Create a random serial big int value
maxValue := new(big.Int)
maxValue.Exp(big.NewInt(2), big.NewInt(130), nil).Sub(maxValue, big.NewInt(1))
serialNumber, err := rand.Int(rand.Reader, maxValue)
if err != nil {
return tls.Certificate{}, err
}
// SHIP 12.2: Required to be created according to RFC 3280 4.2.1.2
// #nosec G401
ski := sha1.Sum(asn1)

subject := pkix.Name{
OrganizationalUnit: []string{organizationalUnit},
Expand All @@ -49,27 +48,55 @@ func CreateCertificate(organizationalUnit, organization, country, commonName str
CommonName: commonName,
}

// Create a random serial big int value
maxValue := new(big.Int)
maxValue.Exp(big.NewInt(2), big.NewInt(130), nil).Sub(maxValue, big.NewInt(1))
serialNumber, err := rand.Int(rand.Reader, maxValue)
rootTemplate := &x509.Certificate{
SignatureAlgorithm: x509.ECDSAWithSHA256,
SerialNumber: serialNumber,
Subject: subject,
NotBefore: time.Now(), // Valid starting now
NotAfter: time.Now().Add(time.Hour * 24 * 365 * 10), // Valid for 10 years
KeyUsage: x509.KeyUsageCRLSign | x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
BasicConstraintsValid: true,
IsCA: true,
}

rootCertBytes, err := x509.CreateCertificate(rand.Reader, rootTemplate, rootTemplate, &rootKey.PublicKey, rootKey)
if err != nil {
return tls.Certificate{}, err
}

rootCert, err := x509.ParseCertificate(rootCertBytes)
if err != nil {
return tls.Certificate{}, err
}

privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
return tls.Certificate{}, err
}

// Create the EEBUS service SKI using the private key
asn1, err := x509.MarshalECPrivateKey(privateKey)
if err != nil {
return tls.Certificate{}, err
}
// SHIP 12.2: Required to be created according to RFC 3280 4.2.1.2
// #nosec G401
ski := sha1.Sum(asn1)

template := x509.Certificate{
template := &x509.Certificate{
SignatureAlgorithm: x509.ECDSAWithSHA256,
SerialNumber: serialNumber,
Subject: subject,
NotBefore: time.Now(), // Valid starting now
NotAfter: time.Now().Add(time.Hour * 24 * 365 * 10), // Valid for 10 years
KeyUsage: x509.KeyUsageDigitalSignature,
BasicConstraintsValid: true,
IsCA: true,
SubjectKeyId: ski[:],
AuthorityKeyId: ski[:],
}

certBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &privateKey.PublicKey, privateKey)
certBytes, err := x509.CreateCertificate(rand.Reader, template, rootCert, &privateKey.PublicKey, rootKey)
if err != nil {
return tls.Certificate{}, err
}
Expand Down
Loading