change api for work with x509

go.mod

@@ -6,6 +6,7 @@ require (
 	go.osspkg.com/casecheck v0.3.0
 	go.osspkg.com/errors v0.4.0
 	go.osspkg.com/random v0.5.0
+	go.osspkg.com/syncing v0.4.3
 	golang.org/x/crypto v0.43.0
 )
 

go.sum

@@ -4,6 +4,8 @@ go.osspkg.com/errors v0.4.0 h1:E17+WyUzTXEHCTxGm8lOMPOOojzHG1lsOuQtTVGoATQ=
 go.osspkg.com/errors v0.4.0/go.mod h1:s75ZovPemYtrCtRPVsbQNq9MgMbmLMK1NEypr+uwjXI=
 go.osspkg.com/random v0.5.0 h1:6x2CQ5Vb6PVyuGi6Ao3K6Pr2fzVviBPCEEJC5HQNSmg=
 go.osspkg.com/random v0.5.0/go.mod h1:lsg3FI87PQdjhVWIVo2GXyPBclipljUxjMlWqRl2cck=
+go.osspkg.com/syncing v0.4.3 h1:XioXG9zje1LNCsfQhNHkNPCQqPSJZHWTzM8Xig2zvAU=
+go.osspkg.com/syncing v0.4.3/go.mod h1:/LBmgCAHFW6nQgVDILpEuo6eRCFK1yyFeNbDs4eVNls=
 golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04=
 golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0=
 golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ=

pki/alg_ecdsa.go

@@ -0,0 +1,70 @@
+/*
+ *  Copyright (c) 2024-2025 Mikhail Knyazhev <markus621@yandex.ru>. All rights reserved.
+ *  Use of this source code is governed by a BSD 3-Clause license that can be found in the LICENSE file.
+ */
+
+package pki
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"fmt"
+	"reflect"
+)
+
+type _ecdsa struct{}
+
+func (*_ecdsa) Name() x509.PublicKeyAlgorithm {
+	return x509.ECDSA
+}
+
+func (*_ecdsa) IsPrivateKey(key crypto.Signer) bool {
+	_, ok := key.(*ecdsa.PrivateKey)
+	return ok
+}
+
+func (*_ecdsa) IsCertificate(cert x509.Certificate) bool {
+	_, ok := cert.PublicKey.(*ecdsa.PublicKey)
+	return ok
+}
+
+func (*_ecdsa) IsRequest(cert x509.CertificateRequest) bool {
+	_, ok := cert.PublicKey.(*ecdsa.PublicKey)
+	return ok
+}
+
+func (*_ecdsa) IsValidPair(key crypto.Signer, cert x509.Certificate) bool {
+	raw, ok := key.(*ecdsa.PrivateKey)
+	if !ok {
+		return false
+	}
+	pk, ok := raw.Public().(*ecdsa.PublicKey)
+	if !ok {
+		return false
+	}
+	ck, ok := cert.PublicKey.(*ecdsa.PublicKey)
+	if !ok {
+		return false
+	}
+
+	return reflect.DeepEqual(pk, ck)
+}
+
+func (*_ecdsa) Generate(ct CertType) (crypto.Signer, error) {
+	var curve elliptic.Curve
+	switch ct {
+	case RootCaCert:
+		curve = elliptic.P256()
+	case InterCACert:
+		curve = elliptic.P384()
+	case ClientCert:
+		curve = elliptic.P256()
+	default:
+		return nil, fmt.Errorf("unknown certificate curve for '%s'", ct)
+	}
+
+	return ecdsa.GenerateKey(curve, rand.Reader)
+}

pki/alg_rsa.go

@@ -0,0 +1,69 @@
+/*
+ *  Copyright (c) 2024-2025 Mikhail Knyazhev <markus621@yandex.ru>. All rights reserved.
+ *  Use of this source code is governed by a BSD 3-Clause license that can be found in the LICENSE file.
+ */
+
+package pki
+
+import (
+	"crypto"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"fmt"
+	"reflect"
+)
+
+type _rsa struct{}
+
+func (*_rsa) Name() x509.PublicKeyAlgorithm {
+	return x509.RSA
+}
+
+func (*_rsa) IsPrivateKey(key crypto.Signer) bool {
+	_, ok := key.(*rsa.PrivateKey)
+	return ok
+}
+
+func (*_rsa) IsCertificate(cert x509.Certificate) bool {
+	_, ok := cert.PublicKey.(*rsa.PublicKey)
+	return ok
+}
+
+func (*_rsa) IsRequest(cert x509.CertificateRequest) bool {
+	_, ok := cert.PublicKey.(*rsa.PublicKey)
+	return ok
+}
+
+func (*_rsa) IsValidPair(key crypto.Signer, cert x509.Certificate) bool {
+	raw, ok := key.(*rsa.PrivateKey)
+	if !ok {
+		return false
+	}
+	pk, ok := raw.Public().(*rsa.PublicKey)
+	if !ok {
+		return false
+	}
+	ck, ok := cert.PublicKey.(*rsa.PublicKey)
+	if !ok {
+		return false
+	}
+
+	return reflect.DeepEqual(pk, ck)
+}
+
+func (*_rsa) Generate(ct CertType) (crypto.Signer, error) {
+	var bits int
+	switch ct {
+	case RootCaCert:
+		bits = 4096
+	case InterCACert:
+		bits = 3072
+	case ClientCert:
+		bits = 2048
+	default:
+		return nil, fmt.Errorf("unknown certificate bits for '%s'", ct)
+	}
+
+	return rsa.GenerateKey(rand.Reader, bits)
+}

pki/alg_type.go

@@ -0,0 +1,49 @@
+/*
+ *  Copyright (c) 2024-2025 Mikhail Knyazhev <markus621@yandex.ru>. All rights reserved.
+ *  Use of this source code is governed by a BSD 3-Clause license that can be found in the LICENSE file.
+ */
+
+package pki
+
+import (
+	"crypto"
+	"crypto/x509"
+
+	"go.osspkg.com/syncing"
+)
+
+var (
+	signatures = syncing.NewMap[x509.SignatureAlgorithm, x509.PublicKeyAlgorithm](5)
+	algorithms = syncing.NewMap[x509.PublicKeyAlgorithm, Algorithm](5)
+)
+
+func Register(k x509.SignatureAlgorithm, v Algorithm) {
+	signatures.Set(k, v.Name())
+	algorithms.Set(v.Name(), v)
+}
+
+func init() {
+	Register(x509.SHA256WithRSA, &_rsa{})
+	Register(x509.SHA384WithRSA, &_rsa{})
+	Register(x509.SHA512WithRSA, &_rsa{})
+	Register(x509.ECDSAWithSHA256, &_ecdsa{})
+	Register(x509.ECDSAWithSHA384, &_ecdsa{})
+	Register(x509.ECDSAWithSHA512, &_ecdsa{})
+}
+
+type Algorithm interface {
+	Name() x509.PublicKeyAlgorithm
+	IsPrivateKey(key crypto.Signer) bool
+	IsRequest(cert x509.CertificateRequest) bool
+	IsCertificate(cert x509.Certificate) bool
+	IsValidPair(key crypto.Signer, cert x509.Certificate) bool
+	Generate(ct CertType) (crypto.Signer, error)
+}
+
+type CertType string
+
+const (
+	RootCaCert  CertType = "root_ca_cert"
+	InterCACert CertType = "intermediate_ca_cert"
+	ClientCert  CertType = "client_cert"
+)

x509cert/common.go → pki/common.go

@@ -3,7 +3,7 @@
  *  Use of this source code is governed by a BSD 3-Clause license that can be found in the LICENSE file.
  */
 
-package x509cert
+package pki
 
 import (
 	_ "crypto/md5"

pki/config.go

@@ -0,0 +1,79 @@
+/*
+ *  Copyright (c) 2024-2025 Mikhail Knyazhev <markus621@yandex.ru>. All rights reserved.
+ *  Use of this source code is governed by a BSD 3-Clause license that can be found in the LICENSE file.
+ */
+
+package pki
+
+import (
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/asn1"
+)
+
+type Config struct {
+	SignatureAlgorithm x509.SignatureAlgorithm `yaml:"signature_algorithm" json:"signature_algorithm"`
+
+	Organization       string `yaml:"organization,omitempty" json:"organization,omitempty"`
+	OrganizationalUnit string `yaml:"organizational_unit,omitempty" json:"organizational_unit,omitempty"`
+	Country            string `yaml:"country,omitempty" json:"country,omitempty"`
+	Province           string `yaml:"province,omitempty" json:"province,omitempty"`
+	Locality           string `yaml:"locality,omitempty" json:"locality,omitempty"`
+	StreetAddress      string `yaml:"street_address,omitempty" json:"street_address,omitempty"`
+	PostalCode         string `yaml:"postal_code,omitempty" json:"postal_code,omitempty"`
+	CommonName         string `yaml:"common_name,omitempty" json:"common_name,omitempty"`
+
+	EmailAddress             []string `yaml:"email_address,omitempty" json:"email_address,omitempty"`
+	OCSPServerURLs           []string `yaml:"ocsp_server_ur_ls,omitempty" json:"ocsp_server_ur_ls,omitempty"`
+	IssuingCertificateURLs   []string `yaml:"issuing_certificate_urls,omitempty" json:"issuing_certificate_urls,omitempty"`
+	CRLDistributionPointURLs []string `yaml:"crl_distribution_point_ur_ls,omitempty" json:"crl_distribution_point_ur_ls,omitempty"`
+	CertificatePoliciesURLs  []string `yaml:"certificate_policies_urls,omitempty" json:"certificate_policies_urls,omitempty"`
+}
+
+func (v Config) Subject() pkix.Name {
+	result := pkix.Name{}
+
+	if len(v.Country) > 0 {
+		result.Country = []string{v.Country}
+	}
+	if len(v.Organization) > 0 {
+		result.Organization = []string{v.Organization}
+	}
+	if len(v.OrganizationalUnit) > 0 {
+		result.OrganizationalUnit = []string{v.OrganizationalUnit}
+	}
+	if len(v.Locality) > 0 {
+		result.Locality = []string{v.Locality}
+	}
+	if len(v.Province) > 0 {
+		result.Province = []string{v.Province}
+	}
+	if len(v.StreetAddress) > 0 {
+		result.StreetAddress = []string{v.StreetAddress}
+	}
+	if len(v.PostalCode) > 0 {
+		result.PostalCode = []string{v.PostalCode}
+	}
+	if len(v.CommonName) > 0 {
+		result.CommonName = v.CommonName
+	}
+
+	return result
+}
+
+func (v Config) ExtraExtensions() []pkix.Extension {
+	var result []pkix.Extension
+
+	if len(v.IssuingCertificateURLs) > 0 {
+		for _, value := range stringsPrepare(v.CertificatePoliciesURLs) {
+			result = append(result, pkix.Extension{
+				Id:       asn1.ObjectIdentifier{2, 23, 140, 1, 1},
+				Critical: true,
+				Value:    []byte(value),
+			})
+		}
+
+	}
+
+	return result
+}