ziggi/certmanager
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

certmanager updated

Browse Source
This commit is contained in:
Олег Бородин
2024-08-06 19:10:36 +02:00
parent c7b9532377
commit f89cfe7d90
7 changed files with 281 additions and 206 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
api/certmanagercontrol/certmanagercontrol.pb.go
View File

@@ -918,10 +918,10 @@ type CreateServicePairResult struct {
unknownFields protoimpl.UnknownFields
ServiceID int64 `protobuf:"varint,1,opt,name=serviceID,proto3" json:"serviceID,omitempty"`
Name string `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"`
ServiceName string `protobuf:"bytes,2,opt,name=serviceName,proto3" json:"serviceName,omitempty"`
IssuerCertificate string `protobuf:"bytes,3,opt,name=issuerCertificate,proto3" json:"issuerCertificate,omitempty"`
IssuerID int64 `protobuf:"varint,4,opt,name=issuerID,proto3" json:"issuerID,omitempty"`
Cerificate string `protobuf:"bytes,5,opt,name=cerificate,proto3" json:"cerificate,omitempty"`
Certificate string `protobuf:"bytes,5,opt,name=certificate,proto3" json:"certificate,omitempty"`
Key string `protobuf:"bytes,6,opt,name=key,proto3" json:"key,omitempty"`
}
@@ -964,9 +964,9 @@ func (x *CreateServicePairResult) GetServiceID() int64 {
return 0
}
func (x *CreateServicePairResult) GetName() string {
func (x *CreateServicePairResult) GetServiceName() string {
if x != nil {
return x.Name
return x.ServiceName
}
return ""
}
@@ -985,9 +985,9 @@ func (x *CreateServicePairResult) GetIssuerID() int64 {
return 0
}
func (x *CreateServicePairResult) GetCerificate() string {
func (x *CreateServicePairResult) GetCertificate() string {
if x != nil {
return x.Cerificate
return x.Certificate
}
return ""
}
@@ -1622,18 +1622,19 @@ var file_certmanagercontrol_proto_rawDesc = []byte{
0x03, 0x28, 0x09, 0x52, 0x09, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x12, 0x24,
0x0a, 0x0d, 0x69, 0x6e, 0x65, 0x74, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x65, 0x73, 0x18,
0x06, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0d, 0x69, 0x6e, 0x65, 0x74, 0x41, 0x64, 0x64, 0x72, 0x65,
0x73, 0x73, 0x65, 0x73, 0x22, 0xc7, 0x01, 0x0a, 0x17, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x53,
0x73, 0x73, 0x65, 0x73, 0x22, 0xd7, 0x01, 0x0a, 0x17, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x53,
0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x50, 0x61, 0x69, 0x72, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74,
0x12, 0x1c, 0x0a, 0x09, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x49, 0x44, 0x18, 0x01, 0x20,
0x01, 0x28, 0x03, 0x52, 0x09, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x49, 0x44, 0x12, 0x12,
0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61,
0x6d, 0x65, 0x12, 0x2c, 0x0a, 0x11, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x43, 0x65, 0x72, 0x74,
0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x69,
0x73, 0x73, 0x75, 0x65, 0x72, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65,
0x12, 0x1a, 0x0a, 0x08, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x49, 0x44, 0x18, 0x04, 0x20, 0x01,
0x28, 0x03, 0x52, 0x08, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x49, 0x44, 0x12, 0x1e, 0x0a, 0x0a,
0x63, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09,
0x52, 0x0a, 0x63, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x10, 0x0a, 0x03,
0x01, 0x28, 0x03, 0x52, 0x09, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x49, 0x44, 0x12, 0x20,
0x0a, 0x0b, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20,
0x01, 0x28, 0x09, 0x52, 0x0b, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x4e, 0x61, 0x6d, 0x65,
0x12, 0x2c, 0x0a, 0x11, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66,
0x69, 0x63, 0x61, 0x74, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x69, 0x73, 0x73,
0x75, 0x65, 0x72, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x1a,
0x0a, 0x08, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x49, 0x44, 0x18, 0x04, 0x20, 0x01, 0x28, 0x03,
0x52, 0x08, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x49, 0x44, 0x12, 0x20, 0x0a, 0x0b, 0x63, 0x65,
0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52,
0x0b, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x10, 0x0a, 0x03,
0x6b, 0x65, 0x79, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x22, 0x9b,
0x01, 0x0a, 0x17, 0x72, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65,
0x50, 0x61, 0x69, 0x72, 0x50, 0x61, 0x72, 0x61, 0x6d, 0x73, 0x12, 0x1c, 0x0a, 0x09, 0x73, 0x65,

8
cmd/certmanagerctl/main.go
View File

@@ -65,11 +65,11 @@ type Util struct {
issuerName string
keyFilename string
signerID int64
signerName string
signerID int64
signerName string
serviceID int64
serviceName string
serviceID int64
serviceName string
}
func NewUtil() *Util {

68
internal/logic/issuer.go
View File

@@ -7,39 +7,39 @@ import (
cmapi "certmanager/api/certmanagercontrol"
"certmanager/internal/descriptor"
"certmanager/pkg/cm509"
"certmanager/pkg/cm509"
)
func (lg *Logic) CreateIssuerPair(ctx context.Context, params *cmapi.CreateIssuerPairParams) (*cmapi.CreateIssuerPairResult, error) {
var err error
res := &cmapi.CreateIssuerPairResult{}
var signerDescr *descriptor.Issuer
var signerExists bool
if params.SignerID > 0 {
signerExists, signerDescr, err = lg.db.GetIssuerByID(ctx, params.SignerID)
if !signerExists {
err := fmt.Errorf("Issuer with id %d cannot found", params.SignerID)
if err != nil {
return res, err
}
}
} else if params.SignerName != "" {
signerExists, signerDescr, err = lg.db.GetIssuerByName(ctx, params.SignerName)
if signerExists {
err := fmt.Errorf("Issuer with name %s cannot found", params.SignerName)
if err != nil {
return res, err
}
}
}
var signerDescr *descriptor.Issuer
var signerExists bool
if params.SignerID > 0 {
signerExists, signerDescr, err = lg.db.GetIssuerByID(ctx, params.SignerID)
if !signerExists {
err := fmt.Errorf("Issuer with id %d cannot found", params.SignerID)
if err != nil {
return res, err
}
}
} else if params.SignerName != "" {
signerExists, signerDescr, err = lg.db.GetIssuerByName(ctx, params.SignerName)
if signerExists {
err := fmt.Errorf("Issuer with name %s cannot found", params.SignerName)
if err != nil {
return res, err
}
}
}
createIssuerPairParams := &cm509.CreateIssuerPairParams{
CommonName: params.IssuerCommonName,
}
if signerDescr != nil {
lg.log.Debugf("Create issuer with signer name %s", signerDescr.Name)
createIssuerPairParams.SignerCert = signerDescr.Cert
createIssuerPairParams.SignerKey = signerDescr.Key
}
if signerDescr != nil {
lg.log.Debugf("Create issuer with signer name %s", signerDescr.Name)
createIssuerPairParams.SignerCert = signerDescr.Cert
createIssuerPairParams.SignerKey = signerDescr.Key
}
createIssuerPairRes, err := cm509.CreateIssuerPair(createIssuerPairParams)
if err != nil {
@@ -52,21 +52,21 @@ func (lg *Logic) CreateIssuerPair(ctx context.Context, params *cmapi.CreateIssue
Key: createIssuerPairRes.Key,
}
issuerExists, _, err := lg.db.GetIssuerByName(ctx, issuerDescr.Name)
if issuerExists {
err := fmt.Errorf("Issuer with name %s already exists", issuerDescr.Name)
if err != nil {
return res, err
}
}
issuerExists, _, err := lg.db.GetIssuerByName(ctx, issuerDescr.Name)
if issuerExists {
err := fmt.Errorf("Issuer with name %s already exists", issuerDescr.Name)
if err != nil {
return res, err
}
}
issuerID, err := lg.db.InsertIssuer(ctx, issuerDescr)
if err != nil {
return res, err
}
res.IssuerID = issuerID
res.IssuerName = createIssuerPairRes.Name
res.Certificate = createIssuerPairRes.Cert
res.IssuerName = createIssuerPairRes.Name
res.Certificate = createIssuerPairRes.Cert
return res, err
}

23
internal/logic/service.go
View File

@@ -4,9 +4,9 @@ import (
"context"
"fmt"
"certmanager/internal/descriptor"
cmapi "certmanager/api/certmanagercontrol"
"certmanager/pkg/cm509"
"certmanager/internal/descriptor"
"certmanager/pkg/cm509"
)
func (lg *Logic) CreateServicePair(ctx context.Context, params *cmapi.CreateServicePairParams) (*cmapi.CreateServicePairResult, error) {
@@ -19,7 +19,7 @@ func (lg *Logic) CreateServicePair(ctx context.Context, params *cmapi.CreateServ
case params.IssuerID != 0:
issuerExists, issuerDescr, err = lg.db.GetIssuerByID(ctx, params.IssuerID)
if !issuerExists {
err := fmt.Errorf("No signer with this ID was found")
err := fmt.Errorf("No signer with id was found", params.IssuerID)
if err != nil {
return res, err
}
@@ -27,7 +27,7 @@ func (lg *Logic) CreateServicePair(ctx context.Context, params *cmapi.CreateServ
case params.IssuerName != "":
issuerExists, issuerDescr, err = lg.db.GetIssuerByName(ctx, params.IssuerName)
if !issuerExists {
err := fmt.Errorf("No signer with this common name was found")
err := fmt.Errorf("No signer with name %s was found", params.IssuerName)
if err != nil {
return res, err
}
@@ -56,8 +56,9 @@ func (lg *Logic) CreateServicePair(ctx context.Context, params *cmapi.CreateServ
IssuerKey: issuerDescr.Key,
IssuerCert: issuerDescr.Cert,
IPAddresses: params.InetAddresses,
DNSNames: params.Hostnames,
}
createSericePairRes, err := cm509.CreateServicePairV2(createServicePairParams)
createSericePairRes, err := cm509.CreateServicePair(createServicePairParams)
if err != nil {
return res, err
}
@@ -73,9 +74,9 @@ func (lg *Logic) CreateServicePair(ctx context.Context, params *cmapi.CreateServ
if err != nil {
return res, err
}
res.Name = createSericePairRes.Name
res.ServiceName = createSericePairRes.Name
res.ServiceID = serviceID
res.Cerificate = createSericePairRes.Cert
res.Certificate = createSericePairRes.Cert
res.Key = createSericePairRes.Key
res.IssuerID = issuerDescr.ID
res.IssuerCertificate = issuerDescr.Cert
@@ -157,7 +158,7 @@ func (lg *Logic) RevokeServicePair(ctx context.Context, params *cmapi.RevokeServ
case params.ServiceID != 0:
serviceExists, serviceDescr, err = lg.db.GetServiceByID(ctx, params.ServiceID)
if !serviceExists {
err := fmt.Errorf("No signer with this ID was found")
err := fmt.Errorf("No signer with id %d was found", params.ServiceID)
if err != nil {
return res, err
}
@@ -165,7 +166,7 @@ func (lg *Logic) RevokeServicePair(ctx context.Context, params *cmapi.RevokeServ
case params.ServiceName != "":
serviceExists, serviceDescr, err = lg.db.GetServiceByName(ctx, params.ServiceName)
if !serviceExists {
err := fmt.Errorf("No signer with this common name was found")
err := fmt.Errorf("No signer with name %s was found", params.ServiceName)
if err != nil {
return res, err
}
@@ -202,7 +203,7 @@ func (lg *Logic) UnrevokeServicePair(ctx context.Context, params *cmapi.Unrevoke
case params.ServiceID != 0:
serviceExists, serviceDescr, err = lg.db.GetServiceByID(ctx, params.ServiceID)
if !serviceExists {
err := fmt.Errorf("No signer with this ID was found")
err := fmt.Errorf("No signer with id %d was found", params.ServiceID)
if err != nil {
return res, err
}
@@ -210,7 +211,7 @@ func (lg *Logic) UnrevokeServicePair(ctx context.Context, params *cmapi.Unrevoke
case params.ServiceName != "":
serviceExists, serviceDescr, err = lg.db.GetServiceByName(ctx, params.ServiceName)
if !serviceExists {
err := fmt.Errorf("No signer with this common name was found")
err := fmt.Errorf("No signer with name %s was found", params.ServiceName)
if err != nil {
return res, err
}

62
internal/test/logic_issuer_create_test.go
View File

@@ -43,7 +43,7 @@ func TestIssuerCreateV0(t *testing.T) {
signerCommonName := "foo.bar"
var signerID int64
var signerCert string
var signerName string
var signerName string
{
createIssuerPairParams := &cmapi.CreateIssuerPairParams{
IssuerCommonName: signerCommonName,
@@ -61,27 +61,27 @@ func TestIssuerCreateV0(t *testing.T) {
signerName = createIssuerPairRes.IssuerName
printObj("signerName", signerName)
signerCertObj, err := cm509.ParseDoubleEncodedCerificate(signerCert)
require.NoError(t, err)
signerCertObj, err := cm509.ParseDoubleEncodedCerificate(signerCert)
require.NoError(t, err)
require.NotNil(t, signerCertObj)
printObj("signerCertObj Subject", signerCertObj.Subject.String())
printObj("signerCertObj Issuer", signerCertObj.Issuer.String())
printObj("signerCertObj Subject", signerCertObj.Subject.String())
printObj("signerCertObj Issuer", signerCertObj.Issuer.String())
}
issuerCommonName := "make.love.not.war"
var issuerID int64
var issuerCert string
var issuerName string
var issuerName string
{
createIssuerPairParams := &cmapi.CreateIssuerPairParams{
IssuerCommonName: issuerCommonName,
SignerID: signerID,
SignerID: signerID,
}
createIssuerPairRes, err := lg.CreateIssuerPair(ctx, createIssuerPairParams)
require.NoError(t, err)
require.NotNil(t, createIssuerPairRes)
issuerID = createIssuerPairRes.IssuerID
printObj("issuerID", issuerID)
printObj("issuerID", issuerID)
issuerCert = createIssuerPairRes.Certificate
printObj("issuerCert", issuerCert)
@@ -89,17 +89,50 @@ func TestIssuerCreateV0(t *testing.T) {
issuerName = createIssuerPairRes.IssuerName
printObj("issuerName", issuerName)
issuerCertObj, err := cm509.ParseDoubleEncodedCerificate(issuerCert)
require.NoError(t, err)
issuerCertObj, err := cm509.ParseDoubleEncodedCerificate(issuerCert)
require.NoError(t, err)
require.NotNil(t, issuerCertObj)
printObj("issuerCertObj Subject", issuerCertObj.Subject.String())
printObj("issuerCertObj Issuer", issuerCertObj.Issuer.String())
printObj("issuerCertObj Subject", issuerCertObj.Subject.String())
printObj("issuerCertObj Issuer", issuerCertObj.Issuer.String())
require.NotEqual(t, issuerCertObj.Subject.String(), issuerCertObj.Issuer.String())
require.NotEqual(t, issuerCertObj.Subject.String(), issuerCertObj.Issuer.String())
}
serviceCommonName := "dont.worry"
var serviceID int64
var serviceCert string
var serviceName string
{
createServicePairParams := &cmapi.CreateServicePairParams{
ServiceCommonName: serviceCommonName,
IssuerID: issuerID,
InetAddresses: []string{"1.1.1.1", "1.1.1.2", "1.1.1.3"},
Hostnames: []string{"dont.worry", "be.happy"},
}
createServicePairRes, err := lg.CreateServicePair(ctx, createServicePairParams)
require.NoError(t, err)
require.NotNil(t, createServicePairRes)
serviceID = createServicePairRes.ServiceID
printObj("serviceID", serviceID)
serviceCert = createServicePairRes.Certificate
printObj("serviceCert", serviceCert)
serviceName = createServicePairRes.ServiceName
printObj("serviceName", serviceName)
serviceCertObj, err := cm509.ParseDoubleEncodedCerificate(serviceCert)
require.NoError(t, err)
require.NotNil(t, serviceCertObj)
printObj("serviceCertObj Subject", serviceCertObj.Subject.String())
printObj("serviceCertObj Service", serviceCertObj.Issuer.String())
printObj("serviceCertObj DNSNames", serviceCertObj.DNSNames)
printObj("serviceCertObj IP addresses", serviceCertObj.IPAddresses)
require.NotEqual(t, serviceCertObj.Subject.String(), serviceCertObj.Issuer.String())
}
}
func XXXTestIssuerCreate(t *testing.T) {
var err error
var lg *logic.Logic
@@ -260,4 +293,3 @@ func XXXTestIssuerCreate(t *testing.T) {
printObj("getServicePairRes", getServicePairRes)
}
}

289
pkg/cm509/x509.go
View File

@@ -15,8 +15,8 @@ import (
type CreateIssuerPairParams struct {
CommonName string
SignerCert string
SignerKey string
SignerCert string
SignerKey string
}
type CreateIssuerPairResult struct {
Name string
@@ -24,34 +24,33 @@ type CreateIssuerPairResult struct {
Key string
}
func CreateIssuerPair(params *CreateIssuerPairParams) (*CreateIssuerPairResult, error) {
var err error
res := &CreateIssuerPairResult{}
if params.SignerKey != "" && params.SignerCert == "" {
err = fmt.Errorf("The signature key and certificate must be defined together")
return res, err
}
if params.SignerKey == "" && params.SignerCert != "" {
err = fmt.Errorf("The signature key and certificate must be defined together")
return res, err
}
if params.SignerKey != "" && params.SignerCert == "" {
err = fmt.Errorf("The signature key and certificate must be defined together")
return res, err
}
if params.SignerKey == "" && params.SignerCert != "" {
err = fmt.Errorf("The signature key and certificate must be defined together")
return res, err
}
var signerKey any
if params.SignerKey != "" {
signerKey, err = ParseDoubleEncodedKey(params.SignerKey)
if err != nil {
return res, err
}
}
var signerCert *x509.Certificate
if params.SignerCert != "" {
signerCert, err = ParseDoubleEncodedCerificate(params.SignerCert)
if err != nil {
return res, err
}
}
var signerKey any
if params.SignerKey != "" {
signerKey, err = ParseDoubleEncodedKey(params.SignerKey)
if err != nil {
return res, err
}
}
var signerCert *x509.Certificate
if params.SignerCert != "" {
signerCert, err = ParseDoubleEncodedCerificate(params.SignerCert)
if err != nil {
return res, err
}
}
certPem := make([]byte, 0)
keyPem := make([]byte, 0)
@@ -77,34 +76,35 @@ func CreateIssuerPair(params *CreateIssuerPairParams) (*CreateIssuerPairResult,
CommonName: params.CommonName,
}
certIssuer := certSubject
if signerCert != nil {
certIssuer = signerCert.Subject
}
certIssuer := certSubject
if signerCert != nil {
certIssuer = signerCert.Subject
}
var issuerKey any = certKey
if signerKey != nil {
issuerKey = signerKey
}
var issuerKey any = certKey
if signerKey != nil {
issuerKey = signerKey
}
res.Name = certSubject.String()
certTempl := &x509.Certificate{
SerialNumber: big.NewInt(now.Unix()),
NotBefore: now,
NotAfter: now.AddDate(yearsAfter, 0, 0),
Subject: certSubject,
Issuer: certIssuer,
IsCA: true,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
SerialNumber: big.NewInt(now.Unix()),
NotBefore: now,
NotAfter: now.AddDate(yearsAfter, 0, 0),
Subject: certSubject,
Issuer: certIssuer,
IsCA: true,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign |
x509.KeyUsageKeyEncipherment | x509.KeyUsageCRLSign,
BasicConstraintsValid: true,
}
parentCert := certTempl
if signerCert != nil {
parentCert = signerCert
}
parentCert := certTempl
if signerCert != nil {
parentCert = signerCert
}
certBytes, err := x509.CreateCertificate(rand.Reader, certTempl, parentCert, &certKey.PublicKey, issuerKey)
if err != nil {
@@ -126,69 +126,6 @@ func CreateIssuerPair(params *CreateIssuerPairParams) (*CreateIssuerPairResult,
return res, err
}
func CreateIssuerPairV0(params *CreateIssuerPairParams) (*CreateIssuerPairResult, error) {
var err error
res := &CreateIssuerPairResult{}
certPem := make([]byte, 0)
keyPem := make([]byte, 0)
now := time.Now()
const yearsAfter int = 10
const keySize int = 2048
key, err := rsa.GenerateKey(rand.Reader, keySize)
if err != nil {
err := fmt.Errorf("Can't create a private key: %v", err)
return res, err
}
keyPemBlock := pem.Block{
Type: "RSA PRIVATE KEY",
Bytes: x509.MarshalPKCS1PrivateKey(key),
}
keyPem = pem.EncodeToMemory(&keyPemBlock)
subjectName := pkix.Name{
CommonName: params.CommonName,
}
issuerName := subjectName
res.Name = subjectName.String()
certTempl := x509.Certificate{
SerialNumber: big.NewInt(now.Unix()),
NotBefore: now,
NotAfter: now.AddDate(yearsAfter, 0, 0),
Subject: subjectName,
Issuer: issuerName,
IsCA: true,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
BasicConstraintsValid: true,
}
certBytes, err := x509.CreateCertificate(rand.Reader, &certTempl, &certTempl, &key.PublicKey, key)
if err != nil {
err := fmt.Errorf("Can't create a certificate: %v", err)
return res, err
}
certPemBlock := pem.Block{
Type: "CERTIFICATE",
Bytes: certBytes,
}
certPem = pem.EncodeToMemory(&certPemBlock)
if err != nil {
return res, err
}
res.Cert = base64.StdEncoding.EncodeToString(certPem)
res.Key = base64.StdEncoding.EncodeToString(keyPem)
return res, err
}
type CreateServicePairParams struct {
CommonName string
DNSNames []string
@@ -202,7 +139,116 @@ type CreateServicePairResult struct {
Key string
}
func CreateServicePairV2(params *CreateServicePairParams) (*CreateServicePairResult, error) {
func CreateServicePair(params *CreateServicePairParams) (*CreateServicePairResult, error) {
var err error
res := &CreateServicePairResult{}
if params.IssuerKey != "" && params.IssuerCert == "" {
err = fmt.Errorf("The signature key and certificate must be defined together")
return res, err
}
if params.IssuerKey == "" && params.IssuerCert != "" {
err = fmt.Errorf("The signature key and certificate must be defined together")
return res, err
}
var signerKey any
if params.IssuerKey != "" {
signerKey, err = ParseDoubleEncodedKey(params.IssuerKey)
if err != nil {
return res, err
}
}
var signerCert *x509.Certificate
if params.IssuerCert != "" {
signerCert, err = ParseDoubleEncodedCerificate(params.IssuerCert)
if err != nil {
return res, err
}
}
certPem := make([]byte, 0)
keyPem := make([]byte, 0)
now := time.Now()
const yearsAfter int = 10
const keySize int = 2048
certKey, err := rsa.GenerateKey(rand.Reader, keySize)
if err != nil {
err := fmt.Errorf("Can't create a private key: %v", err)
return res, err
}
keyPemBlock := &pem.Block{
Type: "RSA PRIVATE KEY",
Bytes: x509.MarshalPKCS1PrivateKey(certKey),
}
keyPem = pem.EncodeToMemory(keyPemBlock)
certSubject := pkix.Name{
CommonName: params.CommonName,
}
certIssuer := certSubject
if signerCert != nil {
certIssuer = signerCert.Subject
}
var issuerKey any = certKey
if signerKey != nil {
issuerKey = signerKey
}
res.Name = certSubject.String()
netAddresses := make([]net.IP, 0)
for _, ipAddress := range params.IPAddresses {
netAddress := net.ParseIP(ipAddress)
netAddresses = append(netAddresses, netAddress)
}
certTempl := &x509.Certificate{
SerialNumber: big.NewInt(now.Unix()),
NotBefore: now,
NotAfter: now.AddDate(yearsAfter, 0, 0),
Subject: certSubject,
Issuer: certIssuer,
DNSNames: params.DNSNames,
IPAddresses: netAddresses,
IsCA: false,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
KeyUsage: x509.KeyUsageDigitalSignature,
BasicConstraintsValid: true,
}
parentCert := certTempl
if signerCert != nil {
parentCert = signerCert
}
certBytes, err := x509.CreateCertificate(rand.Reader, certTempl, parentCert, &certKey.PublicKey, issuerKey)
if err != nil {
err := fmt.Errorf("Can't create a certificate: %v", err)
return res, err
}
certPemBlock := pem.Block{
Type: "CERTIFICATE",
Bytes: certBytes,
}
certPem = pem.EncodeToMemory(&certPemBlock)
if err != nil {
return res, err
}
res.Cert = base64.StdEncoding.EncodeToString(certPem)
res.Key = base64.StdEncoding.EncodeToString(keyPem)
return res, err
}
func XXXCreateServicePair(params *CreateServicePairParams) (*CreateServicePairResult, error) {
var err error
res := &CreateServicePairResult{}
@@ -278,18 +324,13 @@ func CreateServicePairV2(params *CreateServicePairParams) (*CreateServicePairRes
return res, err
}
func ParseDoubleEncodedCerificate(certString string) (*x509.Certificate, error) {
var err error
res := &x509.Certificate{}
certPEM, err := base64.StdEncoding.DecodeString(certString)
if err != nil {
err := fmt.Errorf("Failed to parse base64 certificate string: %v", err)
err := fmt.Errorf("Failed to parse base64 certificate string: %v", err)
return res, err
}
certBlock, _ := pem.Decode([]byte(certPEM))
@@ -297,14 +338,14 @@ func ParseDoubleEncodedCerificate(certString string) (*x509.Certificate, error)
err := fmt.Errorf("Failed to parse certificate PEM")
return res, err
}
if certBlock.Type != "CERTIFICATE" {
if certBlock.Type != "CERTIFICATE" {
err := fmt.Errorf("Unknown PEM certificate type: %s", certBlock.Type)
return res, err
}
if len(certBlock.Bytes) == 0 {
}
if len(certBlock.Bytes) == 0 {
err := fmt.Errorf("Empty PEM certificate block")
return res, err
}
}
res, err = x509.ParseCertificate(certBlock.Bytes)
if err != nil {
@@ -322,14 +363,14 @@ func ParseEncodedCerificate(certPEM string) (*x509.Certificate, error) {
err := fmt.Errorf("Failed to parse certificate PEM")
return res, err
}
if certBlock.Type != "CERTIFICATE" {
if certBlock.Type != "CERTIFICATE" {
err := fmt.Errorf("Unknown PEM certificate type: %s", certBlock.Type)
return res, err
}
if len(certBlock.Bytes) == 0 {
}
if len(certBlock.Bytes) == 0 {
err := fmt.Errorf("Empty PEM certificate block")
return res, err
}
}
res, err = x509.ParseCertificate(certBlock.Bytes)
if err != nil {
return res, err
@@ -343,7 +384,7 @@ func ParseDoubleEncodedKey(keyString string) (any, error) {
keyPEM, err := base64.StdEncoding.DecodeString(keyString)
if err != nil {
err := fmt.Errorf("Failed to parse base64 key string: %v", err)
err := fmt.Errorf("Failed to parse base64 key string: %v", err)
return res, err
}
keyBlock, _ := pem.Decode([]byte(keyPEM))

4
proto/certmanagercontrol.proto
View File

@@ -94,10 +94,10 @@ message createServicePairParams {
}
message createServicePairResult {
int64 serviceID = 1;
string name = 2;
string serviceName = 2;
string issuerCertificate = 3;
int64 issuerID = 4;
string cerificate = 5;
string certificate = 5;
string key = 6;
}