From f89cfe7d9050790a7cdd17028a8415cb3faf07e3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=9E=D0=BB=D0=B5=D0=B3=20=D0=91=D0=BE=D1=80=D0=BE=D0=B4?= =?UTF-8?q?=D0=B8=D0=BD?= Date: Tue, 6 Aug 2024 19:10:36 +0200 Subject: [PATCH] certmanager updated --- .../certmanagercontrol.pb.go | 33 +-- cmd/certmanagerctl/main.go | 8 +- internal/logic/issuer.go | 68 +++--- internal/logic/service.go | 23 +- internal/test/logic_issuer_create_test.go | 62 +++-- pkg/cm509/x509.go | 223 +++++++++++------- proto/certmanagercontrol.proto | 4 +- 7 files changed, 248 insertions(+), 173 deletions(-) diff --git a/api/certmanagercontrol/certmanagercontrol.pb.go b/api/certmanagercontrol/certmanagercontrol.pb.go index 6ea1610..111f894 100644 --- a/api/certmanagercontrol/certmanagercontrol.pb.go +++ b/api/certmanagercontrol/certmanagercontrol.pb.go @@ -918,10 +918,10 @@ type CreateServicePairResult struct { unknownFields protoimpl.UnknownFields ServiceID int64 `protobuf:"varint,1,opt,name=serviceID,proto3" json:"serviceID,omitempty"` - Name string `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"` + ServiceName string `protobuf:"bytes,2,opt,name=serviceName,proto3" json:"serviceName,omitempty"` IssuerCertificate string `protobuf:"bytes,3,opt,name=issuerCertificate,proto3" json:"issuerCertificate,omitempty"` IssuerID int64 `protobuf:"varint,4,opt,name=issuerID,proto3" json:"issuerID,omitempty"` - Cerificate string `protobuf:"bytes,5,opt,name=cerificate,proto3" json:"cerificate,omitempty"` + Certificate string `protobuf:"bytes,5,opt,name=certificate,proto3" json:"certificate,omitempty"` Key string `protobuf:"bytes,6,opt,name=key,proto3" json:"key,omitempty"` } @@ -964,9 +964,9 @@ func (x *CreateServicePairResult) GetServiceID() int64 { return 0 } -func (x *CreateServicePairResult) GetName() string { +func (x *CreateServicePairResult) GetServiceName() string { if x != nil { - return x.Name + return x.ServiceName } return "" } 
@@ -985,9 +985,9 @@ func (x *CreateServicePairResult) GetIssuerID() int64 { return 0 } -func (x *CreateServicePairResult) GetCerificate() string { +func (x *CreateServicePairResult) GetCertificate() string { if x != nil { - return x.Cerificate + return x.Certificate } return "" } 
@@ -1622,18 +1622,19 @@ var file_certmanagercontrol_proto_rawDesc = []byte{ 0x03, 0x28, 0x09, 0x52, 0x09, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x12, 0x24, 0x0a, 0x0d, 0x69, 0x6e, 0x65, 0x74, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x65, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0d, 0x69, 0x6e, 0x65, 0x74, 0x41, 0x64, 0x64, 0x72, 0x65, - 0x73, 0x73, 0x65, 0x73, 0x22, 0xc7, 0x01, 0x0a, 0x17, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x53, + 0x73, 0x73, 0x65, 0x73, 0x22, 0xd7, 0x01, 0x0a, 0x17, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x50, 0x61, 0x69, 0x72, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x12, 0x1c, 0x0a, 0x09, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x49, 0x44, 0x18, 0x01, 0x20, - 0x01, 0x28, 0x03, 0x52, 0x09, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x49, 0x44, 0x12, 0x12, - 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, - 0x6d, 0x65, 0x12, 0x2c, 0x0a, 0x11, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x43, 0x65, 0x72, 0x74, - 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x69, - 0x73, 0x73, 0x75, 0x65, 0x72, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, - 0x12, 0x1a, 0x0a, 0x08, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x49, 0x44, 0x18, 0x04, 0x20, 0x01, - 0x28, 0x03, 0x52, 0x08, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x49, 0x44, 0x12, 0x1e, 0x0a, 0x0a, - 0x63, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x0a, 0x63, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x10, 0x0a, 0x03, + 0x01, 0x28, 0x03, 0x52, 0x09, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x49, 0x44, 0x12, 0x20, + 0x0a, 0x0b, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x0b, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x4e, 0x61, 0x6d, 0x65, + 0x12, 0x2c, 0x0a, 0x11, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x43, 
0x65, 0x72, 0x74, 0x69, 0x66, + 0x69, 0x63, 0x61, 0x74, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x69, 0x73, 0x73, + 0x75, 0x65, 0x72, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x1a, + 0x0a, 0x08, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x49, 0x44, 0x18, 0x04, 0x20, 0x01, 0x28, 0x03, + 0x52, 0x08, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x49, 0x44, 0x12, 0x20, 0x0a, 0x0b, 0x63, 0x65, + 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x0b, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x22, 0x9b, 0x01, 0x0a, 0x17, 0x72, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x50, 0x61, 0x69, 0x72, 0x50, 0x61, 0x72, 0x61, 0x6d, 0x73, 0x12, 0x1c, 0x0a, 0x09, 0x73, 0x65, diff --git a/cmd/certmanagerctl/main.go b/cmd/certmanagerctl/main.go index d40a0be..d73fa52 100644 --- a/cmd/certmanagerctl/main.go +++ b/cmd/certmanagerctl/main.go @@ -65,11 +65,11 @@ type Util struct { issuerName string keyFilename string - signerID int64 - signerName string + signerID int64 + signerName string - serviceID int64 - serviceName string + serviceID int64 + serviceName string } func NewUtil() *Util { diff --git a/internal/logic/issuer.go b/internal/logic/issuer.go index 7573bd0..b43879d 100644 --- a/internal/logic/issuer.go +++ b/internal/logic/issuer.go 
@@ -7,39 +7,39 @@ import (
 cmapi "certmanager/api/certmanagercontrol"
 "certmanager/internal/descriptor"
- "certmanager/pkg/cm509"
+ "certmanager/pkg/cm509"
 )
 func (lg *Logic) CreateIssuerPair(ctx context.Context, params *cmapi.CreateIssuerPairParams) (*cmapi.CreateIssuerPairResult, error) {
 var err error
 res := &cmapi.CreateIssuerPairResult{}
- var signerDescr *descriptor.Issuer
- var signerExists bool
- if params.SignerID > 0 {
- signerExists, signerDescr, err = lg.db.GetIssuerByID(ctx, params.SignerID)
- if !signerExists {
- err := fmt.Errorf("Issuer with id %d cannot found", params.SignerID)
- if err != nil {
- return res, err
- }
- }
- } else if params.SignerName != "" {
- signerExists, signerDescr, err = lg.db.GetIssuerByName(ctx, params.SignerName)
- if signerExists {
- err := fmt.Errorf("Issuer with name %s cannot found", params.SignerName)
- if err != nil {
- return res, err
- }
- }
- }
+ var signerDescr *descriptor.Issuer
+ var signerExists bool
+ if params.SignerID > 0 {
+ signerExists, signerDescr, err = lg.db.GetIssuerByID(ctx, params.SignerID)
+ if !signerExists {
+ err := fmt.Errorf("Issuer with id %d cannot found", params.SignerID)
+ if err != nil {
+ return res, err
+ }
+ }
+ } else if params.SignerName != "" {
+ signerExists, signerDescr, err = lg.db.GetIssuerByName(ctx, params.SignerName)
+ if signerExists {
+ err := fmt.Errorf("Issuer with name %s cannot found", params.SignerName)
+ if err != nil {
+ return res, err
+ }
+ }
+ }
 createIssuerPairParams := &cm509.CreateIssuerPairParams{
 CommonName: params.IssuerCommonName,
- }
- if signerDescr != nil {
- lg.log.Debugf("Create issuer with signer name %s", signerDescr.Name)
- createIssuerPairParams.SignerCert = signerDescr.Cert
- createIssuerPairParams.SignerKey = signerDescr.Key
+ }
+ if signerDescr != nil {
+ lg.log.Debugf("Create issuer with signer name %s", signerDescr.Name)
+ createIssuerPairParams.SignerCert = signerDescr.Cert
+ createIssuerPairParams.SignerKey = signerDescr.Key
 }
 createIssuerPairRes, err := cm509.CreateIssuerPair(createIssuerPairParams)
 if err != nil {
@@ -52,21 +52,21 @@ func (lg *Logic) CreateIssuerPair(ctx context.Context, params *cmapi.CreateIssue
 Key: createIssuerPairRes.Key,
 }
- issuerExists, _, err := lg.db.GetIssuerByName(ctx, issuerDescr.Name)
- if issuerExists {
- err := fmt.Errorf("Issuer with name %s already exists", issuerDescr.Name)
- if err != nil {
- return res, err
- }
- }
+ issuerExists, _, err := lg.db.GetIssuerByName(ctx, issuerDescr.Name)
+ if issuerExists {
+ err := fmt.Errorf("Issuer with name %s already exists", issuerDescr.Name)
+ if err != nil {
+ return res, err
+ }
+ }
 issuerID, err := lg.db.InsertIssuer(ctx, issuerDescr)
 if err != nil {
 return res, err
 }
 res.IssuerID = issuerID
- res.IssuerName = createIssuerPairRes.Name
- res.Certificate = createIssuerPairRes.Cert
+ res.IssuerName = createIssuerPairRes.Name
+ res.Certificate = createIssuerPairRes.Cert
 return res, err
 }
diff --git a/internal/logic/service.go b/internal/logic/service.go
index d29004e..c342f7d 100644
--- a/internal/logic/service.go
+++ b/internal/logic/service.go
@@ -4,9 +4,9 @@ import (
 "context"
 "fmt"
- "certmanager/internal/descriptor"
 cmapi "certmanager/api/certmanagercontrol"
- "certmanager/pkg/cm509"
+ "certmanager/internal/descriptor"
+ "certmanager/pkg/cm509"
 )
 func (lg *Logic) CreateServicePair(ctx context.Context, params *cmapi.CreateServicePairParams) (*cmapi.CreateServicePairResult, error) {
@@ -19,7 +19,7 @@ func (lg *Logic) CreateServicePair(ctx context.Context, params *cmapi.CreateServ
 case params.IssuerID != 0:
 issuerExists, issuerDescr, err = lg.db.GetIssuerByID(ctx, params.IssuerID)
 if !issuerExists {
- err := fmt.Errorf("No signer with this ID was found")
+ err := fmt.Errorf("No signer with id was found", params.IssuerID)
 if err != nil {
 return res, err
 }
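Review bot: In the `else if params.SignerName != ""` branch the existence test is inverted: `if signerExists {` returns "cannot found" exactly when the signer was found, while an unknown signer name falls through with a nil signerDescr, so the request silently produces a self-signed issuer instead of one chained to the named signer; the guard should read `if !signerExists {`, matching the SignerID branch above it. In both branches the `err` returned by `lg.db.GetIssuerByID` / `lg.db.GetIssuerByName` is never examined before `signerExists` is consulted, so a lookup failure is reported as "not found" or, in the name branch, not at all. The `err := fmt.Errorf(...); if err != nil` shape shadows the outer `err` and its condition is always true; `return res, fmt.Errorf(...)` is enough. CreateIssuerPair continues past the end of the hunk.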
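Review bot: The new message `fmt.Errorf("No signer with id was found", params.IssuerID)` has no verb for its argument, so `go vet` reports it and the rendered error ends in `%!(EXTRA int64=...)`; it should be `err := fmt.Errorf("No signer with id %d was found", params.IssuerID)`, as the RevokeServicePair and UnrevokeServicePair hunks in this file already do. The `err` from `lg.db.GetIssuerByID` on the line above is also left unchecked before `issuerExists` is tested, so a database error is presented to the caller as a missing signer. CreateServicePair continues outside the hunk.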
@@ -27,7 +27,7 @@ func (lg *Logic) CreateServicePair(ctx context.Context, params *cmapi.CreateServ
 case params.IssuerName != "":
 issuerExists, issuerDescr, err = lg.db.GetIssuerByName(ctx, params.IssuerName)
 if !issuerExists {
- err := fmt.Errorf("No signer with this common name was found")
+ err := fmt.Errorf("No signer with name %s was found", params.IssuerName)
 if err != nil {
 return res, err
 }
@@ -56,8 +56,9 @@ func (lg *Logic) CreateServicePair(ctx context.Context, params *cmapi.CreateServ
 IssuerKey: issuerDescr.Key,
 IssuerCert: issuerDescr.Cert,
 IPAddresses: params.InetAddresses,
+ DNSNames: params.Hostnames,
 }
- createSericePairRes, err := cm509.CreateServicePairV2(createServicePairParams)
+ createSericePairRes, err := cm509.CreateServicePair(createServicePairParams)
 if err != nil {
 return res, err
 }
@@ -73,9 +74,9 @@ func (lg *Logic) CreateServicePair(ctx context.Context, params *cmapi.CreateServ
 if err != nil {
 return res, err
 }
- res.Name = createSericePairRes.Name
+ res.ServiceName = createSericePairRes.Name
 res.ServiceID = serviceID
- res.Cerificate = createSericePairRes.Cert
+ res.Certificate = createSericePairRes.Cert
 res.Key = createSericePairRes.Key
 res.IssuerID = issuerDescr.ID
 res.IssuerCertificate = issuerDescr.Cert
@@ -157,7 +158,7 @@ func (lg *Logic) RevokeServicePair(ctx context.Context, params *cmapi.RevokeServ
 case params.ServiceID != 0:
 serviceExists, serviceDescr, err = lg.db.GetServiceByID(ctx, params.ServiceID)
 if !serviceExists {
- err := fmt.Errorf("No signer with this ID was found")
+ err := fmt.Errorf("No signer with id %d was found", params.ServiceID)
 if err != nil {
 return res, err
 }
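Review bot: The reworded message in RevokeServicePair still says "No signer with id %d was found" although the lookup on the line above is `lg.db.GetServiceByID(ctx, params.ServiceID)`, so an operator revoking a service is told a signer is missing; `err := fmt.Errorf("No service with id %d was found", params.ServiceID)` describes the failure correctly. The same copy-paste wording is kept in the three following hunks (`@@ -165`, `@@ -202`, `@@ -210`) for the by-name and UnrevokeServicePair variants. RevokeServicePair continues outside the hunk.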
@@ -165,7 +166,7 @@ func (lg *Logic) RevokeServicePair(ctx context.Context, params *cmapi.RevokeServ
 case params.ServiceName != "":
 serviceExists, serviceDescr, err = lg.db.GetServiceByName(ctx, params.ServiceName)
 if !serviceExists {
- err := fmt.Errorf("No signer with this common name was found")
+ err := fmt.Errorf("No signer with name %s was found", params.ServiceName)
 if err != nil {
 return res, err
 }
@@ -202,7 +203,7 @@ func (lg *Logic) UnrevokeServicePair(ctx context.Context, params *cmapi.Unrevoke
 case params.ServiceID != 0:
 serviceExists, serviceDescr, err = lg.db.GetServiceByID(ctx, params.ServiceID)
 if !serviceExists {
- err := fmt.Errorf("No signer with this ID was found")
+ err := fmt.Errorf("No signer with id %d was found", params.ServiceID)
 if err != nil {
 return res, err
 }
@@ -210,7 +211,7 @@ func (lg *Logic) UnrevokeServicePair(ctx context.Context, params *cmapi.Unrevoke
 case params.ServiceName != "":
 serviceExists, serviceDescr, err = lg.db.GetServiceByName(ctx, params.ServiceName)
 if !serviceExists {
- err := fmt.Errorf("No signer with this common name was found")
+ err := fmt.Errorf("No signer with name %s was found", params.ServiceName)
 if err != nil {
 return res, err
 }
diff --git a/internal/test/logic_issuer_create_test.go b/internal/test/logic_issuer_create_test.go
index 280019f..56b464e 100644
--- a/internal/test/logic_issuer_create_test.go
+++ b/internal/test/logic_issuer_create_test.go
@@ -43,7 +43,7 @@ func TestIssuerCreateV0(t *testing.T) {
 signerCommonName := "foo.bar"
 var signerID int64
 var signerCert string
- var signerName string
+ var signerName string
 {
 createIssuerPairParams := &cmapi.CreateIssuerPairParams{
 IssuerCommonName: signerCommonName,
@@ -61,27 +61,27 @@ func TestIssuerCreateV0(t *testing.T) {
 signerName = createIssuerPairRes.IssuerName
 printObj("signerName", signerName)
- signerCertObj, err := cm509.ParseDoubleEncodedCerificate(signerCert)
- require.NoError(t, err)
+ signerCertObj, err := cm509.ParseDoubleEncodedCerificate(signerCert)
+ require.NoError(t, err)
 require.NotNil(t, signerCertObj)
- printObj("signerCertObj Subject", signerCertObj.Subject.String())
- printObj("signerCertObj Issuer", signerCertObj.Issuer.String())
+ printObj("signerCertObj Subject", signerCertObj.Subject.String())
+ printObj("signerCertObj Issuer", signerCertObj.Issuer.String())
 }
 issuerCommonName := "make.love.not.war"
 var issuerID int64
 var issuerCert string
- var issuerName string
+ var issuerName string
 {
 createIssuerPairParams := &cmapi.CreateIssuerPairParams{
 IssuerCommonName: issuerCommonName,
- SignerID: signerID,
+ SignerID: signerID,
 }
 createIssuerPairRes, err := lg.CreateIssuerPair(ctx, createIssuerPairParams)
 require.NoError(t, err)
 require.NotNil(t, createIssuerPairRes)
 issuerID = createIssuerPairRes.IssuerID
- printObj("issuerID", issuerID)
+ printObj("issuerID", issuerID)
 issuerCert = createIssuerPairRes.Certificate
 printObj("issuerCert", issuerCert)
@@ -89,16 +89,49 @@ func TestIssuerCreateV0(t *testing.T) {
 issuerName = createIssuerPairRes.IssuerName
 printObj("issuerName", issuerName)
- issuerCertObj, err := cm509.ParseDoubleEncodedCerificate(issuerCert)
- require.NoError(t, err)
+ issuerCertObj, err := cm509.ParseDoubleEncodedCerificate(issuerCert)
+ require.NoError(t, err)
 require.NotNil(t, issuerCertObj)
- printObj("issuerCertObj Subject", issuerCertObj.Subject.String())
- printObj("issuerCertObj Issuer", issuerCertObj.Issuer.String())
+ printObj("issuerCertObj Subject", issuerCertObj.Subject.String())
+ printObj("issuerCertObj Issuer", issuerCertObj.Issuer.String())
- require.NotEqual(t, issuerCertObj.Subject.String(), issuerCertObj.Issuer.String())
+ require.NotEqual(t, issuerCertObj.Subject.String(), issuerCertObj.Issuer.String())
 }
-}
+ serviceCommonName := "dont.worry"
+ var serviceID int64
+ var serviceCert string
+ var serviceName string
+ {
+ createServicePairParams := &cmapi.CreateServicePairParams{
+ ServiceCommonName: serviceCommonName,
+ IssuerID: issuerID,
+ InetAddresses: []string{"1.1.1.1", "1.1.1.2", "1.1.1.3"},
+ Hostnames: []string{"dont.worry", "be.happy"},
+ }
+ createServicePairRes, err := lg.CreateServicePair(ctx, createServicePairParams)
+ require.NoError(t, err)
+ require.NotNil(t, createServicePairRes)
+
+ serviceID = createServicePairRes.ServiceID
+ printObj("serviceID", serviceID)
+
+ serviceCert = createServicePairRes.Certificate
+ printObj("serviceCert", serviceCert)
+ serviceName = createServicePairRes.ServiceName
+ printObj("serviceName", serviceName)
+
+ serviceCertObj, err := cm509.ParseDoubleEncodedCerificate(serviceCert)
+ require.NoError(t, err)
+ require.NotNil(t, serviceCertObj)
+ printObj("serviceCertObj Subject", serviceCertObj.Subject.String())
+ printObj("serviceCertObj Service", serviceCertObj.Issuer.String())
+ printObj("serviceCertObj DNSNames", serviceCertObj.DNSNames)
+ printObj("serviceCertObj IP addresses", serviceCertObj.IPAddresses)
+
+ require.NotEqual(t, 
serviceCertObj.Subject.String(), serviceCertObj.Issuer.String())
+ }
+}
 func XXXTestIssuerCreate(t *testing.T) {
 var err error
@@ -260,4 +293,3 @@ func XXXTestIssuerCreate(t *testing.T) {
 printObj("getServicePairRes", getServicePairRes)
 }
 }
-
diff --git a/pkg/cm509/x509.go b/pkg/cm509/x509.go
index 4df5711..0a8f2b6 100644
--- a/pkg/cm509/x509.go
+++ b/pkg/cm509/x509.go
@@ -15,8 +15,8 @@ import (
 type CreateIssuerPairParams struct {
 CommonName string
- SignerCert string
- SignerKey string
+ SignerCert string
+ SignerKey string
 }
 type CreateIssuerPairResult struct {
 Name string
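Review bot: The new service block only asserts `serviceCertObj.Subject.String() != serviceCertObj.Issuer.String()`, which passes for any certificate whose issuer name differs from its subject and does not show that the certificate was actually signed by the issuer created just above. Since `issuerCert` is still in scope, re-parse it inside the block and check the signature: `issuerCertObj, err := cm509.ParseDoubleEncodedCerificate(issuerCert)`, `require.NoError(t, err)`, `require.NoError(t, serviceCertObj.CheckSignatureFrom(issuerCertObj))`. The label in `printObj("serviceCertObj Service", serviceCertObj.Issuer.String())` prints the issuer and should read "serviceCertObj Issuer".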
@@ -24,34 +24,33 @@ type CreateIssuerPairResult struct {
 Key string
 }
-
 func CreateIssuerPair(params *CreateIssuerPairParams) (*CreateIssuerPairResult, error) {
 var err error
 res := &CreateIssuerPairResult{}
- if params.SignerKey != "" && params.SignerCert == "" {
- err = fmt.Errorf("The signature key and certificate must be defined together")
- return res, err
- }
- if params.SignerKey == "" && params.SignerCert != "" {
- err = fmt.Errorf("The signature key and certificate must be defined together")
- return res, err
- }
-
- var signerKey any
- if params.SignerKey != "" {
- signerKey, err = ParseDoubleEncodedKey(params.SignerKey)
- if err != nil {
- return res, err
- }
- }
- var signerCert *x509.Certificate
- if params.SignerCert != "" {
- signerCert, err = ParseDoubleEncodedCerificate(params.SignerCert)
- if err != nil {
- return res, err
- }
- }
+ if params.SignerKey != "" && params.SignerCert == "" {
+ err = fmt.Errorf("The signature key and certificate must be defined together")
+ return res, err
+ }
+ if params.SignerKey == "" && params.SignerCert != "" {
+ err = fmt.Errorf("The signature key and certificate must be defined together")
+ return res, err
+ }
+
+ var signerKey any
+ if params.SignerKey != "" {
+ signerKey, err = ParseDoubleEncodedKey(params.SignerKey)
+ if err != nil {
+ return res, err
+ }
+ }
+ var signerCert *x509.Certificate
+ if params.SignerCert != "" {
+ signerCert, err = ParseDoubleEncodedCerificate(params.SignerCert)
+ if err != nil {
+ return res, err
+ }
+ }
 certPem := make([]byte, 0)
 keyPem := make([]byte, 0)
@@ -77,34 +76,35 @@ func CreateIssuerPair(params *CreateIssuerPairParams) (*CreateIssuerPairResult,
 CommonName: params.CommonName,
 }
- certIssuer := certSubject
- if signerCert != nil {
- certIssuer = signerCert.Subject
- }
+ certIssuer := certSubject
+ if signerCert != nil {
+ certIssuer = signerCert.Subject
+ }
- var issuerKey any = certKey
- if signerKey != nil {
- issuerKey = signerKey
- }
+ var issuerKey any = certKey
+ if signerKey != nil {
+ issuerKey = signerKey
+ }
 res.Name = certSubject.String()
 certTempl := &x509.Certificate{
- SerialNumber: big.NewInt(now.Unix()),
- NotBefore: now,
- NotAfter: now.AddDate(yearsAfter, 0, 0),
- Subject: certSubject,
- Issuer: certIssuer,
- IsCA: true,
- ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
- KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+ SerialNumber: big.NewInt(now.Unix()),
+ NotBefore: now,
+ NotAfter: now.AddDate(yearsAfter, 0, 0),
+ Subject: certSubject,
+ Issuer: certIssuer,
+ IsCA: true,
+ ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
+ KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign |
+ x509.KeyUsageKeyEncipherment | x509.KeyUsageCRLSign,
 BasicConstraintsValid: true,
 }
- parentCert := certTempl
- if signerCert != nil {
- parentCert = signerCert
- }
+ parentCert := certTempl
+ if signerCert != nil {
+ parentCert = signerCert
+ }
 certBytes, err := x509.CreateCertificate(rand.Reader, certTempl, parentCert, &certKey.PublicKey, issuerKey)
 if err != nil {
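Review bot: `SerialNumber: big.NewInt(now.Unix())` derives the serial from wall-clock seconds, so two certificates issued by the same signer within one second share a serial, which RFC 5280 forbids and which confuses anything keyed by (issuer, serial) such as CRLs or revocation records; the new CreateServicePair in the following hunks reuses the same template. Since `rand.Reader` is already in use here, generate it instead: `serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))`, check `err`, and set `SerialNumber: serial`. Adding `x509.KeyUsageKeyEncipherment` to an `IsCA: true` template also grants the CA key a purpose it never exercises; `KeyUsageDigitalSignature | KeyUsageCertSign | KeyUsageCRLSign` is the usual CA set. CreateIssuerPair continues outside the hunk.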
@@ -126,11 +126,46 @@ func CreateIssuerPair(params *CreateIssuerPairParams) (*CreateIssuerPairResult,
 return res, err
 }
+type CreateServicePairParams struct {
+ CommonName string
+ DNSNames []string
+ IPAddresses []string
+ IssuerKey string
+ IssuerCert string
+}
+type CreateServicePairResult struct {
+ Name string
+ Cert string
+ Key string
+}
-
-func CreateIssuerPairV0(params *CreateIssuerPairParams) (*CreateIssuerPairResult, error) {
+func CreateServicePair(params *CreateServicePairParams) (*CreateServicePairResult, error) {
 var err error
- res := &CreateIssuerPairResult{}
+ res := &CreateServicePairResult{}
+
+ if params.IssuerKey != "" && params.IssuerCert == "" {
+ err = fmt.Errorf("The signature key and certificate must be defined together")
+ return res, err
+ }
+ if params.IssuerKey == "" && params.IssuerCert != "" {
+ err = fmt.Errorf("The signature key and certificate must be defined together")
+ return res, err
+ }
+
+ var signerKey any
+ if params.IssuerKey != "" {
+ signerKey, err = ParseDoubleEncodedKey(params.IssuerKey)
+ if err != nil {
+ return res, err
+ }
+ }
+ var signerCert *x509.Certificate
+ if params.IssuerCert != "" {
+ signerCert, err = ParseDoubleEncodedCerificate(params.IssuerCert)
+ if err != nil {
+ return res, err
+ }
+ }
 certPem := make([]byte, 0)
 keyPem := make([]byte, 0)
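Review bot: The two pairwise checks on `params.IssuerKey` / `params.IssuerCert` reject a lone key or a lone certificate but accept both being empty, in which case `signerKey` and `signerCert` stay nil and the template in the next hunk is presumably self-signed with `IsCA: false`, i.e. an end-entity certificate that chains to nothing. For a service pair the issuer is not optional (service.go always supplies one), so a single guard `if params.IssuerKey == "" || params.IssuerCert == "" { return res, fmt.Errorf("The issuer key and certificate are required") }` is both stricter and shorter. The exported types and function added here carry no doc comments; a line such as `// CreateServicePair issues an end-entity certificate for params.CommonName signed by the issuer pair in params.` would help readers of the package. CreateServicePair continues past the end of the hunk.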
@@ -140,36 +175,60 @@ func CreateIssuerPairV0(params *CreateIssuerPairParams) (*CreateIssuerPairResult
 const yearsAfter int = 10
 const keySize int = 2048
- key, err := rsa.GenerateKey(rand.Reader, keySize)
+ certKey, err := rsa.GenerateKey(rand.Reader, keySize)
 if err != nil {
 err := fmt.Errorf("Can't create a private key: %v", err)
 return res, err
 }
- keyPemBlock := pem.Block{
+ keyPemBlock := &pem.Block{
 Type: "RSA PRIVATE KEY",
- Bytes: x509.MarshalPKCS1PrivateKey(key),
+ Bytes: x509.MarshalPKCS1PrivateKey(certKey),
 }
- keyPem = pem.EncodeToMemory(&keyPemBlock)
+ keyPem = pem.EncodeToMemory(keyPemBlock)
- subjectName := pkix.Name{
+ certSubject := pkix.Name{
 CommonName: params.CommonName,
 }
- issuerName := subjectName
- res.Name = subjectName.String()
- certTempl := x509.Certificate{
+ certIssuer := certSubject
+ if signerCert != nil {
+ certIssuer = signerCert.Subject
+ }
+
+ var issuerKey any = certKey
+ if signerKey != nil {
+ issuerKey = signerKey
+ }
+
+ res.Name = certSubject.String()
+
+ netAddresses := make([]net.IP, 0)
+ for _, ipAddress := range params.IPAddresses {
+ netAddress := net.ParseIP(ipAddress)
+ netAddresses = append(netAddresses, netAddress)
+ }
+
+ certTempl := &x509.Certificate{
 SerialNumber: big.NewInt(now.Unix()),
 NotBefore: now,
 NotAfter: now.AddDate(yearsAfter, 0, 0),
- Subject: subjectName,
- Issuer: issuerName,
- IsCA: true,
+ Subject: certSubject,
+ Issuer: certIssuer,
+ DNSNames: params.DNSNames,
+ IPAddresses: netAddresses,
+ IsCA: false,
 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
- KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+ KeyUsage: x509.KeyUsageDigitalSignature,
 BasicConstraintsValid: true,
 }
- certBytes, err := x509.CreateCertificate(rand.Reader, &certTempl, &certTempl, &key.PublicKey, key)
+
+ parentCert := certTempl
+ if signerCert != nil {
+ parentCert = signerCert
+ }
+
+ certBytes, err := x509.CreateCertificate(rand.Reader, certTempl, parentCert, 
&certKey.PublicKey, issuerKey)
 if err != nil {
 err := fmt.Errorf("Can't create a certificate: %v", err)
 return res, err
@@ -189,20 +248,7 @@ func CreateIssuerPairV0(params *CreateIssuerPairParams) (*CreateIssuerPairResult
 return res, err
 }
-type CreateServicePairParams struct {
- CommonName string
- DNSNames []string
- IPAddresses []string
- IssuerKey string
- IssuerCert string
-}
-type CreateServicePairResult struct {
- Name string
- Cert string
- Key string
-}
-
-func CreateServicePairV2(params *CreateServicePairParams) (*CreateServicePairResult, error) {
+func XXXCreateServicePair(params *CreateServicePairParams) (*CreateServicePairResult, error) {
 var err error
 res := &CreateServicePairResult{}
@@ -278,18 +324,13 @@ func CreateServicePairV2(params *CreateServicePairParams) (*CreateServicePairRes
 return res, err
 }
-
-
-
-
-
 func ParseDoubleEncodedCerificate(certString string) (*x509.Certificate, error) {
 var err error
 res := &x509.Certificate{}
 certPEM, err := base64.StdEncoding.DecodeString(certString)
 if err != nil {
- err := fmt.Errorf("Failed to parse base64 certificate string: %v", err)
+ err := fmt.Errorf("Failed to parse base64 certificate string: %v", err)
 return res, err
 }
 certBlock, _ := pem.Decode([]byte(certPEM))
@@ -297,14 +338,14 @@ func ParseDoubleEncodedCerificate(certString string) (*x509.Certificate, error)
 err := fmt.Errorf("Failed to parse certificate PEM")
 return res, err
 }
- if certBlock.Type != "CERTIFICATE" {
+ if certBlock.Type != "CERTIFICATE" {
 err := fmt.Errorf("Unknown PEM certificate type: %s", certBlock.Type)
 return res, err
- }
- if len(certBlock.Bytes) == 0 {
+ }
+ if len(certBlock.Bytes) == 0 {
 err := fmt.Errorf("Empty PEM certificate block")
 return res, err
- }
+ }
 res, err = x509.ParseCertificate(certBlock.Bytes)
 if err != nil {
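Review bot: `net.ParseIP(ipAddress)` returns nil for anything that is not a literal address, and the loop appends that nil to `netAddresses` unchanged, so a mistyped entry in `params.IPAddresses` reaches `x509.CreateCertificate` as an empty iPAddress SAN instead of being rejected; add `if netAddress == nil { return res, fmt.Errorf("Invalid IP address: %q", ipAddress) }` inside the loop, and `make([]net.IP, 0, len(params.IPAddresses))` sizes the slice once. `params.DNSNames` is copied into the template with no validation either, and the end-entity certificate inherits `yearsAfter = 10` from the CA template, which is a long lifetime for a leaf key that is handed out together with its private key. CreateServicePair starts before and continues after this hunk.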
@@ -322,14 +363,14 @@ func ParseEncodedCerificate(certPEM string) (*x509.Certificate, error) {
 err := fmt.Errorf("Failed to parse certificate PEM")
 return res, err
 }
- if certBlock.Type != "CERTIFICATE" {
+ if certBlock.Type != "CERTIFICATE" {
 err := fmt.Errorf("Unknown PEM certificate type: %s", certBlock.Type)
 return res, err
- }
- if len(certBlock.Bytes) == 0 {
+ }
+ if len(certBlock.Bytes) == 0 {
 err := fmt.Errorf("Empty PEM certificate block")
 return res, err
- }
+ }
 res, err = x509.ParseCertificate(certBlock.Bytes)
 if err != nil {
 return res, err
@@ -343,7 +384,7 @@ func ParseDoubleEncodedKey(keyString string) (any, error) {
 keyPEM, err := base64.StdEncoding.DecodeString(keyString)
 if err != nil {
- err := fmt.Errorf("Failed to parse base64 key string: %v", err)
+ err := fmt.Errorf("Failed to parse base64 key string: %v", err)
 return res, err
 }
 keyBlock, _ := pem.Decode([]byte(keyPEM))
diff --git a/proto/certmanagercontrol.proto b/proto/certmanagercontrol.proto
index 280b16c..c59fb0f 100644
--- a/proto/certmanagercontrol.proto
+++ b/proto/certmanagercontrol.proto
@@ -94,10 +94,10 @@ message createServicePairParams {
 }
 message createServicePairResult {
 int64 serviceID = 1;
- string name = 2;
+ string serviceName = 2;
 string issuerCertificate = 3;
 int64 issuerID = 4;
- string cerificate = 5;
+ string certificate = 5;
 string key = 6;
 }