ziggi/certmanager
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
eb218c4bf6969aab214cf4949f6d7c4fa1a9492d
certmanager/internal/logic/x509.go
Олег Бородин eb218c4bf6 certmanager updated
2024-08-06 08:19:01 +02:00

277 lines
6.8 KiB
Go
Raw Blame History

package logic
import (
"crypto/rand"
"crypto/rsa"
"crypto/x509"
"crypto/x509/pkix"
"encoding/base64"
"encoding/pem"
"fmt"
"math/big"
"net"
"time"
)
type CreateIssuerPairParams struct {
CommonName string
}
type CreateIssuerPairResult struct {
Name string
Cert string
Key string
}
func CreateIssuerPair(params *CreateIssuerPairParams) (*CreateIssuerPairResult, error) {
var err error
res := &CreateIssuerPairResult{}
certPem := make([]byte, 0)
keyPem := make([]byte, 0)
now := time.Now()
const yearsAfter int = 10
const keySize int = 2048
key, err := rsa.GenerateKey(rand.Reader, keySize)
if err != nil {
err := fmt.Errorf("Can't create a private key: %v", err)
return res, err
}
keyPemBlock := pem.Block{
Type: "RSA PRIVATE KEY",
Bytes: x509.MarshalPKCS1PrivateKey(key),
}
keyPem = pem.EncodeToMemory(&keyPemBlock)
subjectName := pkix.Name{
CommonName: params.CommonName,
}
res.Name = subjectName.String()
tml := x509.Certificate{
SerialNumber: big.NewInt(now.Unix()),
NotBefore: now,
NotAfter: now.AddDate(yearsAfter, 0, 0),
Subject: subjectName,
IsCA: true,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
BasicConstraintsValid: true,
}
certBytes, err := x509.CreateCertificate(rand.Reader, &tml, &tml, &key.PublicKey, key)
if err != nil {
err := fmt.Errorf("Can't create a certificate: %v", err)
return res, err
}
certPemBlock := pem.Block{
Type: "CERTIFICATE",
Bytes: certBytes,
}
certPem = pem.EncodeToMemory(&certPemBlock)
if err != nil {
return res, err
}
res.Cert = base64.StdEncoding.EncodeToString(certPem)
res.Key = base64.StdEncoding.EncodeToString(keyPem)
return res, err
}
type CreateServicePairParams struct {
CommonName string
DNSNames []string
IPAddresses []string
IssuerKey string
IssuerCert string
}
type CreateServicePairResult struct {
Name string
Cert string
Key string
}
func CreateServicePair(params *CreateServicePairParams) (*CreateServicePairResult, error) {
var err error
res := &CreateServicePairResult{}
certPem := make([]byte, 0)
keyPem := make([]byte, 0)
now := time.Now()
const yearsAfter int = 10
const keySize int = 2048
key, err := rsa.GenerateKey(rand.Reader, keySize)
if err != nil {
err := fmt.Errorf("Can't create a private key: %v", err)
return res, err
}
keyPemBlock := pem.Block{
Type: "RSA PRIVATE KEY",
Bytes: x509.MarshalPKCS1PrivateKey(key),
}
keyPem = pem.EncodeToMemory(&keyPemBlock)
caKeyPem, err := base64.StdEncoding.DecodeString(params.IssuerKey)
if err != nil {
return res, err
}
pemBlock, _ := pem.Decode(caKeyPem)
if pemBlock == nil {
err := fmt.Errorf("Can't parse a CA private key block")
return res, err
}
caKey, err := x509.ParsePKCS1PrivateKey(pemBlock.Bytes)
if err != nil {
err := fmt.Errorf("Can't parse a CA private key")
return res, err
}
netAddresses := make([]net.IP, 0)
for _, ipAddress := range params.IPAddresses {
netAddress := net.ParseIP(ipAddress)
netAddresses = append(netAddresses, netAddress)
}
tml := x509.Certificate{
SerialNumber: big.NewInt(now.Unix()),
NotBefore: now,
NotAfter: now.AddDate(yearsAfter, 0, 0),
Subject: pkix.Name{
CommonName: params.CommonName,
},
DNSNames: params.DNSNames,
IPAddresses: netAddresses,
IsCA: false,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
KeyUsage: x509.KeyUsageDigitalSignature,
BasicConstraintsValid: true,
}
certBytes, err := x509.CreateCertificate(rand.Reader, &tml, &tml, &key.PublicKey, caKey)
if err != nil {
return res, fmt.Errorf("Can't create a certificate: %v", err)
}
certPemBlock := pem.Block{
Type: "CERTIFICATE",
Bytes: certBytes,
}
certPem = pem.EncodeToMemory(&certPemBlock)
if err != nil {
return res, err
}
res.Cert = base64.StdEncoding.EncodeToString(certPem)
res.Key = base64.StdEncoding.EncodeToString(keyPem)
return res, err
}
func ParseDoubleEncodedCerificate(certString string) (*x509.Certificate, error) {
var err error
res := &x509.Certificate{}
certPEM, err := base64.StdEncoding.DecodeString(certString)
if err != nil {
return res, err
}
certBlock, _ := pem.Decode([]byte(certPEM))
if certBlock == nil {
err := fmt.Errorf("Failed to parse certificate PEM")
return res, err
}
res, err = x509.ParseCertificate(certBlock.Bytes)
if err != nil {
return res, err
}
return res, err
}
func ParseEncodedCerificate(certPEM string) (*x509.Certificate, error) {
var err error
res := &x509.Certificate{}
certBlock, _ := pem.Decode([]byte(certPEM))
if certBlock == nil {
err := fmt.Errorf("Failed to parse certificate PEM")
return res, err
}
res, err = x509.ParseCertificate(certBlock.Bytes)
if err != nil {
return res, err
}
return res, err
}
func ParseDoubleEncodedKey(keyString string) (*rsa.PrivateKey, error) {
var err error
res := &rsa.PrivateKey{}
keyPEM, err := base64.StdEncoding.DecodeString(keyString)
if err != nil {
return res, err
}
keyBlock, _ := pem.Decode([]byte(keyPEM))
if keyBlock == nil {
err := fmt.Errorf("Failed to parse key PEM")
return res, err
}
res, err = x509.ParsePKCS1PrivateKey(keyBlock.Bytes)
if err != nil {
return res, err
}
return res, err
}
type CertificateCortege struct {
CertString string
CertObj *x509.Certificate
}
func CheckCertificateChain(topIssuerCN string, certCorteges []*CertificateCortege) ([]*CertificateCortege, error) {
var err error
res := make([]*CertificateCortege, 0)
issuerFound := false
issuerIndex := -1
for i, cortege := range certCorteges {
if topIssuerCN == cortege.CertObj.Subject.String() {
issuerIndex = i
issuerFound = true
}
}
if !issuerFound {
err := fmt.Errorf("Issuer for %s cannot found", topIssuerCN)
return res, err
}
interInssuerCortege := certCorteges[issuerIndex]
if !interInssuerCortege.CertObj.IsCA {
err := fmt.Errorf("Issuer %s is not CA", interInssuerCortege.CertObj.Subject.String())
return res, err
}
expired := interInssuerCortege.CertObj.NotAfter.Before(time.Now())
if !expired {
err := fmt.Errorf("Issuer %s expired %v", interInssuerCortege.CertObj.Subject.String(),
interInssuerCortege.CertObj.NotAfter)
return res, err
}
res = append(res, interInssuerCortege)
if interInssuerCortege.CertObj.Subject.String() == interInssuerCortege.CertObj.Issuer.String() {
return res, err
}
updatedCorteges := append(certCorteges[:issuerIndex], certCorteges[issuerIndex+1:]...)
topIssuerCN = interInssuerCortege.CertObj.Issuer.String()
cortegeTail, err := CheckCertificateChain(topIssuerCN, updatedCorteges)
if err != nil {
return res, err
}
res = append(res, cortegeTail...)
return res, err
}
Reference in New Issue View Git Blame Copy Permalink