182 lines
5.5 KiB
Go
182 lines
5.5 KiB
Go
package pki
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"crypto/x509"
|
|
"crypto/x509/pkix"
|
|
"encoding/pem"
|
|
"fmt"
|
|
"io"
|
|
"math/big"
|
|
"net"
|
|
"time"
|
|
)
|
|
|
|
// labels used in the pem file format to mark certificate sign requests and certificates
|
|
const (
|
|
PemLabelCertificateRequest = "CERTIFICATE REQUEST"
|
|
PemLabelCertificate = "CERTIFICATE"
|
|
)
|
|
|
|
type (
|
|
// Use CertificateData to fill in the minimum data you need to create a certificate
|
|
// sign request.
|
|
CertificateData struct {
|
|
Subject pkix.Name
|
|
|
|
DNSNames []string
|
|
EmailAddresses []string
|
|
IPAddresses []net.IP
|
|
}
|
|
|
|
// Certificate is an alias on the x509.Certificate to add some methods.
|
|
Certificate x509.Certificate
|
|
// CertificateRequest is an alias on the x509.CertificateRequest to add some methods.
|
|
CertificateRequest x509.CertificateRequest
|
|
|
|
// CertificateOptions is used to provide the necessary information to create
|
|
// a certificate from a certificate sign request.
|
|
CertificateOptions struct {
|
|
SerialNumber *big.Int
|
|
NotBefore time.Time
|
|
NotAfter time.Time // Validity bounds.
|
|
IsCA bool
|
|
// how many sub ca are allowed between this ca and the end/final certificate
|
|
// if it is -1, then no limit will be set
|
|
CALength int
|
|
KeyUsage x509.KeyUsage // for what can the certificate be used
|
|
KeyExtendedUsage []x509.ExtKeyUsage // extended usage for the certificate
|
|
CRLUrls []string
|
|
}
|
|
)
|
|
|
|
// Create a new set of certificate data.
|
|
func NewCertificateData() *CertificateData {
|
|
return &CertificateData{Subject: pkix.Name{}}
|
|
}
|
|
|
|
// Create a certificate sign request from the input data and the private key of
|
|
// the request creator.
|
|
func (c *CertificateData) ToCertificateRequest(private_key PrivateKey) (*CertificateRequest, error) {
|
|
csr := &x509.CertificateRequest{}
|
|
|
|
csr.Subject = c.Subject
|
|
csr.DNSNames = c.DNSNames
|
|
csr.IPAddresses = c.IPAddresses
|
|
csr.EmailAddresses = c.EmailAddresses
|
|
|
|
csr_asn1, err := x509.CreateCertificateRequest(rand.Reader, csr, private_key.PrivateKey())
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return LoadCertificateSignRequest(csr_asn1)
|
|
}
|
|
|
|
// Load a certificate sign request from its asn1 representation.
|
|
func LoadCertificateSignRequest(raw []byte) (*CertificateRequest, error) {
|
|
csr, err := x509.ParseCertificateRequest(raw)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return (*CertificateRequest)(csr), nil
|
|
}
|
|
|
|
// ToPem returns a pem.Block representing the CertificateRequest.
|
|
func (c *CertificateRequest) ToPem() (pem.Block, error) {
|
|
return pem.Block{Type: PemLabelCertificateRequest, Bytes: c.Raw}, nil
|
|
}
|
|
|
|
// Return the certificate sign request as a pem block.
|
|
func (c *CertificateRequest) MarshalPem() (io.WriterTo, error) {
|
|
if block, err := c.ToPem(); err != nil {
|
|
return nil, err
|
|
} else {
|
|
return marshalledPemBlock(pem.EncodeToMemory(&block)), nil
|
|
}
|
|
}
|
|
|
|
// Convert the certificate sign request to a certificate using the private key
|
|
// of the signer and the certificate of the signer.
|
|
// If the certificate is null, the sign request will be used to sign itself.
|
|
// Please also see the certificate options struct for information on mandatory fields.
|
|
// For more information, please read http://golang.org/pkg/crypto/x509/#CreateCertificate
|
|
func (c *CertificateRequest) ToCertificate(private_key PrivateKey,
|
|
cert_opts CertificateOptions, ca *Certificate) (*Certificate, error) {
|
|
|
|
if err := cert_opts.Valid(); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
template := &x509.Certificate{}
|
|
template.Subject = c.Subject
|
|
template.DNSNames = c.DNSNames
|
|
template.IPAddresses = c.IPAddresses
|
|
template.EmailAddresses = c.EmailAddresses
|
|
|
|
// if no ca is given, we have to set IsCA to self sign
|
|
if ca == nil {
|
|
template.IsCA = true
|
|
}
|
|
|
|
template.NotBefore = cert_opts.NotBefore
|
|
template.NotAfter = cert_opts.NotAfter
|
|
template.KeyUsage = cert_opts.KeyUsage
|
|
template.ExtKeyUsage = cert_opts.KeyExtendedUsage
|
|
template.CRLDistributionPoints = cert_opts.CRLUrls
|
|
template.IsCA = cert_opts.IsCA
|
|
if cert_opts.IsCA {
|
|
template.BasicConstraintsValid = true
|
|
}
|
|
if cert_opts.CALength >= 0 {
|
|
template.MaxPathLen = cert_opts.CALength
|
|
template.MaxPathLenZero = true
|
|
template.BasicConstraintsValid = true
|
|
}
|
|
template.SerialNumber = cert_opts.SerialNumber
|
|
|
|
var cert_asn1 []byte
|
|
var err error
|
|
// if we have no ca which can sign the cert, a self signed cert is wanted
|
|
// (or isn't it? Maybe we should split creation of the template? But that would be ugly)
|
|
if ca == nil {
|
|
cert_asn1, err = x509.CreateCertificate(rand.Reader, template, template, c.PublicKey, private_key.PrivateKey())
|
|
} else {
|
|
cert_asn1, err = x509.CreateCertificate(rand.Reader, template, (*x509.Certificate)(ca), c.PublicKey, private_key.PrivateKey())
|
|
}
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return LoadCertificate(cert_asn1)
|
|
}
|
|
|
|
// Load a certificate from its asn1 representation.
|
|
func LoadCertificate(raw []byte) (*Certificate, error) {
|
|
cert, err := x509.ParseCertificate(raw)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return (*Certificate)(cert), nil
|
|
}
|
|
|
|
// marshal the certificate to a pem block
|
|
func (c *Certificate) MarshalPem() (io.WriterTo, error) {
|
|
if block, err := c.ToPem(); err != nil {
|
|
return nil, err
|
|
} else {
|
|
return marshalledPemBlock(pem.EncodeToMemory(&block)), nil
|
|
}
|
|
}
|
|
|
|
// ToPem returns the pem block of the certificate.
|
|
func (c *Certificate) ToPem() (pem.Block, error) {
|
|
return pem.Block{Type: PemLabelCertificate, Bytes: c.Raw}, nil
|
|
}
|
|
|
|
// Check if the certificate options have the required fields set.
|
|
func (co *CertificateOptions) Valid() error {
|
|
if co.SerialNumber == nil {
|
|
return fmt.Errorf("No serial number set!")
|
|
}
|
|
return nil
|
|
}
|