go-cert-gen/internal/cert/root_ca.go

package cert

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"time"

	"gitlab.com/urkob/go-cert-gen/pkg/ca"
	"gitlab.com/urkob/go-cert-gen/pkg/client"
)

const (
	CERTIFICATE = "CERTIFICATE"
	PRIVATE_KEY = "PRIVATE KEY"
)

type rootCA struct {
	caPEM  []byte
	keyPEM []byte
}

func (r *rootCA) Key() []byte {
	return r.keyPEM
}

func (r *rootCA) PEM() []byte {
	return r.caPEM
}

func (r *rootCA) WithClientCert(config *client.ClientCertConfig) (client.ClientCertIface, error) {
	x509RootCA, err := parseCertificate(r.caPEM)
	if err != nil {
		return nil, fmt.Errorf("parseCertificate: %s", err)
	}

	clientCertPEM, clientKeyPEM, err := newClientCert(config, x509RootCA, r.keyPEM)
	if err != nil {
		return nil, fmt.Errorf("newClientCert: %s", err)
	}

	return &clientCert{
		certPEM: clientCertPEM,
		keyPEM:  clientKeyPEM,
	}, nil
}

// Create a self-signed certificate.
func newRootCA(config *ca.CaConfig) ([]byte, []byte, error) {
	priv, err := newPrivateKey()
	if err != nil {
		return nil, nil, fmt.Errorf("newPrivateKey: %s", err)
	}

	template := x509.Certificate{
		SerialNumber: config.SerialNumber,
		Subject: pkix.Name{
			Organization: []string{config.Subject.Organization},
			CommonName:   config.Subject.CommonName,
		},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(config.Duration),
		IsCA:                  true,
		KeyUsage:              config.KeyUsage,
		ExtKeyUsage:           config.ExtKeyUsage,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, fmt.Errorf("x509.CreateCertificate: %s", err)
	}

	out := &bytes.Buffer{}
	err = pem.Encode(out, &pem.Block{Type: CERTIFICATE, Bytes: der})
	if err != nil {
		return nil, nil, fmt.Errorf("pem.Encode: %s", err)
	}

	caPEM := out.Bytes()
	keyPEM, err := encodePrivateKey(priv)
	if err != nil {
		return nil, nil, fmt.Errorf("encodePrivateKey: %s", err)
	}

	return caPEM, keyPEM, nil
}

func NewRootCA(config *ca.CaConfig) (ca.RootCACertificateIface, error) {
	caPEM, keyPEM, err := newRootCA(config)
	if err != nil {
		return nil, fmt.Errorf("newRootCA: %s", err)
	}

	return &rootCA{
		caPEM:  caPEM,
		keyPEM: keyPEM,
	}, nil
}

// Creates a new 512bit private key.
func newPrivateKey() (*ecdsa.PrivateKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, fmt.Errorf("ecdsa: %s", err)
	}

	return priv, nil
}

// Parse a text PEM file into a x509 cert.
func parseCertificate(data []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return nil, fmt.Errorf("parseCertificate (pem.Decode)")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("parseCertificate: %w", err)
	}
	return cert, nil
}

// Encodes a private key into PEM.
func encodePrivateKey(priv *ecdsa.PrivateKey) ([]byte, error) {
	out := &bytes.Buffer{}
	privBytes, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, fmt.Errorf("x509.MarshalPKCS8PrivateKey: %s", err)
	}

	err = pem.Encode(out, &pem.Block{
		Type:  PRIVATE_KEY,
		Bytes: privBytes,
	})
	if err != nil {
		return nil, err
	}

	return out.Bytes(), nil
}
feat: cert generation implementation 2023-02-15 11:10:23 +01:00			`package cert`

			`import (`
			`"bytes"`
			`"crypto/ecdsa"`
			`"crypto/elliptic"`
			`"crypto/rand"`
			`"crypto/x509"`
			`"crypto/x509/pkix"`
			`"encoding/pem"`
			`"fmt"`
			`"time"`

			`"gitlab.com/urkob/go-cert-gen/pkg/ca"`
			`"gitlab.com/urkob/go-cert-gen/pkg/client"`
			`)`

feat: add tests 2023-03-03 22:31:10 +01:00			`const (`
			`CERTIFICATE = "CERTIFICATE"`
			`PRIVATE_KEY = "PRIVATE KEY"`
			`)`
feat: cert generation implementation 2023-02-15 11:10:23 +01:00
feat: add tests 2023-03-03 22:31:10 +01:00			`type rootCA struct {`
			`caPEM []byte`
			`keyPEM []byte`
feat: cert generation implementation 2023-02-15 11:10:23 +01:00			`}`

feat: add tests 2023-03-03 22:31:10 +01:00			`func (r *rootCA) Key() []byte {`
			`return r.keyPEM`
			`}`

			`func (r *rootCA) PEM() []byte {`
			`return r.caPEM`
			`}`

			`func (r rootCA) WithClientCert(config client.ClientCertConfig) (client.ClientCertIface, error) {`
			`x509RootCA, err := parseCertificate(r.caPEM)`
feat: cert generation implementation 2023-02-15 11:10:23 +01:00			`if err != nil {`
feat: add tests 2023-03-03 22:31:10 +01:00			`return nil, fmt.Errorf("parseCertificate: %s", err)`
feat: cert generation implementation 2023-02-15 11:10:23 +01:00			`}`

feat: add tests 2023-03-03 22:31:10 +01:00			`clientCertPEM, clientKeyPEM, err := newClientCert(config, x509RootCA, r.keyPEM)`
feat: cert generation implementation 2023-02-15 11:10:23 +01:00			`if err != nil {`
feat: add tests 2023-03-03 22:31:10 +01:00			`return nil, fmt.Errorf("newClientCert: %s", err)`
feat: cert generation implementation 2023-02-15 11:10:23 +01:00			`}`
feat: add tests 2023-03-03 22:31:10 +01:00
			`return &clientCert{`
			`certPEM: clientCertPEM,`
			`keyPEM: clientKeyPEM,`
			`}, nil`
feat: cert generation implementation 2023-02-15 11:10:23 +01:00			`}`

			`// Create a self-signed certificate.`
feat: use viper and cobra to parameterize creation values with viper yaml 2023-02-15 19:30:05 +01:00			`func newRootCA(config *ca.CaConfig) ([]byte, []byte, error) {`
feat: cert generation implementation 2023-02-15 11:10:23 +01:00			`priv, err := newPrivateKey()`
			`if err != nil {`
			`return nil, nil, fmt.Errorf("newPrivateKey: %s", err)`
			`}`

			`template := x509.Certificate{`
			`SerialNumber: config.SerialNumber,`
			`Subject: pkix.Name{`
			`Organization: []string{config.Subject.Organization},`
			`CommonName: config.Subject.CommonName,`
			`},`
			`NotBefore: time.Now().Add(-time.Minute),`
			`NotAfter: time.Now().Add(config.Duration),`
			`IsCA: true,`
			`KeyUsage: config.KeyUsage,`
			`ExtKeyUsage: config.ExtKeyUsage,`
			`BasicConstraintsValid: true,`
			`}`
			`der, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)`
			`if err != nil {`
			`return nil, nil, fmt.Errorf("x509.CreateCertificate: %s", err)`
			`}`

			`out := &bytes.Buffer{}`
feat: add tests 2023-03-03 22:31:10 +01:00			`err = pem.Encode(out, &pem.Block{Type: CERTIFICATE, Bytes: der})`
fix lint 2023-02-15 19:47:52 +01:00			`if err != nil {`
			`return nil, nil, fmt.Errorf("pem.Encode: %s", err)`
			`}`

feat: cert generation implementation 2023-02-15 11:10:23 +01:00			`caPEM := out.Bytes()`
			`keyPEM, err := encodePrivateKey(priv)`
			`if err != nil {`
			`return nil, nil, fmt.Errorf("encodePrivateKey: %s", err)`
			`}`

			`return caPEM, keyPEM, nil`
			`}`

feat: add tests 2023-03-03 22:31:10 +01:00			`func NewRootCA(config *ca.CaConfig) (ca.RootCACertificateIface, error) {`
			`caPEM, keyPEM, err := newRootCA(config)`
feat: cert generation implementation 2023-02-15 11:10:23 +01:00			`if err != nil {`
feat: add tests 2023-03-03 22:31:10 +01:00			`return nil, fmt.Errorf("newRootCA: %s", err)`
feat: cert generation implementation 2023-02-15 11:10:23 +01:00			`}`

feat: add tests 2023-03-03 22:31:10 +01:00			`return &rootCA{`
			`caPEM: caPEM,`
			`keyPEM: keyPEM,`
			`}, nil`
			`}`
fix lint 2023-02-15 19:47:52 +01:00
feat: add tests 2023-03-03 22:31:10 +01:00			`// Creates a new 512bit private key.`
			`func newPrivateKey() (*ecdsa.PrivateKey, error) {`
			`priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)`
feat: cert generation implementation 2023-02-15 11:10:23 +01:00			`if err != nil {`
feat: add tests 2023-03-03 22:31:10 +01:00			`return nil, fmt.Errorf("ecdsa: %s", err)`
feat: cert generation implementation 2023-02-15 11:10:23 +01:00			`}`

feat: add tests 2023-03-03 22:31:10 +01:00			`return priv, nil`
feat: cert generation implementation 2023-02-15 11:10:23 +01:00			`}`

feat: add tests 2023-03-03 22:31:10 +01:00			`// Parse a text PEM file into a x509 cert.`
			`func parseCertificate(data []byte) (*x509.Certificate, error) {`
			`block, _ := pem.Decode(data)`
			`if block == nil {`
			`return nil, fmt.Errorf("parseCertificate (pem.Decode)")`
feat: cert generation implementation 2023-02-15 11:10:23 +01:00			`}`
feat: add tests 2023-03-03 22:31:10 +01:00			`cert, err := x509.ParseCertificate(block.Bytes)`
feat: cert generation implementation 2023-02-15 11:10:23 +01:00			`if err != nil {`
feat: add tests 2023-03-03 22:31:10 +01:00			`return nil, fmt.Errorf("parseCertificate: %w", err)`
feat: cert generation implementation 2023-02-15 11:10:23 +01:00			`}`
feat: add tests 2023-03-03 22:31:10 +01:00			`return cert, nil`
feat: cert generation implementation 2023-02-15 11:10:23 +01:00			`}`

feat: add tests 2023-03-03 22:31:10 +01:00			`// Encodes a private key into PEM.`
			`func encodePrivateKey(priv *ecdsa.PrivateKey) ([]byte, error) {`
			`out := &bytes.Buffer{}`
			`privBytes, err := x509.MarshalPKCS8PrivateKey(priv)`
			`if err != nil {`
			`return nil, fmt.Errorf("x509.MarshalPKCS8PrivateKey: %s", err)`
			`}`
feat: cert generation implementation 2023-02-15 11:10:23 +01:00
feat: add tests 2023-03-03 22:31:10 +01:00			`err = pem.Encode(out, &pem.Block{`
			`Type: PRIVATE_KEY,`
			`Bytes: privBytes,`
			`})`
feat: cert generation implementation 2023-02-15 11:10:23 +01:00			`if err != nil {`
feat: add tests 2023-03-03 22:31:10 +01:00			`return nil, err`
feat: cert generation implementation 2023-02-15 11:10:23 +01:00			`}`

feat: add tests 2023-03-03 22:31:10 +01:00			`return out.Bytes(), nil`
feat: cert generation implementation 2023-02-15 11:10:23 +01:00			`}`