package cert import ( "bytes" "crypto/ecdsa" "crypto/elliptic" "crypto/rand" "crypto/x509" "crypto/x509/pkix" "encoding/pem" "errors" "fmt" "time" "gitlab.com/urkob/go-cert-gen/pkg/ca" "gitlab.com/urkob/go-cert-gen/pkg/client" ) const ( CERTIFICATE = "CERTIFICATE" PRIVATE_KEY = "PRIVATE KEY" ) type rootCA struct { caPEM []byte keyPEM []byte } func (r *rootCA) Key() []byte { return r.keyPEM } func (r *rootCA) PEM() []byte { return r.caPEM } func (r *rootCA) WithClientCert(config *client.ClientCertConfig) (client.ClientCertIface, error) { x509RootCA, err := parseCertificate(r.caPEM) if err != nil { return nil, fmt.Errorf("parseCertificate: %s", err) } clientCertPEM, clientKeyPEM, err := newClientCert(config, x509RootCA, r.keyPEM) if err != nil { return nil, fmt.Errorf("newClientCert: %s", err) } return &clientCert{ certPEM: clientCertPEM, keyPEM: clientKeyPEM, }, nil } // Create a self-signed certificate. func newRootCA(config *ca.CaConfig) ([]byte, []byte, error) { if config == nil { return nil, nil, errors.New("ca.CaConfig config is nil") } priv, err := newPrivateKey() if err != nil { return nil, nil, fmt.Errorf("newPrivateKey: %s", err) } template := x509.Certificate{ SerialNumber: config.SerialNumber, Subject: pkix.Name{ Organization: []string{config.Subject.Organization}, CommonName: config.Subject.CommonName, }, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(config.Duration), IsCA: true, KeyUsage: config.KeyUsage, ExtKeyUsage: config.ExtKeyUsage, BasicConstraintsValid: true, } der, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv) if err != nil { return nil, nil, fmt.Errorf("x509.CreateCertificate: %s", err) } out := &bytes.Buffer{} err = pem.Encode(out, &pem.Block{Type: CERTIFICATE, Bytes: der}) if err != nil { return nil, nil, fmt.Errorf("pem.Encode: %s", err) } caPEM := out.Bytes() keyPEM, err := encodePrivateKey(priv) if err != nil { return nil, nil, fmt.Errorf("encodePrivateKey: %s", err) } return caPEM, keyPEM, nil } func NewRootCA(config *ca.CaConfig) (ca.RootCACertificateIface, error) { caPEM, keyPEM, err := newRootCA(config) if err != nil { return nil, fmt.Errorf("newRootCA: %s", err) } return &rootCA{ caPEM: caPEM, keyPEM: keyPEM, }, nil } // Creates a new 512bit private key. func newPrivateKey() (*ecdsa.PrivateKey, error) { priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) if err != nil { return nil, fmt.Errorf("ecdsa: %s", err) } return priv, nil } // Parse a text PEM file into a x509 cert. func parseCertificate(data []byte) (*x509.Certificate, error) { block, _ := pem.Decode(data) if block == nil { return nil, fmt.Errorf("parseCertificate (pem.Decode)") } cert, err := x509.ParseCertificate(block.Bytes) if err != nil { return nil, fmt.Errorf("parseCertificate: %w", err) } return cert, nil } // Encodes a private key into PEM. func encodePrivateKey(priv *ecdsa.PrivateKey) ([]byte, error) { out := &bytes.Buffer{} privBytes, err := x509.MarshalPKCS8PrivateKey(priv) if err != nil { return nil, fmt.Errorf("x509.MarshalPKCS8PrivateKey: %s", err) } err = pem.Encode(out, &pem.Block{ Type: PRIVATE_KEY, Bytes: privBytes, }) if err != nil { return nil, err } return out.Bytes(), nil }