ergo/irc/mkcerts/certs.go

// Copyright (c) 2016 Daniel Oaks <daniel@danieloaks.net>
// released under the MIT license

package mkcerts

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"os"
	"time"
)

// CreateCertBytes creates a testing ECDSA certificate, returning the cert and key bytes.
func CreateCertBytes(orgName string, host string) (certBytes []byte, keyBytes []byte, err error) {
	validFrom := time.Now()
	validFor := 365 * 24 * time.Hour
	notAfter := validFrom.Add(validFor)

	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}

	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
	if err != nil {
		return nil, nil, fmt.Errorf("failed to generate serial number: %s", err)
	}

	template := x509.Certificate{
		SerialNumber: serialNumber,
		Subject: pkix.Name{
			Organization: []string{orgName},
		},
		NotBefore: validFrom,
		NotAfter:  notAfter,

		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}

	// TODO: allow explicitly listing allowed addresses/names
	template.IPAddresses = append(template.IPAddresses, net.ParseIP("127.0.0.1"))
	template.IPAddresses = append(template.IPAddresses, net.ParseIP("::1"))
	if host != "" {
		template.DNSNames = append(template.DNSNames, host)
	}
	template.DNSNames = append(template.DNSNames, "localhost")

	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, fmt.Errorf("Failed to create certificate: %s", err.Error())
	}

	certBytes = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})

	b, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, nil, fmt.Errorf("Unable to marshal private key: %v", err.Error())
	}
	pemBlock := pem.Block{Type: "PRIVATE KEY", Bytes: b}
	keyBytes = pem.EncodeToMemory(&pemBlock)
	return certBytes, keyBytes, nil
}

// CreateCert creates a testing ECDSA certificate, outputting the cert and key at the given filenames.
func CreateCert(orgName string, host string, certFilename string, keyFilename string) error {
	certBytes, keyBytes, err := CreateCertBytes(orgName, host)

	if err != nil {
		return err
	}

	certOut, err := os.Create(certFilename)
	if err != nil {
		return fmt.Errorf("failed to open %s for writing: %s", certFilename, err.Error())
	}
	defer certOut.Close()
	_, err = certOut.Write(certBytes)
	if err != nil {
		return fmt.Errorf("failed to write out cert file %s: %s", certFilename, err.Error())
	}

	keyOut, err := os.OpenFile(keyFilename, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
	if err != nil {
		return fmt.Errorf("failed to open %s for writing: %s", keyFilename, err.Error())
	}
	defer keyOut.Close()
	_, err = keyOut.Write(keyBytes)
	if err != nil {
		return fmt.Errorf("failed to write out key file %s: %s", keyFilename, err.Error())
	}

	return nil
}
Fix dates at top of source files 2017-03-27 14:15:02 +02:00			`// Copyright (c) 2016 Daniel Oaks <daniel@danieloaks.net>`
mkcerts: Split into separate file 2016-08-12 23:40:58 +02:00			`// released under the MIT license`

			`package mkcerts`

			`import (`
			`"crypto/rand"`
fix #898 2020-03-22 19:46:17 +01:00			`"crypto/rsa"`
mkcerts: Split into separate file 2016-08-12 23:40:58 +02:00			`"crypto/x509"`
			`"crypto/x509/pkix"`
			`"encoding/pem"`
			`"fmt"`
			`"math/big"`
			`"net"`
			`"os"`
			`"time"`
			`)`

mkcerts: Clean up and rename to be nicer 2016-08-13 10:17:40 +02:00			`// CreateCertBytes creates a testing ECDSA certificate, returning the cert and key bytes.`
			`func CreateCertBytes(orgName string, host string) (certBytes []byte, keyBytes []byte, err error) {`
mkcerts: Split into separate file 2016-08-12 23:40:58 +02:00			`validFrom := time.Now()`
			`validFor := 365 * 24 * time.Hour`
			`notAfter := validFrom.Add(validFor)`

fix #898 2020-03-22 19:46:17 +01:00			`priv, err := rsa.GenerateKey(rand.Reader, 2048)`
			`if err != nil {`
			`return`
			`}`
mkcerts: Split into separate file 2016-08-12 23:40:58 +02:00
			`serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)`
			`serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)`
			`if err != nil {`
mkcerts: Clean up and rename to be nicer 2016-08-13 10:17:40 +02:00			`return nil, nil, fmt.Errorf("failed to generate serial number: %s", err)`
mkcerts: Split into separate file 2016-08-12 23:40:58 +02:00			`}`

			`template := x509.Certificate{`
			`SerialNumber: serialNumber,`
			`Subject: pkix.Name{`
			`Organization: []string{orgName},`
			`},`
			`NotBefore: validFrom,`
			`NotAfter: notAfter,`

			`KeyUsage: x509.KeyUsageKeyEncipherment \| x509.KeyUsageDigitalSignature,`
			`ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},`
			`BasicConstraintsValid: true,`
			`}`

			`// TODO: allow explicitly listing allowed addresses/names`
			`template.IPAddresses = append(template.IPAddresses, net.ParseIP("127.0.0.1"))`
			`template.IPAddresses = append(template.IPAddresses, net.ParseIP("::1"))`
			`if host != "" {`
			`template.DNSNames = append(template.DNSNames, host)`
			`}`
			`template.DNSNames = append(template.DNSNames, "localhost")`

			`derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)`
			`if err != nil {`
mkcerts: Clean up and rename to be nicer 2016-08-13 10:17:40 +02:00			`return nil, nil, fmt.Errorf("Failed to create certificate: %s", err.Error())`
			`}`

			`certBytes = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})`

fix #898 2020-03-22 19:46:17 +01:00			`b, err := x509.MarshalPKCS8PrivateKey(priv)`
mkcerts: Clean up and rename to be nicer 2016-08-13 10:17:40 +02:00			`if err != nil {`
fix #898 2020-03-22 19:46:17 +01:00			`return nil, nil, fmt.Errorf("Unable to marshal private key: %v", err.Error())`
mkcerts: Clean up and rename to be nicer 2016-08-13 10:17:40 +02:00			`}`
fix #898 2020-03-22 19:46:17 +01:00			`pemBlock := pem.Block{Type: "PRIVATE KEY", Bytes: b}`
mkcerts: Clean up and rename to be nicer 2016-08-13 10:17:40 +02:00			`keyBytes = pem.EncodeToMemory(&pemBlock)`
			`return certBytes, keyBytes, nil`
			`}`

			`// CreateCert creates a testing ECDSA certificate, outputting the cert and key at the given filenames.`
			`func CreateCert(orgName string, host string, certFilename string, keyFilename string) error {`
			`certBytes, keyBytes, err := CreateCertBytes(orgName, host)`

			`if err != nil {`
			`return err`
mkcerts: Split into separate file 2016-08-12 23:40:58 +02:00			`}`

			`certOut, err := os.Create(certFilename)`
			`if err != nil {`
			`return fmt.Errorf("failed to open %s for writing: %s", certFilename, err.Error())`
			`}`
mkcerts: Clean up and rename to be nicer 2016-08-13 10:17:40 +02:00			`defer certOut.Close()`
			`_, err = certOut.Write(certBytes)`
			`if err != nil {`
			`return fmt.Errorf("failed to write out cert file %s: %s", certFilename, err.Error())`
			`}`
mkcerts: Split into separate file 2016-08-12 23:40:58 +02:00
			`keyOut, err := os.OpenFile(keyFilename, os.O_WRONLY\|os.O_CREATE\|os.O_TRUNC, 0600)`
			`if err != nil {`
			`return fmt.Errorf("failed to open %s for writing: %s", keyFilename, err.Error())`
			`}`
mkcerts: Clean up and rename to be nicer 2016-08-13 10:17:40 +02:00			`defer keyOut.Close()`
			`_, err = keyOut.Write(keyBytes)`
mkcerts: Split into separate file 2016-08-12 23:40:58 +02:00			`if err != nil {`
mkcerts: Clean up and rename to be nicer 2016-08-13 10:17:40 +02:00			`return fmt.Errorf("failed to write out key file %s: %s", keyFilename, err.Error())`
mkcerts: Split into separate file 2016-08-12 23:40:58 +02:00			`}`
mkcerts: Clean up and rename to be nicer 2016-08-13 10:17:40 +02:00
mkcerts: Split into separate file 2016-08-12 23:40:58 +02:00			`return nil`
			`}`