3
0
mirror of https://github.com/ergochat/ergo.git synced 2024-11-13 23:49:30 +01:00

mkcerts: Split into separate file

This commit is contained in:
Daniel Oaks 2016-08-13 07:40:58 +10:00
parent 1b67af7e85
commit b519145a8a
2 changed files with 85 additions and 67 deletions

79
mkcerts/certs.go Normal file
View File

@ -0,0 +1,79 @@
// Copyright (c) 2016- Daniel Oaks <daniel@danieloaks.net>
// released under the MIT license
package mkcerts
import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"fmt"
"math/big"
"net"
"os"
"time"
)
// CreateCert creates a testing ECDSA certificate, outputting the cert and key at the given filenames.
func CreateCert(orgName string, host string, certFilename string, keyFilename string) error {
validFrom := time.Now()
validFor := 365 * 24 * time.Hour
notAfter := validFrom.Add(validFor)
priv, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
if err != nil {
return fmt.Errorf("failed to generate serial number: %s", err)
}
template := x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{
Organization: []string{orgName},
},
NotBefore: validFrom,
NotAfter: notAfter,
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
}
// TODO: allow explicitly listing allowed addresses/names
template.IPAddresses = append(template.IPAddresses, net.ParseIP("127.0.0.1"))
template.IPAddresses = append(template.IPAddresses, net.ParseIP("::1"))
if host != "" {
template.DNSNames = append(template.DNSNames, host)
}
template.DNSNames = append(template.DNSNames, "localhost")
derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
if err != nil {
return fmt.Errorf("Failed to create certificate: %s", err.Error())
}
certOut, err := os.Create(certFilename)
if err != nil {
return fmt.Errorf("failed to open %s for writing: %s", certFilename, err.Error())
}
pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
certOut.Close()
keyOut, err := os.OpenFile(keyFilename, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
if err != nil {
return fmt.Errorf("failed to open %s for writing: %s", keyFilename, err.Error())
}
b, err := x509.MarshalECPrivateKey(priv)
if err != nil {
return fmt.Errorf("Unable to marshal ECDSA private key: %v", err.Error())
}
pemBlock := pem.Block{Type: "EC PRIVATE KEY", Bytes: b}
pem.Encode(keyOut, &pemBlock)
keyOut.Close()
return nil
}

View File

@ -6,21 +6,12 @@
package main package main
import ( import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"fmt" "fmt"
"log" "log"
"math/big"
"net"
"os"
"syscall" "syscall"
"time"
"github.com/DanielOaks/oragono/irc" "github.com/DanielOaks/oragono/irc"
"github.com/DanielOaks/oragono/mkcerts"
"github.com/docopt/docopt-go" "github.com/docopt/docopt-go"
"golang.org/x/crypto/ssh/terminal" "golang.org/x/crypto/ssh/terminal"
) )
@ -74,64 +65,12 @@ Options:
for name, conf := range config.Server.TLSListeners { for name, conf := range config.Server.TLSListeners {
log.Printf(" creating cert for %s listener\n", name) log.Printf(" creating cert for %s listener\n", name)
host := config.Server.Name host := config.Server.Name
validFrom := time.Now() err := mkcerts.CreateCert("Oragono", host, conf.Cert, conf.Key)
validFor := 365 * 24 * time.Hour if err == nil {
notAfter := validFrom.Add(validFor) log.Printf(" Certificate created at %s : %s\n", conf.Cert, conf.Key)
} else {
priv, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader) log.Fatal(" Could not create certificate:", err.Error())
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
if err != nil {
log.Fatalf("failed to generate serial number: %s", err)
} }
template := x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{
Organization: []string{"Oragono"},
},
NotBefore: validFrom,
NotAfter: notAfter,
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
}
// TODO: allow explicitly listing allowed addresses/names
template.IPAddresses = append(template.IPAddresses, net.ParseIP("127.0.0.1"))
template.IPAddresses = append(template.IPAddresses, net.ParseIP("::1"))
template.DNSNames = append(template.DNSNames, host)
template.DNSNames = append(template.DNSNames, "localhost")
derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
if err != nil {
log.Fatalf("Failed to create certificate: %s", err)
}
certOut, err := os.Create(conf.Cert)
if err != nil {
log.Fatalf("failed to open %s for writing: %s", conf.Cert, err)
}
pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
certOut.Close()
log.Printf(" wrote %s\n", conf.Cert)
keyOut, err := os.OpenFile(conf.Key, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
if err != nil {
log.Print(fmt.Sprintf("failed to open %s for writing:", conf.Key), err)
return
}
b, err := x509.MarshalECPrivateKey(priv)
if err != nil {
fmt.Fprintf(os.Stderr, "Unable to marshal ECDSA private key: %v", err)
os.Exit(2)
}
pemBlock := pem.Block{Type: "EC PRIVATE KEY", Bytes: b}
pem.Encode(keyOut, &pemBlock)
keyOut.Close()
log.Printf(" wrote %s\n", conf.Key)
} }
} else if arguments["run"].(bool) { } else if arguments["run"].(bool) {
irc.Log.SetLevel(config.Server.Log) irc.Log.SetLevel(config.Server.Log)