// When comparing certificates created at different times for equality, we do
// not want to worry about fields which are dependent on the time of creation.
// Thus we nullify these fields before comparing the certificates.
func nullifyTimeDependency(cert *x509.Certificate) *x509.Certificate {
cert.Raw = nil
cert.RawTBSCertificate = nil
cert.RawSubjectPublicKeyInfo = nil
cert.Signature = nil
cert.PublicKey = nil
cert.SerialNumber = nil
cert.NotBefore = time.Time{}
cert.NotAfter = time.Time{}
cert.Extensions = nil
cert.SubjectKeyId = nil
cert.AuthorityKeyId = nil
return cert
}
func templateWithKey(template *x509.Certificate, size int) (*x509.Certificate, *rsa.PrivateKey, error) {
priv, err := rsa.GenerateKey(rand.Reader, size)
if err != nil {
return nil, nil, err
}
keyID, err := hashPublicKey(&priv.PublicKey)
if err != nil {
return nil, nil, err
}
template.SubjectKeyId = keyID
template.PublicKey = priv.Public()
return template, priv, nil
}
// FillTemplate is a utility function that tries to load as much of
// the certificate template as possible from the profiles and current
// template. It fills in the key uses, expiration, revocation URLs
// and SKI.
func FillTemplate(template *x509.Certificate, defaultProfile, profile *config.SigningProfile) error {
ski, err := ComputeSKI(template)
var (
eku []x509.ExtKeyUsage
ku x509.KeyUsage
backdate time.Duration
expiry time.Duration
notBefore time.Time
notAfter time.Time
crlURL, ocspURL string
)
// The third value returned from Usages is a list of unknown key usages.
// This should be used when validating the profile at load, and isn't used
// here.
ku, eku, _ = profile.Usages()
if profile.IssuerURL == nil {
profile.IssuerURL = defaultProfile.IssuerURL
}
if ku == 0 && len(eku) == 0 {
return cferr.New(cferr.PolicyError, cferr.NoKeyUsages)
}
if expiry = profile.Expiry; expiry == 0 {
expiry = defaultProfile.Expiry
}
if crlURL = profile.CRL; crlURL == "" {
crlURL = defaultProfile.CRL
}
if ocspURL = profile.OCSP; ocspURL == "" {
ocspURL = defaultProfile.OCSP
}
if backdate = profile.Backdate; backdate == 0 {
backdate = -5 * time.Minute
} else {
backdate = -1 * profile.Backdate
}
if !profile.NotBefore.IsZero() {
notBefore = profile.NotBefore.UTC()
} else {
notBefore = time.Now().Round(time.Minute).Add(backdate).UTC()
}
if !profile.NotAfter.IsZero() {
notAfter = profile.NotAfter.UTC()
} else {
notAfter = notBefore.Add(expiry).UTC()
}
template.NotBefore = notBefore
template.NotAfter = notAfter
template.KeyUsage = ku
template.ExtKeyUsage = eku
template.BasicConstraintsValid = true
template.IsCA = profile.CA
template.SubjectKeyId = ski
if ocspURL != "" {
template.OCSPServer = []string{ocspURL}
}
if crlURL != "" {
template.CRLDistributionPoints = []string{crlURL}
}
if len(profile.IssuerURL) != 0 {
template.IssuingCertificateURL = profile.IssuerURL
}
if len(profile.Policies) != 0 {
err = addPolicies(template, profile.Policies)
if err != nil {
return cferr.Wrap(cferr.PolicyError, cferr.InvalidPolicy, err)
}
}
if profile.OCSPNoCheck {
ocspNoCheckExtension := pkix.Extension{
Id: asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1, 5},
Critical: false,
Value: []byte{0x05, 0x00},
}
template.ExtraExtensions = append(template.ExtraExtensions, ocspNoCheckExtension)
}
return nil
}
func (s *Signer) sign(template *x509.Certificate, profile *config.SigningProfile) (cert []byte, err error) {
pub := template.PublicKey
encodedpub, err := x509.MarshalPKIXPublicKey(pub)
if err != nil {
return
}
pubhash := sha1.New()
pubhash.Write(encodedpub)
if profile == nil {
profile = s.Policy.Default
}
var (
eku []x509.ExtKeyUsage
ku x509.KeyUsage
expiry time.Duration
crlURL, ocspURL string
)
// The third value returned from Usages is a list of unknown key usages.
// This should be used when validating the profile at load, and isn't used
// here.
ku, eku, _ = profile.Usages()
expiry = profile.Expiry
if profile.IssuerURL == nil {
profile.IssuerURL = s.Policy.Default.IssuerURL
}
if ku == 0 && len(eku) == 0 {
err = cferr.New(cferr.PolicyError, cferr.NoKeyUsages, errors.New("no key usage available"))
return
}
if expiry == 0 {
expiry = s.Policy.Default.Expiry
}
if crlURL = profile.CRL; crlURL == "" {
crlURL = s.Policy.Default.CRL
}
if ocspURL = profile.OCSP; ocspURL == "" {
ocspURL = s.Policy.Default.OCSP
}
now := time.Now()
serialNumber, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64))
if err != nil {
err = cferr.New(cferr.CertificateError, cferr.Unknown, err)
}
template.SerialNumber = serialNumber
template.NotBefore = now.Add(-5 * time.Minute).UTC()
template.NotAfter = now.Add(expiry).UTC()
template.KeyUsage = ku
template.ExtKeyUsage = eku
template.BasicConstraintsValid = true
template.IsCA = profile.CA
template.SubjectKeyId = pubhash.Sum(nil)
if ocspURL != "" {
template.OCSPServer = []string{ocspURL}
}
if crlURL != "" {
template.CRLDistributionPoints = []string{crlURL}
}
if len(profile.IssuerURL) != 0 {
template.IssuingCertificateURL = profile.IssuerURL
}
var initRoot bool
if s.CA == nil {
if !template.IsCA {
err = cferr.New(cferr.PolicyError, cferr.InvalidRequest, nil)
return
}
template.DNSNames = nil
s.CA = template
initRoot = true
template.MaxPathLen = 2
} else if template.IsCA {
template.MaxPathLen = 1
template.DNSNames = nil
}
derBytes, err := x509.CreateCertificate(rand.Reader, template, s.CA, pub, s.Priv)
if err != nil {
return
}
if initRoot {
s.CA, err = x509.ParseCertificate(derBytes)
if err != nil {
err = cferr.New(cferr.CertificateError, cferr.ParseFailed, err)
return
}
}
cert = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
return
}
func GenerateCertifcate(pkiroot, name string, template *x509.Certificate) error {
// TODO(jclerc): check that pki has been init
var crtPath string
privateKeyPath := filepath.Join(pkiroot, "private", name+".key")
if name == "ca" {
crtPath = filepath.Join(pkiroot, name+".crt")
} else {
crtPath = filepath.Join(pkiroot, "issued", name+".crt")
}
var caCrt *x509.Certificate
var caKey *rsa.PrivateKey
if _, err := os.Stat(privateKeyPath); err == nil {
return fmt.Errorf("a key pair for %v already exists", name)
}
privateKey, err := GeneratePrivateKey(privateKeyPath)
if err != nil {
return fmt.Errorf("generate private key: %v", err)
}
publicKeyBytes, err := asn1.Marshal(*privateKey.Public().(*rsa.PublicKey))
if err != nil {
return fmt.Errorf("marshal public key: %v", err)
}
subjectKeyId := sha1.Sum(publicKeyBytes)
template.SubjectKeyId = subjectKeyId[:]
template.NotBefore = time.Now()
template.SignatureAlgorithm = x509.SHA256WithRSA
if template.IsCA {
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
if err != nil {
return fmt.Errorf("failed to generate ca serial number: %s", err)
}
template.SerialNumber = serialNumber
template.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
template.BasicConstraintsValid = true
template.Issuer = template.Subject
template.AuthorityKeyId = template.SubjectKeyId
caCrt = template
caKey = privateKey
} else {
template.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
serialNumber, err := NextNumber(pkiroot, "serial")
if err != nil {
return fmt.Errorf("get next serial: %v", err)
}
template.SerialNumber = serialNumber
caCrt, caKey, err = GetCA(pkiroot)
if err != nil {
return fmt.Errorf("get ca: %v", err)
}
}
crt, err := x509.CreateCertificate(rand.Reader, template, caCrt, privateKey.Public(), caKey)
if err != nil {
return fmt.Errorf("create certificate: %v", err)
}
crtFile, err := os.Create(crtPath)
if err != nil {
return fmt.Errorf("create %v: %v", crtPath, err)
}
defer crtFile.Close()
err = pem.Encode(crtFile, &pem.Block{
Type: "CERTIFICATE",
Bytes: crt,
})
if err != nil {
return fmt.Errorf("pem encode crt: %v", err)
}
// I do not think we have to write the ca.crt in the index
if !template.IsCA {
WriteIndex(pkiroot, name, template)
if err != nil {
return fmt.Errorf("write index: %v", err)
}
}
return nil
}
