func TestTLSConnection(t *testing.T) { reactor := NewReactor() client := reactor.CreateServer("local") initialiseServerConnection(client) // generate a test certificate to use priv, _ := ecdsa.GenerateKey(elliptic.P521(), rand.Reader) duration30Days, _ := time.ParseDuration("-30h") notBefore := time.Now().Add(duration30Days) // valid 30 hours ago duration1Year, _ := time.ParseDuration("90h") notAfter := notBefore.Add(duration1Year) // for 90 hours serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) serialNumber, _ := rand.Int(rand.Reader, serialNumberLimit) template := x509.Certificate{ SerialNumber: serialNumber, Subject: pkix.Name{ Organization: []string{"gIRC-Go Co"}, }, NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, BasicConstraintsValid: true, IsCA: true, } template.IPAddresses = append(template.IPAddresses, net.ParseIP("127.0.0.1")) template.IPAddresses = append(template.IPAddresses, net.ParseIP("::")) template.DNSNames = append(template.DNSNames, "localhost") derBytes, _ := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv) c := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes}) b, _ := x509.MarshalECPrivateKey(priv) k := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: b}) // we mock up a server connection to test the client listenerKeyPair, _ := tls.X509KeyPair(c, k) var listenerTLSConfig tls.Config listenerTLSConfig.Certificates = make([]tls.Certificate, 0) listenerTLSConfig.Certificates = append(listenerTLSConfig.Certificates, listenerKeyPair) listener, _ := tls.Listen("tcp", ":0", &listenerTLSConfig) // mock up the client side too clientTLSCertPool := x509.NewCertPool() clientTLSCertPool.AppendCertsFromPEM(c) var clientTLSConfig tls.Config clientTLSConfig.RootCAs = clientTLSCertPool clientTLSConfig.ServerName = "localhost" go client.Connect(listener.Addr().String(), true, &clientTLSConfig) go client.ReceiveLoop() testServerConnection(t, reactor, client, listener) }
func GenerateCertificateForTest() *v2tls.Certificate { priv, err := rsa.GenerateKey(rand.Reader, 2048) common.Must(err) serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) serialNumber, err := rand.Int(rand.Reader, serialNumberLimit) if err != nil { log.Fatalf("failed to generate serial number: %s", err) } template := x509.Certificate{ SerialNumber: serialNumber, Subject: pkix.Name{ Organization: []string{"V2Ray Inc"}, }, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, BasicConstraintsValid: true, DNSNames: []string{"www.v2ray.com"}, } derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv) common.Must(err) certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes}) keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)}) return &v2tls.Certificate{ Certificate: certPEM, Key: keyPEM, } }
func GenerateKey() (pkPem []byte, pubkPem []byte, pubSSHAK []byte, err error) { pk, err := rsa.GenerateKey(rand.Reader, 2048) if err != nil { return } pkDer := x509.MarshalPKCS1PrivateKey(pk) pkBlock := pem.Block{ Type: "RSA PRIVATE KEY", Headers: nil, Bytes: pkDer, } pkPem = pem.EncodeToMemory(&pkBlock) pubk := pk.PublicKey pubkDer, err := x509.MarshalPKIXPublicKey(&pubk) if err != nil { return } pubkBlock := pem.Block{ Type: "PUBLIC KEY", Headers: nil, Bytes: pubkDer, } pubkPem = pem.EncodeToMemory(&pubkBlock) pubSSH, err := ssh.NewPublicKey(&pubk) if err != nil { return } pubSSHAK = ssh.MarshalAuthorizedKey(pubSSH) return }
func (crtkit *CertKit) GenerateServer(subject pkix.Name, host, email string, NotBefore ...time.Time) error { var e error var derBytes []byte var notBefore time.Time priv, err := rsa.GenerateKey(rand.Reader, 2048) if err != nil { return errors.New(fmt.Sprintf("failed to generate private key: %s", err)) } if len(NotBefore) > 0 { notBefore = NotBefore[0] } else { notBefore = time.Now() } serialNumber, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) if err != nil { return errors.New(fmt.Sprintf("failed to generate serial number: %s", err)) } if host == "" { host, _ = os.Hostname() } Goose.Generator.Logf(6, "Certificate authority used: %#v", crtkit.CACert) template := x509.Certificate{ SerialNumber: serialNumber, Subject: subject, IsCA: false, NotBefore: notBefore, NotAfter: notBefore.Add(365 * 24 * time.Hour), DNSNames: []string{host, strings.Split(host, ".")[0]}, AuthorityKeyId: crtkit.CACert.SubjectKeyId, KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, BasicConstraintsValid: true, } Goose.Generator.Logf(4, "X509 Template: %#v", template) if crtkit.CACert.CRLDistributionPoints != nil { template.CRLDistributionPoints = crtkit.CACert.CRLDistributionPoints } else { Goose.Generator.Logf(1, "Certificate authority without CRL distribution points") } crtkit.ServerKey = priv crtkit.ServerCert = &template derBytes, e = x509.CreateCertificate(rand.Reader, &template, crtkit.CACert, &priv.PublicKey, crtkit.CAKey) if e != nil { return errors.New(fmt.Sprintf("Failed to create certificate: %s", e)) } Goose.Generator.Logf(4, "DER Certificate: %s", derBytes) crtkit.ServerCertPem = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes}) crtkit.ServerKeyPem = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)}) Goose.Generator.Logf(4, "PEM Certificate: %s", crtkit.ServerCertPem) return nil }
func generateSshKeyUsingGo() (string, string, error) { privateKey, err := rsa.GenerateKey(rand.Reader, 2014) if err != nil { return "", "", err } fmt.Printf("----> creating ssh private key using Golang\n") privateKeyDer := x509.MarshalPKCS1PrivateKey(privateKey) privateKeyBlock := pem.Block{ Type: "RSA PRIVATE KEY", Headers: nil, Bytes: privateKeyDer, } privateKeyPem := string(pem.EncodeToMemory(&privateKeyBlock)) fmt.Printf("----> creating ssh public key using Golang\n") publicKey := privateKey.PublicKey publicKeyDer, err := x509.MarshalPKIXPublicKey(&publicKey) if err != nil { return "", "", err } publicKeyBlock := pem.Block{ Type: "PUBLIC KEY", Headers: nil, Bytes: publicKeyDer, } publicKeyPem := string(pem.EncodeToMemory(&publicKeyBlock)) return privateKeyPem, publicKeyPem, nil }
func (reg Registration) Export(password string) (*RegistrationExport, error) { keyBlock, err := reg.SigningKey.EncryptPrivateKey(password, utils.PemDefaultCipher) if nil != err { return nil, err } jsonBytes, err := json.Marshal(rawRegistrationExportJson{ Resource: reg.Resource, LinkTermsOfService: reg.LinkTermsOfService, RecoveryToken: reg.RecoveryToken, }) if nil != err { return nil, err } jsonBlock := &pem.Block{ Type: pemTypeAcmeJsonRegistration, Bytes: jsonBytes, } if err := utils.EncryptPemBlock(jsonBlock, password, utils.PemDefaultCipher); nil != err { return nil, err } return &RegistrationExport{ JsonPem: pem.EncodeToMemory(jsonBlock), SigningKeyPem: pem.EncodeToMemory(keyBlock), Location: reg.Location, Name: reg.Name, }, nil }
// newLeaf generates a certificate/key pair suitable for use by a leaf node. func newLeaf(caCertPEM, caKeyPEM string, expiry time.Time, hostnames []string, extKeyUsage []x509.ExtKeyUsage) (certPEM, keyPEM string, err error) { tlsCert, err := tls.X509KeyPair([]byte(caCertPEM), []byte(caKeyPEM)) if err != nil { return "", "", err } if len(tlsCert.Certificate) != 1 { return "", "", fmt.Errorf("more than one certificate for CA") } caCert, err := x509.ParseCertificate(tlsCert.Certificate[0]) if err != nil { return "", "", err } if !caCert.BasicConstraintsValid || !caCert.IsCA { return "", "", fmt.Errorf("CA certificate is not a valid CA") } caKey, ok := tlsCert.PrivateKey.(*rsa.PrivateKey) if !ok { return "", "", fmt.Errorf("CA private key has unexpected type %T", tlsCert.PrivateKey) } key, err := rsa.GenerateKey(rand.Reader, KeyBits) if err != nil { return "", "", fmt.Errorf("cannot generate key: %v", err) } now := time.Now() template := &x509.Certificate{ SerialNumber: new(big.Int), Subject: pkix.Name{ // This won't match host names with dots. The hostname // is hardcoded when connecting to avoid the issue. CommonName: "*", Organization: []string{"juju"}, }, NotBefore: now.UTC().AddDate(0, 0, -7), NotAfter: expiry.UTC(), SubjectKeyId: bigIntHash(key.N), KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageKeyAgreement, ExtKeyUsage: extKeyUsage, } for _, hostname := range hostnames { if ip := net.ParseIP(hostname); ip != nil { template.IPAddresses = append(template.IPAddresses, ip) } else { template.DNSNames = append(template.DNSNames, hostname) } } certDER, err := x509.CreateCertificate(rand.Reader, template, caCert, &key.PublicKey, caKey) if err != nil { return "", "", err } certPEMData := pem.EncodeToMemory(&pem.Block{ Type: "CERTIFICATE", Bytes: certDER, }) keyPEMData := pem.EncodeToMemory(&pem.Block{ Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key), }) return string(certPEMData), string(keyPEMData), nil }
func CreatePrivateKey(d *schema.ResourceData, meta interface{}) error { keyAlgoName := d.Get("algorithm").(string) var keyFunc keyAlgo var ok bool if keyFunc, ok = keyAlgos[keyAlgoName]; !ok { return fmt.Errorf("invalid key_algorithm %#v", keyAlgoName) } key, err := keyFunc(d) if err != nil { return err } var keyPemBlock *pem.Block switch k := key.(type) { case *rsa.PrivateKey: keyPemBlock = &pem.Block{ Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k), } case *ecdsa.PrivateKey: keyBytes, err := x509.MarshalECPrivateKey(k) if err != nil { return fmt.Errorf("error encoding key to PEM: %s", err) } keyPemBlock = &pem.Block{ Type: "EC PRIVATE KEY", Bytes: keyBytes, } default: return fmt.Errorf("unsupported private key type") } keyPem := string(pem.EncodeToMemory(keyPemBlock)) pubKey := publicKey(key) pubKeyBytes, err := x509.MarshalPKIXPublicKey(pubKey) if err != nil { return fmt.Errorf("failed to marshal public key: %s", err) } pubKeyPemBlock := &pem.Block{ Type: "PUBLIC KEY", Bytes: pubKeyBytes, } d.SetId(hashForState(string((pubKeyBytes)))) d.Set("private_key_pem", keyPem) d.Set("public_key_pem", string(pem.EncodeToMemory(pubKeyPemBlock))) sshPubKey, err := ssh.NewPublicKey(pubKey) if err == nil { // Not all EC types can be SSH keys, so we'll produce this only // if an appropriate type was selected. sshPubKeyBytes := ssh.MarshalAuthorizedKey(sshPubKey) d.Set("public_key_openssh", string(sshPubKeyBytes)) } else { d.Set("public_key_openssh", "") } return nil }
func TestExportKeysByID(t *testing.T) { s := NewTestExportStore() b := &pem.Block{} b.Bytes = make([]byte, 1000) rand.Read(b.Bytes) c := &pem.Block{} c.Bytes = make([]byte, 1000) rand.Read(c.Bytes) bBytes := pem.EncodeToMemory(b) cBytes := pem.EncodeToMemory(c) s.data["ankh"] = bBytes s.data["morpork/identifier"] = cBytes buf := bytes.NewBuffer(nil) err := ExportKeysByID(buf, s, []string{"identifier"}) require.NoError(t, err) out, err := ioutil.ReadAll(buf) require.NoError(t, err) cFinal, rest := pem.Decode(out) require.Equal(t, c.Bytes, cFinal.Bytes) require.Equal(t, "morpork/identifier", cFinal.Headers["path"]) require.Len(t, rest, 0) }
func newConfig() (client, server *tls.Config) { now := time.Now() tpl := x509.Certificate{ SerialNumber: new(big.Int).SetInt64(42), Subject: pkix.Name{CommonName: ServerName}, NotBefore: now.Add(-2 * time.Hour).UTC(), NotAfter: now.Add(2 * time.Hour).UTC(), BasicConstraintsValid: true, IsCA: true, } priv, err := rsa.GenerateKey(rand.Reader, 512) if err != nil { panic(err) } crt, err := x509.CreateCertificate(rand.Reader, &tpl, &tpl, &priv.PublicKey, priv) if err != nil { panic(err) } key := x509.MarshalPKCS1PrivateKey(priv) pair, err := tls.X509KeyPair( pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: crt}), pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: key}), ) if err != nil { panic(err) } root, err := x509.ParseCertificate(crt) if err != nil { panic(err) } server = &tls.Config{Certificates: []tls.Certificate{pair}} client = &tls.Config{RootCAs: x509.NewCertPool(), ServerName: ServerName} client.RootCAs.AddCert(root) return }
func jwsTestKey(notBefore, notAfter time.Time) (pemKey []byte, pemCert []byte) { key, err := rsa.GenerateKey(rand.Reader, 1024) if err != nil { panic(fmt.Sprintf("rsa.GenerateKey: %v", err)) } pemKey = pem.EncodeToMemory(&pem.Block{ Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key), }) tcert := x509.Certificate{ SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "www.example.org"}, Issuer: pkix.Name{CommonName: "www.example.org"}, NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, BasicConstraintsValid: true, } var cert []byte cert, err = x509.CreateCertificate(rand.Reader, &tcert, &tcert, &key.PublicKey, key) if err != nil { panic(fmt.Sprintf("x509.CreateCertificate: %v", err)) } pemCert = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert}) return pemKey, pemCert }
// newKey realiza la generación y codificación de las claves RSA en codificación PEM. func newKey() *Key { privateKey, err := rsa.GenerateKey(rand.Reader, 2048) if err != nil { log.LogE("failed to generate private key", "pkg", "try6", "func", "NewKey(string) *Key", "error", err.Error()) return nil } privPEM := pem.EncodeToMemory( &pem.Block{ Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(privateKey), }, ) pubKeyPKIX, err := x509.MarshalPKIXPublicKey(&privateKey.PublicKey) if err != nil { log.LogE("failed to generate DER public key", "pkg", "try6", "func", "NewKey(string) *Key", "error", err.Error()) return nil } pubPEM := pem.EncodeToMemory(&pem.Block{ Type: "RSA PUBLIC KEY", Bytes: pubKeyPKIX, }) return &Key{ PubKey: pubPEM, PrivKey: privPEM, } }
func genKey() (private, public []byte) { priKey, err := rsa.GenerateKey(rand.Reader, 2048) if err != nil { fmt.Println(err) return } priDer := x509.MarshalPKCS1PrivateKey(priKey) private = pem.EncodeToMemory( &pem.Block{ Type: "RSA PRIVATE KEY", Bytes: priDer, }, ) pub := priKey.PublicKey pubDer, err := x509.MarshalPKIXPublicKey(&pub) if err != nil { fmt.Println(err) return } public = pem.EncodeToMemory( &pem.Block{ Type: "PUBLIC KEY", Headers: nil, Bytes: pubDer, }, ) ioutil.WriteFile("public.pem", public, 0644) ioutil.WriteFile("private.pem", private, 0644) return }
func generateRSAKeys(bits int) (string, string, error) { if err := validateRSABits(bits); err != nil { return "", "", err } privateKey, err := rsa.GenerateKey(rand.Reader, bits) if err != nil { return "", "", err } pubASN1, err := x509.MarshalPKIXPublicKey(&privateKey.PublicKey) if err != nil { return "", "", err } publicKeyBytes := pem.EncodeToMemory( &pem.Block{ Type: rsaPublicBlockType, Bytes: pubASN1, }, ) privateKeyBytes := pem.EncodeToMemory( &pem.Block{ Type: rsaPrivateBlockType, Bytes: x509.MarshalPKCS1PrivateKey(privateKey), }, ) return string(publicKeyBytes), string(privateKeyBytes), nil }
func getCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) { fmt.Printf("getCertificate(%#v)", clientHello) // name := clientHello.ServerName name := "www.gov.cn" glog.Infof("Generating RootCA for %s", name) template := x509.Certificate{ IsCA: true, SerialNumber: big.NewInt(1), Subject: pkix.Name{ Organization: []string{name}, }, NotBefore: time.Now().Add(-time.Duration(5 * time.Minute)), NotAfter: time.Now().Add(180 * 24 * time.Hour), KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, BasicConstraintsValid: true, } priv, err := rsa.GenerateKey(rand.Reader, 1024) if err != nil { return nil, err } derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv) if err != nil { return nil, err } certPEMBlock := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes}) keyPEMBlock := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)}) cert, err := tls.X509KeyPair(certPEMBlock, keyPEMBlock) return &cert, err }
func CreateTLS() *tls.Config { priv, err := rsa.GenerateKey(rand.Reader, 2048) if err != nil { log.Fatal("failed to generate private key:", err) } var notBefore time.Time notBefore = time.Now() notAfter := notBefore.Add(365 * 24 * time.Hour) serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) serialNumber, err := rand.Int(rand.Reader, serialNumberLimit) if err != nil { log.Fatal("failed to generate serial number:", err) } template := x509.Certificate{ SerialNumber: serialNumber, Subject: pkix.Name{ Organization: []string{"Wago"}, }, NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, BasicConstraintsValid: true, } hosts := []string{"127.0.0.1", "::1", "localhost"} for _, h := range hosts { if ip := net.ParseIP(h); ip != nil { template.IPAddresses = append(template.IPAddresses, ip) } else { template.DNSNames = append(template.DNSNames, h) } } template.IsCA = true template.KeyUsage |= x509.KeyUsageCertSign derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv) if err != nil { log.Fatal("Failed to create certificate:", err) } certPEMBlock := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes}) keyPEMBlock := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)}) cert, err := tls.X509KeyPair(certPEMBlock, keyPEMBlock) if err != nil { log.Fatal(err) } return &tls.Config{ Certificates: []tls.Certificate{cert}, } }
func createTLSConfig(host string) (certPEMBlock, keyPEMBlock []byte, err error) { now := time.Now() tpl := x509.Certificate{ SerialNumber: new(big.Int).SetInt64(0), Subject: pkix.Name{CommonName: host}, NotBefore: now.Add(-24 * time.Hour).UTC(), NotAfter: now.AddDate(1, 0, 0).UTC(), KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, BasicConstraintsValid: true, MaxPathLen: 1, IsCA: true, SubjectKeyId: []byte{1, 2, 3, 4}, Version: 2, } key, err := rsa.GenerateKey(rand.Reader, 2048) if err != nil { return } der, err := x509.CreateCertificate(rand.Reader, &tpl, &tpl, &key.PublicKey, key) if err != nil { return } certPEMBlock = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}) keyPEMBlock = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}) return }
// generate RSA key pair func GenerateKeyPair() (map[string]string, error) { kp := make(map[string]string) privateKey, err := rsa.GenerateKey(rand.Reader, 2048) if err != nil { return kp, err } // calculations to speed up private key operations and // some basic sanity checks privateKey.Precompute() if err = privateKey.Validate(); err != nil { return kp, err } // convert private key to pem encode privBlock := &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(privateKey)} privPEMData := pem.EncodeToMemory(privBlock) // convert public key to pem encode PubASN1, err := x509.MarshalPKIXPublicKey(&privateKey.PublicKey) if err != nil { return kp, err } pubPEMData := pem.EncodeToMemory(&pem.Block{ Type: "PUBLIC KEY", Bytes: PubASN1, }) kp["private_key"] = string(privPEMData) kp["public_key"] = string(pubPEMData) return kp, nil }
func (ca *CA) createCAKeyPair(name string) *ecdsa.PrivateKey { caLogger.Debug("Creating CA key pair.") curve := primitives.GetDefaultCurve() priv, err := ecdsa.GenerateKey(curve, rand.Reader) if err == nil { raw, _ := x509.MarshalECPrivateKey(priv) cooked := pem.EncodeToMemory( &pem.Block{ Type: "ECDSA PRIVATE KEY", Bytes: raw, }) err = ioutil.WriteFile(ca.path+"/"+name+".priv", cooked, 0644) if err != nil { caLogger.Panic(err) } raw, _ = x509.MarshalPKIXPublicKey(&priv.PublicKey) cooked = pem.EncodeToMemory( &pem.Block{ Type: "ECDSA PUBLIC KEY", Bytes: raw, }) err = ioutil.WriteFile(ca.path+"/"+name+".pub", cooked, 0644) if err != nil { caLogger.Panic(err) } } if err != nil { caLogger.Panic(err) } return priv }
func genKeyPair(keySize int) (string, string, error) { prikey, err := rsa.GenerateKey(rand.Reader, keySize) if err != nil { return "", "", err } marshaled := x509.MarshalPKCS1PrivateKey(prikey) marshaledPublic, errpk := x509.MarshalPKIXPublicKey(&prikey.PublicKey) if errpk != nil { return "", "", errpk } privateKeyPEM := pem.EncodeToMemory(&pem.Block{ Type: "RSA PRIVATE KEY", Headers: nil, Bytes: marshaled, }) publicKeyPEM := pem.EncodeToMemory(&pem.Block{ Type: "RSA PUBLIC KEY", Headers: nil, Bytes: marshaledPublic, }) return string(privateKeyPEM), string(publicKeyPEM), nil }
// NewCA generates a CA certificate/key pair suitable for signing server // keys for an environment with the given name. func NewCA(envName string, expiry time.Time) (certPEM, keyPEM string, err error) { key, err := rsa.GenerateKey(rand.Reader, KeyBits) if err != nil { return "", "", err } now := time.Now() template := &x509.Certificate{ SerialNumber: new(big.Int), Subject: pkix.Name{ CommonName: fmt.Sprintf("juju-generated CA for environment %q", envName), Organization: []string{"juju"}, }, NotBefore: now.UTC().AddDate(0, 0, -7), NotAfter: expiry.UTC(), SubjectKeyId: bigIntHash(key.N), KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, IsCA: true, MaxPathLen: 0, // Disallow delegation for now. BasicConstraintsValid: true, } certDER, err := x509.CreateCertificate(rand.Reader, template, template, &key.PublicKey, key) if err != nil { return "", "", fmt.Errorf("cannot create certificate: %v", err) } certPEMData := pem.EncodeToMemory(&pem.Block{ Type: "CERTIFICATE", Bytes: certDER, }) keyPEMData := pem.EncodeToMemory(&pem.Block{ Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key), }) return string(certPEMData), string(keyPEMData), nil }
func TestExportKeysByID(t *testing.T) { setUp(t) tempBaseDir, err := ioutil.TempDir("", "notary-test-") require.NoError(t, err) defer os.RemoveAll(tempBaseDir) output, err := ioutil.TempFile("", "notary-test-import-") require.NoError(t, err) defer os.RemoveAll(output.Name()) k := &keyCommander{ configGetter: func() (*viper.Viper, error) { v := viper.New() v.SetDefault("trust_dir", tempBaseDir) return v, nil }, } k.outFile = output.Name() err = output.Close() // close so export can open require.NoError(t, err) k.exportKeyIDs = []string{"one", "three"} b := &pem.Block{} b.Bytes = make([]byte, 1000) rand.Read(b.Bytes) b2 := &pem.Block{} b2.Bytes = make([]byte, 1000) rand.Read(b2.Bytes) c := &pem.Block{} c.Bytes = make([]byte, 1000) rand.Read(c.Bytes) bBytes := pem.EncodeToMemory(b) b2Bytes := pem.EncodeToMemory(b2) cBytes := pem.EncodeToMemory(c) fileStore, err := store.NewPrivateKeyFileStorage(tempBaseDir, notary.KeyExtension) require.NoError(t, err) err = fileStore.Set("one", bBytes) require.NoError(t, err) err = fileStore.Set("two", b2Bytes) require.NoError(t, err) err = fileStore.Set("three", cBytes) require.NoError(t, err) err = k.exportKeys(&cobra.Command{}, nil) require.NoError(t, err) outRes, err := ioutil.ReadFile(k.outFile) require.NoError(t, err) block, rest := pem.Decode(outRes) require.Equal(t, b.Bytes, block.Bytes) require.Equal(t, "one", block.Headers["path"]) block, rest = pem.Decode(rest) require.Equal(t, c.Bytes, block.Bytes) require.Equal(t, "three", block.Headers["path"]) require.Len(t, rest, 0) }
// ToCSRBundle converts a byte-based raw DER certificate bundle // to a PEM-based string certificate bundle func (p *ParsedCSRBundle) ToCSRBundle() (*CSRBundle, error) { result := &CSRBundle{} block := pem.Block{ Type: "CERTIFICATE REQUEST", } if p.CSRBytes != nil && len(p.CSRBytes) > 0 { block.Bytes = p.CSRBytes result.CSR = strings.TrimSpace(string(pem.EncodeToMemory(&block))) } if p.PrivateKeyBytes != nil && len(p.PrivateKeyBytes) > 0 { block.Bytes = p.PrivateKeyBytes switch p.PrivateKeyType { case RSAPrivateKey: result.PrivateKeyType = "rsa" block.Type = "RSA PRIVATE KEY" case ECPrivateKey: result.PrivateKeyType = "ec" block.Type = "EC PRIVATE KEY" default: return nil, errutil.InternalError{"Could not determine private key type when creating block"} } result.PrivateKey = strings.TrimSpace(string(pem.EncodeToMemory(&block))) } return result, nil }
// GeneratePem generates a new PEM with the config of the current KeyStore instance and returns it. // This PEM will be stored in the KeyStore instance. func (instance KeyStore) GeneratePem(name string) ([]byte, *x509.Certificate, error) { if !instance.enabled { return []byte{}, nil, errors.New("KeyStore is not enabled.") } privateKey, privateKeyBytes, publicKey, err := generatePrivateKey(instance.Config()) if err != nil { return []byte{}, nil, errors.New("Could not generate pem for '%v'.", name).CausedBy(err) } certificateDerBytes, err := instance.generateClientCertificate(name, publicKey, privateKey) if err != nil { return []byte{}, nil, err } cert, err := x509.ParseCertificate(certificateDerBytes) if err != nil || cert == nil { return []byte{}, nil, errors.New("Wow! Could not parse right now created certificate for '%v'?", name).CausedBy(err) } pemBytes := []byte{} pemBytes = append(pemBytes, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certificateDerBytes})...) pemBytes = append(pemBytes, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: instance.cert.Raw})...) pemBytes = append(pemBytes, pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: privateKeyBytes})...) return pemBytes, cert, nil }
// Bundle bundles the certificate with the issuer certificate. func (c *Client) Bundle(certResp *CertificateResponse) (bundledPEM []byte, err error) { if !certResp.IsAvailable() { return nil, errors.New("Cannot bundle without certificate") } if certResp.Issuer == "" { return nil, errors.New("Could not bundle certificates. Issuer not found") } resp, err := c.client.Get(certResp.Issuer) if err != nil { return nil, fmt.Errorf("Error requesting issuer certificate: %s", err) } defer resp.Body.Close() issuerDER, err := ioutil.ReadAll(resp.Body) if err != nil { return nil, fmt.Errorf("Error reading issuer certificate: %s", err) } certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certResp.Certificate.Raw}) issuerPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: issuerDER}) return append(certPEM, issuerPEM...), nil }
func generateKeys(c Config) { keyPath := c.KeyDirectory username := c.Username privPath := fmt.Sprintf("%s/privatekey_%s.pem", keyPath, username) pubPath := fmt.Sprintf("%s/publickey_%s.pem", keyPath, username) // generate private key privatekey, err := rsa.GenerateKey(rand.Reader, 1024) checkError(err) // Write Private Key privBytes := pem.EncodeToMemory(&pem.Block{ Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(privatekey), }) ioutil.WriteFile(privPath, privBytes, 0600) log.Info("Private Key: ", privPath) fmt.Println(string(privBytes)) // Write Public Key ansipub, err := x509.MarshalPKIXPublicKey(&privatekey.PublicKey) checkError(err) pubBytes := pem.EncodeToMemory(&pem.Block{ Type: "RSA PUBLIC KEY", Bytes: ansipub, }) ioutil.WriteFile(pubPath, pubBytes, 0644) log.Info("Public Key: ", pubPath) fmt.Println(string(pubBytes)) }
// GenerateKeys generates private and public RSA keys func GenerateKeys(bits int) (string, string) { priv, _ := rsa.GenerateKey(rand.Reader, bits) // Get der format. priv_der []byte privDer := x509.MarshalPKCS1PrivateKey(priv) privBlk := pem.Block{ Type: "RSA PRIVATE KEY", Headers: nil, Bytes: privDer, } // Resultant private key in PEM format. privPem := string(pem.EncodeToMemory(&privBlk)) // Public Key generation pub := priv.PublicKey pubDer, _ := x509.MarshalPKIXPublicKey(&pub) pubBlk := pem.Block{ Type: "PUBLIC KEY", Headers: nil, Bytes: pubDer, } // Resultant public key in PEM format. pubPem := string(pem.EncodeToMemory(&pubBlk)) return privPem, pubPem }
// GenerateRSAKeys creates a pair of private and public keys for a client. func GenerateRSAKeys() (string, string, error) { /* Shamelessly borrowed and adapted from some golang-samples */ priv, err := rsa.GenerateKey(rand.Reader, 2048) if err != nil { return "", "", err } if err := priv.Validate(); err != nil { errStr := fmt.Errorf("RSA key validation failed: %s", err) return "", "", errStr } privDer := x509.MarshalPKCS1PrivateKey(priv) /* For some reason chef doesn't label the keys RSA PRIVATE/PUBLIC KEY */ privBlk := pem.Block{ Type: "RSA PRIVATE KEY", Headers: nil, Bytes: privDer, } privPem := string(pem.EncodeToMemory(&privBlk)) pub := priv.PublicKey pubDer, err := x509.MarshalPKIXPublicKey(&pub) if err != nil { errStr := fmt.Errorf("Failed to get der format for public key: %s", err) return "", "", errStr } pubBlk := pem.Block{ Type: "PUBLIC KEY", Headers: nil, Bytes: pubDer, } pubPem := string(pem.EncodeToMemory(&pubBlk)) return privPem, pubPem, nil }
// GenerateKeys returns a new key pair, with the private and public key // encoded in PEM format. func GenerateKeys() (privKey []byte, pubKey []byte, err error) { // Generate a new key pair key, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader) if err != nil { return nil, nil, err } // Marshal the private key bs, err := x509.MarshalECPrivateKey(key) if err != nil { return nil, nil, err } // Encode it in PEM format privKey = pem.EncodeToMemory(&pem.Block{ Type: "EC PRIVATE KEY", Bytes: bs, }) // Marshal the public key bs, err = x509.MarshalPKIXPublicKey(key.Public()) if err != nil { return nil, nil, err } // Encode it in PEM format pubKey = pem.EncodeToMemory(&pem.Block{ Type: "EC PUBLIC KEY", Bytes: bs, }) return }
// Generates a self-signed RSA keypair for 127.0.0.1 and returns both key and // certificate as byte arrays. func generateRSAKeyPair() (pemCert []byte, pemKey []byte) { priv, err := rsa.GenerateKey(rand.Reader, 2048) if err != nil { panic(fmt.Sprintf("Error generating RSA key: %s", err)) } key := x509.MarshalPKCS1PrivateKey(priv) notBefore := time.Now() notAfter := notBefore.Add(365 * 24 * time.Hour) serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) serialNumber, _ := rand.Int(rand.Reader, serialNumberLimit) template := x509.Certificate{ SerialNumber: serialNumber, Subject: pkix.Name{Organization: []string{"Example.com"}}, NotBefore: notBefore, NotAfter: notAfter, BasicConstraintsValid: true, IsCA: true, IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}, } var cert []byte cert, err = x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv) if err != nil { panic(fmt.Sprintf("Failed to create certificate: %s", err)) } pemKey = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: key}) pemCert = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert}) return }