// CreateAndWriteRootCA creates a Certificate authority for a new Swarm Cluster, potentially // overwriting any existing CAs. func CreateAndWriteRootCA(rootCN string, paths CertPaths) (RootCA, error) { // Create a simple CSR for the CA using the default CA validator and policy req := cfcsr.CertificateRequest{ CN: rootCN, KeyRequest: &cfcsr.BasicKeyRequest{A: RootKeyAlgo, S: RootKeySize}, CA: &cfcsr.CAConfig{Expiry: RootCAExpiration}, } // Generate the CA and get the certificate and private key cert, _, key, err := initca.New(&req) if err != nil { return RootCA{}, err } // Ensure directory exists err = os.MkdirAll(filepath.Dir(paths.Cert), 0755) if err != nil { return RootCA{}, err } // Write the Private Key and Certificate to disk, using decent permissions if err := ioutils.AtomicWriteFile(paths.Cert, cert, 0644); err != nil { return RootCA{}, err } if err := ioutils.AtomicWriteFile(paths.Key, key, 0600); err != nil { return RootCA{}, err } return NewRootCA(cert, key, DefaultNodeCertExpiration) }
// CreateRootCA creates a Certificate authority for a new Swarm Cluster, potentially // overwriting any existing CAs. func CreateRootCA(rootCN string, paths CertPaths) (RootCA, error) { // Create a simple CSR for the CA using the default CA validator and policy req := cfcsr.CertificateRequest{ CN: rootCN, KeyRequest: &cfcsr.BasicKeyRequest{A: RootKeyAlgo, S: RootKeySize}, CA: &cfcsr.CAConfig{Expiry: RootCAExpiration}, } // Generate the CA and get the certificate and private key cert, _, key, err := initca.New(&req) if err != nil { return RootCA{}, err } rootCA, err := NewRootCA(cert, key, DefaultNodeCertExpiration) if err != nil { return RootCA{}, err } // save the cert to disk if err := saveRootCA(rootCA, paths); err != nil { return RootCA{}, err } return rootCA, nil }
// initialCAHandler is an HTTP handler that accepts a JSON blob in the // same format as the CSR endpoint; this blob should contain the // identity information for the CA's root key. This endpoint is not // suitable for creating intermediate certificates. func initialCAHandler(w http.ResponseWriter, r *http.Request) error { log.Info("setting up initial CA handler") body, err := ioutil.ReadAll(r.Body) if err != nil { log.Warningf("failed to read request body: %v", err) return errors.NewBadRequest(err) } r.Body.Close() req := new(csr.CertificateRequest) req.KeyRequest = csr.NewBasicKeyRequest() err = json.Unmarshal(body, req) if err != nil { log.Warningf("failed to unmarshal request: %v", err) return errors.NewBadRequest(err) } cert, _, key, err := initca.New(req) if err != nil { log.Warningf("failed to initialise new CA: %v", err) return err } response := api.NewSuccessResponse(&NewCA{string(key), string(cert)}) enc := json.NewEncoder(w) err = enc.Encode(response) return err }
func TestLoadSigner(t *testing.T) { lca := &CA{} certPEM, csrPEM, keyPEM, err := initca.New(ExampleRequest()) assert.NoErrorT(t, err) _, err = lca.CACertificate() assert.ErrorEqT(t, errNotSetup, err) _, err = lca.SignCSR(csrPEM) assert.ErrorEqT(t, errNotSetup, err) lca.KeyFile, err = tempName() assert.NoErrorT(t, err) defer os.Remove(lca.KeyFile) lca.CertFile, err = tempName() assert.NoErrorT(t, err) defer os.Remove(lca.CertFile) err = ioutil.WriteFile(lca.KeyFile, keyPEM, 0644) assert.NoErrorT(t, err) err = ioutil.WriteFile(lca.CertFile, certPEM, 0644) assert.NoErrorT(t, err) err = Load(lca, ExampleSigningConfig()) assert.NoErrorT(t, err) }
func genkeyMain(args []string) (err error) { csrFile, args, err := popFirstArgument(args) if err != nil { return } csrFileBytes, err := ioutil.ReadFile(csrFile) if err != nil { return } var req csr.CertificateRequest err = json.Unmarshal(csrFileBytes, &req) if err != nil { return } if Config.isCA { var key, cert []byte cert, key, err = initca.New(&req) if err != nil { return } var out = struct { Key string `json:"key"` Cert string `json:"cert"` }{string(key), string(cert)} var jsonOut []byte jsonOut, err = json.Marshal(out) if err != nil { return } fmt.Printf("%s\n", string(jsonOut)) } else { var key, csrPEM []byte g := &csr.Generator{validator} csrPEM, key, err = g.ProcessRequest(&req) if err != nil { key = nil return } var out = struct { Key string `json:"key"` CSR string `json:"csr"` }{string(key), string(csrPEM)} var jsonOut []byte jsonOut, err = json.Marshal(out) if err != nil { return } fmt.Printf("%s\n", string(jsonOut)) } return nil }
// createAndWriteca.RootCA creates a Certificate authority for a new Swarm Cluster. // We're copying CreateAndWriteca.RootCA, so we can have smaller key-sizes for tests func createAndWriteRootCA(rootCN string, paths ca.CertPaths, expiry time.Duration) (ca.RootCA, error) { // Create a simple CSR for the CA using the default CA validator and policy req := cfcsr.CertificateRequest{ CN: rootCN, KeyRequest: cfcsr.NewBasicKeyRequest(), CA: &cfcsr.CAConfig{Expiry: ca.RootCAExpiration}, } // Generate the CA and get the certificate and private key cert, _, key, err := initca.New(&req) if err != nil { return ca.RootCA{}, err } // Convert the key given by initca to an object to create a ca.RootCA parsedKey, err := helpers.ParsePrivateKeyPEM(key) if err != nil { log.Errorf("failed to parse private key: %v", err) return ca.RootCA{}, err } // Convert the certificate into an object to create a ca.RootCA parsedCert, err := helpers.ParseCertificatePEM(cert) if err != nil { return ca.RootCA{}, err } // Create a Signer out of the private key signer, err := local.NewSigner(parsedKey, parsedCert, cfsigner.DefaultSigAlgo(parsedKey), ca.SigningPolicy(expiry)) if err != nil { log.Errorf("failed to create signer: %v", err) return ca.RootCA{}, err } // Ensure directory exists err = os.MkdirAll(filepath.Dir(paths.Cert), 0755) if err != nil { return ca.RootCA{}, err } // Write the Private Key and Certificate to disk, using decent permissions if err := ioutils.AtomicWriteFile(paths.Cert, cert, 0644); err != nil { return ca.RootCA{}, err } if err := ioutils.AtomicWriteFile(paths.Key, key, 0600); err != nil { return ca.RootCA{}, err } // Create a Pool with our Root CA Certificate pool := x509.NewCertPool() if !pool.AppendCertsFromPEM(cert) { return ca.RootCA{}, fmt.Errorf("failed to append certificate to cert pool") } return ca.RootCA{Signer: signer, Key: key, Cert: cert, Pool: pool}, nil }
// CreateRootCertAndKey returns a generated certificate and key for a root CA func CreateRootCertAndKey(rootCN string) ([]byte, []byte, error) { // Create a simple CSR for the CA using the default CA validator and policy req := cfcsr.CertificateRequest{ CN: rootCN, KeyRequest: cfcsr.NewBasicKeyRequest(), CA: &cfcsr.CAConfig{Expiry: ca.RootCAExpiration}, } // Generate the CA and get the certificate and private key cert, _, key, err := initca.New(&req) return cert, key, err }
func genkeyMain(args []string, c cli.Config) (err error) { csrFile, args, err := cli.PopFirstArgument(args) if err != nil { return } csrFileBytes, err := cli.ReadStdin(csrFile) if err != nil { return } req := csr.CertificateRequest{ KeyRequest: csr.NewBasicKeyRequest(), } err = json.Unmarshal(csrFileBytes, &req) if err != nil { return } if c.IsCA { var key, csrPEM, cert []byte cert, csrPEM, key, err = initca.New(&req) if err != nil { return } cli.PrintCert(key, csrPEM, cert) } else { if req.CA != nil { err = errors.New("ca section only permitted in initca") return } var key, csrPEM []byte g := &csr.Generator{Validator: Validator} csrPEM, key, err = g.ProcessRequest(&req) if err != nil { key = nil return } cli.PrintCert(key, csrPEM, nil) } return nil }
// New generates a new CA from a certificate request and signing profile. func New(req *csr.CertificateRequest, profiles *config.Signing) (*CA, error) { certPEM, _, keyPEM, err := initca.New(req) if err != nil { return nil, err } // If initca returns successfully, the following (which are // all CFSSL internal functions) should not return an // error. If they do, we should abort --- something about // CFSSL has become inconsistent, and it can't be trusted. priv, err := helpers.ParsePrivateKeyPEM(keyPEM) assert.NoError(err, "CFSSL-generated private key can't be parsed") cert, err := helpers.ParseCertificatePEM(certPEM) assert.NoError(err, "CFSSL-generated certificate can't be parsed") s, err := local.NewSigner(priv, cert, helpers.SignerAlgo(priv), profiles) assert.NoError(err, "a signer could not be constructed") return NewFromSigner(s), nil }
func gencertMain(args []string, c cli.Config) error { if c.RenewCA { log.Infof("re-generate a CA certificate from CA cert and key") cert, err := initca.RenewFromPEM(c.CAFile, c.CAKeyFile) if err != nil { log.Errorf("%v\n", err) return err } cli.PrintCert(nil, nil, cert) return nil } csrJSONFile, args, err := cli.PopFirstArgument(args) if err != nil { return err } csrJSONFileBytes, err := cli.ReadStdin(csrJSONFile) if err != nil { return err } req := csr.CertificateRequest{ KeyRequest: csr.NewBasicKeyRequest(), } err = json.Unmarshal(csrJSONFileBytes, &req) if err != nil { return err } switch { case c.IsCA: var key, csrPEM, cert []byte if c.CAKeyFile != "" { log.Infof("re-generate a CA certificate from CSR and CA key") cert, csrPEM, err = initca.NewFromPEM(&req, c.CAKeyFile) if err != nil { log.Errorf("%v\n", err) return err } } else { log.Infof("generating a new CA key and certificate from CSR") cert, csrPEM, key, err = initca.New(&req) if err != nil { return err } } cli.PrintCert(key, csrPEM, cert) default: if req.CA != nil { err = errors.New("ca section only permitted in initca") return err } // Remote can be forced on the command line or in the config if c.Remote == "" && c.CFG == nil { if c.CAFile == "" { log.Error("need a CA certificate (provide one with -ca)") return nil } if c.CAKeyFile == "" { log.Error("need a CA key (provide one with -ca-key)") return nil } } var key, csrBytes []byte g := &csr.Generator{Validator: genkey.Validator} csrBytes, key, err = g.ProcessRequest(&req) if err != nil { key = nil return err } s, err := sign.SignerFromConfig(c) if err != nil { return err } var cert []byte req := signer.SignRequest{ Request: string(csrBytes), Hosts: signer.SplitHosts(c.Hostname), Profile: c.Profile, Label: c.Label, } cert, err = s.Sign(req) if err != nil { return err } cli.PrintCert(key, csrBytes, cert) } return nil }
func gencertMain(args []string, c cli.Config) error { if c.RenewCA { log.Infof("re-generate a CA certificate from CA cert and key") cert, err := initca.RenewFromPEM(c.CAFile, c.CAKeyFile) if err != nil { log.Errorf("%v\n", err) return err } cli.PrintCert(nil, nil, cert) return nil } csrJSONFile, args, err := cli.PopFirstArgument(args) if err != nil { return err } csrJSONFileBytes, err := cli.ReadStdin(csrJSONFile) if err != nil { return err } req := csr.CertificateRequest{ KeyRequest: csr.NewBasicKeyRequest(), } err = json.Unmarshal(csrJSONFileBytes, &req) if err != nil { return err } if c.CNOverride != "" { req.CN = c.CNOverride } switch { case c.IsCA: var key, csrPEM, cert []byte if c.CAKeyFile != "" { log.Infof("re-generate a CA certificate from CSR and CA key") cert, csrPEM, err = initca.NewFromPEM(&req, c.CAKeyFile) if err != nil { log.Errorf("%v\n", err) return err } } else { log.Infof("generating a new CA key and certificate from CSR") cert, csrPEM, key, err = initca.New(&req) if err != nil { return err } } cli.PrintCert(key, csrPEM, cert) default: if req.CA != nil { err = errors.New("ca section only permitted in initca") return err } if c.Hostname != "" { req.Hosts = signer.SplitHosts(c.Hostname) } // Remote can be forced on the command line or in the config if c.Remote == "" && c.CFG == nil { if c.CAFile == "" { log.Error("need a CA certificate (provide one with -ca)") return nil } if c.CAKeyFile == "" { log.Error("need a CA key (provide one with -ca-key)") return nil } } var key, csrBytes []byte g := &csr.Generator{Validator: genkey.Validator} csrBytes, key, err = g.ProcessRequest(&req) if err != nil { key = nil return err } s, err := sign.SignerFromConfig(c) if err != nil { return err } var cert []byte signReq := signer.SignRequest{ Request: string(csrBytes), Hosts: signer.SplitHosts(c.Hostname), Profile: c.Profile, Label: c.Label, } if c.CRL != "" { signReq.CRLOverride = c.CRL } cert, err = s.Sign(signReq) if err != nil { return err } // This follows the Baseline Requirements for the Issuance and // Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser // Forum (https://cabforum.org). Specifically, section 10.2.3 ("Information // Requirements"), states: // // "Applicant information MUST include, but not be limited to, at least one // Fully-Qualified Domain Name or IP address to be included in the Certificate’s // SubjectAltName extension." if len(signReq.Hosts) == 0 && len(req.Hosts) == 0 { log.Warning(generator.CSRNoHostMessage) } cli.PrintCert(key, csrBytes, cert) } return nil }
func gencertMain(args []string) (err error) { if Config.hostname == "" && !Config.isCA { Config.hostname, args, err = popFirstArgument(args) if err != nil { return } } csrFile, args, err := popFirstArgument(args) if err != nil { return } csrFileBytes, err := readStdin(csrFile) if err != nil { return } var req csr.CertificateRequest err = json.Unmarshal(csrFileBytes, &req) if err != nil { return } if Config.isCA { var key, cert []byte cert, key, err = initca.New(&req) if err != nil { return } printCert(key, nil, cert) } else { if Config.remote != "" { return gencertRemotely(req) } if Config.caFile == "" { log.Error("cannot sign certificate without a CA certificate (provide one with -ca)") return } if Config.caKeyFile == "" { log.Error("cannot sign certificate without a CA key (provide one with -ca-key)") return } var policy *config.Signing // If there is a config, use its signing policy. Otherwise, leave policy == nil // and NewSigner will use DefaultConfig(). if Config.cfg != nil { policy = Config.cfg.Signing } var key, csrPEM []byte g := &csr.Generator{validator} csrPEM, key, err = g.ProcessRequest(&req) if err != nil { key = nil return } var sign *signer.Signer sign, err = signer.NewSigner(Config.caFile, Config.caKeyFile, policy) if err != nil { return } var cert []byte cert, err = sign.Sign(Config.hostname, csrPEM, Config.profile) if err != nil { return } printCert(key, csrPEM, cert) } return nil }