// Performs the heavy lifting of generating a certificate from a CSR.
// Returns a ParsedCertBundle sans private keys.
func signCertificate(creationInfo *creationBundle,
csr *x509.CertificateRequest) (*certutil.ParsedCertBundle, error) {
switch {
case creationInfo == nil:
return nil, errutil.UserError{Err: "nil creation info given to signCertificate"}
case creationInfo.SigningBundle == nil:
return nil, errutil.UserError{Err: "nil signing bundle given to signCertificate"}
case csr == nil:
return nil, errutil.UserError{Err: "nil csr given to signCertificate"}
}
err := csr.CheckSignature()
if err != nil {
return nil, errutil.UserError{Err: "request signature invalid"}
}
result := &certutil.ParsedCertBundle{}
serialNumber, err := certutil.GenerateSerialNumber()
if err != nil {
return nil, err
}
marshaledKey, err := x509.MarshalPKIXPublicKey(csr.PublicKey)
if err != nil {
return nil, errutil.InternalError{Err: fmt.Sprintf("error marshalling public key: %s", err)}
}
subjKeyID := sha1.Sum(marshaledKey)
subject := pkix.Name{
CommonName: creationInfo.CommonName,
}
certTemplate := &x509.Certificate{
SerialNumber: serialNumber,
Subject: subject,
NotBefore: time.Now().Add(-30 * time.Second),
NotAfter: time.Now().Add(creationInfo.TTL),
SubjectKeyId: subjKeyID[:],
}
switch creationInfo.SigningBundle.PrivateKeyType {
case certutil.RSAPrivateKey:
certTemplate.SignatureAlgorithm = x509.SHA256WithRSA
case certutil.ECPrivateKey:
certTemplate.SignatureAlgorithm = x509.ECDSAWithSHA256
}
if creationInfo.UseCSRValues {
certTemplate.Subject = csr.Subject
certTemplate.DNSNames = csr.DNSNames
certTemplate.EmailAddresses = csr.EmailAddresses
certTemplate.IPAddresses = csr.IPAddresses
certTemplate.ExtraExtensions = csr.Extensions
} else {
certTemplate.DNSNames = creationInfo.DNSNames
certTemplate.EmailAddresses = creationInfo.EmailAddresses
certTemplate.IPAddresses = creationInfo.IPAddresses
}
addKeyUsages(creationInfo, certTemplate)
var certBytes []byte
caCert := creationInfo.SigningBundle.Certificate
certTemplate.IssuingCertificateURL = creationInfo.URLs.IssuingCertificates
certTemplate.CRLDistributionPoints = creationInfo.URLs.CRLDistributionPoints
certTemplate.OCSPServer = creationInfo.SigningBundle.URLs.OCSPServers
if creationInfo.IsCA {
certTemplate.BasicConstraintsValid = true
certTemplate.IsCA = true
if creationInfo.SigningBundle.Certificate.MaxPathLen == 0 &&
creationInfo.SigningBundle.Certificate.MaxPathLenZero {
return nil, errutil.UserError{Err: "signing certificate has a max path length of zero, and cannot issue further CA certificates"}
}
certTemplate.MaxPathLen = creationInfo.MaxPathLength
if certTemplate.MaxPathLen == 0 {
certTemplate.MaxPathLenZero = true
}
}
certBytes, err = x509.CreateCertificate(rand.Reader, certTemplate, caCert, csr.PublicKey, creationInfo.SigningBundle.PrivateKey)
if err != nil {
return nil, errutil.InternalError{Err: fmt.Sprintf("unable to create certificate: %s", err)}
}
result.CertificateBytes = certBytes
result.Certificate, err = x509.ParseCertificate(certBytes)
if err != nil {
return nil, errutil.InternalError{Err: fmt.Sprintf("unable to parse created certificate: %s", err)}
}
result.IssuingCABytes = creationInfo.SigningBundle.CertificateBytes
result.IssuingCA = creationInfo.SigningBundle.Certificate
return result, nil
}
// Performs the heavy lifting of generating a certificate from a CSR.
// Returns a ParsedCertBundle sans private keys.
func signCertificate(creationInfo *creationBundle,
csr *x509.CertificateRequest) (*certutil.ParsedCertBundle, error) {
switch {
case creationInfo == nil:
return nil, certutil.UserError{Err: "nil creation info given to signCertificate"}
case creationInfo.SigningBundle == nil:
return nil, certutil.UserError{Err: "nil signing bundle given to signCertificate"}
case csr == nil:
return nil, certutil.UserError{Err: "nil csr given to signCertificate"}
}
err := csr.CheckSignature()
if err != nil {
return nil, certutil.UserError{Err: "request signature invalid"}
}
result := &certutil.ParsedCertBundle{}
serialNumber, err := certutil.GenerateSerialNumber()
if err != nil {
return nil, err
}
marshaledKey, err := x509.MarshalPKIXPublicKey(csr.PublicKey)
if err != nil {
return nil, certutil.InternalError{Err: fmt.Sprintf("error marshalling public key: %s", err)}
}
subjKeyID := sha1.Sum(marshaledKey)
subject := pkix.Name{
CommonName: creationInfo.CommonName,
}
certTemplate := &x509.Certificate{
SerialNumber: serialNumber,
Subject: subject,
NotBefore: time.Now(),
NotAfter: time.Now().Add(creationInfo.TTL),
SubjectKeyId: subjKeyID[:],
}
switch creationInfo.SigningBundle.PrivateKeyType {
case certutil.RSAPrivateKey:
certTemplate.SignatureAlgorithm = x509.SHA256WithRSA
case certutil.ECPrivateKey:
certTemplate.SignatureAlgorithm = x509.ECDSAWithSHA256
}
if creationInfo.UseCSRValues {
certTemplate.Subject = csr.Subject
certTemplate.DNSNames = csr.DNSNames
certTemplate.EmailAddresses = csr.EmailAddresses
certTemplate.IPAddresses = csr.IPAddresses
certTemplate.ExtraExtensions = csr.Extensions
// Do not sign a CA certificate if they didn't go through the sign-intermediate
// endpoint
if !creationInfo.IsCA && oidInExtensions(oidExtensionBasicConstraints, certTemplate.ExtraExtensions) {
return nil, certutil.UserError{Err: "will not sign a CSR asking for CA rights through this endpoint"}
}
} else {
certTemplate.DNSNames = creationInfo.DNSNames
certTemplate.EmailAddresses = creationInfo.EmailAddresses
certTemplate.IPAddresses = creationInfo.IPAddresses
certTemplate.KeyUsage = x509.KeyUsage(x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement)
if creationInfo.Usage&serverUsage != 0 {
certTemplate.ExtKeyUsage = append(certTemplate.ExtKeyUsage, x509.ExtKeyUsageServerAuth)
}
if creationInfo.Usage&clientUsage != 0 {
certTemplate.ExtKeyUsage = append(certTemplate.ExtKeyUsage, x509.ExtKeyUsageClientAuth)
}
if creationInfo.Usage&codeSigningUsage != 0 {
certTemplate.ExtKeyUsage = append(certTemplate.ExtKeyUsage, x509.ExtKeyUsageCodeSigning)
}
if creationInfo.Usage&emailProtectionUsage != 0 {
certTemplate.ExtKeyUsage = append(certTemplate.ExtKeyUsage, x509.ExtKeyUsageEmailProtection)
}
if creationInfo.IsCA {
certTemplate.KeyUsage = x509.KeyUsage(certTemplate.KeyUsage | x509.KeyUsageCertSign | x509.KeyUsageCRLSign)
certTemplate.ExtKeyUsage = append(certTemplate.ExtKeyUsage, x509.ExtKeyUsageOCSPSigning)
}
}
var certBytes []byte
caCert := creationInfo.SigningBundle.Certificate
certTemplate.IssuingCertificateURL = creationInfo.URLs.IssuingCertificates
certTemplate.CRLDistributionPoints = creationInfo.URLs.CRLDistributionPoints
certTemplate.OCSPServer = creationInfo.SigningBundle.URLs.OCSPServers
if creationInfo.IsCA {
certTemplate.BasicConstraintsValid = true
certTemplate.IsCA = true
if creationInfo.SigningBundle.Certificate.MaxPathLen == 0 &&
creationInfo.SigningBundle.Certificate.MaxPathLenZero {
return nil, certutil.UserError{Err: "signing certificate has a max path length of zero, and cannot issue further CA certificates"}
}
certTemplate.MaxPathLen = creationInfo.MaxPathLength
if certTemplate.MaxPathLen == 0 {
certTemplate.MaxPathLenZero = true
}
}
certBytes, err = x509.CreateCertificate(rand.Reader, certTemplate, caCert, csr.PublicKey, creationInfo.SigningBundle.PrivateKey)
if err != nil {
return nil, certutil.InternalError{Err: fmt.Sprintf("unable to create certificate: %s", err)}
}
result.CertificateBytes = certBytes
result.Certificate, err = x509.ParseCertificate(certBytes)
if err != nil {
return nil, certutil.InternalError{Err: fmt.Sprintf("unable to parse created certificate: %s", err)}
}
result.IssuingCABytes = creationInfo.SigningBundle.CertificateBytes
result.IssuingCA = creationInfo.SigningBundle.Certificate
return result, nil
}
// Performs the heavy lifting of creating a certificate. Returns
// a fully-filled-in ParsedCertBundle.
func createCertificate(creationInfo *creationBundle) (*certutil.ParsedCertBundle, error) {
var err error
result := &certutil.ParsedCertBundle{}
serialNumber, err := certutil.GenerateSerialNumber()
if err != nil {
return nil, err
}
if err := certutil.GeneratePrivateKey(creationInfo.KeyType,
creationInfo.KeyBits,
result); err != nil {
return nil, err
}
subjKeyID, err := certutil.GetSubjKeyID(result.PrivateKey)
if err != nil {
return nil, errutil.InternalError{Err: fmt.Sprintf("error getting subject key ID: %s", err)}
}
subject := pkix.Name{
CommonName: creationInfo.CommonName,
}
certTemplate := &x509.Certificate{
SerialNumber: serialNumber,
Subject: subject,
NotBefore: time.Now().Add(-30 * time.Second),
NotAfter: time.Now().Add(creationInfo.TTL),
IsCA: false,
SubjectKeyId: subjKeyID,
DNSNames: creationInfo.DNSNames,
EmailAddresses: creationInfo.EmailAddresses,
IPAddresses: creationInfo.IPAddresses,
}
// Add this before calling addKeyUsages
if creationInfo.SigningBundle == nil {
certTemplate.IsCA = true
}
addKeyUsages(creationInfo, certTemplate)
certTemplate.IssuingCertificateURL = creationInfo.URLs.IssuingCertificates
certTemplate.CRLDistributionPoints = creationInfo.URLs.CRLDistributionPoints
certTemplate.OCSPServer = creationInfo.URLs.OCSPServers
var certBytes []byte
if creationInfo.SigningBundle != nil {
switch creationInfo.SigningBundle.PrivateKeyType {
case certutil.RSAPrivateKey:
certTemplate.SignatureAlgorithm = x509.SHA256WithRSA
case certutil.ECPrivateKey:
certTemplate.SignatureAlgorithm = x509.ECDSAWithSHA256
}
caCert := creationInfo.SigningBundle.Certificate
certBytes, err = x509.CreateCertificate(rand.Reader, certTemplate, caCert, result.PrivateKey.Public(), creationInfo.SigningBundle.PrivateKey)
} else {
// Creating a self-signed root
if creationInfo.MaxPathLength == 0 {
certTemplate.MaxPathLen = 0
certTemplate.MaxPathLenZero = true
} else {
certTemplate.MaxPathLen = creationInfo.MaxPathLength
}
switch creationInfo.KeyType {
case "rsa":
certTemplate.SignatureAlgorithm = x509.SHA256WithRSA
case "ec":
certTemplate.SignatureAlgorithm = x509.ECDSAWithSHA256
}
certTemplate.BasicConstraintsValid = true
certBytes, err = x509.CreateCertificate(rand.Reader, certTemplate, certTemplate, result.PrivateKey.Public(), result.PrivateKey)
}
if err != nil {
return nil, errutil.InternalError{Err: fmt.Sprintf("unable to create certificate: %s", err)}
}
result.CertificateBytes = certBytes
result.Certificate, err = x509.ParseCertificate(certBytes)
if err != nil {
return nil, errutil.InternalError{Err: fmt.Sprintf("unable to parse created certificate: %s", err)}
}
if creationInfo.SigningBundle != nil {
result.IssuingCABytes = creationInfo.SigningBundle.CertificateBytes
result.IssuingCA = creationInfo.SigningBundle.Certificate
} else {
result.IssuingCABytes = result.CertificateBytes
result.IssuingCA = result.Certificate
}
return result, nil
}
// Performs the heavy lifting of creating a certificate. Returns
// a fully-filled-in ParsedCertBundle.
func createCertificate(creationInfo *creationBundle) (*certutil.ParsedCertBundle, error) {
var err error
result := &certutil.ParsedCertBundle{}
serialNumber, err := certutil.GenerateSerialNumber()
if err != nil {
return nil, err
}
if err := certutil.GeneratePrivateKey(creationInfo.KeyType,
creationInfo.KeyBits,
result); err != nil {
return nil, err
}
subjKeyID, err := certutil.GetSubjKeyID(result.PrivateKey)
if err != nil {
return nil, certutil.InternalError{Err: fmt.Sprintf("error getting subject key ID: %s", err)}
}
subject := pkix.Name{
CommonName: creationInfo.CommonName,
}
certTemplate := &x509.Certificate{
SerialNumber: serialNumber,
Subject: subject,
NotBefore: time.Now(),
NotAfter: time.Now().Add(creationInfo.TTL),
KeyUsage: x509.KeyUsage(x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement),
IsCA: false,
SubjectKeyId: subjKeyID,
DNSNames: creationInfo.DNSNames,
EmailAddresses: creationInfo.EmailAddresses,
IPAddresses: creationInfo.IPAddresses,
}
if creationInfo.Usage&serverUsage != 0 {
certTemplate.ExtKeyUsage = append(certTemplate.ExtKeyUsage, x509.ExtKeyUsageServerAuth)
}
if creationInfo.Usage&clientUsage != 0 {
certTemplate.ExtKeyUsage = append(certTemplate.ExtKeyUsage, x509.ExtKeyUsageClientAuth)
}
if creationInfo.Usage&codeSigningUsage != 0 {
certTemplate.ExtKeyUsage = append(certTemplate.ExtKeyUsage, x509.ExtKeyUsageCodeSigning)
}
if creationInfo.Usage&emailProtectionUsage != 0 {
certTemplate.ExtKeyUsage = append(certTemplate.ExtKeyUsage, x509.ExtKeyUsageEmailProtection)
}
certTemplate.IssuingCertificateURL = creationInfo.URLs.IssuingCertificates
certTemplate.CRLDistributionPoints = creationInfo.URLs.CRLDistributionPoints
certTemplate.OCSPServer = creationInfo.URLs.OCSPServers
var certBytes []byte
if creationInfo.SigningBundle != nil {
switch creationInfo.SigningBundle.PrivateKeyType {
case certutil.RSAPrivateKey:
certTemplate.SignatureAlgorithm = x509.SHA256WithRSA
case certutil.ECPrivateKey:
certTemplate.SignatureAlgorithm = x509.ECDSAWithSHA256
}
caCert := creationInfo.SigningBundle.Certificate
certBytes, err = x509.CreateCertificate(rand.Reader, certTemplate, caCert, result.PrivateKey.Public(), creationInfo.SigningBundle.PrivateKey)
} else {
// Creating a self-signed root
if creationInfo.MaxPathLength == 0 {
certTemplate.MaxPathLen = 0
certTemplate.MaxPathLenZero = true
} else {
certTemplate.MaxPathLen = creationInfo.MaxPathLength
}
switch creationInfo.KeyType {
case "rsa":
certTemplate.SignatureAlgorithm = x509.SHA256WithRSA
case "ec":
certTemplate.SignatureAlgorithm = x509.ECDSAWithSHA256
}
certTemplate.BasicConstraintsValid = true
certTemplate.IsCA = true
certTemplate.KeyUsage = x509.KeyUsage(certTemplate.KeyUsage | x509.KeyUsageCertSign | x509.KeyUsageCRLSign)
certTemplate.ExtKeyUsage = append(certTemplate.ExtKeyUsage, x509.ExtKeyUsageOCSPSigning)
certBytes, err = x509.CreateCertificate(rand.Reader, certTemplate, certTemplate, result.PrivateKey.Public(), result.PrivateKey)
}
if err != nil {
return nil, certutil.InternalError{Err: fmt.Sprintf("unable to create certificate: %s", err)}
}
result.CertificateBytes = certBytes
result.Certificate, err = x509.ParseCertificate(certBytes)
if err != nil {
return nil, certutil.InternalError{Err: fmt.Sprintf("unable to parse created certificate: %s", err)}
}
if creationInfo.SigningBundle != nil {
result.IssuingCABytes = creationInfo.SigningBundle.CertificateBytes
result.IssuingCA = creationInfo.SigningBundle.Certificate
} else {
result.IssuingCABytes = result.CertificateBytes
result.IssuingCA = result.Certificate
}
return result, nil
}
