// ToCSRBundle converts a byte-based raw DER certificate bundle
// to a PEM-based string certificate bundle
func (p *ParsedCSRBundle) ToCSRBundle() (*CSRBundle, error) {
result := &CSRBundle{}
block := pem.Block{
Type: "CERTIFICATE REQUEST",
}
if p.CSRBytes != nil && len(p.CSRBytes) > 0 {
block.Bytes = p.CSRBytes
result.CSR = strings.TrimSpace(string(pem.EncodeToMemory(&block)))
}
if p.PrivateKeyBytes != nil && len(p.PrivateKeyBytes) > 0 {
block.Bytes = p.PrivateKeyBytes
switch p.PrivateKeyType {
case RSAPrivateKey:
result.PrivateKeyType = "rsa"
block.Type = "RSA PRIVATE KEY"
case ECPrivateKey:
result.PrivateKeyType = "ec"
block.Type = "EC PRIVATE KEY"
default:
return nil, errutil.InternalError{"Could not determine private key type when creating block"}
}
result.PrivateKey = strings.TrimSpace(string(pem.EncodeToMemory(&block)))
}
return result, nil
}
func GenKeyPairIfNone(privateName string, publicName string) {
dir, _ := filepath.Abs(filepath.Dir(os.Args[0]))
privatekey := filepath.Join(dir, privateName)
publickey := filepath.Join(dir, publicName)
if _, err := os.Stat(string(privatekey)); os.IsNotExist(err) {
log.Println("Generating JWT private key at ", string(privatekey))
k, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
log.Fatal(err)
}
var private pem.Block
private.Type = "RSA PRIVATE KEY"
private.Bytes = x509.MarshalPKCS1PrivateKey(k)
pp := new(bytes.Buffer)
pem.Encode(pp, &private)
err = ioutil.WriteFile(string(privatekey), pp.Bytes(), 0644)
if err != nil {
log.Fatal(err)
}
log.Println("Generating JWT public key at ", string(privatekey))
var public pem.Block
public.Type = "RSA PUBLIC KEY"
public.Bytes, _ = x509.MarshalPKIXPublicKey(&k.PublicKey)
ps := new(bytes.Buffer)
pem.Encode(ps, &public)
err = ioutil.WriteFile(string(publickey), ps.Bytes(), 0644)
if err != nil {
log.Fatal(err)
}
}
}
func encrypt(key []byte, keytype Type, password string) (out []byte, err error) {
cryptkey, iv, err := encryptKey(key, password)
if err != nil {
return
}
var block pem.Block
switch keytype {
case KEY_RSA:
block.Type = "RSA PRIVATE KEY"
case KEY_ECDSA:
block.Type = "EC PRIVATE KEY"
case KEY_DSA:
block.Type = "DSA PRIVATE KEY"
default:
err = ErrInvalidPrivateKey
return
}
block.Bytes = cryptkey
block.Headers = make(map[string]string)
block.Headers["Proc-Type"] = "4,ENCRYPTED"
block.Headers["DEK-Info"] = fmt.Sprintf("AES-128-CBC,%X", iv)
out = pem.EncodeToMemory(&block)
return
}
// Export writes the keychain to a file in PEM format.
func (kc *KeyChain) Export(filename string) (err error) {
if !kc.Validate() {
return ErrInvalidKeyChain
}
var blk pem.Block
var buf = new(bytes.Buffer)
var fail = func() {
buf.Reset()
err = ErrInvalidKeyChain
}
blk.Type = "RSA PRIVATE KEY"
blk.Bytes = x509.MarshalPKCS1PrivateKey(kc.Private)
err = pem.Encode(buf, &blk)
if err != nil {
fail()
return
}
blk.Type = "RSA PUBLIC KEY"
for _, pk := range kc.Public {
if pk.Key == nil {
continue
}
if pk.Id != "" {
if blk.Headers == nil {
blk.Headers = make(map[string]string)
}
blk.Headers["id"] = pk.Id
} else {
if blk.Headers != nil {
delete(blk.Headers, "id")
blk.Headers = nil
}
}
blk.Bytes, err = x509.MarshalPKIXPublicKey(pk.Key)
if err != nil {
fail()
return
}
err = pem.Encode(buf, &blk)
if err != nil {
fail()
}
fmt.Println("wrote a public key")
}
err = ioutil.WriteFile(filename, buf.Bytes(), 0400)
buf.Reset()
return
}
func execSSH(url, uuid string, key *rsa.PrivateKey, args []string) error {
f, err := ioutil.TempFile("", "runx")
if err != nil {
return fmt.Errorf("tmpfile: %s", err)
}
defer f.Close()
var b pem.Block
b.Type = "RSA PRIVATE KEY"
b.Bytes = x509.MarshalPKCS1PrivateKey(key)
if err = pem.Encode(f, &b); err != nil {
return fmt.Errorf("pem: %s", err)
}
f.Seek(0, 0)
argv := []string{
"ssh",
"-i" + f.Name(),
"-oProxyCommand=hk runx [proxy]",
"-oLocalCommand=rm " + f.Name(),
"-oStrictHostKeyChecking=no",
"-oUserKnownHostsFile=/dev/null",
"dyno@" + uuid,
}
env := append(os.Environ(), "RUNX_URL="+url)
return syscall.Exec("/usr/bin/ssh", append(argv, args...), env)
}
func EncodePEM(binary []byte, blockType string, password string) (pemBlock string, err error) {
var blk *pem.Block
/* Awaiting Go 1.1 */
if password != "" {
passwordBytes := ([]byte)(password)
blk, err = x509.EncryptPEMBlock(rand.Reader, blockType, binary, passwordBytes, x509.PEMCipherAES256)
if err != nil {
return
}
} else {
/* */
blk = new(pem.Block)
blk.Type = blockType
blk.Bytes = binary
/* Awaiting Go 1.1 */
}
/* */
buf := new(bytes.Buffer)
err = pem.Encode(buf, blk)
if err != nil {
return
}
pemBlock = buf.String()
return
}
func (pk *PrivateKey) Marshal(ss ...string) ([]byte, error) {
var k = x509.MarshalPKCS1PrivateKey(&pk.PrivateKey)
var block pem.Block
block.Bytes = k
block.Type = strings.Join(ss, " ")
return pem.EncodeToMemory(&block), nil
}
// Read a PEM file and ask for a password to decrypt it if needed
func ReadPEMData(pemFile string, pemPass []byte) ([]byte, error) {
pemData, err := ioutil.ReadFile(pemFile)
if err != nil {
return pemData, err
}
// We should really just get the pem.Block back here, if there's other
// junk on the end, warn about it.
pemBlock, rest := pem.Decode(pemData)
if len(rest) > 0 {
log.Warning("Didn't parse all of", pemFile)
}
if x509.IsEncryptedPEMBlock(pemBlock) {
// Decrypt and get the ASN.1 DER bytes here
pemData, err = x509.DecryptPEMBlock(pemBlock, pemPass)
if err != nil {
return pemData, err
} else {
log.Info("Decrypted", pemFile, "successfully")
}
// Shove the decrypted DER bytes into a new pem Block with blank headers
var newBlock pem.Block
newBlock.Type = pemBlock.Type
newBlock.Bytes = pemData
// This is now like reading in an uncrypted key from a file and stuffing it
// into a byte stream
pemData = pem.EncodeToMemory(&newBlock)
}
return pemData, nil
}
// Given a private key and a (possibly empty) password, returns a byte
// slice containing a PEM-encoded private key in the appropriate
// OpenSSH format.
func MarshalPrivate(priv interface{}, password string) (out []byte, err error) {
var (
keytype Type
der []byte
btype string
)
switch priv.(type) {
case *rsa.PrivateKey:
keytype = KEY_RSA
der = x509.MarshalPKCS1PrivateKey(priv.(*rsa.PrivateKey))
if der == nil {
err = ErrInvalidPrivateKey
return
}
btype = "RSA PRIVATE KEY"
case *ecdsa.PrivateKey:
keytype = KEY_ECDSA
der, err = marshalECDSAKey(priv.(*ecdsa.PrivateKey))
btype = "EC PRIVATE KEY"
case *dsa.PrivateKey:
keytype = KEY_DSA
dsakey := priv.(*dsa.PrivateKey)
k := struct {
Version int
P *big.Int
Q *big.Int
G *big.Int
Priv *big.Int
Pub *big.Int
}{
Version: 1,
P: dsakey.PublicKey.P,
Q: dsakey.PublicKey.Q,
G: dsakey.PublicKey.G,
Priv: dsakey.PublicKey.Y,
Pub: dsakey.X,
}
der, err = asn1.Marshal(k)
if err != nil {
return
}
btype = "DSA PRIVATE KEY"
default:
err = ErrInvalidPrivateKey
return
}
if password != "" {
out, err = encrypt(der, keytype, password)
return
}
var block pem.Block
block.Type = btype
block.Bytes = der
out = pem.EncodeToMemory(&block)
return
}
func convertBag(bag *safeBag, password []byte) (*pem.Block, error) {
b := new(pem.Block)
for _, attribute := range bag.Attributes {
k, v, err := convertAttribute(&attribute)
if err != nil {
return nil, err
}
if b.Headers == nil {
b.Headers = make(map[string]string)
}
b.Headers[k] = v
}
switch {
case bag.ID.Equal(oidCertBagType):
b.Type = CertificateType
certsData, err := decodeCertBag(bag.Value.Bytes)
if err != nil {
return nil, err
}
b.Bytes = certsData
case bag.ID.Equal(oidPkcs8ShroudedKeyBagType):
b.Type = PrivateKeyType
key, err := decodePkcs8ShroudedKeyBag(bag.Value.Bytes, password)
if err != nil {
return nil, err
}
switch key := key.(type) {
case *rsa.PrivateKey:
b.Bytes = x509.MarshalPKCS1PrivateKey(key)
case *ecdsa.PrivateKey:
b.Bytes, err = x509.MarshalECPrivateKey(key)
if err != nil {
return nil, err
}
default:
return nil, errors.New("found unknown private key type in PKCS#8 wrapping")
}
default:
return nil, errors.New("don't know how to convert a safe bag of type " + bag.ID.String())
}
return b, nil
}
// GenerateKeyAndCSR generates a new PEM-encoded private key and
// certificate signature request. The keyType parameter controls what
// type of key is generated; the size parameter controls what size key
// (in bits) is generated. For ECDSA, valid key sizes are 256, 384,
// and 521; these translate to secp256v1, secp384r1, and secp521r1. The
// SubjectInfo parameter contains the information used to create the CSR.
func GenerateKeyAndCSR(keyType PublicAlgo, size int, si *SubjectInfo) (pemKey []byte, csr []byte, err error) {
var priv interface{}
var block pem.Block
switch keyType {
case RSA:
priv, err = rsa.GenerateKey(rand.Reader, size)
if err != nil {
return nil, nil, err
}
block.Bytes = x509.MarshalPKCS1PrivateKey(priv.(*rsa.PrivateKey))
block.Type = "RSA PRIVATE KEY"
case ECDSA:
var curve elliptic.Curve
switch size {
case 256:
curve = elliptic.P256()
case 384:
curve = elliptic.P384()
case 521:
curve = elliptic.P521()
default:
err = ErrUnsupportedPrivate
return
}
priv, err = ecdsa.GenerateKey(curve, rand.Reader)
if err != nil {
return
}
block.Bytes, err = x509.MarshalECPrivateKey(priv.(*ecdsa.PrivateKey))
if err != nil {
return
}
block.Type = "EC PRIVATE KEY"
default:
err = ErrUnsupportedPrivate
return
}
pemKey = pem.EncodeToMemory(&block)
csr, err = NewCertificateRequest(priv, si)
return
}
func main() {
key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
pubkey := key.Public()
bytes, _ := x509.MarshalECPrivateKey(key)
block := pem.Block{}
block.Bytes = bytes
block.Type = "EC PRIVATE KEY"
bytes_encoded := pem.EncodeToMemory(&block)
fmt.Println(string(bytes_encoded))
if err != nil {
fmt.Println(err)
}
bytes, _ = x509.MarshalPKIXPublicKey(pubkey)
block = pem.Block{}
block.Type = "EC PUBLIC KEY"
block.Bytes = bytes
bytes_encoded = pem.EncodeToMemory(&block)
fmt.Println(string(bytes_encoded))
if err != nil {
fmt.Println(err)
}
// dat, err := ioutil.ReadFile("prime256v1-key.pem")
// pemblock, _ := pem.Decode(dat)
// check(err)
// privkey, parseerr := x509.ParseECPrivateKey(pemblock.Bytes)
//
// if parseerr != nil {
// fmt.Println(err)
// }
//
// bytes, _ = x509.MarshalECPrivateKey(privkey)
// block = pem.Block{}
// block.Bytes = bytes
// block.Type = "EC PRIVATE KEY"
// bytes_encoded = pem.EncodeToMemory(&block)
// fmt.Println(string(bytes_encoded))
}
func (pk *PublicKey) Marshal(ss ...string) ([]byte, error) {
var k, err = x509.MarshalPKIXPublicKey(&pk.PublicKey)
if err != nil {
return nil, err
}
var block pem.Block
block.Bytes = k
block.Type = strings.Join(ss, " ")
return pem.EncodeToMemory(&block), nil
}
func main() {
k, err := rsa.GenerateKey(rand.Reader, 768)
if err != nil {
log.Fatal(err)
}
var b pem.Block
b.Type = "RSA PRIVATE KEY"
b.Bytes = x509.MarshalPKCS1PrivateKey(k)
pem.Encode(os.Stdout, &b)
}
// ToCertBundle converts a byte-based raw DER certificate bundle
// to a PEM-based string certificate bundle
func (p *ParsedCertBundle) ToCertBundle() (*CertBundle, error) {
result := &CertBundle{}
block := pem.Block{
Type: "CERTIFICATE",
}
if p.Certificate != nil {
result.SerialNumber = strings.TrimSpace(GetHexFormatted(p.Certificate.SerialNumber.Bytes(), ":"))
}
if p.CertificateBytes != nil && len(p.CertificateBytes) > 0 {
block.Bytes = p.CertificateBytes
result.Certificate = strings.TrimSpace(string(pem.EncodeToMemory(&block)))
}
for _, caCert := range p.CAChain {
block.Bytes = caCert.Bytes
certificate := strings.TrimSpace(string(pem.EncodeToMemory(&block)))
result.CAChain = append(result.CAChain, certificate)
}
if p.PrivateKeyBytes != nil && len(p.PrivateKeyBytes) > 0 {
block.Type = string(p.PrivateKeyFormat)
block.Bytes = p.PrivateKeyBytes
result.PrivateKeyType = p.PrivateKeyType
//Handle bundle not parsed by us
if block.Type == "" {
switch p.PrivateKeyType {
case ECPrivateKey:
block.Type = string(ECBlock)
case RSAPrivateKey:
block.Type = string(PKCS1Block)
}
}
result.PrivateKey = strings.TrimSpace(string(pem.EncodeToMemory(&block)))
}
return result, nil
}
func saveKey(keyPath string, key crypto.PrivateKey) error {
if fileExists(keyPath) {
return nil
}
f, err := os.Create(keyPath)
if err != nil {
return err
}
w := bufio.NewWriter(f)
defer f.Close()
var block pem.Block
switch i := key.(type) {
case *ecdsa.PrivateKey:
// TODO: How do we encode and save the parameters of the curve? Do we need to?
key := key.(*ecdsa.PrivateKey)
b, err := x509.MarshalECPrivateKey(key)
if err != nil {
return err
}
block.Type = "EC PARAMETERS"
err = pem.Encode(w, &block)
block.Type = "EC PRIVATE KEY"
block.Bytes = b
case *rsa.PrivateKey:
k := x509.MarshalPKCS1PrivateKey(key.(*rsa.PrivateKey))
block.Type = "RSA PRIVATE KEY"
block.Bytes = k
default:
fmt.Println(i)
return new(unknownKeyError)
}
err = pem.Encode(w, &block)
if err != nil {
return err
}
return w.Flush()
}
// ExportPrivatePEM writes the RSA private key to a file in PEM format.
func ExportPrivatePEM(prv *rsa.PrivateKey, filename string) (err error) {
cert := x509.MarshalPKCS1PrivateKey(prv)
blk := new(pem.Block)
blk.Type = "RSA PRIVATE KEY"
blk.Bytes = cert
out, err := os.Create(filename)
if err == nil {
err = pem.Encode(out, blk)
}
return
}
func PrintPublicKey(pubkey crypto.PublicKey) {
bytes, _ := x509.MarshalPKIXPublicKey(pubkey)
block := pem.Block{}
block.Type = "EC PUBLIC KEY"
block.Bytes = bytes
bytes_encoded := pem.EncodeToMemory(&block)
log.Debugf("Public key:\n%s", string(bytes_encoded))
}
func newECDSACertificateRequest(priv *ecdsa.PrivateKey, si *SubjectInfo) (out []byte, err error) {
var siAttr rdnSequence
rdnAppendPrintable(si.Country, asn1CountryName, &siAttr)
rdnAppendPrintable(si.StateOrProvince, asn1StateOrProvName, &siAttr)
rdnAppendPrintable(si.Locality, asn1LocalityName, &siAttr)
rdnAppendPrintable(si.OrgName, asn1OrgName, &siAttr)
rdnAppendPrintable(si.OrgUnitName, asn1OrgUnitName, &siAttr)
rdnAppendPrintable(si.CommonName, asn1CommonName, &siAttr)
rdnAppendPrintable(si.Email, asn1EmailAddress, &siAttr)
pkInfo, err := encodeECDSA(priv.PublicKey)
if err != nil {
return
}
var csrInfo = certificateRequestInfo{
Subject: siAttr,
PKInfo: pkInfo,
}
sigData, err := asn1.Marshal(csrInfo)
if err != nil {
return
}
sum := sha256.Sum256(sigData)
r, s, err := ecdsa.Sign(rand.Reader, priv, sum[:])
if err != nil {
return
}
ecdsaSig := ecdsaSignature{r, s}
sig, err := asn1.Marshal(ecdsaSig)
if err != nil {
return
}
var crt = certificateRequest{
Info: csrInfo,
SigAlgo: nullAlgorithm(asn1SHA256withECDSA),
Signature: toBitString(sig),
}
var block pem.Block
block.Type = "CERTIFICATE REQUEST"
block.Bytes, err = asn1.Marshal(crt)
if err != nil {
return
}
out = pem.EncodeToMemory(&block)
return
}
// ExportPublicPEM writes the public key to a file in PEM format.
func ExportPublicPEM(pub *rsa.PublicKey, filename string) (err error) {
cert, err := x509.MarshalPKIXPublicKey(pub)
if err != nil {
return
}
blk := new(pem.Block)
blk.Type = "RSA PUBLIC KEY"
blk.Bytes = cert
out, err := os.Create(filename)
if err == nil {
err = pem.Encode(out, blk)
}
return
}
// ToCertBundle converts a byte-based raw DER certificate bundle
// to a PEM-based string certificate bundle
func (p *ParsedCertBundle) ToCertBundle() (*CertBundle, error) {
result := &CertBundle{}
block := pem.Block{
Type: "CERTIFICATE",
}
if p.Certificate != nil {
result.SerialNumber = strings.TrimSpace(GetOctalFormatted(p.Certificate.SerialNumber.Bytes(), ":"))
}
if p.CertificateBytes != nil && len(p.CertificateBytes) > 0 {
block.Bytes = p.CertificateBytes
result.Certificate = strings.TrimSpace(string(pem.EncodeToMemory(&block)))
}
if p.IssuingCABytes != nil && len(p.IssuingCABytes) > 0 {
block.Bytes = p.IssuingCABytes
result.IssuingCA = strings.TrimSpace(string(pem.EncodeToMemory(&block)))
}
if p.PrivateKeyBytes != nil && len(p.PrivateKeyBytes) > 0 {
block.Bytes = p.PrivateKeyBytes
switch p.PrivateKeyType {
case RSAPrivateKey:
result.PrivateKeyType = "rsa"
block.Type = "RSA PRIVATE KEY"
case ECPrivateKey:
result.PrivateKeyType = "ec"
block.Type = "EC PRIVATE KEY"
default:
return nil, InternalError{"Could not determine private key type when creating block"}
}
result.PrivateKey = strings.TrimSpace(string(pem.EncodeToMemory(&block)))
}
return result, nil
}
func generatePrivatePem(prv *rsa.PrivateKey) (prvPem string, err error) {
cert := x509.MarshalPKCS1PrivateKey(prv)
blk := new(pem.Block)
blk.Type = "RSA PRIVATE KEY"
blk.Bytes = cert
var b bytes.Buffer
err = pem.Encode(&b, blk)
if err != nil {
return
}
prvPem = b.String()
return
}
// packageBox actually handles boxing. It can output either PEM-encoded or
// DER-encoded boxes.
func packageBox(lockedKey, box []byte, armour bool) (pkg []byte, err error) {
var pkgBox = boxPackage{lockedKey, box}
pkg, err = asn1.Marshal(pkgBox)
if err != nil {
fmt.Println("[!] couldn't package the box")
return
}
if armour {
var block pem.Block
block.Type = "SSHBOX ENCRYPTED FILE"
block.Bytes = pkg
pkg = pem.EncodeToMemory(&block)
}
return
}
func generatePublicPem(pub *rsa.PublicKey) (pubPem string, err error) {
cert, err := x509.MarshalPKIXPublicKey(pub)
if err != nil {
return
}
blk := new(pem.Block)
blk.Type = "RSA PUBLIC KEY"
blk.Bytes = cert
var b bytes.Buffer
err = pem.Encode(&b, blk)
if err != nil {
return
}
pubPem = b.String()
return
}
// Export a private key to PEM format.
func ExportPrivatePEM(prv *PrivateKey) (out []byte, err error) {
der, err := MarshalPrivate(prv)
if err != nil {
return
}
var block pem.Block
block.Type = "ELLIPTIC CURVE PRIVATE KEY"
block.Bytes = der
buf := new(bytes.Buffer)
err = pem.Encode(buf, &block)
if err != nil {
return
} else {
out = buf.Bytes()
}
return
}
// Export a public key to PEM format.
func ExportPublicPEM(pub *PublicKey) (out []byte, err error) {
der, err := MarshalPublic(pub)
if err != nil {
return
}
var block pem.Block
block.Type = "ELLIPTIC CURVE PUBLIC KEY"
block.Bytes = der
buf := new(bytes.Buffer)
err = pem.Encode(buf, &block)
if err != nil {
return
} else {
out = buf.Bytes()
}
return
}
func main() {
flag.Parse()
if *fMakeKey != "" {
f, err := os.Create(*fMakeKey)
if err != nil {
log.Fatal(err)
}
key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
log.Fatal(err)
}
data, err := x509.MarshalECPrivateKey(key)
if err != nil {
log.Fatal(err)
}
var blk pem.Block
blk.Bytes = data
blk.Type = "ecdsa-key"
err = pem.Encode(f, &blk)
if err != nil {
log.Fatal(err)
}
f.Close()
return
}
if *fKey == "" {
log.Fatal("Please provide the path to the private key")
}
cfg := gdata.DefaultConfig()
cfg.LoadKey(*fKey)
server, err := gdata.NewServer(cfg)
if err != nil {
log.Fatal(err)
}
if *fLEDir != "" {
fmt.Printf("* Listening on TLS %s", *fPort)
var (
cert = filepath.Join(*fLEDir, "fullchain.pem")
key = filepath.Join(*fLEDir, "privkey.pem")
)
err = http.ListenAndServeTLS(*fPort, cert, key, server)
} else {
fmt.Printf("* Listening on %s", *fPort)
err = http.ListenAndServe(*fPort, server)
}
if err != nil {
log.Fatal(err)
}
}
// Certificate returns the PEM-encoded certificate built from the
// certificate template and corresponding PEM-encoded private key.
func (ct *CertificateTemplate) Certificate(key []byte) ([]byte, error) {
var (
priv interface{}
err error
)
p, _ := pem.Decode(key)
if p == nil {
return nil, ErrInvalidKey
}
switch ct.CSR.Algo {
case csr.RSA:
if p.Type != "RSA PRIVATE KEY" {
return nil, ErrInvalidKey
}
priv, err = x509.ParsePKCS1PrivateKey(p.Bytes)
if err != nil {
return nil, err
}
case csr.ECDSA:
if p.Type != "EC PRIVATE KEY" {
return nil, ErrInvalidKey
}
priv, err = x509.ParseECPrivateKey(p.Bytes)
if err != nil {
return nil, err
}
default:
return nil, ErrInvalidCertificate
}
name := ct.CSR.Subject.Name()
name.SerialNumber = ct.Serial.String()
var usage x509.KeyUsage
for _, use := range ct.Uses {
usage |= use
}
var extUsage = make([]x509.ExtKeyUsage, len(ct.ExtUses))
for i, use := range ct.ExtUses {
extUsage[i] = use
}
var tpl = x509.Certificate{
SerialNumber: ct.Serial,
Subject: name,
NotBefore: ct.Start,
NotAfter: ct.Expires,
KeyUsage: usage,
ExtKeyUsage: extUsage,
BasicConstraintsValid: true,
}
if (usage & x509.KeyUsageCertSign) != 0 {
tpl.IsCA = true
}
for _, h := range ct.Hosts {
h = strings.TrimSpace(h)
if ip := net.ParseIP(h); ip != nil {
tpl.IPAddresses = append(tpl.IPAddresses, ip)
} else {
tpl.DNSNames = append(tpl.DNSNames, h)
}
}
parent := ct.Parent
if parent == nil {
parent = &tpl
}
var block pem.Block
block.Type = "CERTIFICATE"
switch ct.CSR.Algo {
case csr.RSA:
pub := ct.CSR.Public.(rsa.PublicKey)
privKey := priv.(*rsa.PrivateKey)
block.Bytes, err = x509.CreateCertificate(prng, &tpl, parent, &pub, privKey)
case csr.ECDSA:
pub := ct.CSR.Public.(ecdsa.PublicKey)
privKey := priv.(*ecdsa.PrivateKey)
block.Bytes, err = x509.CreateCertificate(prng, &tpl, parent, &pub, privKey)
}
if err != nil {
return nil, err
}
return pem.EncodeToMemory(&block), nil
}
func appendPEM(buf *bytes.Buffer, cert *x509.Certificate) {
block := new(pem.Block)
block.Type = "CERTIFICATE"
block.Bytes = cert.Raw
pem.Encode(buf, block)
}