Esempio n. 1
0
func TestCreateCertificateCahin(t *testing.T) {
	ca, caPriv := createCA()
	caPub := key.PublicKey(caPriv)
	caBytes := Sign(ca, ca, caPub, caPriv)
	interCa, interCaPriv := createInterCA()
	interCaPub := key.PublicKey(interCaPriv)
	interCaBytes := Sign(interCa, ca, interCaPub, caPriv)
	client, clientPriv := createClient()
	clientPub := key.PublicKey(clientPriv)
	clientBytes := Sign(client, interCa, clientPub, interCaPriv)

	clientCert, _ := x509.ParseCertificate(clientBytes)
	ouIssuer := getPkixValue(clientCert.Issuer.Names, OU)
	if ouIssuer != "WebInterCA" {
		t.Fatalf("Wrong issuer ou wanted: WebInterCA, got: %v\n", ouIssuer)
	}
	interCert, _ := x509.ParseCertificate(interCaBytes)
	ouIssuer = getPkixValue(interCert.Issuer.Names, OU)
	if ouIssuer != "WebCA" {
		t.Fatalf("Wrong issuer ou wanted: WebCA, got: %v\n", ouIssuer)
	}
	caCert, _ := x509.ParseCertificate(caBytes)
	ouIssuer = getPkixValue(caCert.Issuer.Names, OU)
	if ouIssuer != "WebCA" {
		t.Fatalf("Wrong issuer ou wanted: WebCA, got: %v\n", ouIssuer)
	}
}
Esempio n. 2
0
// NOTE:
//If an SSL certificate has a Subject Alternative Name (SAN) field, then SSL clients are supposed to ignore
//the common name value and seek a match in the SAN list.
//This is why the Cert always repeats the common name as the first SAN in the certificate.
func CreateCertificateTemplate(data Certificate) *x509.Certificate {
	pub := key.PublicKey(data.PrivateKey)
	subjectKeyId := keyIdentifier(pub)
	keyUsage, extKeyUsage := getUsage(data.Usage, data.CA)
	cert := &x509.Certificate{
		SerialNumber: new(big.Int).SetBytes([]byte(data.Id)),
		Subject: pkix.Name{
			Country:            []string{data.Country},
			Organization:       []string{data.Organization},
			OrganizationalUnit: []string{data.OrganizationalUnit},
		},
		NotBefore:             data.ValidFrom,
		NotAfter:              data.ValidTo,
		SubjectKeyId:          subjectKeyId,
		BasicConstraintsValid: true,
		SignatureAlgorithm:    signatureAlgorithm(data.SignatureAlg, data.PrivateKey),
		IsCA:                  data.CA,
		ExtKeyUsage:           extKeyUsage,
		KeyUsage:              keyUsage,
	}

	if data.CommonName != "" {
		cert.Subject.CommonName = data.CommonName
	}

	//TODO: handle alternative ip

	if len(data.AlternativeNames) > 0 {
		cert.DNSNames = data.AlternativeNames
		if !isStringInList(data.CommonName, data.AlternativeNames) {
			cert.DNSNames = append(cert.DNSNames, data.CommonName)
		}
	}
	return cert
}
Esempio n. 3
0
func TestValidSignedCertificateCahin(t *testing.T) {
	ca, caPriv := createCA()
	caPub := key.PublicKey(caPriv)
	caBytes := Sign(ca, ca, caPub, caPriv)
	interCa, interCaPriv := createInterCA()
	interCaPub := key.PublicKey(interCaPriv)
	interCaBytes := Sign(interCa, ca, interCaPub, caPriv)
	client, clientPriv := createClient()
	clientPub := key.PublicKey(clientPriv)
	clientBytes := Sign(client, interCa, clientPub, interCaPriv)
	for _, name := range []string{"", "www.baz.se", "www.foo.se", "www.bar.se"} {
		chainOk := CheckCertificate(name, caBytes, interCaBytes, clientBytes)
		if !chainOk {
			t.Fatalf("Failed to verify client for dnsName: ", name)
		}
	}
}
Esempio n. 4
0
func (c *Certs) setupSigner() {
	c.certSigners = make(map[string][]string)
	for _, val := range c.Certificates {
		parent := val.CertConfig.Parent
		id := val.CertConfig.Id
		if parent == id {
			privKey := val.PrivateKey
			// self signed certificate
			val.CertBytes = certificate.Sign(val.CertTemplate, val.CertTemplate, key.PublicKey(privKey), privKey)
			val.signed = true
		} else if c.certSigners[parent] == nil {
			c.certSigners[parent] = []string{id}
		} else {
			c.certSigners[parent] = append(c.certSigners[parent], id)
		}
	}
}
Esempio n. 5
0
func (c *Certs) signAll() {
	for {
		sign := findSigners(c)
		if len(sign) == 0 {
			break
		}
		for _, s := range sign {
			id := s.CertConfig.Id
			signer, _ := c.findByid(id)
			list := c.certSigners[id]
			for _, certId := range list {
				cert, _ := c.findByid(certId)
				cert.CertBytes = certificate.Sign(cert.CertTemplate, signer.CertTemplate, key.PublicKey(cert.PrivateKey), signer.PrivateKey)
				cert.signed = true
				if s.Signers == nil {
					cert.Signers = []string{id}
				} else {
					cert.Signers = append(s.Signers, id)
				}
			}
		}
	}
}