func TestCreateCertificateCahin(t *testing.T) {
ca, caPriv := createCA()
caPub := key.PublicKey(caPriv)
caBytes := Sign(ca, ca, caPub, caPriv)
interCa, interCaPriv := createInterCA()
interCaPub := key.PublicKey(interCaPriv)
interCaBytes := Sign(interCa, ca, interCaPub, caPriv)
client, clientPriv := createClient()
clientPub := key.PublicKey(clientPriv)
clientBytes := Sign(client, interCa, clientPub, interCaPriv)
clientCert, _ := x509.ParseCertificate(clientBytes)
ouIssuer := getPkixValue(clientCert.Issuer.Names, OU)
if ouIssuer != "WebInterCA" {
t.Fatalf("Wrong issuer ou wanted: WebInterCA, got: %v\n", ouIssuer)
}
interCert, _ := x509.ParseCertificate(interCaBytes)
ouIssuer = getPkixValue(interCert.Issuer.Names, OU)
if ouIssuer != "WebCA" {
t.Fatalf("Wrong issuer ou wanted: WebCA, got: %v\n", ouIssuer)
}
caCert, _ := x509.ParseCertificate(caBytes)
ouIssuer = getPkixValue(caCert.Issuer.Names, OU)
if ouIssuer != "WebCA" {
t.Fatalf("Wrong issuer ou wanted: WebCA, got: %v\n", ouIssuer)
}
}
// NOTE:
//If an SSL certificate has a Subject Alternative Name (SAN) field, then SSL clients are supposed to ignore
//the common name value and seek a match in the SAN list.
//This is why the Cert always repeats the common name as the first SAN in the certificate.
func CreateCertificateTemplate(data Certificate) *x509.Certificate {
pub := key.PublicKey(data.PrivateKey)
subjectKeyId := keyIdentifier(pub)
keyUsage, extKeyUsage := getUsage(data.Usage, data.CA)
cert := &x509.Certificate{
SerialNumber: new(big.Int).SetBytes([]byte(data.Id)),
Subject: pkix.Name{
Country: []string{data.Country},
Organization: []string{data.Organization},
OrganizationalUnit: []string{data.OrganizationalUnit},
},
NotBefore: data.ValidFrom,
NotAfter: data.ValidTo,
SubjectKeyId: subjectKeyId,
BasicConstraintsValid: true,
SignatureAlgorithm: signatureAlgorithm(data.SignatureAlg, data.PrivateKey),
IsCA: data.CA,
ExtKeyUsage: extKeyUsage,
KeyUsage: keyUsage,
}
if data.CommonName != "" {
cert.Subject.CommonName = data.CommonName
}
//TODO: handle alternative ip
if len(data.AlternativeNames) > 0 {
cert.DNSNames = data.AlternativeNames
if !isStringInList(data.CommonName, data.AlternativeNames) {
cert.DNSNames = append(cert.DNSNames, data.CommonName)
}
}
return cert
}
func TestValidSignedCertificateCahin(t *testing.T) {
ca, caPriv := createCA()
caPub := key.PublicKey(caPriv)
caBytes := Sign(ca, ca, caPub, caPriv)
interCa, interCaPriv := createInterCA()
interCaPub := key.PublicKey(interCaPriv)
interCaBytes := Sign(interCa, ca, interCaPub, caPriv)
client, clientPriv := createClient()
clientPub := key.PublicKey(clientPriv)
clientBytes := Sign(client, interCa, clientPub, interCaPriv)
for _, name := range []string{"", "www.baz.se", "www.foo.se", "www.bar.se"} {
chainOk := CheckCertificate(name, caBytes, interCaBytes, clientBytes)
if !chainOk {
t.Fatalf("Failed to verify client for dnsName: ", name)
}
}
}
func (c *Certs) setupSigner() {
c.certSigners = make(map[string][]string)
for _, val := range c.Certificates {
parent := val.CertConfig.Parent
id := val.CertConfig.Id
if parent == id {
privKey := val.PrivateKey
// self signed certificate
val.CertBytes = certificate.Sign(val.CertTemplate, val.CertTemplate, key.PublicKey(privKey), privKey)
val.signed = true
} else if c.certSigners[parent] == nil {
c.certSigners[parent] = []string{id}
} else {
c.certSigners[parent] = append(c.certSigners[parent], id)
}
}
}
func (c *Certs) signAll() {
for {
sign := findSigners(c)
if len(sign) == 0 {
break
}
for _, s := range sign {
id := s.CertConfig.Id
signer, _ := c.findByid(id)
list := c.certSigners[id]
for _, certId := range list {
cert, _ := c.findByid(certId)
cert.CertBytes = certificate.Sign(cert.CertTemplate, signer.CertTemplate, key.PublicKey(cert.PrivateKey), signer.PrivateKey)
cert.signed = true
if s.Signers == nil {
cert.Signers = []string{id}
} else {
cert.Signers = append(s.Signers, id)
}
}
}
}
}