func TestCreateCertificateCahin(t *testing.T) { ca, caPriv := createCA() caPub := key.PublicKey(caPriv) caBytes := Sign(ca, ca, caPub, caPriv) interCa, interCaPriv := createInterCA() interCaPub := key.PublicKey(interCaPriv) interCaBytes := Sign(interCa, ca, interCaPub, caPriv) client, clientPriv := createClient() clientPub := key.PublicKey(clientPriv) clientBytes := Sign(client, interCa, clientPub, interCaPriv) clientCert, _ := x509.ParseCertificate(clientBytes) ouIssuer := getPkixValue(clientCert.Issuer.Names, OU) if ouIssuer != "WebInterCA" { t.Fatalf("Wrong issuer ou wanted: WebInterCA, got: %v\n", ouIssuer) } interCert, _ := x509.ParseCertificate(interCaBytes) ouIssuer = getPkixValue(interCert.Issuer.Names, OU) if ouIssuer != "WebCA" { t.Fatalf("Wrong issuer ou wanted: WebCA, got: %v\n", ouIssuer) } caCert, _ := x509.ParseCertificate(caBytes) ouIssuer = getPkixValue(caCert.Issuer.Names, OU) if ouIssuer != "WebCA" { t.Fatalf("Wrong issuer ou wanted: WebCA, got: %v\n", ouIssuer) } }
// NOTE: //If an SSL certificate has a Subject Alternative Name (SAN) field, then SSL clients are supposed to ignore //the common name value and seek a match in the SAN list. //This is why the Cert always repeats the common name as the first SAN in the certificate. func CreateCertificateTemplate(data Certificate) *x509.Certificate { pub := key.PublicKey(data.PrivateKey) subjectKeyId := keyIdentifier(pub) keyUsage, extKeyUsage := getUsage(data.Usage, data.CA) cert := &x509.Certificate{ SerialNumber: new(big.Int).SetBytes([]byte(data.Id)), Subject: pkix.Name{ Country: []string{data.Country}, Organization: []string{data.Organization}, OrganizationalUnit: []string{data.OrganizationalUnit}, }, NotBefore: data.ValidFrom, NotAfter: data.ValidTo, SubjectKeyId: subjectKeyId, BasicConstraintsValid: true, SignatureAlgorithm: signatureAlgorithm(data.SignatureAlg, data.PrivateKey), IsCA: data.CA, ExtKeyUsage: extKeyUsage, KeyUsage: keyUsage, } if data.CommonName != "" { cert.Subject.CommonName = data.CommonName } //TODO: handle alternative ip if len(data.AlternativeNames) > 0 { cert.DNSNames = data.AlternativeNames if !isStringInList(data.CommonName, data.AlternativeNames) { cert.DNSNames = append(cert.DNSNames, data.CommonName) } } return cert }
func TestValidSignedCertificateCahin(t *testing.T) { ca, caPriv := createCA() caPub := key.PublicKey(caPriv) caBytes := Sign(ca, ca, caPub, caPriv) interCa, interCaPriv := createInterCA() interCaPub := key.PublicKey(interCaPriv) interCaBytes := Sign(interCa, ca, interCaPub, caPriv) client, clientPriv := createClient() clientPub := key.PublicKey(clientPriv) clientBytes := Sign(client, interCa, clientPub, interCaPriv) for _, name := range []string{"", "www.baz.se", "www.foo.se", "www.bar.se"} { chainOk := CheckCertificate(name, caBytes, interCaBytes, clientBytes) if !chainOk { t.Fatalf("Failed to verify client for dnsName: ", name) } } }
func (c *Certs) setupSigner() { c.certSigners = make(map[string][]string) for _, val := range c.Certificates { parent := val.CertConfig.Parent id := val.CertConfig.Id if parent == id { privKey := val.PrivateKey // self signed certificate val.CertBytes = certificate.Sign(val.CertTemplate, val.CertTemplate, key.PublicKey(privKey), privKey) val.signed = true } else if c.certSigners[parent] == nil { c.certSigners[parent] = []string{id} } else { c.certSigners[parent] = append(c.certSigners[parent], id) } } }
func (c *Certs) signAll() { for { sign := findSigners(c) if len(sign) == 0 { break } for _, s := range sign { id := s.CertConfig.Id signer, _ := c.findByid(id) list := c.certSigners[id] for _, certId := range list { cert, _ := c.findByid(certId) cert.CertBytes = certificate.Sign(cert.CertTemplate, signer.CertTemplate, key.PublicKey(cert.PrivateKey), signer.PrivateKey) cert.signed = true if s.Signers == nil { cert.Signers = []string{id} } else { cert.Signers = append(s.Signers, id) } } } } }