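// ParseCertificate parses an x509 certificate into the Certificate view:
// its PEM encoding, signature algorithm name, validity window, subject, and
// SANs (DNS names first, then IP addresses as strings).
//
// cert must be non-nil. The SANs slice is built as a fresh copy of
// cert.DNSNames instead of aliasing it: appending the IP SANs to an aliased
// slice with spare capacity would write into the parsed certificate's own
// backing array and silently mutate cert.DNSNames behind the caller's back.
func ParseCertificate(cert *x509.Certificate) *Certificate {
	// Detach from cert.DNSNames; the [:0:0] form keeps a nil input nil so
	// that "no DNS SANs" is reported exactly as before.
	sans := append(cert.DNSNames[:0:0], cert.DNSNames...)
	for _, ip := range cert.IPAddresses {
		sans = append(sans, ip.String())
	}
	return &Certificate{
		RawPEM:             string(helpers.EncodeCertificatePEM(cert)),
		SignatureAlgorithm: helpers.SignatureString(cert.SignatureAlgorithm),
		NotBefore:          cert.NotBefore,
		NotAfter:           cert.NotAfter,
		Subject:            ParseName(cert.Subject),
		SANs:               sans,
	}
}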
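// ParseCertificate parses an x509 certificate into the Certificate view:
// its PEM encoding, signature algorithm name, validity window, subject and
// issuer, SANs (DNS names first, then IP addresses as strings), authority and
// subject key identifiers (via formatKeyID), and the decimal serial number.
//
// cert must be non-nil. Two defensive points over a naive field copy:
//   - the SANs slice is a fresh copy of cert.DNSNames rather than an alias,
//     so appending the IP SANs can never write into the parsed certificate's
//     own backing array;
//   - a certificate built by hand may carry a nil SerialNumber; that yields an
//     empty SerialNumber string instead of a nil-pointer panic.
func ParseCertificate(cert *x509.Certificate) *Certificate {
	// Detach from cert.DNSNames; the [:0:0] form keeps a nil input nil so
	// that "no DNS SANs" is reported exactly as before.
	sans := append(cert.DNSNames[:0:0], cert.DNSNames...)
	for _, ip := range cert.IPAddresses {
		sans = append(sans, ip.String())
	}

	var serial string
	if cert.SerialNumber != nil {
		serial = cert.SerialNumber.String()
	}

	return &Certificate{
		RawPEM:             string(helpers.EncodeCertificatePEM(cert)),
		SignatureAlgorithm: helpers.SignatureString(cert.SignatureAlgorithm),
		NotBefore:          cert.NotBefore,
		NotAfter:           cert.NotAfter,
		Subject:            ParseName(cert.Subject),
		Issuer:             ParseName(cert.Issuer),
		SANs:               sans,
		AKI:                formatKeyID(cert.AuthorityKeyId),
		SKI:                formatKeyID(cert.SubjectKeyId),
		SerialNumber:       serial,
	}
}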
// ParseValidateAndSignCSR returns a signed certificate from a particular rootCA and a CSR. func (rca *RootCA) ParseValidateAndSignCSR(csrBytes []byte, cn, ou, org string) ([]byte, error) { if !rca.CanSign() { return nil, ErrNoValidSigner } // All managers get added the subject-alt-name of CA, so they can be used for cert issuance hosts := []string{ou} if ou == ManagerRole { hosts = append(hosts, CARole) } cert, err := rca.Signer.Sign(cfsigner.SignRequest{ Request: string(csrBytes), // OU is used for Authentication of the node type. The CN has the random // node ID. Subject: &cfsigner.Subject{CN: cn, Names: []cfcsr.Name{{OU: ou, O: org}}}, // Adding ou as DNS alt name, so clients can connect to ManagerRole and CARole Hosts: hosts, }) if err != nil { log.Debugf("failed to sign node certificate: %v", err) return nil, err } // Append the first root CA Cert to the certificate, to create a valid chain // Get the first Root CA Cert on the bundle firstRootCA, _, err := helpers.ParseOneCertificateFromPEM(rca.Cert) if err != nil { return nil, err } if len(firstRootCA) < 1 { return nil, fmt.Errorf("no valid Root CA certificates found") } // Convert the first root CA back to PEM firstRootCAPEM := helpers.EncodeCertificatePEM(firstRootCA[0]) if firstRootCAPEM == nil { return nil, fmt.Errorf("error while encoding the Root CA certificate") } // Append this Root CA to the certificate to make [Cert PEM]\n[Root PEM][EOF] certChain := append(cert, firstRootCAPEM...) return certChain, nil }
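// AppendFirstRootPEM appends the first certificate from this RootCA's cert
// bundle to the given cert bundle (which should already be encoded as a series
// of PEM-encoded certificate blocks) and returns the result as
// [Cert PEM]\n[Root PEM][EOF].
//
// Only the first certificate of rca.Cert is used; anything after it in the
// bundle is ignored. The root is re-encoded from its parsed form rather than
// copied verbatim, so the appended block is always canonical PEM.
//
// If cert does not end with a newline, one is inserted before the root block.
// encoding/pem only recognises a BEGIN marker at the start of a line and
// rejects an END line that has anything but whitespace after it, so gluing
// the root directly onto an unterminated leaf would make the whole chain
// undecodable instead of producing a two-certificate chain.
//
// As with append, the returned slice may share cert's backing array.
//
// Returns an error if the bundle cannot be parsed, contains no certificate,
// or the root cannot be re-encoded.
func (rca *RootCA) AppendFirstRootPEM(cert []byte) ([]byte, error) {
	// Get the first Root CA Cert on the bundle.
	firstRootCA, _, err := helpers.ParseOneCertificateFromPEM(rca.Cert)
	if err != nil {
		return nil, err
	}
	if len(firstRootCA) < 1 {
		return nil, errors.New("no valid Root CA certificates found")
	}

	// Convert the first root CA back to PEM.
	firstRootCAPEM := helpers.EncodeCertificatePEM(firstRootCA[0])
	if firstRootCAPEM == nil {
		return nil, errors.New("error while encoding the Root CA certificate")
	}

	certChain := cert
	// Guarantee the root block starts on its own line (see doc comment).
	if n := len(certChain); n > 0 && certChain[n-1] != '\n' {
		certChain = append(certChain, '\n')
	}
	certChain = append(certChain, firstRootCAPEM...)
	return certChain, nil
}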