// Generate creates a new CSR from a CertificateRequest structure and
// an existing key. The KeyRequest field is ignored.
//
// The signature algorithm is derived from priv via helpers.SignerAlgo; a
// key it cannot handle yields a PrivateKeyError/Unavailable error. Each
// entry of req.Hosts that net.ParseIP accepts is placed in the IPAddresses
// SAN list, every other entry goes verbatim into DNSNames — no further
// validation of the host strings is performed here, so callers are
// responsible for vetting them. A failure from x509.CreateCertificateRequest
// is logged and returned wrapped as CSRError/BadRequest. On success the
// result is a PEM block of type "CERTIFICATE REQUEST".
func Generate(priv crypto.Signer, req *CertificateRequest) (csr []byte, err error) {
	algo := helpers.SignerAlgo(priv, crypto.SHA256)
	if algo == x509.UnknownSignatureAlgorithm {
		return nil, cferr.New(cferr.PrivateKeyError, cferr.Unavailable)
	}

	template := x509.CertificateRequest{
		Subject:            req.Name(),
		SignatureAlgorithm: algo,
	}

	// Sort each requested host into the IP or DNS SAN list; anything that
	// does not parse as an IP address is treated as a DNS name as-is.
	for _, host := range req.Hosts {
		ip := net.ParseIP(host)
		if ip == nil {
			template.DNSNames = append(template.DNSNames, host)
			continue
		}
		template.IPAddresses = append(template.IPAddresses, ip)
	}

	der, err := x509.CreateCertificateRequest(rand.Reader, &template, priv)
	if err != nil {
		log.Errorf("failed to generate a CSR: %v", err)
		return nil, cferr.Wrap(cferr.CSRError, cferr.BadRequest, err)
	}

	log.Info("encoded CSR")
	return pem.EncodeToMemory(&pem.Block{
		Type:  "CERTIFICATE REQUEST",
		Bytes: der,
	}), nil
}
// New generates a new CA from a certificate request and signing profile. func New(req *csr.CertificateRequest, profiles *config.Signing) (*CA, error) { certPEM, _, keyPEM, err := initca.New(req) if err != nil { return nil, err } // If initca returns successfully, the following (which are // all CFSSL internal functions) should not return an // error. If they do, we should abort --- something about // CFSSL has become inconsistent, and it can't be trusted. priv, err := helpers.ParsePrivateKeyPEM(keyPEM) assert.NoError(err, "CFSSL-generated private key can't be parsed") cert, err := helpers.ParseCertificatePEM(certPEM) assert.NoError(err, "CFSSL-generated certificate can't be parsed") s, err := local.NewSigner(priv, cert, helpers.SignerAlgo(priv), profiles) assert.NoError(err, "a signer could not be constructed") return NewFromSigner(s), nil }