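// CreateHTTPSKeys generates a 4096-bit RSA key pair for the CA's own HTTPS
// server and a certificate for it signed by the CA key, then writes the key to
// *outKey and the certificate to *outCert.
//
// Side effect: the CA's hostname/IP lookup is stored in the package-level
// caIPList and caDomainList; SignCSR relies on those lists to refuse CSRs that
// would impersonate the CA's HTTPS endpoint, so a failure here is an error
// rather than something to ignore.
//
// Returns an error if key generation, the host lookup, CSR creation, signing,
// or saving fails.
func CreateHTTPSKeys(outKey, outCert *string) error {
	logger.Info.Println("Creating https key")

	const keyLength = 4096
	keys, err := pkix.CreateRSAKey(keyLength)
	if err != nil {
		return err
	}

	// This error used to be dropped. An ignored failure leaves caIPList and
	// caDomainList empty, which silently disables the impersonation check
	// in SignCSR.
	caIPList, caDomainList, err = util.GetHostnameAndIp()
	if err != nil {
		return fmt.Errorf("Unable to determine CA hostname and IP: %s", err)
	}

	name := "ca"
	ipListStr := util.ListToString(caIPList, "")
	domainListStr := util.ListToString(caDomainList, "")
	organization := "symbios"
	// NOTE(review): the X.509 Country attribute is a two-letter ISO 3166
	// code ("PT"); strict parsers may reject "PT-PT" — confirm what pkix
	// does with this value before changing it.
	country := "PT-PT"
	ttl := 2 // years

	logger.Info.Printf("HTTPS Cert with: %s ; %s", *domainListStr, *ipListStr)

	csr, err := pkix.CreateCertificateSigningRequest(keys, name, *ipListStr, *domainListStr, organization, country)
	if err != nil {
		return err
	}

	// The signing error used to be shadowed by the SavePrivate err below and
	// never checked, so a failed signing would have reached certificate.Save
	// with a nil certificate.
	certificate, err := pkix.CreateCertificateHost(caCertificate, caInfo, caKey, csr, ttl)
	if err != nil {
		return fmt.Errorf("Unable to create https certificate: %s", err)
	}

	if err := keys.SavePrivate(outKey); err != nil {
		return fmt.Errorf("Unable to save https key: %s", err)
	}
	if err := certificate.Save(outCert); err != nil {
		return fmt.Errorf("Unable to save https certificate: %s", err)
	}
	return nil
}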
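// SignCSR signs csr with the CA key and returns a certificate valid for the
// given number of days, provided that token is valid for the CSR's CommonName
// and that the CSR does not claim any of the CA's own HTTPS IP addresses or
// DNS names (caIPList / caDomainList, populated by CreateHTTPSKeys).
//
// Only the SubjectAltName IPs and DNS names are compared against the CA's
// identity; the CommonName is bound to the token by ValidateToken.
// NOTE(review): confirm ValidateToken also prevents a CN equal to one of the
// CA's own names, since that is not checked here.
//
// Returns an error if the CSR cannot be parsed, the token is rejected, the CSR
// overlaps with the CA's HTTPS identity, or signing fails.
func SignCSR(csr *pkix.CertificateSigningRequest, token string, days int) (*pkix.Certificate, error) {
	x509Csr, err := csr.GetRawCertificateSigningRequest()
	if err != nil {
		return nil, err
	}

	subject := x509Csr.Subject
	commonName := subject.CommonName
	ipList := x509Csr.IPAddresses
	domainList := x509Csr.DNSNames

	fmt.Printf("\n New CSR: subject: %s \n IP List: %s \n Domains: %s \n", subject, ipList, domainList)

	// Authorization first: the token must be valid for this CommonName.
	if err := ValidateToken(token, userCertificate, &commonName); err != nil {
		return nil, err
	}

	// Was make([]string, 10), which prepended ten empty strings to the list
	// that is compared against caIPList.
	ipListStr := make([]string, 0, len(ipList))
	for _, ip := range ipList {
		ipListStr = append(ipListStr, ip.String())
	}
	if existsInArray(ipListStr, caIPList) {
		return nil, fmt.Errorf("ALERT! Someone is trying to impersonate the CA HTTPS! Same IP: %s. ", ipList)
	}

	// DNS names are case-insensitive and "host." equals "host", so a plain
	// string comparison could be bypassed with "CA.Example.COM" or a
	// trailing dot. Normalize both sides before comparing; the originals are
	// left untouched so the error message and the signed CSR are unchanged.
	// NOTE(review): existsInArray is not visible here; if it already folds
	// case, this normalization is merely redundant.
	if existsInArray(foldDNSNamesForCompare(domainList), foldDNSNamesForCompare(caDomainList)) {
		return nil, fmt.Errorf("ALERT! Someone is trying to impersonate the CA HTTPS! Same domain: %s. ", domainList)
	}

	certificate, err := pkix.CreateCertificateHost(caCertificate, caInfo, caKey, csr, days)
	if err != nil {
		return nil, err
	}
	return certificate, nil
}

// foldDNSNamesForCompare returns a copy of names with ASCII letters lower-cased
// and a single trailing dot removed, for case-insensitive comparison. The
// input slice is not modified. Only ASCII is folded: DNS names in a CSR are
// ASCII (IDNs appear in punycode form).
func foldDNSNamesForCompare(names []string) []string {
	out := make([]string, 0, len(names))
	for _, name := range names {
		b := []byte(name)
		for i, c := range b {
			if 'A' <= c && c <= 'Z' {
				b[i] = c + ('a' - 'A')
			}
		}
		if n := len(b); n > 0 && b[n-1] == '.' {
			b = b[:n-1]
		}
		out = append(out, string(b))
	}
	return out
}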