func makeSigningKeyWithChain(rootKey libtrust.PrivateKey, depth int) (libtrust.PrivateKey, error) { if depth == 0 { // Don't need to build a chain. return rootKey, nil } var ( x5c = make([]string, depth) parentKey = rootKey key libtrust.PrivateKey cert *x509.Certificate err error ) for depth > 0 { if key, err = libtrust.GenerateECP256PrivateKey(); err != nil { return nil, err } if cert, err = libtrust.GenerateCACert(parentKey, key); err != nil { return nil, err } depth-- x5c[depth] = base64.StdEncoding.EncodeToString(cert.Raw) parentKey = key } key.AddExtendedField("x5c", x5c) return key, nil }
func makeRootCerts(rootKeys []libtrust.PrivateKey) ([]*x509.Certificate, error) { certs := make([]*x509.Certificate, 0, len(rootKeys)) for _, key := range rootKeys { cert, err := libtrust.GenerateCACert(key, key) if err != nil { return nil, err } certs = append(certs, cert) } return certs, nil }
func main() { key, err := libtrust.LoadKeyFile(clientPrivateKeyFilename) if err != nil { log.Fatal(err) } keyPEMBlock, err := key.PEMBlock() if err != nil { log.Fatal(err) } encodedPrivKey := pem.EncodeToMemory(keyPEMBlock) fmt.Printf("Client Key:\n\n%s\n", string(encodedPrivKey)) cert, err := libtrust.GenerateSelfSignedClientCert(key) if err != nil { log.Fatal(err) } encodedCert := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}) fmt.Printf("Client Cert:\n\n%s\n", string(encodedCert)) trustedServerKeys, err := libtrust.LoadKeySetFile(trustedHostsFilename) if err != nil { log.Fatal(err) } hostname, _, err := net.SplitHostPort(serverAddress) if err != nil { log.Fatal(err) } trustedServerKeys, err = libtrust.FilterByHosts(trustedServerKeys, hostname, false) if err != nil { log.Fatal(err) } caCert, err := libtrust.GenerateCACert(key, trustedServerKeys[0]) if err != nil { log.Fatal(err) } encodedCert = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caCert.Raw}) fmt.Printf("CA Cert:\n\n%s\n", string(encodedCert)) }