func main() { // Validate input // All flags are required flag.Parse() missing := false flag.VisitAll(func(f *flag.Flag) { if len(f.Value.String()) == 0 { missing = true } }) if missing { log.Critical("All flags must be provided.") flag.Usage() return } jsonConfig, err := ioutil.ReadFile(*configFile) if err != nil { log.Criticalf("Unable to read config: %v", err) return } var config Config err = json.Unmarshal(jsonConfig, &config) if err != nil { log.Criticalf("Unable to parse config: %v", err) return } if len(config.Name.C) == 0 || len(config.Name.O) == 0 || len(config.Name.CN) == 0 { log.Criticalf("Config must provide country, organizationName, and commonName") return } if config.NotBefore.After(config.NotAfter) { log.Criticalf("Invalid validity: notAfter is before notBefore") return } // Set up PKCS#11 key priv, err := pkcs11key.New(*module, *token, *pin, *label) if err != nil { log.Criticalf("Unable to instantiate PKCS#11 private key: %v", err) return } pub := priv.Public() // Generate serial number serialLimit := new(big.Int).Lsh(big.NewInt(1), 128) serialNumber, err := rand.Int(rand.Reader, serialLimit) if err != nil { log.Criticalf("Error generating serial number: %v", err) return } // Generate subject key ID pubDER, err := x509.MarshalPKIXPublicKey(pub) if err != nil { log.Criticalf("Error serializing public key: %v", err) return } h := sha1.New() h.Write(pubDER) keyID := h.Sum(nil) // Sign the certificate rootTemplate := &x509.Certificate{ SignatureAlgorithm: x509.SHA256WithRSA, SerialNumber: serialNumber, Subject: pkix.Name{ Country: []string{config.Name.C}, Organization: []string{config.Name.O}, CommonName: config.Name.CN, }, NotBefore: config.NotBefore, NotAfter: config.NotAfter, BasicConstraintsValid: true, IsCA: true, SubjectKeyId: keyID, } rootDER, err := x509.CreateCertificate(rand.Reader, rootTemplate, rootTemplate, pub, priv) if err != nil { log.Criticalf("Error signing certificate: %v", err) return } fmt.Println(string(pem.EncodeToMemory(&pem.Block{ Type: "CERTIFICATE", Bytes: rootDER, }))) }
func main() { // Validate input // All flags are required flag.Parse() missing := false flag.VisitAll(func(f *flag.Flag) { if len(f.Value.String()) == 0 { missing = true } }) if missing { log.Critical("All flags must be provided.") flag.Usage() return } // Read the issuer cert certPEM, err := ioutil.ReadFile(*certFile) if err != nil { log.Criticalf("Unable to read certificate: %v", err) return } certBlock, _ := pem.Decode(certPEM) cert, err := x509.ParseCertificate(certBlock.Bytes) if err != nil { log.Criticalf("Unable to parse certificate: %v", err) return } // Read the list of revoked certs jsonConfig, err := ioutil.ReadFile(*listFile) if err != nil { log.Criticalf("Unable to read list of revoked certs: %v", err) return } var config Config err = json.Unmarshal(jsonConfig, &config) if err != nil { log.Criticalf("Unable to parse list of revoked certs: %v", err) return } // Set up PKCS#11 key priv, err := pkcs11key.New(*module, *token, *pin, *label) if err != nil { log.Criticalf("Unable to instantiate PKCS#11 private key: %v", err) return } // Sign the CRL crlDER, err := cert.CreateCRL(rand.Reader, priv, config.RevokedCerts, config.ThisUpdate, config.NextUpdate) if err != nil { log.Criticalf("Error signing certificate: %v", err) return } fmt.Println(string(pem.EncodeToMemory(&pem.Block{ Type: "X509 CRL", Bytes: crlDER, }))) }