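// CreateHTTPSKeys generates a key-pair signed by the CA to be used in its HTTPS server.
//
// The private key is written to *outKey and the CA-signed certificate to
// *outCert. The CSR is built from the CA host's own IP addresses and
// hostnames (util.GetHostnameAndIp); those are also stored in the
// package-level caIPList and caDomainList, which SignCSR consults to refuse
// CSRs that claim the CA's identity.
//
// Returns a non-nil error if key generation, hostname lookup, CSR creation,
// signing, or writing either output file fails.
func CreateHTTPSKeys(outKey, outCert *string) error {
	logger.Info.Println("Creating https key")

	// create keys
	keyLength := 4096
	keys, err := pkix.CreateRSAKey(keyLength)
	if err != nil {
		return err
	}

	// Record the CA's own addresses; a failure here would otherwise leave
	// caIPList/caDomainList empty and silently disable SignCSR's
	// impersonation check.
	caIPList, caDomainList, err = util.GetHostnameAndIp()
	if err != nil {
		return fmt.Errorf("Unable to determine CA hostname and IP: %s", err)
	}

	// create csr
	name := "ca"
	ipListStr := util.ListToString(caIPList, "")
	domainListStr := util.ListToString(caDomainList, "")
	organization := "symbios"
	// NOTE(review): "PT-PT" looks like a locale tag rather than an ISO 3166-1
	// alpha-2 country code; confirm the intended subject value.
	country := "PT-PT"
	// NOTE(review): SignCSR passes the same argument to CreateCertificateHost
	// as a number of days; confirm the unit expected here.
	ttl := 2 // years

	logger.Info.Printf("HTTPS Cert with: %s  ; %s", *domainListStr, *ipListStr)

	csr, err := pkix.CreateCertificateSigningRequest(keys, name, *ipListStr, *domainListStr, organization, country)
	if err != nil {
		return err
	}

	// Check the signing result before using it: a nil certificate would
	// panic in Save below.
	certificate, err := pkix.CreateCertificateHost(caCertificate, caInfo, caKey, csr, ttl)
	if err != nil {
		return fmt.Errorf("Unable to sign https certificate: %s", err)
	}

	if err := keys.SavePrivate(outKey); err != nil {
		return fmt.Errorf("Unable to save https key: %s", err)
	}

	if err := certificate.Save(outCert); err != nil {
		return fmt.Errorf("Unable to save https certificate: %s", err)
	}
	return nil
}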
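// SignCSR signs the Certificate Signing Request if the token is valid,
// generating a certificate with a time-to-live of the given number of days.
//
// The token is validated against the CSR's CommonName before anything is
// signed. A CSR whose IP or DNS SANs overlap the CA's own HTTPS identity
// (caIPList / caDomainList) is refused, so a certificate issued here cannot
// be used to pose as the CA's HTTPS endpoint.
//
// Returns the signed certificate, or a non-nil error if the CSR cannot be
// parsed, the token is invalid, the CSR overlaps the CA identity, or signing
// fails.
func SignCSR(csr *pkix.CertificateSigningRequest, token string, days int) (*pkix.Certificate, error) {
	x509Csr, err := csr.GetRawCertificateSigningRequest()
	if err != nil {
		return nil, err
	}

	subject := x509Csr.Subject
	commonName := subject.CommonName
	ipList := x509Csr.IPAddresses
	domainList := x509Csr.DNSNames
	fmt.Printf("\n New CSR: subject: %s \n IP List: %s \n Domains: %s \n", subject, ipList, domainList)

	// Authenticate the requester before doing any further work on the CSR.
	if err := ValidateToken(token, userCertificate, &commonName); err != nil {
		return nil, err
	}

	// Render the requested IPs as strings for comparison with caIPList.
	// Length 0 with pre-sized capacity: a non-zero length would pre-fill the
	// slice with empty strings that then take part in the comparison.
	ipListStr := make([]string, 0, len(ipList))
	for _, ip := range ipList {
		ipListStr = append(ipListStr, ip.String())
	}

	// Refuse any CSR that claims one of the CA's own addresses or names.
	// NOTE(review): only the SANs are compared here; the Subject CommonName
	// is not checked against caDomainList — confirm ValidateToken covers it.
	if existsInArray(ipListStr, caIPList) {
		return nil, fmt.Errorf("ALERT! Someone is trying to impersonate the CA HTTPS! Same IP: %s. ", ipList)
	}

	if existsInArray(domainList, caDomainList) {
		return nil, fmt.Errorf("ALERT! Someone is trying to impersonate the CA HTTPS! Same domain: %s. ", domainList)
	}

	certificate, err := pkix.CreateCertificateHost(caCertificate, caInfo, caKey, csr, days)
	if err != nil {
		return nil, err
	}
	return certificate, nil
}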