Пример #1
0
// CreateGenericCRL is a helper function that takes in all of the information above, and then calls the createCRL
// function. This outputs the bytes of the created CRL.
func CreateGenericCRL(certList []pkix.RevokedCertificate, key crypto.Signer, issuingCert *x509.Certificate, expiryTime time.Time) ([]byte, error) {
	crlBytes, err := issuingCert.CreateCRL(rand.Reader, key, certList, time.Now(), expiryTime)
	if err != nil {
		log.Debug("error creating CRL: %s", err)
	}

	return crlBytes, err

}
Пример #2
0
// CreateCRL creates a signed X.509 certificate list for revoked certificates.
func (s *Signer) CreateCRL(cert *x509.Certificate, revokedCerts []pkix.RevokedCertificate, now, expiry time.Time) ([]byte, error) {
	if cert == nil {
		return nil, newError("Missing issuing certificate required to create CRL.")
	}
	return cert.CreateCRL(rand.Reader, s.ec, revokedCerts, now, expiry)
}
Пример #3
0
func (crtkit *CertKit) GenerateCA(subject pkix.Name, host, email string, listenport ...string) error {
	var e error
	var derBytes []byte
	var crlurl string
	//   var ecBytes  []byte

	//   priv, err := ecdsa.GenerateKey(elliptic.P521(),rand.Reader)
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return errors.New(fmt.Sprintf("failed to generate private key: %s", err))
	}

	notBefore := time.Now()
	serialNumber, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return errors.New(fmt.Sprintf("failed to generate serial number: %s", err))
	}

	if host == "" {
		host, _ = os.Hostname()
	}

	if len(listenport) == 0 {
		crlurl = "http://" + host + "/rootCA.crl"
	} else {
		crlurl = "http://" + host + ":" + listenport[0] + "/rootCA.crl"
	}

	template := x509.Certificate{
		SerialNumber:   serialNumber,
		Subject:        subject,
		IsCA:           true,
		SubjectKeyId:   []byte(fmt.Sprintf("%s", priv.PublicKey.N)),
		AuthorityKeyId: []byte(fmt.Sprintf("%s", priv.PublicKey.N)),

		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(365 * 20 * 24 * time.Hour),
		DNSNames:              []string{host, strings.Split(host, ".")[0]},
		PolicyIdentifiers:     []asn1.ObjectIdentifier{[]int{2, 16, 76, 1, 1, 0}}, // Policy: 2.16.76.1.1.0 CPS: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf
		CRLDistributionPoints: []string{crlurl},

		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
	}

	crtkit.CAKey = priv
	crtkit.CACert = &template
	derBytes, e = x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
	if e != nil {
		return errors.New(fmt.Sprintf("Failed to create certificate: %s", e))
	}
	crtkit.CACertPem = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
	//   ecBytes, e                  = x509.MarshalECPrivateKey(priv)
	//   if err != nil {
	//      return errors.New(fmt.Sprintf("Failed to Marshal ECDSA Private Key: %s", e))
	//   }
	//   crtkit.CAKeyPem             = pem.EncodeToMemory(&pem.Block{Type: "ECDSA PRIVATE KEY", Bytes: ecBytes})
	crtkit.CAKeyPem = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})

	derBytes, e = template.CreateCRL(rand.Reader, priv, []pkix.RevokedCertificate{}, time.Now(), time.Now().Add(time.Hour*24*30))
	if e != nil {
		return errors.New(fmt.Sprintf("Failed to create CRL: %s", e))
	}
	crtkit.CACRL = derBytes

	return nil
}