This repository has been archived by the owner on Oct 20, 2021. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 7
/
cert_helper_test.go
115 lines (95 loc) · 3.03 KB
/
cert_helper_test.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
package uaa_go_client_test
import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/tls"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"fmt"
"math/big"
"net"
"time"
)
type CertType int
const (
isCA CertType = iota
isServer
isClient
)
func createCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
caPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
return nil, nil, fmt.Errorf("generate key: %s", err)
}
tmpl, err := createCertTemplate(isCA)
if err != nil {
return nil, nil, fmt.Errorf("create cert template: %s", err)
}
caDER, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &caPriv.PublicKey, caPriv)
if err != nil {
return nil, nil, fmt.Errorf("creating certificate: %s", err)
}
caCert, err := x509.ParseCertificate(caDER)
if err != nil {
return nil, nil, fmt.Errorf("parsing ca cert: %s", err)
}
return caCert, caPriv, nil
}
func createCertificate(rootCert *x509.Certificate, caPriv *ecdsa.PrivateKey, certType CertType) (tls.Certificate, error) {
certPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
return tls.Certificate{}, fmt.Errorf("generate key: %s", err)
}
certTemplate, err := createCertTemplate(certType)
if err != nil {
return tls.Certificate{}, fmt.Errorf("create cert template: %s", err)
}
certDER, err := x509.CreateCertificate(rand.Reader, &certTemplate, rootCert, &certPriv.PublicKey, caPriv)
if err != nil {
return tls.Certificate{}, fmt.Errorf("x509 create certificate: %s", err)
}
privBytes, err := x509.MarshalECPrivateKey(certPriv)
if err != nil {
return tls.Certificate{}, fmt.Errorf("marshal ec private key: %s", err)
}
keyPEM := pem.EncodeToMemory(&pem.Block{
Type: "EC PRIVATE KEY", Bytes: privBytes,
})
certPEM := pem.EncodeToMemory(&pem.Block{
Type: "CERTIFICATE", Bytes: certDER,
})
x509KeyPair, err := tls.X509KeyPair(certPEM, keyPEM)
if err != nil {
return tls.Certificate{}, fmt.Errorf("making x509 key pair: %s", err)
}
return x509KeyPair, nil
}
func createCertTemplate(certType CertType) (x509.Certificate, error) {
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
if err != nil {
return x509.Certificate{}, fmt.Errorf("random int: %s", err)
}
tmpl := x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{Organization: []string{"TESTING"}},
SignatureAlgorithm: x509.ECDSAWithSHA256,
NotBefore: time.Now(),
NotAfter: time.Now().AddDate(10, 0, 0),
BasicConstraintsValid: true,
IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
}
switch certType {
case isCA:
tmpl.IsCA = true
tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
case isServer:
tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
case isClient:
tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
}
return tmpl, err
}