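package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"embed"
	"net"
	"time"
)

// The generator produces one Pair per (pairType, keyType) combination.
var (
	// pairTypes lists every certificate role that is generated, root first.
	pairTypes = []string{
		"ca",
		"inter",
		"leaf_server",
		"leaf_user",
	}
	// keyTypes lists every private-key algorithm a Pair is generated for.
	keyTypes = []string{
		/*
			Per:
			https://pkg.go.dev/crypto/x509#CreateCertificate
			https://pkg.go.dev/crypto/x509#CreateCertificateRequest
			ECDH keys are not supported for certificates (only ECDSA, ED25519, and RSA).
		*/
		// "ecdh",
		"ecdsa",
		"ed25519",
		"rsa",
	}
	// pairs holds the generated material, keyed by pair name.
	// Populated by init.
	pairs = make(map[string]*Pair)
)

var (
	// pems embeds the pre-generated PEM fixtures under _testdata/.
	//go:embed "_testdata/*"
	pems embed.FS
)

// CommonName for each pair type. getSubj() (defined elsewhere in this
// package) combines these with pkixCommon.
const (
	caCn     string = "gen_test_pki Root CA"
	interCn  string = "gen_test_pki Intermediate CA"
	serverCn string = "server.example.com"
	userCn   string = "username@example.com"
)

// pkixCommon is the Subject shared by every generated certificate.
// SerialNumber and CommonName are deliberately left blank: they are
// supplied per certificate via getSerial() and getSubj().
var pkixCommon *pkix.Name = &pkix.Name{
	Country: []string{
		"XX",
	},
	Organization: []string{
		"An Example Organization",
	},
	OrganizationalUnit: []string{
		"An Example Department",
	},
	Locality: []string{
		"Some City",
	},
	Province: []string{
		"Some State",
	},
	StreetAddress: []string{
		"123 Example Street",
	},
	PostalCode: []string{
		"12345",
	},
	// SerialNumber: "", // SerialNumber should be blank, and contextually generated via getSerial().
	// CommonName: "", // CommonName should be blank, and contextually generated via getSubj().
	Names:      nil,
	ExtraNames: nil,
}

// certTpl is the x509 template for each pair type, keyed by pairTypes entry.
var certTpl map[string]*x509.Certificate = newCertTemplates()

// newCertTemplates builds the per-pair-type certificate templates.
//
// Every validity window is derived from a single time.Now() so the chain
// nests strictly: each link starts later and ends earlier than its issuer
// (ca 10y > inter 9y > leaf 8y). Calling time.Now() per template, as the
// previous version did, let a leaf's NotAfter land a few microseconds after
// its issuer's, and the leaf lifetime did not match its own comment.
//
// Serial numbers come from getSerial() and subjects from getSubj(), both
// defined elsewhere in this package.
func newCertTemplates() map[string]*x509.Certificate {
	now := time.Now()
	const year = 365 * 24 * time.Hour // "about" a year; leap days are ignored

	// Shared by both leaf roles. KeyEncipherment is only meaningful for RSA;
	// NOTE(review): RFC 5480 §3 (ECDSA) and RFC 8410 §5 (Ed25519) say it must
	// not be asserted for those key types, but the template map is keyed by
	// pair type only, so dropping it per key type would have to happen in the
	// generator. Left as-is.
	leafUsage := x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment

	return map[string]*x509.Certificate{
		"ca": {
			SerialNumber: getSerial(),
			Subject:      getSubj(caCn),
			// NotBefore is backdated slightly so a verifier with a lagging
			// clock does not reject a freshly generated chain.
			NotBefore:             now.Add(-10 * time.Second),
			NotAfter:              now.Add(10 * year),
			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
			BasicConstraintsValid: true,
			IsCA:                  true,
			MaxPathLen:            1, // may issue one tier of subordinate CA
		},
		"inter": {
			SerialNumber:          getSerial(),
			Subject:               getSubj(interCn),
			NotBefore:             now.Add(-9 * time.Second),
			NotAfter:              now.Add(9 * year),
			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
			BasicConstraintsValid: true,
			IsCA:                  true,
			// pathLenConstraint=0: end-entity certificates only. crypto/x509
			// treats MaxPathLen == 0 without MaxPathLenZero as "unset" and
			// omits the constraint, which would let this intermediate sign
			// further CAs; MaxPathLenZero makes the zero explicit.
			MaxPathLen:     0,
			MaxPathLenZero: true,
		},
		"leaf_server": {
			SerialNumber: getSerial(),
			Subject:      getSubj(serverCn),
			NotBefore:    now.Add(-8 * time.Second),
			NotAfter:     now.Add(8 * year),
			KeyUsage:     leafUsage,
			ExtKeyUsage: []x509.ExtKeyUsage{
				x509.ExtKeyUsageServerAuth,
			},
		},
		"leaf_user": {
			SerialNumber: getSerial(),
			Subject:      getSubj(userCn),
			NotBefore:    now.Add(-8 * time.Second),
			NotAfter:     now.Add(8 * year),
			KeyUsage:     leafUsage,
			ExtKeyUsage: []x509.ExtKeyUsage{
				x509.ExtKeyUsageClientAuth,
			},
		},
	}
}

// csrs is the CertificateRequest template for each pair type that is signed
// by a parent ("ca" is self-signed and has none).
//
// Identities are carried in Subject Alternative Names rather than only the
// CommonName: hostname verification in Go (since 1.15) and in current
// browsers ignores the CN entirely.
var csrs map[string]*x509.CertificateRequest = map[string]*x509.CertificateRequest{
	"inter": {
		Subject: getSubj(interCn),
	},
	"leaf_server": {
		Subject:  getSubj(serverCn),
		DNSNames: []string{serverCn},
		// "127.0.0.1" and "::ffff:127.0.0.1" parse to the same 16-byte
		// net.IP and both marshal as the 4-byte IPv4 SAN, so listing both
		// only produced a duplicate entry.
		IPAddresses: []net.IP{
			net.ParseIP("127.0.0.1"),
			net.ParseIP("::1"),
		},
	},
	"leaf_user": {
		Subject:        getSubj(userCn),
		EmailAddresses: []string{userCn},
	},
}

// parents maps each signed pair type to the pair type that issues it.
var parents map[string]string = map[string]string{
	"inter":       "ca",
	"leaf_server": "inter",
	"leaf_user":   "inter",
}

// certgenOrder is the issuance order. An issuer must exist before anything
// it signs, so the intermediate precedes both leaves.
var certgenOrder []string = []string{
	"inter",
	"leaf_server",
	"leaf_user",
}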