package main
import (
`crypto/x509`
`crypto/x509/pkix`
`embed`
`net`
`time`
)
var (
	// pairTypes enumerates the key/certificate pairs that make up the test
	// PKI: a root CA, one intermediate, and two end-entity pairs (a server
	// and a user). The same names key certTpl, csrs and parents.
	pairTypes = []string{
		"ca",
		"inter",
		"leaf_server",
		"leaf_user",
	}

	// keyTypes enumerates the key algorithms each pair is generated with.
	//
	// Per:
	// https://pkg.go.dev/crypto/x509#CreateCertificate
	// https://pkg.go.dev/crypto/x509#CreateCertificateRequest
	// ECDH keys are not supported for certificates (only ECDSA, ED25519, and
	// RSA), so "ecdh" is deliberately left out of this list.
	keyTypes = []string{
		"ecdsa",
		"ed25519",
		"rsa",
	}

	// pairs is keyed by pair type. It starts empty and is populated by init.
	pairs = make(map[string]*Pair)
)
// pems holds the PEM fixtures under _testdata/, compiled into the binary.
// The directory name starts with "_" (presumably so the go tool does not
// treat it as a package directory); entries named directly by the glob are
// still embedded, since the leading-"_" exclusion only applies to files
// discovered while walking a matched directory — confirm against the
// toolchain in use if the pattern ever stops resolving.
//
//go:embed "_testdata/*"
var pems embed.FS
// Subject common names, one per pair type. getSubj() places each one in the
// CN of the matching certificate / CSR template (see certTpl and csrs);
// pkixCommon presumably supplies the rest of the distinguished name.
const caCn string = "gen_test_pki Root CA"            // pair type "ca"
const interCn string = "gen_test_pki Intermediate CA" // pair type "inter"
const serverCn string = "server.example.com"          // pair type "leaf_server"
const userCn string = "username@example.com"          // pair type "leaf_user"
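var (
	// pkixCommon is the distinguished-name skeleton shared by every
	// generated subject. CommonName is intentionally blank here: getSubj()
	// fills it in per template. The subject serialNumber attribute is also
	// left blank; certificate serials come from getSerial() instead.
	pkixCommon *pkix.Name = &pkix.Name{
		Country:            []string{"XX"},
		Organization:       []string{"An Example Organization"},
		OrganizationalUnit: []string{"An Example Department"},
		Locality:           []string{"Some City"},
		Province:           []string{"Some State"},
		StreetAddress:      []string{"123 Example Street"},
		PostalCode:         []string{"12345"},
		// SerialNumber: "", // left blank on purpose; see getSerial().
		// CommonName: "",   // left blank on purpose; see getSubj().
		Names:      nil,
		ExtraNames: nil,
	}

	// certTpl holds the x509 template for each pair type, keyed by the same
	// names as pairTypes, parents and certgenOrder. Validity windows nest
	// root ⊃ intermediate ⊃ leaf: NotBefore is back-dated a few seconds
	// (presumably to tolerate clock skew between generator and verifier)
	// and each tier expires a year before its issuer (10 / 9 / 8 years).
	certTpl map[string]*x509.Certificate = map[string]*x509.Certificate{
		"ca": {
			SerialNumber:          getSerial(),
			Subject:               getSubj(caCn),
			NotBefore:             time.Now().Add(time.Second * -10),
			NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour), // (about) 10 years
			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
			BasicConstraintsValid: true,
			IsCA:                  true,
			MaxPathLen:            1, // at most one CA (the intermediate) below the root
		},
		"inter": {
			SerialNumber:          getSerial(),
			Subject:               getSubj(interCn),
			NotBefore:             time.Now().Add(time.Second * -9),
			NotAfter:              time.Now().Add(9 * 365 * 24 * time.Hour), // (about) 9 years
			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
			BasicConstraintsValid: true,
			IsCA:                  true,
			// pathLenConstraint = 0: the intermediate may only issue end-entity
			// certificates. crypto/x509 treats MaxPathLen == 0 on its own as
			// "unset" and encodes no constraint at all; MaxPathLenZero must be
			// true for an explicit zero to be written into BasicConstraints.
			MaxPathLen:     0,
			MaxPathLenZero: true,
		},
		"leaf_server": {
			SerialNumber: getSerial(),
			Subject:      getSubj(serverCn),
			NotBefore:    time.Now().Add(time.Second * -8),
			NotAfter:     time.Now().Add(8 * 365 * 24 * time.Hour), // (about) 8 years
			// NOTE(review): KeyEncipherment is only meaningful for RSA keys. For
			// the ECDSA and Ed25519 pairs (see keyTypes) RFC 5480 / RFC 8410 do
			// not permit it; crypto/x509 will sign it regardless. Confirm
			// whether callers gate this bit by key type (same for leaf_user).
			KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
			ExtKeyUsage: []x509.ExtKeyUsage{
				x509.ExtKeyUsageServerAuth,
			},
		},
		"leaf_user": {
			SerialNumber: getSerial(),
			Subject:      getSubj(userCn),
			NotBefore:    time.Now().Add(time.Second * -8),
			NotAfter:     time.Now().Add(8 * 365 * 24 * time.Hour), // (about) 8 years
			KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
			ExtKeyUsage: []x509.ExtKeyUsage{
				x509.ExtKeyUsageClientAuth,
			},
		},
	}

	// csrs holds the CertificateRequest template for every pair type that
	// has a parent (no CSR is defined for the root). Only the server leaf
	// carries SANs: loopback as IPv4, IPv4-mapped IPv6 and IPv6.
	csrs map[string]*x509.CertificateRequest = map[string]*x509.CertificateRequest{
		"inter": {
			Subject: getSubj(interCn),
		},
		"leaf_server": {
			Subject: getSubj(serverCn),
			IPAddresses: []net.IP{
				net.ParseIP("127.0.0.1"),
				// NOTE(review): crypto/x509 encodes IPv4-mapped addresses as
				// 4-byte IPv4 when marshalling SANs, so this most likely ends
				// up as a second 127.0.0.1 entry — verify on the generated CSR.
				net.ParseIP("::ffff:127.0.0.1"),
				net.ParseIP("::1"),
			},
		},
		"leaf_user": {
			Subject: getSubj(userCn),
		},
	}

	// parents maps each non-root pair type to its parent pair type
	// (presumably the issuer that signs it).
	parents map[string]string = map[string]string{
		"inter":       "ca",
		"leaf_server": "inter",
		"leaf_user":   "inter",
	}

	// certgenOrder lists the non-root pair types in dependency order, so
	// each one's parent (see parents) already exists when it is generated.
	certgenOrder []string = []string{
		"inter",
		"leaf_server",
		"leaf_user",
	}
)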