slawek/lab-ca
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 3 Wiki Activity

Moved the rest of CA related code.

Browse Source
This commit is contained in:
Sławek Koszewski
2025-07-27 14:25:42 +02:00
parent a8946bfb10
commit 82142d70de
2 changed files with 146 additions and 114 deletions
Download Patch File Download Diff File Expand all files Collapse all files

149
ca.go
View File

@@ -9,18 +9,25 @@ import (
"fmt" "fmt"
"math/big" "math/big"
"os" "os"
"path/filepath"
"time" "time"
gohcl "github.com/hashicorp/hcl/v2/gohcl" gohcl "github.com/hashicorp/hcl/v2/gohcl"
hclparse "github.com/hashicorp/hcl/v2/hclparse" hclparse "github.com/hashicorp/hcl/v2/hclparse"
) )
type PathsConfig struct {
Certificates string `hcl:"certificates"`
PrivateKeys string `hcl:"private_keys"`
}
type CAConfig struct { type CAConfig struct {
Label string `hcl:",label"` Label string `hcl:",label"`
Name string `hcl:"name"` Name string `hcl:"name"`
Country string `hcl:"country"` Country string `hcl:"country"`
Organization string `hcl:"organization"` Organization string `hcl:"organization"`
SerialType string `hcl:"serial_type"` SerialType string `hcl:"serial_type"`
Paths PathsConfig `hcl:"paths,block"`
} }
type ConfigFile struct { type ConfigFile struct {
@@ -96,6 +103,16 @@ func SavePEM(filename string, data []byte, secure bool, overwrite bool) error {
} }
} }
func (p *PathsConfig) Validate() error {
if p.Certificates == "" {
return fmt.Errorf("paths.certificates is required")
}
if p.PrivateKeys == "" {
return fmt.Errorf("paths.private_keys is required")
}
return nil
}
func (c *CAConfig) Validate() error { func (c *CAConfig) Validate() error {
if c.Name == "" { if c.Name == "" {
return fmt.Errorf("CA 'name' is required") return fmt.Errorf("CA 'name' is required")
@@ -112,5 +129,127 @@ func (c *CAConfig) Validate() error {
if c.SerialType != "random" && c.SerialType != "sequential" { if c.SerialType != "random" && c.SerialType != "sequential" {
return fmt.Errorf("CA 'serial_type' must be 'random' or 'sequential'") return fmt.Errorf("CA 'serial_type' must be 'random' or 'sequential'")
} }
if err := c.Paths.Validate(); err != nil {
return err
}
return nil return nil
} }
func InitCA(configPath string, overwrite bool) {
config, err := LoadCAConfig(configPath)
if err != nil {
fmt.Println("Error loading config:", err)
return
}
// Create directories for certificates and private keys if they don't exist
dirs := []string{config.Paths.Certificates, config.Paths.PrivateKeys}
for _, dir := range dirs {
if dir == "" {
continue
}
if err := os.MkdirAll(dir, 0700); err != nil {
fmt.Printf("Error creating directory '%s': %v\n", dir, err)
return
}
}
certPEM, keyPEM, err := GenerateCA(config)
if err != nil {
fmt.Println("Error generating CA:", err)
return
}
if err := SavePEM(filepath.Join(config.Paths.Certificates, "ca_cert.pem"), certPEM, false, overwrite); err != nil {
fmt.Println("Error saving CA certificate:", err)
return
}
if err := SavePEM(filepath.Join(config.Paths.PrivateKeys, "ca_key.pem"), keyPEM, true, overwrite); err != nil {
fmt.Println("Error saving CA key:", err)
return
}
fmt.Println("CA certificate and key generated.")
}
func IssueCertificate(configPath, subject string, overwrite bool) {
config, err := LoadCAConfig(configPath)
if err != nil {
fmt.Println("Error loading config:", err)
return
}
caCertPath := filepath.Join(config.Paths.Certificates, "ca_cert.pem")
caKeyPath := filepath.Join(config.Paths.PrivateKeys, "ca_key.pem")
caCertPEM, err := os.ReadFile(caCertPath)
if err != nil {
fmt.Println("Error reading CA certificate file:", err)
return
}
caKeyPEM, err := os.ReadFile(caKeyPath)
if err != nil {
fmt.Println("Error reading CA key file:", err)
return
}
caCertBlock, _ := pem.Decode(caCertPEM)
if caCertBlock == nil {
fmt.Println("Failed to parse CA certificate PEM")
return
}
caCert, err := x509.ParseCertificate(caCertBlock.Bytes)
if err != nil {
fmt.Println("Failed to parse CA certificate:", err)
return
}
caKeyBlock, _ := pem.Decode(caKeyPEM)
if caKeyBlock == nil {
fmt.Println("Failed to parse CA key PEM")
return
}
caKey, err := x509.ParsePKCS1PrivateKey(caKeyBlock.Bytes)
if err != nil {
fmt.Println("Failed to parse CA private key:", err)
return
}
priv, err := rsa.GenerateKey(rand.Reader, 4096)
if err != nil {
fmt.Println("Failed to generate private key:", err)
return
}
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
if err != nil {
fmt.Println("Failed to generate serial number:", err)
return
}
certTmpl := x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{
CommonName: subject,
},
NotBefore: time.Now(),
NotAfter: time.Now().AddDate(1, 0, 0), // 1 year
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
}
certDER, err := x509.CreateCertificate(rand.Reader, &certTmpl, caCert, &priv.PublicKey, caKey)
if err != nil {
fmt.Println("Failed to create certificate:", err)
return
}
certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
certFile := filepath.Join(config.Paths.Certificates, subject+".crt.pem")
keyFile := filepath.Join(config.Paths.PrivateKeys, subject+".key.pem")
if err := SavePEM(certFile, certPEM, false, overwrite); err != nil {
fmt.Println("Error saving certificate:", err)
return
}
if err := SavePEM(keyFile, keyPEM, true, overwrite); err != nil {
fmt.Println("Error saving key:", err)
return
}
fmt.Printf("Certificate and key for '%s' generated.\n", subject)
}

111
main.go
View File

@@ -1,15 +1,8 @@
package main package main
import ( import (
"crypto/rand"
"crypto/rsa"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"fmt" "fmt"
"math/big"
"os" "os"
"time"
"github.com/spf13/cobra" "github.com/spf13/cobra"
) )
@@ -32,7 +25,7 @@ func main() {
Use: "initca", Use: "initca",
Short: "Generate a new CA certificate and key", Short: "Generate a new CA certificate and key",
Run: func(cmd *cobra.Command, args []string) { Run: func(cmd *cobra.Command, args []string) {
handleInitCA(configPath, overwrite) InitCA(configPath, overwrite)
}, },
} }
@@ -43,7 +36,7 @@ func main() {
Use: "issue", Use: "issue",
Short: "Issue a new client/server certificate", Short: "Issue a new client/server certificate",
Run: func(cmd *cobra.Command, args []string) { Run: func(cmd *cobra.Command, args []string) {
handleIssue(configPath, subject, overwrite) IssueCertificate(configPath, subject, overwrite)
}, },
} }
@@ -60,106 +53,6 @@ func main() {
} }
} }
func handleInitCA(configPath string, overwrite bool) {
config, err := LoadCAConfig(configPath)
if err != nil {
fmt.Println("Error loading config:", err)
return
}
certPEM, keyPEM, err := GenerateCA(config)
if err != nil {
fmt.Println("Error generating CA:", err)
return
}
if err := SavePEM("ca_cert.pem", certPEM, false, overwrite); err != nil {
fmt.Println("Error saving CA certificate:", err)
return
}
if err := SavePEM("ca_key.pem", keyPEM, true, overwrite); err != nil {
fmt.Println("Error saving CA key:", err)
return
}
fmt.Println("CA certificate and key generated.")
}
func handleIssue(configPath, subject string, overwrite bool) {
// Load existing CA certificate and key from files
caCertPEM, err := os.ReadFile("ca_cert.pem")
if err != nil {
fmt.Println("Error reading CA certificate file:", err)
return
}
caKeyPEM, err := os.ReadFile("ca_key.pem")
if err != nil {
fmt.Println("Error reading CA key file:", err)
return
}
// Parse CA cert and key
caCertBlock, _ := pem.Decode(caCertPEM)
if caCertBlock == nil {
fmt.Println("Failed to parse CA certificate PEM")
return
}
caCert, err := x509.ParseCertificate(caCertBlock.Bytes)
if err != nil {
fmt.Println("Failed to parse CA certificate:", err)
return
}
caKeyBlock, _ := pem.Decode(caKeyPEM)
if caKeyBlock == nil {
fmt.Println("Failed to parse CA key PEM")
return
}
caKey, err := x509.ParsePKCS1PrivateKey(caKeyBlock.Bytes)
if err != nil {
fmt.Println("Failed to parse CA private key:", err)
return
}
// Generate client/server key
priv, err := rsa.GenerateKey(rand.Reader, 4096)
if err != nil {
fmt.Println("Failed to generate private key:", err)
return
}
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
if err != nil {
fmt.Println("Failed to generate serial number:", err)
return
}
certTmpl := x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{
CommonName: subject,
},
NotBefore: time.Now(),
NotAfter: time.Now().AddDate(1, 0, 0), // 1 year
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
}
certDER, err := x509.CreateCertificate(rand.Reader, &certTmpl, caCert, &priv.PublicKey, caKey)
if err != nil {
fmt.Println("Failed to create certificate:", err)
return
}
certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
certFile := subject + ".crt.pem"
keyFile := subject + ".key.pem"
if err := SavePEM(certFile, certPEM, false, overwrite); err != nil {
fmt.Println("Error saving certificate:", err)
return
}
if err := SavePEM(keyFile, keyPEM, true, overwrite); err != nil {
fmt.Println("Error saving key:", err)
return
}
fmt.Printf("Certificate and key for '%s' generated.\n", subject)
}
func printMainHelp() { func printMainHelp() {
fmt.Println("lab-ca - Certificate Authority Utility") fmt.Println("lab-ca - Certificate Authority Utility")
fmt.Println() fmt.Println()