From dba4ced05ff8df1ca511a2794b6ab40237efe186 Mon Sep 17 00:00:00 2001
From: Slawek Koszewski
Date: Sun, 27 Jul 2025 21:16:18 +0200
Subject: [PATCH] Moved loading CA's private key and certificate to global configuration loading process.

---
 ca.go | 69 ++++++++++++++++++++++++++++++++---------------------------
 1 file changed, 37 insertions(+), 32 deletions(-)

diff --git a/ca.go b/ca.go
index 9e1c8d0..4492f03 100644
--- a/ca.go
+++ b/ca.go
@@ -64,9 +64,11 @@ type Certificates struct {
 Certificates []CertificateDefinition `hcl:"certificate,block"`
 }
 
-// Global CA configurationa and state variables
+// Global CA configuration and state variables
 var CAState *_CAState
 var CAConfig *_CAConfig
+var CAKey *rsa.PrivateKey
+var CACert *x509.Certificate
 
 // LoadCA loads the CA config and sets the global CAConfig variable
 func LoadCA(path string) error {
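Review bot: The doc comment `// LoadCA loads the CA config and sets the global CAConfig variable` is now stale: with this commit LoadCA also populates `CACert`, `CAKey` and `CAState`, and a reader checking which globals are usable after the call will miss the key and certificate. Suggest `// LoadCA loads the CA config from path and sets the global CAConfig, CACert, CAKey and CAState variables; it returns an error if the CA certificate or private key cannot be read and parsed.` The new `CAKey` global keeps the CA's private key in process memory for the life of the program, so a one-line comment on that declaration saying it must never be logged or serialized would help future maintainers.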
@@ -89,12 +91,44 @@ func LoadCA(path string) error {
 if err := config.Current.Validate(); err != nil {
 return err
 }
+ CAConfig = &config.Current
+ err := error(nil)
+
+ // Load CA key and certificate
+ caCertPath := filepath.Join(CAConfig.Paths.Certificates, "ca_cert.pem")
+ caKeyPath := filepath.Join(CAConfig.Paths.PrivateKeys, "ca_key.pem")
+
+ caCertPEM, err := os.ReadFile(caCertPath)
+ if err != nil {
+ return fmt.Errorf("error reading CA certificate file: %v", err)
+ }
+ caKeyPEM, err := os.ReadFile(caKeyPath)
+ if err != nil {
+ return fmt.Errorf("error reading CA key file: %v", err)
+ }
+
+ caCertBlock, _ := pem.Decode(caCertPEM)
+ if caCertBlock == nil {
+ return fmt.Errorf("failed to parse CA certificate PEM")
+ }
+ CACert, err = x509.ParseCertificate(caCertBlock.Bytes)
+ if err != nil {
+ return fmt.Errorf("failed to parse CA certificate: %v", err)
+ }
+ caKeyBlock, _ := pem.Decode(caKeyPEM)
+ if caKeyBlock == nil {
+ return fmt.Errorf("failed to parse CA key PEM")
+ }
+ CAKey, err = x509.ParsePKCS1PrivateKey(caKeyBlock.Bytes)
+ if err != nil {
+ return fmt.Errorf("failed to parse CA private key: %v", err)
+ }
+
 // Derive caStatePath from caConfig label and config file path
 caDir := filepath.Dir(path)
 caLabel := config.Current.Label
 caStatePath := filepath.Join(caDir, caLabel+"_state.json")
- err := error(nil)
 CAState, err = LoadCAState(caStatePath)
 if err != nil && !os.IsNotExist(err) {
 return fmt.Errorf("failed to load CA state: %w", err)
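Review bot: After `CAKey, err = x509.ParsePKCS1PrivateKey(caKeyBlock.Bytes)` nothing checks that the loaded key belongs to `CACert`, so a mismatched `ca_key.pem`/`ca_cert.pem` pair is accepted here and only shows up later as issued certificates whose signatures do not verify; add `if !CAKey.PublicKey.Equal(CACert.PublicKey) { return fmt.Errorf("CA private key does not match CA certificate") }` once both are parsed. The PEM block types are also never inspected, so a PKCS#8 (`PRIVATE KEY`) or encrypted key file fails with the generic "failed to parse CA private key" message; checking `caKeyBlock.Type` (and `caCertBlock.Type`) and naming the unexpected type in the error would make that failure actionable. Every caller of LoadCA now also reads the CA private key into memory, including any path that only needs the configuration or state, and fails outright when the key is unreadable; if such read-only commands exist (not visible here), loading the key lazily at the point of signing would limit exposure. The new errors wrap with `%v` while the existing `CAState` error at the end of the hunk uses `%w`; prefer `%w` so callers can use `errors.Is` on the underlying `os` errors, and note that LoadCA's body continues outside the hunk.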
@@ -288,35 +322,6 @@ func issueSingleCertificate(def CertificateDefinition, overwrite, verbose bool)
 def.SAN = append(def.SAN, "dns:"+def.Subject)
 }
 
- caCertPath := filepath.Join(CAConfig.Paths.Certificates, "ca_cert.pem")
- caKeyPath := filepath.Join(CAConfig.Paths.PrivateKeys, "ca_key.pem")
-
- caCertPEM, err := os.ReadFile(caCertPath)
- if err != nil {
- return fmt.Errorf("error reading CA certificate file: %v", err)
- }
- caKeyPEM, err := os.ReadFile(caKeyPath)
- if err != nil {
- return fmt.Errorf("error reading CA key file: %v", err)
- }
-
- caCertBlock, _ := pem.Decode(caCertPEM)
- if caCertBlock == nil {
- return fmt.Errorf("failed to parse CA certificate PEM")
- }
- caCert, err := x509.ParseCertificate(caCertBlock.Bytes)
- if err != nil {
- return fmt.Errorf("failed to parse CA certificate: %v", err)
- }
- caKeyBlock, _ := pem.Decode(caKeyPEM)
- if caKeyBlock == nil {
- return fmt.Errorf("failed to parse CA key PEM")
- }
- caKey, err := x509.ParsePKCS1PrivateKey(caKeyBlock.Bytes)
- if err != nil {
- return fmt.Errorf("failed to parse CA private key: %v", err)
- }
-
 priv, err := rsa.GenerateKey(rand.Reader, 4096)
 if err != nil {
 return fmt.Errorf("failed to generate private key: %v", err)
@@ -381,7 +386,7 @@ func issueSingleCertificate(def CertificateDefinition, overwrite, verbose bool)
 return fmt.Errorf("unknown certificate type. Use one of: client, server, server-only, code-signing, email")
 }
 
- certDER, err := x509.CreateCertificate(rand.Reader, &certTmpl, caCert, &priv.PublicKey, caKey)
+ certDER, err := x509.CreateCertificate(rand.Reader, &certTmpl, CACert, &priv.PublicKey, CAKey)
 if err != nil {
 return fmt.Errorf("failed to create certificate: %v", err)
 }
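Review bot: `x509.CreateCertificate(rand.Reader, &certTmpl, CACert, &priv.PublicKey, CAKey)` now depends on the package-level `CACert` and `CAKey` having been set by LoadCA, whereas the removed lines earlier in this file read and parsed them locally and returned an error on failure; if issueSingleCertificate can be reached without a successful LoadCA (not visible in this diff), a nil parent or signer here becomes a nil-pointer panic instead of an error. A guard such as `if CACert == nil || CAKey == nil { return fmt.Errorf("CA certificate and key not loaded; call LoadCA first") }` at the top of the function would keep the earlier fail-closed behavior. issueSingleCertificate starts and ends outside the hunk.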