package atlasvault
import (
"crypto"
"crypto/rand"
"crypto/x509"
"fmt"
"time"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/sdk/helper/certutil"
"github.com/hashicorp/vault/sdk/helper/errutil"
)
// atlasCertRequest carries everything needed to translate a Vault PKI
// request into an ATLAS issuance request: the DER-encoded CSR that is sent
// to ATLAS, the locally built certificate template, and the private key the
// CSR was signed with.
//
// Fields are filled in by GenerateCSR (which calls PopulateCertTemplate and
// GeneratePrivateKey in that order); a zero atlasCertRequest has a nil
// CertTemplate and PrivateKey, and the methods below dereference them.
type atlasCertRequest struct {
	// CSR holds the DER bytes produced by x509.CreateCertificateRequest.
	CSR []byte
	// CertTemplate mirrors the requested subject/SANs/usages. SerialNumber is
	// left unset (assigned by ATLAS); SubjectKeyId is set by GeneratePrivateKey.
	CertTemplate *x509.Certificate
	// PrivateKey is the generated key plus its raw bytes; nil until
	// SetParsedPrivateKey has been called.
	PrivateKey *privKey
}
// privKey bundles a generated private key in the three forms the request
// needs: the crypto.Signer used to sign the CSR, the certutil key type, and
// the key bytes exactly as handed to SetParsedPrivateKey.
//
// NOTE(review): Bytes keeps key material resident for as long as the
// atlasCertRequest is referenced; whether it is encoded/encrypted is not
// visible here — confirm against certutil.GeneratePrivateKey before logging
// or persisting it.
type privKey struct {
	Signer crypto.Signer
	Type   certutil.PrivateKeyType
	Bytes  []byte
}
// SetParsedPrivateKey attaches a generated private key to the request.
// s is the signer used for the CSR, t its certutil key type and r the key
// bytes as provided by the generator. Any previously attached key is
// replaced. hcr is handed to certutil.GeneratePrivateKey in
// GeneratePrivateKey, presumably so that call populates the key through
// this method.
func (hcr *atlasCertRequest) SetParsedPrivateKey(s crypto.Signer, t certutil.PrivateKeyType, r []byte) {
	key := privKey{
		Signer: s,
		Type:   t,
		Bytes:  r,
	}
	hcr.PrivateKey = &key
}
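// GenerateCSR builds the certificate template and a fresh private key from
// data, then produces a PKCS#10 certificate request signed by that key and
// stores its DER bytes in hcr.CSR.
//
// The CSR and hcr.CertTemplate are populated from the same request
// parameters (Subject, DNSNames, EmailAddresses, IPAddresses, URIs); the
// OtherSANs are added to the CSR only, via handleOtherCSRSANs.
//
// Errors from PopulateCertTemplate and GeneratePrivateKey are returned
// unchanged; a missing signer and failures while assembling or signing the
// CSR are reported as errutil.InternalError.
func (hcr *atlasCertRequest) GenerateCSR(data *dataBundle) error {
	if err := hcr.PopulateCertTemplate(data); err != nil {
		return err
	}
	if err := hcr.GeneratePrivateKey(data); err != nil {
		return err
	}
	// GeneratePrivateKey is expected to have installed the signer via
	// SetParsedPrivateKey; fail cleanly instead of dereferencing nil if it
	// did not.
	if hcr.PrivateKey == nil || hcr.PrivateKey.Signer == nil {
		return errutil.InternalError{Err: "no private key available to sign the certificate request"}
	}

	csrTemplate := &x509.CertificateRequest{
		Subject:        data.params.Subject,
		DNSNames:       data.params.DNSNames,
		EmailAddresses: data.params.EmailAddresses,
		IPAddresses:    data.params.IPAddresses,
		URIs:           data.params.URIs,
	}
	if err := handleOtherCSRSANs(csrTemplate, data.params.OtherSANs); err != nil {
		return errutil.InternalError{Err: errwrap.Wrapf("error marshaling other SANs: {{err}}", err).Error()}
	}

	// The CSR is signed with the request's own key; rand.Reader supplies the
	// signature randomness.
	csr, err := x509.CreateCertificateRequest(rand.Reader, csrTemplate, hcr.PrivateKey.Signer)
	if err != nil {
		// The original message said "certificate"; this path creates a CSR.
		return errutil.InternalError{Err: fmt.Sprintf("unable to create certificate request: %s", err)}
	}
	hcr.CSR = csr
	return nil
}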
// PopulateCertTemplate builds hcr.CertTemplate from the request parameters
// in data: validity window, subject and SANs, plus the policy identifiers,
// key usages and extended key usage OIDs added by the package helpers.
//
// SerialNumber is intentionally left unset (ATLAS assigns it) and
// SubjectKeyId is filled in later by GeneratePrivateKey. PermittedDNSDomains
// (name constraints) are only copied, and marked critical, when the request
// supplies at least one. The method always returns nil.
func (hcr *atlasCertRequest) PopulateCertTemplate(data *dataBundle) error {
	tmpl := &x509.Certificate{
		// NotBefore is back-dated by 30s, presumably to tolerate clock skew
		// with relying parties; NotAfter comes straight from the request.
		NotBefore: time.Now().Add(-30 * time.Second),
		NotAfter:  data.params.NotAfter,
		// Leaf certificate only; this plugin never requests CA certs here.
		IsCA: false,

		Subject:        data.params.Subject,
		DNSNames:       data.params.DNSNames,
		EmailAddresses: data.params.EmailAddresses,
		IPAddresses:    data.params.IPAddresses,
		URIs:           data.params.URIs,
	}
	hcr.CertTemplate = tmpl

	addPolicyIdentifiers(data, tmpl)
	addKeyUsages(data, tmpl)
	addExtKeyUsageOids(data, tmpl)

	// Name constraints are only present on the generation paths.
	if len(data.params.PermittedDNSDomains) == 0 {
		return nil
	}
	tmpl.PermittedDNSDomains = data.params.PermittedDNSDomains
	tmpl.PermittedDNSDomainsCritical = true
	return nil
}
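// GeneratePrivateKey generates a private key of the requested type and size
// via certutil.GeneratePrivateKey (which hands the result back through
// SetParsedPrivateKey) and records the matching subject key identifier on
// hcr.CertTemplate.
//
// hcr.CertTemplate must already be populated (GenerateCSR calls
// PopulateCertTemplate first); calling this method on a request without a
// template, or when key generation leaves no signer behind, returns an
// errutil.InternalError rather than panicking. Errors from
// certutil.GeneratePrivateKey are returned unchanged.
func (hcr *atlasCertRequest) GeneratePrivateKey(data *dataBundle) error {
	// Checked up front so a misuse of the exported method surfaces as an
	// error rather than a nil-pointer panic after key material was created.
	if hcr.CertTemplate == nil {
		return errutil.InternalError{Err: "certificate template must be populated before generating a private key"}
	}
	if err := certutil.GeneratePrivateKey(data.params.KeyType, data.params.KeyBits, hcr); err != nil {
		return err
	}
	if hcr.PrivateKey == nil || hcr.PrivateKey.Signer == nil {
		return errutil.InternalError{Err: "private key generation did not produce a signer"}
	}

	skid, err := certutil.GetSubjKeyID(hcr.PrivateKey.Signer)
	if err != nil {
		return errutil.InternalError{Err: fmt.Sprintf("error getting subject key ID: %s", err)}
	}
	hcr.CertTemplate.SubjectKeyId = skid
	return nil
}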