dynamiclistener/factory/ca.go

package factory

import (
	"crypto"
	"crypto/x509"
	"fmt"
	"io/ioutil"
	"os"
	"time"

	"github.com/rancher/dynamiclistener/cert"
)

func GenCA() (*x509.Certificate, crypto.Signer, error) {
	caKey, err := NewPrivateKey()
	if err != nil {
		return nil, nil, err
	}

	caCert, err := NewSelfSignedCACert(caKey, fmt.Sprintf("dynamiclistener-ca@%d", time.Now().Unix()), "dynamiclistener-org")
	if err != nil {
		return nil, nil, err
	}

	return caCert, caKey, nil
}

func LoadOrGenCA() (*x509.Certificate, crypto.Signer, error) {
	cert, key, err := loadCA()
	if err == nil {
		return cert, key, nil
	}

	cert, key, err = GenCA()
	if err != nil {
		return nil, nil, err
	}

	certBytes, keyBytes, err := Marshal(cert, key)
	if err != nil {
		return nil, nil, err
	}

	if err := os.MkdirAll("./certs", 0700); err != nil {
		return nil, nil, err
	}

	if err := ioutil.WriteFile("./certs/ca.pem", certBytes, 0600); err != nil {
		return nil, nil, err
	}

	if err := ioutil.WriteFile("./certs/ca.key", keyBytes, 0600); err != nil {
		return nil, nil, err
	}

	return cert, key, nil
}

func loadCA() (*x509.Certificate, crypto.Signer, error) {
	return LoadCerts("./certs/ca.pem", "./certs/ca.key")
}

func LoadCA(caPem, caKey []byte) (*x509.Certificate, crypto.Signer, error) {
	key, err := cert.ParsePrivateKeyPEM(caKey)
	if err != nil {
		return nil, nil, err
	}
	signer, ok := key.(crypto.Signer)
	if !ok {
		return nil, nil, fmt.Errorf("key is not a crypto.Signer")
	}

	cert, err := ParseCertPEM(caPem)
	if err != nil {
		return nil, nil, err
	}

	return cert, signer, nil
}

func LoadCerts(certFile, keyFile string) (*x509.Certificate, crypto.Signer, error) {
	caPem, err := ioutil.ReadFile(certFile)
	if err != nil {
		return nil, nil, err
	}
	caKey, err := ioutil.ReadFile(keyFile)
	if err != nil {
		return nil, nil, err
	}

	return LoadCA(caPem, caKey)
}
Refactor to not include a server by default 2019-10-27 06:18:58 +00:00			`package factory`

			`import (`
Support old or imported RSA keys 2019-11-15 23:43:02 +00:00			`"crypto"`
Refactor to not include a server by default 2019-10-27 06:18:58 +00:00			`"crypto/x509"`
Support old or imported RSA keys 2019-11-15 23:43:02 +00:00			`"fmt"`
Refactor to not include a server by default 2019-10-27 06:18:58 +00:00			`"io/ioutil"`
			`"os"`
Send complete certificate chain, not just the leaf cert Also, print a warning when signing may change the issuer. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> 2022-05-11 19:43:43 +00:00			`"time"`
Support old or imported RSA keys 2019-11-15 23:43:02 +00:00
			`"github.com/rancher/dynamiclistener/cert"`
Refactor to not include a server by default 2019-10-27 06:18:58 +00:00			`)`

Support old or imported RSA keys 2019-11-15 23:43:02 +00:00			`func GenCA() (*x509.Certificate, crypto.Signer, error) {`
Refactor to not include a server by default 2019-10-27 06:18:58 +00:00			`caKey, err := NewPrivateKey()`
			`if err != nil {`
			`return nil, nil, err`
			`}`

Send complete certificate chain, not just the leaf cert Also, print a warning when signing may change the issuer. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> 2022-05-11 19:43:43 +00:00			`caCert, err := NewSelfSignedCACert(caKey, fmt.Sprintf("dynamiclistener-ca@%d", time.Now().Unix()), "dynamiclistener-org")`
Refactor to not include a server by default 2019-10-27 06:18:58 +00:00			`if err != nil {`
			`return nil, nil, err`
			`}`

			`return caCert, caKey, nil`
			`}`

Support old or imported RSA keys 2019-11-15 23:43:02 +00:00			`func LoadOrGenCA() (*x509.Certificate, crypto.Signer, error) {`
Refactor to not include a server by default 2019-10-27 06:18:58 +00:00			`cert, key, err := loadCA()`
			`if err == nil {`
			`return cert, key, nil`
			`}`

			`cert, key, err = GenCA()`
			`if err != nil {`
			`return nil, nil, err`
			`}`

			`certBytes, keyBytes, err := Marshal(cert, key)`
			`if err != nil {`
			`return nil, nil, err`
			`}`

			`if err := os.MkdirAll("./certs", 0700); err != nil {`
			`return nil, nil, err`
			`}`

			`if err := ioutil.WriteFile("./certs/ca.pem", certBytes, 0600); err != nil {`
			`return nil, nil, err`
			`}`

			`if err := ioutil.WriteFile("./certs/ca.key", keyBytes, 0600); err != nil {`
			`return nil, nil, err`
			`}`

			`return cert, key, nil`
			`}`

Support old or imported RSA keys 2019-11-15 23:43:02 +00:00			`func loadCA() (*x509.Certificate, crypto.Signer, error) {`
Refactor to not include a server by default 2019-10-27 06:18:58 +00:00			`return LoadCerts("./certs/ca.pem", "./certs/ca.key")`
			`}`

Add more helpers 2020-01-31 05:18:44 +00:00			`func LoadCA(caPem, caKey []byte) (*x509.Certificate, crypto.Signer, error) {`
Support old or imported RSA keys 2019-11-15 23:43:02 +00:00			`key, err := cert.ParsePrivateKeyPEM(caKey)`
Refactor to not include a server by default 2019-10-27 06:18:58 +00:00			`if err != nil {`
			`return nil, nil, err`
			`}`
Support old or imported RSA keys 2019-11-15 23:43:02 +00:00			`signer, ok := key.(crypto.Signer)`
			`if !ok {`
			`return nil, nil, fmt.Errorf("key is not a crypto.Signer")`
			`}`
Refactor to not include a server by default 2019-10-27 06:18:58 +00:00
			`cert, err := ParseCertPEM(caPem)`
			`if err != nil {`
			`return nil, nil, err`
			`}`

Support old or imported RSA keys 2019-11-15 23:43:02 +00:00			`return cert, signer, nil`
Refactor to not include a server by default 2019-10-27 06:18:58 +00:00			`}`
Add more helpers 2020-01-31 05:18:44 +00:00
			`func LoadCerts(certFile, keyFile string) (*x509.Certificate, crypto.Signer, error) {`
			`caPem, err := ioutil.ReadFile(certFile)`
			`if err != nil {`
			`return nil, nil, err`
			`}`
			`caKey, err := ioutil.ReadFile(keyFile)`
			`if err != nil {`
			`return nil, nil, err`
			`}`

			`return LoadCA(caPem, caKey)`
			`}`