dynamiclistener/factory/ca.go

package factory

import (
	"crypto"
	"crypto/x509"
	"fmt"
	"io/ioutil"
	"os"
	"time"

	"github.com/rancher/dynamiclistener/cert"
)

func GenCA() (*x509.Certificate, crypto.Signer, error) {
	caKey, err := NewPrivateKey()
	if err != nil {
		return nil, nil, err
	}

	caCert, err := NewSelfSignedCACert(caKey, fmt.Sprintf("dynamiclistener-ca@%d", time.Now().Unix()), "dynamiclistener-org")
	if err != nil {
		return nil, nil, err
	}

	return caCert, caKey, nil
}

// Deprecated: Use LoadOrGenCAChain instead as it supports intermediate CAs
func LoadOrGenCA() (*x509.Certificate, crypto.Signer, error) {
	chain, signer, err := LoadOrGenCAChain()
	if err != nil {
		return nil, nil, err
	}
	return chain[0], signer, err
}

func LoadOrGenCAChain() ([]*x509.Certificate, crypto.Signer, error) {
	certs, key, err := loadCA()
	if err == nil {
		return certs, key, nil
	}

	cert, key, err := GenCA()
	if err != nil {
		return nil, nil, err
	}
	certs = []*x509.Certificate{cert}

	certBytes, keyBytes, err := MarshalChain(key, certs...)
	if err != nil {
		return nil, nil, err
	}

	if err := os.MkdirAll("./certs", 0700); err != nil {
		return nil, nil, err
	}

	if err := ioutil.WriteFile("./certs/ca.pem", certBytes, 0600); err != nil {
		return nil, nil, err
	}

	if err := ioutil.WriteFile("./certs/ca.key", keyBytes, 0600); err != nil {
		return nil, nil, err
	}

	return certs, key, nil
}

func loadCA() ([]*x509.Certificate, crypto.Signer, error) {
	return LoadCertsChain("./certs/ca.pem", "./certs/ca.key")
}

func LoadCA(caPem, caKey []byte) (*x509.Certificate, crypto.Signer, error) {
	chain, signer, err := LoadCAChain(caPem, caKey)
	if err != nil {
		return nil, nil, err
	}
	return chain[0], signer, nil
}

func LoadCAChain(caPem, caKey []byte) ([]*x509.Certificate, crypto.Signer, error) {
	key, err := cert.ParsePrivateKeyPEM(caKey)
	if err != nil {
		return nil, nil, err
	}
	signer, ok := key.(crypto.Signer)
	if !ok {
		return nil, nil, fmt.Errorf("key is not a crypto.Signer")
	}

	certs, err := cert.ParseCertsPEM(caPem)
	if err != nil {
		return nil, nil, err
	}

	return certs, signer, nil
}

// Deprecated: Use LoadCertsChain instead as it supports intermediate CAs
func LoadCerts(certFile, keyFile string) (*x509.Certificate, crypto.Signer, error) {
	chain, signer, err := LoadCertsChain(certFile, keyFile)
	if err != nil {
		return nil, nil, err
	}
	return chain[0], signer, err
}

func LoadCertsChain(certFile, keyFile string) ([]*x509.Certificate, crypto.Signer, error) {
	caPem, err := ioutil.ReadFile(certFile)
	if err != nil {
		return nil, nil, err
	}
	caKey, err := ioutil.ReadFile(keyFile)
	if err != nil {
		return nil, nil, err
	}

	return LoadCAChain(caPem, caKey)
}
Refactor to not include a server by default 2019-10-26 23:18:58 -07:00			`package factory`

			`import (`
Support old or imported RSA keys 2019-11-15 23:43:02 +00:00			`"crypto"`
Refactor to not include a server by default 2019-10-26 23:18:58 -07:00			`"crypto/x509"`
Support old or imported RSA keys 2019-11-15 23:43:02 +00:00			`"fmt"`
Refactor to not include a server by default 2019-10-26 23:18:58 -07:00			`"io/ioutil"`
			`"os"`
Send complete certificate chain, not just the leaf cert Also, print a warning when signing may change the issuer. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> 2022-05-11 12:43:43 -07:00			`"time"`
Support old or imported RSA keys 2019-11-15 23:43:02 +00:00
			`"github.com/rancher/dynamiclistener/cert"`
Refactor to not include a server by default 2019-10-26 23:18:58 -07:00			`)`

Support old or imported RSA keys 2019-11-15 23:43:02 +00:00			`func GenCA() (*x509.Certificate, crypto.Signer, error) {`
Refactor to not include a server by default 2019-10-26 23:18:58 -07:00			`caKey, err := NewPrivateKey()`
			`if err != nil {`
			`return nil, nil, err`
			`}`

Send complete certificate chain, not just the leaf cert Also, print a warning when signing may change the issuer. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> 2022-05-11 12:43:43 -07:00			`caCert, err := NewSelfSignedCACert(caKey, fmt.Sprintf("dynamiclistener-ca@%d", time.Now().Unix()), "dynamiclistener-org")`
Refactor to not include a server by default 2019-10-26 23:18:58 -07:00			`if err != nil {`
			`return nil, nil, err`
			`}`

			`return caCert, caKey, nil`
			`}`

Enable intermediate CA Certificates Signed-off-by: Jonas Wagner <jwagner@knoppiks.de> 2023-07-10 08:59:37 +02:00			`// Deprecated: Use LoadOrGenCAChain instead as it supports intermediate CAs`
Support old or imported RSA keys 2019-11-15 23:43:02 +00:00			`func LoadOrGenCA() (*x509.Certificate, crypto.Signer, error) {`
Enable intermediate CA Certificates Signed-off-by: Jonas Wagner <jwagner@knoppiks.de> 2023-07-10 08:59:37 +02:00			`chain, signer, err := LoadOrGenCAChain()`
Prevent Panic for empty Arrays on Error Co-authored-by: Brad Davidson <brad@oatmail.org> Signed-off-by: Jonas Wagner <jwagner@knoppiks.de> 2023-07-14 08:19:03 +02:00			`if err != nil {`
			`return nil, nil, err`
			`}`
Enable intermediate CA Certificates Signed-off-by: Jonas Wagner <jwagner@knoppiks.de> 2023-07-10 08:59:37 +02:00			`return chain[0], signer, err`
			`}`

			`func LoadOrGenCAChain() ([]*x509.Certificate, crypto.Signer, error) {`
			`certs, key, err := loadCA()`
Refactor to not include a server by default 2019-10-26 23:18:58 -07:00			`if err == nil {`
Enable intermediate CA Certificates Signed-off-by: Jonas Wagner <jwagner@knoppiks.de> 2023-07-10 08:59:37 +02:00			`return certs, key, nil`
Refactor to not include a server by default 2019-10-26 23:18:58 -07:00			`}`

Enable intermediate CA Certificates Signed-off-by: Jonas Wagner <jwagner@knoppiks.de> 2023-07-10 08:59:37 +02:00			`cert, key, err := GenCA()`
Refactor to not include a server by default 2019-10-26 23:18:58 -07:00			`if err != nil {`
			`return nil, nil, err`
			`}`
Enable intermediate CA Certificates Signed-off-by: Jonas Wagner <jwagner@knoppiks.de> 2023-07-10 08:59:37 +02:00			`certs = []*x509.Certificate{cert}`
Refactor to not include a server by default 2019-10-26 23:18:58 -07:00
Enable intermediate CA Certificates Signed-off-by: Jonas Wagner <jwagner@knoppiks.de> 2023-07-10 08:59:37 +02:00			`certBytes, keyBytes, err := MarshalChain(key, certs...)`
Refactor to not include a server by default 2019-10-26 23:18:58 -07:00			`if err != nil {`
			`return nil, nil, err`
			`}`

			`if err := os.MkdirAll("./certs", 0700); err != nil {`
			`return nil, nil, err`
			`}`

			`if err := ioutil.WriteFile("./certs/ca.pem", certBytes, 0600); err != nil {`
			`return nil, nil, err`
			`}`

			`if err := ioutil.WriteFile("./certs/ca.key", keyBytes, 0600); err != nil {`
			`return nil, nil, err`
			`}`

Enable intermediate CA Certificates Signed-off-by: Jonas Wagner <jwagner@knoppiks.de> 2023-07-10 08:59:37 +02:00			`return certs, key, nil`
Refactor to not include a server by default 2019-10-26 23:18:58 -07:00			`}`

Enable intermediate CA Certificates Signed-off-by: Jonas Wagner <jwagner@knoppiks.de> 2023-07-10 08:59:37 +02:00			`func loadCA() ([]*x509.Certificate, crypto.Signer, error) {`
			`return LoadCertsChain("./certs/ca.pem", "./certs/ca.key")`
Refactor to not include a server by default 2019-10-26 23:18:58 -07:00			`}`

Add more helpers 2020-01-30 22:18:44 -07:00			`func LoadCA(caPem, caKey []byte) (*x509.Certificate, crypto.Signer, error) {`
Enable intermediate CA Certificates Signed-off-by: Jonas Wagner <jwagner@knoppiks.de> 2023-07-10 08:59:37 +02:00			`chain, signer, err := LoadCAChain(caPem, caKey)`
Prevent Panic for empty Arrays on Error Co-authored-by: Brad Davidson <brad@oatmail.org> Signed-off-by: Jonas Wagner <jwagner@knoppiks.de> 2023-07-14 08:19:03 +02:00			`if err != nil {`
			`return nil, nil, err`
			`}`
			`return chain[0], signer, nil`
Enable intermediate CA Certificates Signed-off-by: Jonas Wagner <jwagner@knoppiks.de> 2023-07-10 08:59:37 +02:00			`}`

			`func LoadCAChain(caPem, caKey []byte) ([]*x509.Certificate, crypto.Signer, error) {`
Support old or imported RSA keys 2019-11-15 23:43:02 +00:00			`key, err := cert.ParsePrivateKeyPEM(caKey)`
Refactor to not include a server by default 2019-10-26 23:18:58 -07:00			`if err != nil {`
			`return nil, nil, err`
			`}`
Support old or imported RSA keys 2019-11-15 23:43:02 +00:00			`signer, ok := key.(crypto.Signer)`
			`if !ok {`
			`return nil, nil, fmt.Errorf("key is not a crypto.Signer")`
			`}`
Refactor to not include a server by default 2019-10-26 23:18:58 -07:00
Enable intermediate CA Certificates Signed-off-by: Jonas Wagner <jwagner@knoppiks.de> 2023-07-10 08:59:37 +02:00			`certs, err := cert.ParseCertsPEM(caPem)`
Refactor to not include a server by default 2019-10-26 23:18:58 -07:00			`if err != nil {`
			`return nil, nil, err`
			`}`

Enable intermediate CA Certificates Signed-off-by: Jonas Wagner <jwagner@knoppiks.de> 2023-07-10 08:59:37 +02:00			`return certs, signer, nil`
Refactor to not include a server by default 2019-10-26 23:18:58 -07:00			`}`
Add more helpers 2020-01-30 22:18:44 -07:00
Enable intermediate CA Certificates Signed-off-by: Jonas Wagner <jwagner@knoppiks.de> 2023-07-10 08:59:37 +02:00			`// Deprecated: Use LoadCertsChain instead as it supports intermediate CAs`
Add more helpers 2020-01-30 22:18:44 -07:00			`func LoadCerts(certFile, keyFile string) (*x509.Certificate, crypto.Signer, error) {`
Enable intermediate CA Certificates Signed-off-by: Jonas Wagner <jwagner@knoppiks.de> 2023-07-10 08:59:37 +02:00			`chain, signer, err := LoadCertsChain(certFile, keyFile)`
Prevent Panic for empty Arrays on Error Co-authored-by: Brad Davidson <brad@oatmail.org> Signed-off-by: Jonas Wagner <jwagner@knoppiks.de> 2023-07-14 08:19:03 +02:00			`if err != nil {`
			`return nil, nil, err`
			`}`
Enable intermediate CA Certificates Signed-off-by: Jonas Wagner <jwagner@knoppiks.de> 2023-07-10 08:59:37 +02:00			`return chain[0], signer, err`
			`}`

			`func LoadCertsChain(certFile, keyFile string) ([]*x509.Certificate, crypto.Signer, error) {`
Add more helpers 2020-01-30 22:18:44 -07:00			`caPem, err := ioutil.ReadFile(certFile)`
			`if err != nil {`
			`return nil, nil, err`
			`}`
			`caKey, err := ioutil.ReadFile(keyFile)`
			`if err != nil {`
			`return nil, nil, err`
			`}`

Enable intermediate CA Certificates Signed-off-by: Jonas Wagner <jwagner@knoppiks.de> 2023-07-10 08:59:37 +02:00			`return LoadCAChain(caPem, caKey)`
Add more helpers 2020-01-30 22:18:44 -07:00			`}`