2010-07-02 18:00:18 +01:00
|
|
|
// Copyright 2009 The Go Authors. All rights reserved.
|
|
|
|
|
// Use of this source code is governed by a BSD-style
|
|
|
|
|
// license that can be found in the LICENSE file.
|
|
|
|
|
|
2012-02-14 21:39:20 +00:00
|
|
|
// +build ignore
|
|
|
|
|
|
2010-07-02 18:00:18 +01:00
|
|
|
// Generate a self-signed X.509 certificate for a TLS server. Outputs to
|
|
|
|
|
// 'cert.pem' and 'key.pem' and will overwrite existing files.
|
|
|
|
|
|
|
|
|
|
package main
|
|
|
|
|
|
|
|
|
|
import (
|
2014-07-28 22:46:34 +01:00
|
|
|
"crypto/ecdsa"
|
|
|
|
|
"crypto/elliptic"
|
2010-12-14 17:22:28 +00:00
|
|
|
"crypto/rand"
|
2011-07-06 21:22:21 +01:00
|
|
|
"crypto/rsa"
|
2010-07-02 18:00:18 +01:00
|
|
|
"crypto/x509"
|
2011-11-02 19:54:16 +00:00
|
|
|
"crypto/x509/pkix"
|
2010-07-02 18:00:18 +01:00
|
|
|
"encoding/pem"
|
2010-07-02 21:43:48 +01:00
|
|
|
"flag"
|
2013-02-15 15:40:17 +00:00
|
|
|
"fmt"
|
2010-07-02 18:00:18 +01:00
|
|
|
"log"
|
2011-11-08 23:40:58 +00:00
|
|
|
"math/big"
|
2013-02-15 15:40:17 +00:00
|
|
|
"net"
|
2010-07-02 18:00:18 +01:00
|
|
|
"os"
|
2013-02-15 15:40:17 +00:00
|
|
|
"strings"
|
2010-07-02 18:00:18 +01:00
|
|
|
"time"
|
|
|
|
|
)
|
|
|
|
|
|
2013-02-15 15:40:17 +00:00
|
|
|
var (
|
2014-07-28 22:46:34 +01:00
|
|
|
host = flag.String("host", "", "Comma-separated hostnames and IPs to generate a certificate for")
|
|
|
|
|
validFrom = flag.String("start-date", "", "Creation date formatted as Jan 1 15:04:05 2011")
|
|
|
|
|
validFor = flag.Duration("duration", 365*24*time.Hour, "Duration that certificate is valid for")
|
|
|
|
|
isCA = flag.Bool("ca", false, "whether this cert should be its own Certificate Authority")
|
|
|
|
|
rsaBits = flag.Int("rsa-bits", 2048, "Size of RSA key to generate. Ignored if --ecdsa-curve is set")
|
2017-04-10 18:22:26 +01:00
|
|
|
ecdsaCurve = flag.String("ecdsa-curve", "", "ECDSA curve to use to generate a key. Valid values are P224, P256 (recommended), P384, P521")
|
2013-02-15 15:40:17 +00:00
|
|
|
)
|
2010-07-02 18:00:18 +01:00
|
|
|
|
2014-07-28 22:46:34 +01:00
|
|
|
func publicKey(priv interface{}) interface{} {
|
|
|
|
|
switch k := priv.(type) {
|
|
|
|
|
case *rsa.PrivateKey:
|
|
|
|
|
return &k.PublicKey
|
|
|
|
|
case *ecdsa.PrivateKey:
|
|
|
|
|
return &k.PublicKey
|
|
|
|
|
default:
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func pemBlockForKey(priv interface{}) *pem.Block {
|
|
|
|
|
switch k := priv.(type) {
|
|
|
|
|
case *rsa.PrivateKey:
|
|
|
|
|
return &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)}
|
|
|
|
|
case *ecdsa.PrivateKey:
|
|
|
|
|
b, err := x509.MarshalECPrivateKey(k)
|
|
|
|
|
if err != nil {
|
|
|
|
|
fmt.Fprintf(os.Stderr, "Unable to marshal ECDSA private key: %v", err)
|
|
|
|
|
os.Exit(2)
|
|
|
|
|
}
|
|
|
|
|
return &pem.Block{Type: "EC PRIVATE KEY", Bytes: b}
|
|
|
|
|
default:
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2010-07-02 21:43:48 +01:00
|
|
|
func main() {
|
|
|
|
|
flag.Parse()
|
2010-07-02 18:00:18 +01:00
|
|
|
|
2013-02-15 15:40:17 +00:00
|
|
|
if len(*host) == 0 {
|
|
|
|
|
log.Fatalf("Missing required --host parameter")
|
|
|
|
|
}
|
|
|
|
|
|
2014-07-28 22:46:34 +01:00
|
|
|
var priv interface{}
|
|
|
|
|
var err error
|
|
|
|
|
switch *ecdsaCurve {
|
|
|
|
|
case "":
|
|
|
|
|
priv, err = rsa.GenerateKey(rand.Reader, *rsaBits)
|
|
|
|
|
case "P224":
|
|
|
|
|
priv, err = ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
|
|
|
|
|
case "P256":
|
|
|
|
|
priv, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
|
|
|
|
case "P384":
|
|
|
|
|
priv, err = ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
|
|
|
|
|
case "P521":
|
|
|
|
|
priv, err = ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
|
|
|
|
|
default:
|
|
|
|
|
fmt.Fprintf(os.Stderr, "Unrecognized elliptic curve: %q", *ecdsaCurve)
|
|
|
|
|
os.Exit(1)
|
|
|
|
|
}
|
2010-07-02 18:00:18 +01:00
|
|
|
if err != nil {
|
2011-03-13 03:35:41 +00:00
|
|
|
log.Fatalf("failed to generate private key: %s", err)
|
2010-07-02 18:00:18 +01:00
|
|
|
}
|
|
|
|
|
|
2013-02-15 15:40:17 +00:00
|
|
|
var notBefore time.Time
|
|
|
|
|
if len(*validFrom) == 0 {
|
|
|
|
|
notBefore = time.Now()
|
|
|
|
|
} else {
|
|
|
|
|
notBefore, err = time.Parse("Jan 2 15:04:05 2006", *validFrom)
|
|
|
|
|
if err != nil {
|
|
|
|
|
fmt.Fprintf(os.Stderr, "Failed to parse creation date: %s\n", err)
|
|
|
|
|
os.Exit(1)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
notAfter := notBefore.Add(*validFor)
|
|
|
|
|
|
2013-12-15 17:57:57 +00:00
|
|
|
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
|
|
|
|
|
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
|
|
|
|
|
if err != nil {
|
|
|
|
|
log.Fatalf("failed to generate serial number: %s", err)
|
|
|
|
|
}
|
|
|
|
|
|
2010-07-02 18:00:18 +01:00
|
|
|
template := x509.Certificate{
|
2013-12-15 17:57:57 +00:00
|
|
|
SerialNumber: serialNumber,
|
2011-07-06 21:22:21 +01:00
|
|
|
Subject: pkix.Name{
|
2010-12-07 21:14:55 +00:00
|
|
|
Organization: []string{"Acme Co"},
|
2010-07-02 18:00:18 +01:00
|
|
|
},
|
2013-02-15 15:40:17 +00:00
|
|
|
NotBefore: notBefore,
|
|
|
|
|
NotAfter: notAfter,
|
|
|
|
|
|
|
|
|
|
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
|
|
|
|
|
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
|
|
|
|
|
BasicConstraintsValid: true,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
hosts := strings.Split(*host, ",")
|
|
|
|
|
for _, h := range hosts {
|
|
|
|
|
if ip := net.ParseIP(h); ip != nil {
|
|
|
|
|
template.IPAddresses = append(template.IPAddresses, ip)
|
|
|
|
|
} else {
|
|
|
|
|
template.DNSNames = append(template.DNSNames, h)
|
|
|
|
|
}
|
|
|
|
|
}
|
2010-07-02 18:00:18 +01:00
|
|
|
|
2013-02-15 15:40:17 +00:00
|
|
|
if *isCA {
|
|
|
|
|
template.IsCA = true
|
|
|
|
|
template.KeyUsage |= x509.KeyUsageCertSign
|
2010-07-02 18:00:18 +01:00
|
|
|
}
|
|
|
|
|
|
2014-07-28 22:46:34 +01:00
|
|
|
derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, publicKey(priv), priv)
|
2010-07-02 18:00:18 +01:00
|
|
|
if err != nil {
|
2011-03-13 03:35:41 +00:00
|
|
|
log.Fatalf("Failed to create certificate: %s", err)
|
2010-07-02 18:00:18 +01:00
|
|
|
}
|
|
|
|
|
|
2011-04-05 07:42:14 +01:00
|
|
|
certOut, err := os.Create("cert.pem")
|
2010-07-02 18:00:18 +01:00
|
|
|
if err != nil {
|
2011-03-13 03:35:41 +00:00
|
|
|
log.Fatalf("failed to open cert.pem for writing: %s", err)
|
2010-07-02 18:00:18 +01:00
|
|
|
}
|
2018-03-21 14:27:31 +00:00
|
|
|
pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
|
|
|
|
|
certOut.Close()
|
|
|
|
|
log.Print("written cert.pem\n")
|
2010-07-02 18:00:18 +01:00
|
|
|
|
2011-05-27 12:06:50 +01:00
|
|
|
keyOut, err := os.OpenFile("key.pem", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
|
2010-07-02 18:00:18 +01:00
|
|
|
if err != nil {
|
log: new interface
New logging interface simplifies and generalizes.
1) Loggers now have only one output.
2) log.Stdout, Stderr, Crash and friends are gone.
Logging is now always to standard error by default.
3) log.Panic* replaces log.Crash*.
4) Exiting and panicking are not part of the logger's state; instead
the functions Exit* and Panic* simply call Exit or panic after
printing.
5) There is now one 'standard logger'. Instead of calling Stderr,
use Print etc. There are now triples, by analogy with fmt:
Print, Println, Printf
What was log.Stderr is now best represented by log.Println,
since there are now separate Print and Println functions
(and methods).
6) New functions SetOutput, SetFlags, and SetPrefix allow global
editing of the standard logger's properties. This is new
functionality. For instance, one can call
log.SetFlags(log.Lshortfile|log.Ltime|log.Lmicroseconds)
to get all logging output to show file name, line number, and
time stamp.
In short, for most purposes
log.Stderr -> log.Println or log.Print
log.Stderrf -> log.Printf
log.Crash -> log.Panicln or log.Panic
log.Crashf -> log.Panicf
log.Exit -> log.Exitln or log.Exit
log.Exitf -> log.Exitf (no change)
This has a slight breakage: since loggers now write only to one
output, existing calls to log.New() need to delete the second argument.
Also, custom loggers with exit or panic properties will need to be
reworked.
All package code updated to new interface.
The test has been reworked somewhat.
The old interface will be removed after the new release.
For now, its elements are marked 'deprecated' in their comments.
Fixes #1184.
R=rsc
CC=golang-dev
https://golang.org/cl/2419042
2010-10-12 20:59:18 +01:00
|
|
|
log.Print("failed to open key.pem for writing:", err)
|
2010-07-02 18:00:18 +01:00
|
|
|
return
|
|
|
|
|
}
|
2018-03-21 14:27:31 +00:00
|
|
|
pem.Encode(keyOut, pemBlockForKey(priv))
|
|
|
|
|
keyOut.Close()
|
|
|
|
|
log.Print("written key.pem\n")
|
2010-07-02 18:00:18 +01:00
|
|
|
}
|
