crypto/tls, http: Make HTTPS servers easier.

R=r, adg, rsc CC=golang-dev https://golang.org/cl/1684051
2010-07-02 13:00:18 -04:00 · 2010-07-02 13:00:18 -04:00 · 7b22e867e7
commit 7b22e867e7
parent 06f6131702
2 changed files with 133 additions and 1 deletions
--- a/generate_cert.go
+++ b/generate_cert.go
@ -0,0 +1,79 @@
+// Copyright 2009 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Generate a self-signed X.509 certificate for a TLS server. Outputs to
+// 'cert.pem' and 'key.pem' and will overwrite existing files.
+
+package main
+
+import (
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"log"
+	"os"
+	"time"
+)
+
+func main() {
+	if len(os.Args) != 2 {
+		fmt.Printf("Usage: %s <hostname of server>\n", os.Args[0])
+		return
+	}
+
+	hostName := os.Args[1]
+
+	urandom, err := os.Open("/dev/urandom", os.O_RDONLY, 0)
+	if err != nil {
+		log.Crashf("failed to open /dev/urandom: %s\n", err)
+		return
+	}
+
+	log.Stdoutf("Generating RSA key\n")
+	priv, err := rsa.GenerateKey(urandom, 1024)
+	if err != nil {
+		log.Crashf("failed to generate private key: %s\n", err)
+		return
+	}
+
+	now := time.Seconds()
+
+	template := x509.Certificate{
+		SerialNumber: []byte{0},
+		Subject: x509.Name{
+			CommonName:   hostName,
+			Organization: "Acme Co",
+		},
+		NotBefore: time.SecondsToUTC(now - 300),
+		NotAfter:  time.SecondsToUTC(now + 86400*365), // valid for 1 year.
+
+		SubjectKeyId: []byte{1, 2, 3, 4},
+		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+	}
+
+	derBytes, err := x509.CreateCertificate(urandom, &template, &template, &priv.PublicKey, priv)
+	if err != nil {
+		log.Crashf("Failed to create certificate: %s", err)
+		return
+	}
+
+	certOut, err := os.Open("cert.pem", os.O_WRONLY|os.O_CREAT, 0644)
+	if err != nil {
+		log.Crashf("failed to open cert.pem for writing: %s\n", err)
+		return
+	}
+	pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
+	certOut.Close()
+	log.Stdoutf("written cert.pem\n")
+
+	keyOut, err := os.Open("key.pem", os.O_WRONLY|os.O_CREAT, 0600)
+	if err != nil {
+		log.Crashf("failed to open key.pem for writing: %s\n", err)
+		return
+	}
+	pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
+	keyOut.Close()
+	log.Stdoutf("written key.pem\n")
+}
--- a/tls.go
+++ b/tls.go
@ -6,8 +6,12 @@
 package tls

 import (
-	"os"
+	"io/ioutil"
 	"net"
+	"os"
+	"encoding/pem"
+	"crypto/rsa"
+	"crypto/x509"
 )

 func Server(conn net.Conn, config *Config) *Conn {
@ -65,3 +69,52 @@ func Dial(network, laddr, raddr string) (net.Conn, os.Error) {
 	}
 	return Client(c, nil), nil
 }
+
+// LoadX509KeyPair
+func LoadX509KeyPair(certFile string, keyFile string) (cert Certificate, err os.Error) {
+	certPEMBlock, err := ioutil.ReadFile(certFile)
+	if err != nil {
+		return
+	}
+
+	certDERBlock, _ := pem.Decode(certPEMBlock)
+	if certDERBlock == nil {
+		err = os.ErrorString("failed to parse certificate PEM data")
+		return
+	}
+
+	cert.Certificate = [][]byte{certDERBlock.Bytes}
+
+	keyPEMBlock, err := ioutil.ReadFile(keyFile)
+	if err != nil {
+		return
+	}
+
+	keyDERBlock, _ := pem.Decode(keyPEMBlock)
+	if keyDERBlock == nil {
+		err = os.ErrorString("failed to parse key PEM data")
+		return
+	}
+
+	key, err := x509.ParsePKCS1PrivateKey(keyDERBlock.Bytes)
+	if err != nil {
+		err = os.ErrorString("failed to parse key")
+		return
+	}
+
+	cert.PrivateKey = key
+
+	// We don't need to parse the public key for TLS, but we so do anyway
+	// to check that it looks sane and matches the private key.
+	x509Cert, err := x509.ParseCertificate(certDERBlock.Bytes)
+	if err != nil {
+		return
+	}
+
+	if x509Cert.PublicKeyAlgorithm != x509.RSA || x509Cert.PublicKey.(*rsa.PublicKey).N.Cmp(key.PublicKey.N) != 0 {
+		err = os.ErrorString("Private key does not match public key")
+		return
+	}
+
+	return
+}