b9ddc2767a
Subject Alternative Names in X.509 certificates may include IP addresses. This change adds support for marshaling, unmarshaling and verifying this form of SAN. It also causes IP addresses to only be checked against IP SANs, rather than against hostnames as was previously the case. This reflects RFC 6125. Fixes #4658. R=golang-dev, mikioh.mikioh, bradfitz CC=golang-dev https://golang.org/cl/7336046
119 lines
3.0 KiB
Go
119 lines
3.0 KiB
Go
// Copyright 2009 The Go Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
// +build ignore
|
|
|
|
// Generate a self-signed X.509 certificate for a TLS server. Outputs to
|
|
// 'cert.pem' and 'key.pem' and will overwrite existing files.
|
|
|
|
package main
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"crypto/rsa"
|
|
"crypto/x509"
|
|
"crypto/x509/pkix"
|
|
"encoding/pem"
|
|
"flag"
|
|
"fmt"
|
|
"log"
|
|
"math/big"
|
|
"net"
|
|
"os"
|
|
"strings"
|
|
"time"
|
|
)
|
|
|
|
var (
|
|
host = flag.String("host", "", "Comma-separated hostnames and IPs to generate a certificate for")
|
|
validFrom = flag.String("start-date", "", "Creation date formatted as Jan 1 15:04:05 2011")
|
|
validFor = flag.Duration("duration", 365*24*time.Hour, "Duration that certificate is valid for")
|
|
isCA = flag.Bool("ca", false, "whether this cert should be its own Certificate Authority")
|
|
rsaBits = flag.Int("rsa-bits", 1024, "Size of RSA key to generate")
|
|
)
|
|
|
|
func main() {
|
|
flag.Parse()
|
|
|
|
if len(*host) == 0 {
|
|
log.Fatalf("Missing required --host parameter")
|
|
}
|
|
|
|
priv, err := rsa.GenerateKey(rand.Reader, *rsaBits)
|
|
if err != nil {
|
|
log.Fatalf("failed to generate private key: %s", err)
|
|
return
|
|
}
|
|
|
|
var notBefore time.Time
|
|
if len(*validFrom) == 0 {
|
|
notBefore = time.Now()
|
|
} else {
|
|
notBefore, err = time.Parse("Jan 2 15:04:05 2006", *validFrom)
|
|
if err != nil {
|
|
fmt.Fprintf(os.Stderr, "Failed to parse creation date: %s\n", err)
|
|
os.Exit(1)
|
|
}
|
|
}
|
|
|
|
notAfter := notBefore.Add(*validFor)
|
|
|
|
// end of ASN.1 time
|
|
endOfTime := time.Date(2049, 12, 31, 23, 59, 59, 0, time.UTC)
|
|
if notAfter.After(endOfTime) {
|
|
notAfter = endOfTime
|
|
}
|
|
|
|
template := x509.Certificate{
|
|
SerialNumber: new(big.Int).SetInt64(0),
|
|
Subject: pkix.Name{
|
|
Organization: []string{"Acme Co"},
|
|
},
|
|
NotBefore: notBefore,
|
|
NotAfter: notAfter,
|
|
|
|
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
|
|
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
|
|
BasicConstraintsValid: true,
|
|
}
|
|
|
|
hosts := strings.Split(*host, ",")
|
|
for _, h := range hosts {
|
|
if ip := net.ParseIP(h); ip != nil {
|
|
template.IPAddresses = append(template.IPAddresses, ip)
|
|
} else {
|
|
template.DNSNames = append(template.DNSNames, h)
|
|
}
|
|
}
|
|
|
|
if *isCA {
|
|
template.IsCA = true
|
|
template.KeyUsage |= x509.KeyUsageCertSign
|
|
}
|
|
|
|
derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
|
|
if err != nil {
|
|
log.Fatalf("Failed to create certificate: %s", err)
|
|
return
|
|
}
|
|
|
|
certOut, err := os.Create("cert.pem")
|
|
if err != nil {
|
|
log.Fatalf("failed to open cert.pem for writing: %s", err)
|
|
return
|
|
}
|
|
pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
|
|
certOut.Close()
|
|
log.Print("written cert.pem\n")
|
|
|
|
keyOut, err := os.OpenFile("key.pem", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
|
|
if err != nil {
|
|
log.Print("failed to open key.pem for writing:", err)
|
|
return
|
|
}
|
|
pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
|
|
keyOut.Close()
|
|
log.Print("written key.pem\n")
|
|
}
|