kris
/
th5
1
0
Форкнуть 0
Код Задачи 0 Pull Request'ы 0 Релизы 0 Вики Активность
Alternative TLS implementation in Go
Вы не можете выбрать более 25 тем Темы должны начинаться с буквы или цифры, могут содержать дефисы(-) и должны содержать не более 35 символов.
264 коммитов
3 Ветки
2.6 MiB
 
 
Дерево: e15014c62b
Ветки Теги
${ item.name }
Создать ветку ${ searchTerm }
из 'e15014c62b'
${ noResults }
th5/generate_cert.go

162 строки
4.3 KiB
Исходник Вина История 

  1. // Copyright 2009 The Go Authors. All rights reserved.

  2. // Use of this source code is governed by a BSD-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. // +build ignore

  6. 

  7. // Generate a self-signed X.509 certificate for a TLS server. Outputs to

  8. // 'cert.pem' and 'key.pem' and will overwrite existing files.

  9. 

  10. package main

  11. 

  12. import (

  13. 	"crypto/ecdsa"

  14. 	"crypto/elliptic"

  15. 	"crypto/rand"

  16. 	"crypto/rsa"

  17. 	"crypto/x509"

  18. 	"crypto/x509/pkix"

  19. 	"encoding/pem"

  20. 	"flag"

  21. 	"fmt"

  22. 	"log"

  23. 	"math/big"

  24. 	"net"

  25. 	"os"

  26. 	"strings"

  27. 	"time"

  28. )

  29. 

  30. var (

  31. 	host       = flag.String("host", "", "Comma-separated hostnames and IPs to generate a certificate for")

  32. 	validFrom  = flag.String("start-date", "", "Creation date formatted as Jan 1 15:04:05 2011")

  33. 	validFor   = flag.Duration("duration", 365*24*time.Hour, "Duration that certificate is valid for")

  34. 	isCA       = flag.Bool("ca", false, "whether this cert should be its own Certificate Authority")

  35. 	rsaBits    = flag.Int("rsa-bits", 2048, "Size of RSA key to generate. Ignored if --ecdsa-curve is set")

  36. 	ecdsaCurve = flag.String("ecdsa-curve", "", "ECDSA curve to use to generate a key. Valid values are P224, P256, P384, P521")

  37. )

  38. 

  39. func publicKey(priv interface{}) interface{} {

  40. 	switch k := priv.(type) {

  41. 	case *rsa.PrivateKey:

  42. 		return &k.PublicKey

  43. 	case *ecdsa.PrivateKey:

  44. 		return &k.PublicKey

  45. 	default:

  46. 		return nil

  47. 	}

  48. }

  49. 

  50. func pemBlockForKey(priv interface{}) *pem.Block {

  51. 	switch k := priv.(type) {

  52. 	case *rsa.PrivateKey:

  53. 		return &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)}

  54. 	case *ecdsa.PrivateKey:

  55. 		b, err := x509.MarshalECPrivateKey(k)

  56. 		if err != nil {

  57. 			fmt.Fprintf(os.Stderr, "Unable to marshal ECDSA private key: %v", err)

  58. 			os.Exit(2)

  59. 		}

  60. 		return &pem.Block{Type: "EC PRIVATE KEY", Bytes: b}

  61. 	default:

  62. 		return nil

  63. 	}

  64. }

  65. 

  66. func main() {

  67. 	flag.Parse()

  68. 

  69. 	if len(*host) == 0 {

  70. 		log.Fatalf("Missing required --host parameter")

  71. 	}

  72. 

  73. 	var priv interface{}

  74. 	var err error

  75. 	switch *ecdsaCurve {

  76. 	case "":

  77. 		priv, err = rsa.GenerateKey(rand.Reader, *rsaBits)

  78. 	case "P224":

  79. 		priv, err = ecdsa.GenerateKey(elliptic.P224(), rand.Reader)

  80. 	case "P256":

  81. 		priv, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

  82. 	case "P384":

  83. 		priv, err = ecdsa.GenerateKey(elliptic.P384(), rand.Reader)

  84. 	case "P521":

  85. 		priv, err = ecdsa.GenerateKey(elliptic.P521(), rand.Reader)

  86. 	default:

  87. 		fmt.Fprintf(os.Stderr, "Unrecognized elliptic curve: %q", *ecdsaCurve)

  88. 		os.Exit(1)

  89. 	}

  90. 	if err != nil {

  91. 		log.Fatalf("failed to generate private key: %s", err)

  92. 	}

  93. 

  94. 	var notBefore time.Time

  95. 	if len(*validFrom) == 0 {

  96. 		notBefore = time.Now()

  97. 	} else {

  98. 		notBefore, err = time.Parse("Jan 2 15:04:05 2006", *validFrom)

  99. 		if err != nil {

  100. 			fmt.Fprintf(os.Stderr, "Failed to parse creation date: %s\n", err)

  101. 			os.Exit(1)

  102. 		}

  103. 	}

  104. 

  105. 	notAfter := notBefore.Add(*validFor)

  106. 

  107. 	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)

  108. 	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)

  109. 	if err != nil {

  110. 		log.Fatalf("failed to generate serial number: %s", err)

  111. 	}

  112. 

  113. 	template := x509.Certificate{

  114. 		SerialNumber: serialNumber,

  115. 		Subject: pkix.Name{

  116. 			Organization: []string{"Acme Co"},

  117. 		},

  118. 		NotBefore: notBefore,

  119. 		NotAfter:  notAfter,

  120. 

  121. 		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,

  122. 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},

  123. 		BasicConstraintsValid: true,

  124. 	}

  125. 

  126. 	hosts := strings.Split(*host, ",")

  127. 	for _, h := range hosts {

  128. 		if ip := net.ParseIP(h); ip != nil {

  129. 			template.IPAddresses = append(template.IPAddresses, ip)

  130. 		} else {

  131. 			template.DNSNames = append(template.DNSNames, h)

  132. 		}

  133. 	}

  134. 

  135. 	if *isCA {

  136. 		template.IsCA = true

  137. 		template.KeyUsage |= x509.KeyUsageCertSign

  138. 	}

  139. 

  140. 	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, publicKey(priv), priv)

  141. 	if err != nil {

  142. 		log.Fatalf("Failed to create certificate: %s", err)

  143. 	}

  144. 

  145. 	certOut, err := os.Create("cert.pem")

  146. 	if err != nil {

  147. 		log.Fatalf("failed to open cert.pem for writing: %s", err)

  148. 	}

  149. 	pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})

  150. 	certOut.Close()

  151. 	log.Print("written cert.pem\n")

  152. 

  153. 	keyOut, err := os.OpenFile("key.pem", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)

  154. 	if err != nil {

  155. 		log.Print("failed to open key.pem for writing:", err)

  156. 		return

  157. 	}

  158. 	pem.Encode(keyOut, pemBlockForKey(priv))

  159. 	keyOut.Close()

  160. 	log.Print("written key.pem\n")

  161. }