From c86bc8d7e19fb79e804f2a5b79adb59566d66ead Mon Sep 17 00:00:00 2001
From: MrMelon
Date: Sun, 13 Mar 2022 02:24:11 +0000
Subject: [PATCH] Add client cert handling

---
 .idea/vcs.xml | 6 ++++++
 ca.go | 4 ++--
 client.go | 52 +++++++++++++++++++++++++++++++++++++++++++++++++++
 server.go | 14 +++++++-------
 4 files changed, 67 insertions(+), 9 deletions(-)
 create mode 100644 .idea/vcs.xml
 create mode 100644 client.go

diff --git a/.idea/vcs.xml b/.idea/vcs.xml
new file mode 100644
index 0000000..94a25f7
--- /dev/null
+++ b/.idea/vcs.xml
@@ -0,0 +1,6 @@
+
+
+
+
+
+
\ No newline at end of file
diff --git a/ca.go b/ca.go
index 1664ca1..3057b07 100644
--- a/ca.go
+++ b/ca.go
@@ -15,11 +15,11 @@ func MakeCaTls() (*CertGen, error) {
 ca := &x509.Certificate{
 SerialNumber: big.NewInt(29052019),
 Subject: pkix.Name{
- Organization: []string{"Ski Creds Server"},
+ Organization: []string{"Ski Creds CA"},
 Country: []string{"GB"},
 Province: []string{""},
 Locality: []string{"London"},
- CommonName: "ski-creds-server",
+ CommonName: "ski-creds-ca",
 },
 NotBefore: time.Now(),
 NotAfter: time.Now().AddDate(10, 0, 0),
diff --git a/client.go b/client.go
new file mode 100644
index 0000000..62d41ca
--- /dev/null
+++ b/client.go
@@ -0,0 +1,52 @@
+package certgen
+
+import (
+ "crypto/rand"
+ "crypto/rsa"
+ "crypto/tls"
+ "crypto/x509"
+ "crypto/x509/pkix"
+ "log"
+ "math/big"
+ "time"
+)
+
+func MakeClientTls() (*CertGen, error) {
+ cert := &x509.Certificate{
+ SerialNumber: big.NewInt(29052019),
+ Subject: pkix.Name{
+ Organization: []string{"Ski Creds Client"},
+ Country: []string{"GB"},
+ Province: []string{""},
+ Locality: []string{"London"},
+ CommonName: "ski-creds-client",
+ },
+ NotBefore: time.Now(),
+ NotAfter: time.Now().AddDate(10, 0, 0),
+ SubjectKeyId: []byte{1, 2, 3, 4, 6},
+ ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
+ KeyUsage: x509.KeyUsageDigitalSignature,
+ }
+
+ clientPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
+ if err != nil {
+ log.Fatalln("Failed to generate client private key:", err)
+ }
+
+ clientBytes, err := x509.CreateCertificate(rand.Reader, cert, cert, clientPrivKey.Public(), clientPrivKey)
+ if err != nil {
+ log.Fatalln("Failed to generate client certificate bytes:", err)
+ }
+ privKeyBytes := x509.MarshalPKCS1PrivateKey(clientPrivKey)
+ gen := &CertGen{cert: cert, certBytes: clientBytes, key: clientPrivKey, keyBytes: privKeyBytes}
+ err = gen.generatePem()
+ if err != nil {
+ return nil, err
+ }
+ caKeyPair, err := tls.X509KeyPair(gen.certPem, gen.keyPem)
+ if err != nil {
+ log.Fatalln("Failed to generate client key pair:", err)
+ }
+ gen.tlsCert = caKeyPair
+ return gen, nil
+}
diff --git a/server.go b/server.go
index 8cb539c..6525273 100644
--- a/server.go
+++ b/server.go
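Review bot: The client certificate in `MakeClientTls` is self-signed — `x509.CreateCertificate(rand.Reader, cert, cert, clientPrivKey.Public(), clientPrivKey)` uses the new leaf as its own parent — so a server that verifies client certificates against the CA built by `MakeCaTls` will reject it; if that is the intended deployment, it should be issued by the CA the way `MakeServerTls(ca *CertGen)` in server.go is. The three `log.Fatalln` calls terminate the process from a function that returns `error`, while the `generatePem` failure path already does `return nil, err`; returning wrapped errors (which needs `fmt` in the import block) keeps the caller in control. `SerialNumber: big.NewInt(29052019)` and `SubjectKeyId: []byte{1, 2, 3, 4, 6}` are the same constants used in ca.go and server.go, so once the client cert is CA-issued the CA would have signed two certificates with one serial, which RFC 5280 forbids and verifiers may reject; a random serial avoids that. `ExtKeyUsageServerAuth` is not needed for a client credential and lets this certificate also be presented as a server identity, so the EKU list can be reduced to `x509.ExtKeyUsageClientAuth`. The variable `caKeyPair` holds the client key pair and could be named accordingly.
```go
func MakeClientTls(ca *CertGen) (*CertGen, error) {
	// Serials must be unique per issuer (RFC 5280 §4.1.2.2); a fixed value collides with server.go.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, fmt.Errorf("generating client serial number: %w", err)
	}
	cert := &x509.Certificate{
		SerialNumber: serial,
		// … unchanged: Subject, NotBefore, NotAfter, SubjectKeyId …
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		KeyUsage:    x509.KeyUsageDigitalSignature,
	}

	clientPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
	if err != nil {
		return nil, fmt.Errorf("generating client private key: %w", err)
	}

	// Issue the leaf from the CA so servers trusting ca.cert can verify it.
	clientBytes, err := x509.CreateCertificate(rand.Reader, cert, ca.cert, clientPrivKey.Public(), ca.key)
	if err != nil {
		return nil, fmt.Errorf("creating client certificate: %w", err)
	}
	// … unchanged: MarshalPKCS1PrivateKey, CertGen construction, generatePem …
	clientKeyPair, err := tls.X509KeyPair(gen.certPem, gen.keyPem)
	if err != nil {
		return nil, fmt.Errorf("loading client key pair: %w", err)
	}
	gen.tlsCert = clientKeyPair
	return gen, nil
}
```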
@@ -21,12 +21,12 @@ func MakeServerTls(ca *CertGen) (*CertGen, error) {
 Locality: []string{"London"},
 CommonName: "ski-creds-server",
 },
- NotBefore: time.Now(),
- NotAfter: time.Now().AddDate(10, 0, 0),
- IsCA: true,
- ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
- KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
- BasicConstraintsValid: true,
+ DNSNames: []string{"panda.local"},
+ NotBefore: time.Now(),
+ NotAfter: time.Now().AddDate(10, 0, 0),
+ SubjectKeyId: []byte{1, 2, 3, 4, 6},
+ ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
+ KeyUsage: x509.KeyUsageDigitalSignature,
 }
 
 serverPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
@@ -46,7 +46,7 @@ func MakeServerTls(ca *CertGen) (*CertGen, error) {
 }
 caKeyPair, err := tls.X509KeyPair(gen.certPem, gen.keyPem)
 if err != nil {
- log.Fatalln("Failed to generate CA key pair:", err)
+ log.Fatalln("Failed to generate server key pair:", err)
 }
 gen.tlsCert = caKeyPair
 return gen, nil
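Review bot: `DNSNames: []string{"panda.local"}` bakes one hostname into every server certificate `MakeServerTls` produces, so clients that verify the server name will accept the cert only for that exact name; `MakeServerTls` already takes `ca`, and the SAN list fits the same pattern, e.g. `func MakeServerTls(ca *CertGen, dnsNames ...string)` with `DNSNames: dnsNames` (falling back to `"panda.local"` when none are given keeps current callers working). The new `ExtKeyUsage` still lists `x509.ExtKeyUsageClientAuth`, which a server identity does not need; trimming it to `x509.ExtKeyUsageServerAuth` stops the server cert from doubling as a client credential. Dropping `IsCA`, `KeyUsageCertSign` and `BasicConstraintsValid` from the leaf is the right call. The rest of `MakeServerTls` lies outside this hunk.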