Add client cert handling

2022-03-13 02:24:11 +00:00 · 2022-03-13 02:24:11 +00:00 · c86bc8d7e1
commit c86bc8d7e1
parent 8c8c8966e0
4 changed files with 67 additions and 9 deletions
--- a/.idea/vcs.xml
+++ b/.idea/vcs.xml
@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="VcsDirectoryMappings">
+    <mapping directory="$PROJECT_DIR$" vcs="Git" />
+  </component>
+</project>
--- a/ca.go
+++ b/ca.go
@ -15,11 +15,11 @@ func MakeCaTls() (*CertGen, error) {
 	ca := &x509.Certificate{
 		SerialNumber: big.NewInt(29052019),
 		Subject: pkix.Name{
-			Organization: []string{"Ski Creds Server"},
+			Organization: []string{"Ski Creds CA"},
 			Country:      []string{"GB"},
 			Province:     []string{""},
 			Locality:     []string{"London"},
-			CommonName:   "ski-creds-server",
+			CommonName:   "ski-creds-ca",
 		},
 		NotBefore:             time.Now(),
 		NotAfter:              time.Now().AddDate(10, 0, 0),
--- a/client.go
+++ b/client.go
@ -0,0 +1,52 @@
+package certgen
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"log"
+	"math/big"
+	"time"
+)
+
+func MakeClientTls() (*CertGen, error) {
+	cert := &x509.Certificate{
+		SerialNumber: big.NewInt(29052019),
+		Subject: pkix.Name{
+			Organization: []string{"Ski Creds Client"},
+			Country:      []string{"GB"},
+			Province:     []string{""},
+			Locality:     []string{"London"},
+			CommonName:   "ski-creds-client",
+		},
+		NotBefore:    time.Now(),
+		NotAfter:     time.Now().AddDate(10, 0, 0),
+		SubjectKeyId: []byte{1, 2, 3, 4, 6},
+		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
+		KeyUsage:     x509.KeyUsageDigitalSignature,
+	}
+
+	clientPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
+	if err != nil {
+		log.Fatalln("Failed to generate client private key:", err)
+	}
+
+	clientBytes, err := x509.CreateCertificate(rand.Reader, cert, cert, clientPrivKey.Public(), clientPrivKey)
+	if err != nil {
+		log.Fatalln("Failed to generate client certificate bytes:", err)
+	}
+	privKeyBytes := x509.MarshalPKCS1PrivateKey(clientPrivKey)
+	gen := &CertGen{cert: cert, certBytes: clientBytes, key: clientPrivKey, keyBytes: privKeyBytes}
+	err = gen.generatePem()
+	if err != nil {
+		return nil, err
+	}
+	caKeyPair, err := tls.X509KeyPair(gen.certPem, gen.keyPem)
+	if err != nil {
+		log.Fatalln("Failed to generate client key pair:", err)
+	}
+	gen.tlsCert = caKeyPair
+	return gen, nil
+}
--- a/server.go
+++ b/server.go
@ -21,12 +21,12 @@ func MakeServerTls(ca *CertGen) (*CertGen, error) {
 			Locality:     []string{"London"},
 			CommonName:   "ski-creds-server",
 		},
+		DNSNames:     []string{"panda.local"},
 		NotBefore:    time.Now(),
 		NotAfter:     time.Now().AddDate(10, 0, 0),
-		IsCA:                  true,
+		SubjectKeyId: []byte{1, 2, 3, 4, 6},
 		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
-		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
-		BasicConstraintsValid: true,
+		KeyUsage:     x509.KeyUsageDigitalSignature,
 	}

 	serverPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
@ -46,7 +46,7 @@ func MakeServerTls(ca *CertGen) (*CertGen, error) {
 	}
 	caKeyPair, err := tls.X509KeyPair(gen.certPem, gen.keyPem)
 	if err != nil {
-		log.Fatalln("Failed to generate CA key pair:", err)
+		log.Fatalln("Failed to generate server key pair:", err)
 	}
 	gen.tlsCert = caKeyPair
 	return gen, nil