[lxc-devel] [lxd/master] Generate client certificate with proper extended usage info
techtonik on Github
lxc-bot at linuxcontainers.org
Sun Oct 2 20:29:31 UTC 2016
From 95161a8403285f334518c77848fd58042277189b Mon Sep 17 00:00:00 2001
From: anatoly techtonik <techtonik at gmail.com>
Date: Sun, 2 Oct 2016 20:33:38 +0300
Subject: [PATCH] Generate client certificate with proper extended usage info
Signed-off-by: anatoly techtonik <techtonik at gmail.com>
---
lxc/remote.go | 2 +-
lxd/daemon.go | 2 +-
shared/cert.go | 21 +++++++++++++--------
shared/cert_test.go | 2 +-
4 files changed, 16 insertions(+), 11 deletions(-)
diff --git a/lxc/remote.go b/lxc/remote.go
index c686df5..764555f 100644
--- a/lxc/remote.go
+++ b/lxc/remote.go
@@ -65,7 +65,7 @@ func generateClientCertificate(config *lxd.Config) error {
if !shared.PathExists(certf) || !shared.PathExists(keyf) {
fmt.Fprintf(os.Stderr, i18n.G("Generating a client certificate. This may take a minute...")+"\n")
- return shared.FindOrGenCert(certf, keyf)
+ return shared.FindOrGenCert(certf, keyf, true)
}
return nil
}
diff --git a/lxd/daemon.go b/lxd/daemon.go
index 1e4f7f5..c60ad6c 100644
--- a/lxd/daemon.go
+++ b/lxd/daemon.go
@@ -220,7 +220,7 @@ func readMyCert() (string, string, error) {
certf := shared.VarPath("server.crt")
keyf := shared.VarPath("server.key")
shared.LogDebug("Looking for existing certificates", log.Ctx{"cert": certf, "key": keyf})
- err := shared.FindOrGenCert(certf, keyf)
+ err := shared.FindOrGenCert(certf, keyf, false)
return certf, keyf, err
}
diff --git a/shared/cert.go b/shared/cert.go
index f28c016..d0c3911 100644
--- a/shared/cert.go
+++ b/shared/cert.go
@@ -64,14 +64,14 @@ func mynames() ([]string, error) {
return ret, nil
}
-func FindOrGenCert(certf string, keyf string) error {
+func FindOrGenCert(certf string, keyf string, certtype bool) error {
if PathExists(certf) && PathExists(keyf) {
return nil
}
/* If neither stat succeeded, then this is our first run and we
* need to generate cert and privkey */
- err := GenCert(certf, keyf)
+ err := GenCert(certf, keyf, certtype)
if err != nil {
return err
}
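Review bot: The new parameter is named `certtype bool` here and in GenCert (next hunk) but `client bool` in GenerateMemCert, and a bool called certtype does not tell the reader which value selects which kind of certificate; the call sites in lxc/remote.go and lxd/daemon.go then pass bare `true`/`false`, so one has to open shared/cert.go to find out what they mean. Use the same name in all three signatures, `func FindOrGenCert(certf string, keyf string, client bool) error`, and say what it selects on the exported function, e.g. `// FindOrGenCert creates certf/keyf if absent; client selects a client-auth certificate, false a server-auth one.` The body of FindOrGenCert continues past the end of this hunk.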
@@ -80,7 +80,7 @@ func FindOrGenCert(certf string, keyf string) error {
}
// GenCert will create and populate a certificate file and a key file
-func GenCert(certf string, keyf string) error {
+func GenCert(certf string, keyf string, certtype bool) error {
/* Create the basenames if needed */
dir := path.Dir(certf)
err := os.MkdirAll(dir, 0750)
@@ -93,7 +93,7 @@ func GenCert(certf string, keyf string) error {
return err
}
- certBytes, keyBytes, err := GenerateMemCert()
+ certBytes, keyBytes, err := GenerateMemCert(certtype)
if err != nil {
return err
}
@@ -116,9 +116,9 @@ func GenCert(certf string, keyf string) error {
return nil
}
-// GenerateMemCert creates a certificate and key pair, returning them as byte
-// arrays in memory.
-func GenerateMemCert() ([]byte, []byte, error) {
+// GenerateMemCert creates client or server certificate and key pair,
+// returning them as byte arrays in memory.
+func GenerateMemCert(client bool) ([]byte, []byte, error) {
privk, err := rsa.GenerateKey(rand.Reader, 4096)
if err != nil {
log.Fatalf("failed to generate key")
@@ -167,10 +167,15 @@ func GenerateMemCert() ([]byte, []byte, error) {
NotAfter: validTo,
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
- ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
}
+ if client {
+ template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
+ } else {
+ template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
+ }
+
for _, h := range hosts {
if ip := net.ParseIP(h); ip != nil {
template.IPAddresses = append(template.IPAddresses, ip)
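Review bot: With this change server.crt carries only ServerAuth and the client certificate only ClientAuth, so if the daemon ever presents its own server.crt as a client certificate to another LXD (remote-to-remote transfers, if that code path reuses it — not visible here), peers that enforce extended key usage will now reject it; worth confirming before this is merged, or keeping both usages on the server certificate if such a path exists. Only ExtKeyUsage is switched: the client certificate still gets `KeyUsageKeyEncipherment` and the host-derived SANs, which a client certificate does not need, so a short comment above the `if client` such as `// only the extended key usage differs between the two kinds; key usage and SANs are shared` would make that choice read as intentional rather than an oversight. GenerateMemCert begins before and continues after this hunk.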
diff --git a/shared/cert_test.go b/shared/cert_test.go
index 6093f9b..60370b6 100644
--- a/shared/cert_test.go
+++ b/shared/cert_test.go
@@ -9,7 +9,7 @@ func TestGenerateMemCert(t *testing.T) {
if testing.Short() {
t.Skip("skipping cert generation in short mode")
}
- cert, key, err := GenerateMemCert()
+ cert, key, err := GenerateMemCert(false)
if err != nil {
t.Error(err)
return
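Review bot: TestGenerateMemCert now only exercises `GenerateMemCert(false)`, so the new client branch is untested and swapping the two ExtKeyUsage assignments in GenerateMemCert would not be caught. Parse the returned certificate for both values of the flag and assert the extended key usage that each is supposed to produce; the sketch below assumes the returned bytes are PEM-encoded, which the rest of the test (outside this hunk) would confirm. The function continues past the end of the hunk.
```go
	for _, tc := range []struct {
		client bool
		want   x509.ExtKeyUsage
	}{
		{false, x509.ExtKeyUsageServerAuth},
		{true, x509.ExtKeyUsageClientAuth},
	} {
		cert, _, err := GenerateMemCert(tc.client)
		if err != nil {
			t.Error(err)
			return
		}
		block, _ := pem.Decode(cert) // assumes PEM output — confirm against GenerateMemCert
		if block == nil {
			t.Errorf("client=%v: no PEM block in certificate", tc.client)
			return
		}
		parsed, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			t.Error(err)
			return
		}
		if len(parsed.ExtKeyUsage) != 1 || parsed.ExtKeyUsage[0] != tc.want {
			t.Errorf("client=%v: ExtKeyUsage = %v, want [%v]", tc.client, parsed.ExtKeyUsage, tc.want)
		}
	}
	// … unchanged: remaining assertions of the existing test …
```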