[lxc-devel] [lxd/master] Generate client certificate with proper extended usage info

techtonik on Github lxc-bot at linuxcontainers.org
Sun Oct 2 20:29:31 UTC 2016


From 95161a8403285f334518c77848fd58042277189b Mon Sep 17 00:00:00 2001
From: anatoly techtonik <techtonik at gmail.com>
Date: Sun, 2 Oct 2016 20:33:38 +0300
Subject: [PATCH] Generate client certificate with proper extended usage info

Signed-off-by: anatoly techtonik <techtonik at gmail.com>
---
 lxc/remote.go       |  2 +-
 lxd/daemon.go       |  2 +-
 shared/cert.go      | 21 +++++++++++++--------
 shared/cert_test.go |  2 +-
 4 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/lxc/remote.go b/lxc/remote.go
index c686df5..764555f 100644
--- a/lxc/remote.go
+++ b/lxc/remote.go
@@ -65,7 +65,7 @@ func generateClientCertificate(config *lxd.Config) error {
 	if !shared.PathExists(certf) || !shared.PathExists(keyf) {
 		fmt.Fprintf(os.Stderr, i18n.G("Generating a client certificate. This may take a minute...")+"\n")
 
-		return shared.FindOrGenCert(certf, keyf)
+		return shared.FindOrGenCert(certf, keyf, true)
 	}
 	return nil
 }
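Review bot: The bare `true` in the new FindOrGenCert call says nothing about which certificate flavour it selects; a reader has to open shared/cert.go and follow the parameter down to GenerateMemCert to learn that the third argument means "client". A trailing comment keeps that intent at the call site: `return shared.FindOrGenCert(certf, keyf, true) // true: client certificate (ExtKeyUsageClientAuth)`. generateClientCertificate's signature sits above the hunk.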
diff --git a/lxd/daemon.go b/lxd/daemon.go
index 1e4f7f5..c60ad6c 100644
--- a/lxd/daemon.go
+++ b/lxd/daemon.go
@@ -220,7 +220,7 @@ func readMyCert() (string, string, error) {
 	certf := shared.VarPath("server.crt")
 	keyf := shared.VarPath("server.key")
 	shared.LogDebug("Looking for existing certificates", log.Ctx{"cert": certf, "key": keyf})
-	err := shared.FindOrGenCert(certf, keyf)
+	err := shared.FindOrGenCert(certf, keyf, false)
 
 	return certf, keyf, err
 }
diff --git a/shared/cert.go b/shared/cert.go
index f28c016..d0c3911 100644
--- a/shared/cert.go
+++ b/shared/cert.go
@@ -64,14 +64,14 @@ func mynames() ([]string, error) {
 	return ret, nil
 }
 
-func FindOrGenCert(certf string, keyf string) error {
+func FindOrGenCert(certf string, keyf string, certtype bool) error {
 	if PathExists(certf) && PathExists(keyf) {
 		return nil
 	}
 
 	/* If neither stat succeeded, then this is our first run and we
 	 * need to generate cert and privkey */
-	err := GenCert(certf, keyf)
+	err := GenCert(certf, keyf, certtype)
 	if err != nil {
 		return err
 	}
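Review bot: The new parameter is called `certtype` in FindOrGenCert (and GenCert) but `client` in GenerateMemCert, and a name like `certtype` reads as an enum rather than a flag, so a caller cannot tell from the signature which boolean value means what. Naming it `client bool` in all three signatures would make `FindOrGenCert(certf, keyf, true)` self-explanatory. The exported function also still has no doc comment; suggest `// FindOrGenCert returns nil if both certf and keyf already exist, otherwise generates a key pair there; client selects a client (ExtKeyUsageClientAuth) rather than a server (ExtKeyUsageServerAuth) certificate.` FindOrGenCert's body continues below the hunk.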
@@ -80,7 +80,7 @@ func FindOrGenCert(certf string, keyf string) error {
 }
 
 // GenCert will create and populate a certificate file and a key file
-func GenCert(certf string, keyf string) error {
+func GenCert(certf string, keyf string, certtype bool) error {
 	/* Create the basenames if needed */
 	dir := path.Dir(certf)
 	err := os.MkdirAll(dir, 0750)
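Review bot: The doc comment on GenCert was left untouched even though the signature gained a parameter, so `certtype` is undocumented at the only exported entry point that writes the files. Suggest `// GenCert will create and populate a certificate file and a key file; certtype selects a client certificate when true and a server certificate when false.` GenCert's body continues past the hunk.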
@@ -93,7 +93,7 @@ func GenCert(certf string, keyf string) error {
 		return err
 	}
 
-	certBytes, keyBytes, err := GenerateMemCert()
+	certBytes, keyBytes, err := GenerateMemCert(certtype)
 	if err != nil {
 		return err
 	}
@@ -116,9 +116,9 @@ func GenCert(certf string, keyf string) error {
 	return nil
 }
 
-// GenerateMemCert creates a certificate and key pair, returning them as byte
-// arrays in memory.
-func GenerateMemCert() ([]byte, []byte, error) {
+// GenerateMemCert creates client or server certificate and key pair,
+// returning them as byte arrays in memory.
+func GenerateMemCert(client bool) ([]byte, []byte, error) {
 	privk, err := rsa.GenerateKey(rand.Reader, 4096)
 	if err != nil {
 		log.Fatalf("failed to generate key")
@@ -167,10 +167,15 @@ func GenerateMemCert() ([]byte, []byte, error) {
 		NotAfter:  validTo,
 
 		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
-		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 		BasicConstraintsValid: true,
 	}
 
+	if client {
+		template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
+	} else {
+		template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
+	}
+
 	for _, h := range hosts {
 		if ip := net.ParseIP(h); ip != nil {
 			template.IPAddresses = append(template.IPAddresses, ip)
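Review bot: A certificate built by the new `client` branch still runs through the SAN loop that starts at the end of the hunk, so the local hostnames and IP addresses in hosts (presumably from mynames() above, which is outside this hunk) get embedded in a certificate that the lxc client presents to every remote server; that is unnecessary for client authentication and discloses the client machine's identity to the peer. Gating the loop on the flag, `if !client { for _, h := range hosts { ... } }`, keeps SANs on the server certificate only. On the same theme, KeyEncipherment in KeyUsage is only meaningful for a server doing RSA key exchange; DigitalSignature alone suffices for a client certificate, though leaving it is harmless. The loop and the remainder of GenerateMemCert continue outside the hunk.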
diff --git a/shared/cert_test.go b/shared/cert_test.go
index 6093f9b..60370b6 100644
--- a/shared/cert_test.go
+++ b/shared/cert_test.go
@@ -9,7 +9,7 @@ func TestGenerateMemCert(t *testing.T) {
 	if testing.Short() {
 		t.Skip("skipping cert generation in short mode")
 	}
-	cert, key, err := GenerateMemCert()
+	cert, key, err := GenerateMemCert(false)
 	if err != nil {
 		t.Error(err)
 		return
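Review bot: The test is only updated to compile against the new signature (`GenerateMemCert(false)`), so the client branch this patch introduces is never exercised and a regression that swapped the two ExtKeyUsage values would go unnoticed. Add a second case that calls `GenerateMemCert(true)`, parses the returned certificate with `x509.ParseCertificate` (after `pem.Decode` if the bytes are PEM-encoded — the encoding is not visible in this hunk), and asserts `ExtKeyUsage` is exactly `[]x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}`, with the mirror assertion for the server case. TestGenerateMemCert continues past the hunk.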

