[lxc-devel] [lxd/master] shared: Create non-self-signed certificates

monstermunchkin on Github lxc-bot at linuxcontainers.org
Mon Oct 28 17:03:29 UTC 2019


From 4f05de9f8445fed3c400d5b74aa9c4877d37180b Mon Sep 17 00:00:00 2001
From: Thomas Hipp <thomas.hipp at canonical.com>
Date: Tue, 22 Oct 2019 09:28:48 +0200
Subject: [PATCH] shared: Create non-self-signed certificates

This adds a new function `GenCertWithCA()` which takes an additional
`ca` argument. It's used to sign the generated certificate instead of
creating a self-signed certificate.

Signed-off-by: Thomas Hipp <thomas.hipp at canonical.com>
---
 shared/cert.go | 29 +++++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/shared/cert.go b/shared/cert.go
index b38fa93a67..8261a0be2b 100644
--- a/shared/cert.go
+++ b/shared/cert.go
@@ -225,8 +225,18 @@ func FindOrGenCert(certf string, keyf string, certtype bool) error {
 	return nil
 }
 
+// GenCertWithCA will create and populate a certificate file and a key file
+// signed by the provided CA.
+func GenCertWithCA(certf string, keyf string, certtype bool, ca *x509.Certificate) error {
+	return genCert(certf, keyf, certtype, ca)
+}
+
 // GenCert will create and populate a certificate file and a key file
 func GenCert(certf string, keyf string, certtype bool) error {
+	return genCert(certf, keyf, certtype, nil)
+}
+
+func genCert(certf string, keyf string, certtype bool, ca *x509.Certificate) error {
 	/* Create the basenames if needed */
 	dir := path.Dir(certf)
 	err := os.MkdirAll(dir, 0750)
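Review bot: GenCertWithCA accepts the CA certificate but no CA private key, so generateMemCert (hunk at L80-L93) still passes `privk`, the freshly generated leaf key, to x509.CreateCertificate while naming `ca` as the parent; the result is a certificate whose issuer is the CA but whose signature was not made with the CA's key, which depending on the Go release is either rejected by CreateCertificate or emitted and then fails chain validation against the CA. The same gap applies to GenerateMemCertWithCA in the hunk at L60-L79. Thread a signer through the new entry points, e.g. `func GenCertWithCA(certf string, keyf string, certtype bool, ca *x509.Certificate, caKey crypto.Signer) error` and likewise genCert, GenerateMemCertWithCA and generateMemCert (`crypto.Signer` is the type CreateCertificate requires of its key argument and `*ecdsa.PrivateKey` satisfies it, so the self-signed path is unchanged), then select the key alongside the parent as below; a nil caKey with a non-nil ca should be refused before reaching CreateCertificate. genCert's body continues past this hunk.
```go
	parent := ca
	signer := crypto.Signer(privk)
	if parent == nil {
		parent = &template
	} else {
		if caKey == nil {
			return nil, nil, fmt.Errorf("Failed to create certificate: CA key is required when a CA certificate is given")
		}
		signer = caKey
	}

	derBytes, err := x509.CreateCertificate(rand.Reader, &template, parent, &privk.PublicKey, signer)
	// … unchanged: error check and PEM encoding …
```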
@@ -239,7 +249,7 @@ func GenCert(certf string, keyf string, certtype bool) error {
 		return err
 	}
 
-	certBytes, keyBytes, err := GenerateMemCert(certtype)
+	certBytes, keyBytes, err := generateMemCert(ca, certtype)
 	if err != nil {
 		return err
 	}
@@ -260,9 +270,19 @@ func GenCert(certf string, keyf string, certtype bool) error {
 	return nil
 }
 
+// GenerateMemCertWithCA creates client or server certificate and key pair,
+// signed by the provided ca, returning them as byte arrays in memory.
+func GenerateMemCertWithCA(ca *x509.Certificate, client bool) ([]byte, []byte, error) {
+	return generateMemCert(ca, client)
+}
+
 // GenerateMemCert creates client or server certificate and key pair,
 // returning them as byte arrays in memory.
 func GenerateMemCert(client bool) ([]byte, []byte, error) {
+	return generateMemCert(nil, client)
+}
+
+func generateMemCert(ca *x509.Certificate, client bool) ([]byte, []byte, error) {
 	privk, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
 	if err != nil {
 		return nil, nil, fmt.Errorf("Failed to generate key: %v", err)
@@ -327,7 +347,12 @@ func GenerateMemCert(client bool) ([]byte, []byte, error) {
 		}
 	}
 
-	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &privk.PublicKey, privk)
+	parent := ca
+	if parent == nil {
+		parent = &template
+	}
+
+	derBytes, err := x509.CreateCertificate(rand.Reader, &template, parent, &privk.PublicKey, privk)
 	if err != nil {
 		return nil, nil, fmt.Errorf("Failed to create certificate: %v", err)
 	}

