[lxc-devel] [lxd/master] shared: Create non-self-signed certificates
monstermunchkin on Github
lxc-bot at linuxcontainers.org
Mon Oct 28 17:03:29 UTC 2019
From 4f05de9f8445fed3c400d5b74aa9c4877d37180b Mon Sep 17 00:00:00 2001
From: Thomas Hipp <thomas.hipp at canonical.com>
Date: Tue, 22 Oct 2019 09:28:48 +0200
Subject: [PATCH] shared: Create non-self-signed certificates
This adds a new function `GenCertWithCA()` which takes an additional
`ca` argument. It's used to sign the generated certificate instead of
creating a self-signed certificate.
Signed-off-by: Thomas Hipp <thomas.hipp at canonical.com>
---
shared/cert.go | 29 +++++++++++++++++++++++++++--
1 file changed, 27 insertions(+), 2 deletions(-)
diff --git a/shared/cert.go b/shared/cert.go
index b38fa93a67..8261a0be2b 100644
--- a/shared/cert.go
+++ b/shared/cert.go
@@ -225,8 +225,18 @@ func FindOrGenCert(certf string, keyf string, certtype bool) error {
return nil
}
+// GenCertWithCA will create and populate a certificate file and a key file
+// signed by the provided CA.
+func GenCertWithCA(certf string, keyf string, certtype bool, ca *x509.Certificate) error {
+ return genCert(certf, keyf, certtype, ca)
+}
+
// GenCert will create and populate a certificate file and a key file
func GenCert(certf string, keyf string, certtype bool) error {
+ return genCert(certf, keyf, certtype, nil)
+}
+
+func genCert(certf string, keyf string, certtype bool, ca *x509.Certificate) error {
/* Create the basenames if needed */
dir := path.Dir(certf)
err := os.MkdirAll(dir, 0750)
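Review bot: The doc comment on `GenCertWithCA` does not say what a nil `ca` means, yet `genCert` forwards it unchanged and the nil case is only resolved further down in `generateMemCert`, so callers reading this wrapper cannot tell whether nil is an error or a fallback. I would state the contract here: `// GenCertWithCA will create and populate a certificate file and a key file` / `// signed by the provided CA. A nil ca yields a self-signed certificate, as GenCert does.` The body of `genCert` continues past the end of this hunk.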
@@ -239,7 +249,7 @@ func GenCert(certf string, keyf string, certtype bool) error {
return err
}
- certBytes, keyBytes, err := GenerateMemCert(certtype)
+ certBytes, keyBytes, err := generateMemCert(ca, certtype)
if err != nil {
return err
}
@@ -260,9 +270,19 @@ func GenCert(certf string, keyf string, certtype bool) error {
return nil
}
+// GenerateMemCertWithCA creates client or server certificate and key pair,
+// signed by the provided ca, returning them as byte arrays in memory.
+func GenerateMemCertWithCA(ca *x509.Certificate, client bool) ([]byte, []byte, error) {
+ return generateMemCert(ca, client)
+}
+
// GenerateMemCert creates client or server certificate and key pair,
// returning them as byte arrays in memory.
func GenerateMemCert(client bool) ([]byte, []byte, error) {
+ return generateMemCert(nil, client)
+}
+
+func generateMemCert(ca *x509.Certificate, client bool) ([]byte, []byte, error) {
privk, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
if err != nil {
return nil, nil, fmt.Errorf("Failed to generate key: %v", err)
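Review bot: The new signature `generateMemCert(ca *x509.Certificate, client bool)` receives only the issuer's certificate, but a certificate carries just the public key; producing something actually "signed by the provided ca", as the comment on `GenerateMemCertWithCA` promises, requires the CA's private key, and there is no parameter to pass it through. I would extend the exported and internal signatures to `GenerateMemCertWithCA(ca *x509.Certificate, caKey crypto.Signer, client bool)` and `generateMemCert(ca *x509.Certificate, caKey crypto.Signer, client bool)` (with `GenCertWithCA` gaining the same parameter and `import "crypto"` added), and have the doc comment say that `caKey` must be the private key matching `ca`. The existing callers through `GenerateMemCert` and `GenCert` keep working by passing nil for both. The body of `generateMemCert` continues past the end of this hunk.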
@@ -327,7 +347,12 @@ func GenerateMemCert(client bool) ([]byte, []byte, error) {
}
}
- derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &privk.PublicKey, privk)
+ parent := ca
+ if parent == nil {
+ parent = &template
+ }
+
+ derBytes, err := x509.CreateCertificate(rand.Reader, &template, parent, &privk.PublicKey, privk)
if err != nil {
return nil, nil, fmt.Errorf("Failed to create certificate: %v", err)
}
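Review bot: When `parent` is the supplied `ca`, the `x509.CreateCertificate` call still passes `privk` — the freshly generated leaf key — as the signing key, so the resulting certificate names the CA as issuer but carries a signature that does not verify against the CA's public key; no verifier will accept the chain, and newer Go releases presumably reject the mismatch in `CreateCertificate` itself. The signer must be the CA's private key whenever a CA is given, which means `generateMemCert` needs to receive it; the self-signed path keeps using `privk`. A nil key alongside a non-nil `ca` should be an error rather than silently falling back to a self-signed certificate. `generateMemCert` starts before this hunk, so the rewritten signature below belongs to the earlier hunk.

```go
func generateMemCert(ca *x509.Certificate, caKey crypto.Signer, client bool) ([]byte, []byte, error) {
	// … unchanged: key generation and template setup …

	// Self-signed unless a CA is supplied; only the CA's key may sign
	// a certificate that names the CA as issuer.
	parent := ca
	signer := crypto.Signer(privk)
	if parent == nil {
		parent = &template
	} else if caKey == nil {
		return nil, nil, fmt.Errorf("Failed to create certificate: CA private key is required")
	} else {
		signer = caKey
	}

	derBytes, err := x509.CreateCertificate(rand.Reader, &template, parent, &privk.PublicKey, signer)
	// … unchanged: error check and PEM encoding …
```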