github.com/kubernetes-incubator/kube-aws@v0.16.4/pki/x509.go (about) 1 package pki 2 3 import ( 4 "crypto/rand" 5 "crypto/rsa" 6 "crypto/x509" 7 "crypto/x509/pkix" 8 "errors" 9 "math" 10 "math/big" 11 "net" 12 "time" 13 ) 14 15 var ( 16 Duration365d = time.Hour * 24 * 365 17 ) 18 19 type CACertConfig struct { 20 CommonName string 21 Organization string 22 Duration time.Duration 23 } 24 25 type ServerCertConfig struct { 26 CommonName string 27 DNSNames []string 28 IPAddresses []string 29 Duration time.Duration 30 } 31 32 type ClientCertConfig struct { 33 CommonName string 34 Organization []string 35 DNSNames []string 36 IPAddresses []string 37 Duration time.Duration 38 } 39 40 func NewSelfSignedCACertificate(cfg CACertConfig, key *rsa.PrivateKey) (*x509.Certificate, error) { 41 if cfg.Duration <= 0 { 42 return nil, errors.New("self-signed CA cert duration must not be negative or zero") 43 } 44 45 tmpl := x509.Certificate{ 46 SerialNumber: new(big.Int).SetInt64(0), 47 Subject: pkix.Name{ 48 CommonName: cfg.CommonName, 49 Organization: []string{cfg.Organization}, 50 }, 51 NotBefore: time.Now().UTC(), 52 NotAfter: time.Now().Add(cfg.Duration).UTC(), 53 KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, 54 BasicConstraintsValid: true, 55 IsCA: true, 56 } 57 58 certDERBytes, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, key.Public(), key) 59 if err != nil { 60 return nil, err 61 } 62 return x509.ParseCertificate(certDERBytes) 63 } 64 65 func NewSignedServerCertificate(cfg ServerCertConfig, key *rsa.PrivateKey, caCert *x509.Certificate, caKey *rsa.PrivateKey) (*x509.Certificate, error) { 66 ips := make([]net.IP, len(cfg.IPAddresses)) 67 for i, ipStr := range cfg.IPAddresses { 68 ips[i] = net.ParseIP(ipStr) 69 } 70 71 serial, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64)) 72 if err != nil { 73 return nil, err 74 } 75 76 if cfg.Duration <= 0 { 77 return nil, errors.New("signed server cert duration must not be negative or zero") 78 } 79 80 certTmpl := x509.Certificate{ 81 Subject: pkix.Name{ 82 CommonName: cfg.CommonName, 83 Organization: caCert.Subject.Organization, 84 }, 85 DNSNames: cfg.DNSNames, 86 IPAddresses: ips, 87 SerialNumber: serial, 88 NotBefore: caCert.NotBefore, 89 NotAfter: time.Now().Add(cfg.Duration).UTC(), 90 KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, 91 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, 92 } 93 certDERBytes, err := x509.CreateCertificate(rand.Reader, &certTmpl, caCert, key.Public(), caKey) 94 if err != nil { 95 return nil, err 96 } 97 return x509.ParseCertificate(certDERBytes) 98 } 99 100 func NewSignedClientCertificate(cfg ClientCertConfig, key *rsa.PrivateKey, caCert *x509.Certificate, caKey *rsa.PrivateKey) (*x509.Certificate, error) { 101 ips := make([]net.IP, len(cfg.IPAddresses)) 102 for i, ipStr := range cfg.IPAddresses { 103 ips[i] = net.ParseIP(ipStr) 104 } 105 106 serial, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64)) 107 if err != nil { 108 return nil, err 109 } 110 111 if cfg.Duration <= 0 { 112 return nil, errors.New("signed client cert duration must not be negative or zero") 113 } 114 115 certTmpl := x509.Certificate{ 116 Subject: pkix.Name{ 117 CommonName: cfg.CommonName, 118 Organization: append(caCert.Subject.Organization, cfg.Organization...), 119 }, 120 DNSNames: cfg.DNSNames, 121 IPAddresses: ips, 122 SerialNumber: serial, 123 NotBefore: caCert.NotBefore, 124 NotAfter: time.Now().Add(cfg.Duration).UTC(), 125 KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, 126 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, 127 } 128 certDERBytes, err := x509.CreateCertificate(rand.Reader, &certTmpl, caCert, key.Public(), caKey) 129 if err != nil { 130 return nil, err 131 } 132 return x509.ParseCertificate(certDERBytes) 133 }