github.com/niedbalski/juju@v0.0.0-20190215020005-8ff100488e47/cert/cert.go (about)

     1  // Copyright 2012, 2013 Canonical Ltd.
     2  // Licensed under the AGPLv3, see LICENCE file for details.
     3  
     4  package cert
     5  
     6  import (
     7  	"crypto/x509"
     8  	"fmt"
     9  	"time"
    10  
    11  	"github.com/juju/errors"
    12  	"github.com/juju/utils/cert"
    13  )
    14  
// Verify checks that the server certificate srvCertPEM chains to the
// single trust root caCertPEM and is within its validity period at the
// instant when. It returns a parse error (annotated) or the error from
// x509.Certificate.Verify, and nil when the chain is acceptable.
//
// Only the trust root and time window are checked: no DNSName is set in
// the options, so hostname matching is the caller's responsibility, and
// KeyUsages is left empty, which the x509 package treats as requiring
// the server-authentication extended key usage.
func Verify(srvCertPEM, caCertPEM string, when time.Time) error {
	ca, err := cert.ParseCert(caCertPEM)
	if err != nil {
		return errors.Annotate(err, "cannot parse CA certificate")
	}
	leaf, err := cert.ParseCert(srvCertPEM)
	if err != nil {
		return errors.Annotate(err, "cannot parse server certificate")
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: when,
	})
	return err
}
    35  
var (
	// NewLeafKeyBits is the RSA key size, in bits, passed as KeyBits to
	// cert.NewLeaf by NewServer and NewDefaultServer. It is a variable
	// rather than a constant so callers may override it.
	NewLeafKeyBits int = 2048
)
    38  
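// NewDefaultServer generates a certificate/key pair suitable for use by a
// server, with an expiry time of 10 years from now.
//
// It is NewServer with the expiry fixed; the certificate parameters
// (wildcard CommonName, the given hostnames, server-authentication
// extended key usage, a NewLeafKeyBits-bit key) are those of NewServer.
func NewDefaultServer(caCertPEM, caKeyPEM string, hostnames []string) (certPEM, keyPEM string, err error) {
	// TODO(perrito666) 2016-05-02 lp:1558657
	// NOTE(review): ten years is a long lifetime for a server leaf
	// certificate; worth confirming whether the TODO above covers that.
	expiry := time.Now().UTC().AddDate(10, 0, 0)
	// Delegate to NewServer so the leaf configuration lives in one place.
	return NewServer(caCertPEM, caKeyPEM, expiry, hostnames)
}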
    54  
// NewServer generates a certificate/key pair suitable for use by a server,
// signed by the CA given as caCertPEM/caKeyPEM and expiring at expiry.
//
// The leaf is issued with CommonName "*", the given hostnames, only the
// server-authentication extended key usage, and a NewLeafKeyBits-bit key.
// Generation itself is delegated to cert.NewLeaf.
func NewServer(caCertPEM, caKeyPEM string, expiry time.Time, hostnames []string) (certPEM, keyPEM string, err error) {
	leaf := cert.Config{
		CommonName:  "*",
		CA:          []byte(caCertPEM),
		CAKey:       []byte(caKeyPEM),
		Expiry:      expiry,
		Hostnames:   hostnames,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		KeyBits:     NewLeafKeyBits,
	}
	certPEM, keyPEM, err = cert.NewLeaf(&leaf)
	return certPEM, keyPEM, err
}
    67  
// NewCA generates a CA certificate/key pair suitable for signing server
// keys for an environment with the given name. It is a wrapper around
// utils/cert#NewCA, exposed as a package variable (presumably so it can
// be swapped out, e.g. in tests) rather than a function.
var NewCA func(commonName, UUID string, expiry time.Time) (string, string, error) = newCA
    72  
// newCA is the default implementation behind NewCA. It delegates to
// utils/cert.NewCA, using commonName only to build the CA's common name
// "juju-generated CA for model <commonName>" and passing UUID and expiry
// through unchanged.
func newCA(commonName, UUID string, expiry time.Time) (certPEM, keyPEM string, err error) {
	caName := fmt.Sprintf("juju-generated CA for model %q", commonName)
	// NOTE(review): the trailing 0 is handed straight to utils/cert.NewCA;
	// presumably its key-size argument, with 0 selecting that package's
	// default — confirm against utils/cert.
	certPEM, keyPEM, err = cert.NewCA(caName, UUID, expiry, 0)
	return certPEM, keyPEM, err
}