17 package authority
18
19 import (
20 "crypto"
21 "crypto/rand"
22 "crypto/x509"
23 "fmt"
24 "math/big"
25 )
26
// serialNumberLimit is the exclusive upper bound for generated certificate
// serial numbers: 2^128. A uniformly random value below it carries 128 bits
// of entropy, well above the 64-bit minimum the CA/Browser Forum baseline
// requirements demand for unpredictable serials, and it encodes in at most
// 17 octets, inside the 20-octet ceiling of RFC 5280 section 4.1.2.2.
var serialNumberLimit = new(big.Int).Exp(big.NewInt(2), big.NewInt(128), nil)
28
29
30
// CertificateAuthority holds the signing material for one issuing CA.
//
// RawCert and RawKey carry encoded forms; Certificate and PrivateKey are the
// parsed values that Sign actually uses. Nothing in this file shows how the
// raw and parsed fields are kept consistent — NOTE(review): presumably the
// constructor/loader fills both from the same material; confirm there.
type CertificateAuthority struct {
	// RawCert is the encoded CA certificate (encoding not established here;
	// presumably DER or PEM — confirm with the loader).
	RawCert []byte

	// RawKey is the encoded CA private key. This is long-lived signing key
	// material: never log it, and avoid copying the struct by value into
	// places that outlive the CA.
	RawKey []byte

	// Certificate is the parsed CA certificate used as the issuer (parent)
	// when signing; Sign hands its NotAfter to the signing policy.
	Certificate *x509.Certificate
	// PrivateKey signs issued certificates and must be the private half of
	// Certificate's public key.
	PrivateKey crypto.Signer
}
40
41
42
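// Sign issues a certificate for the DER-encoded certificate request crDER,
// signed by ca, after applying policy to the certificate template. It returns
// the DER-encoded certificate.
//
// Security notes:
//   - The CSR signature is verified, which proves the requester holds the
//     private key (proof of possession) but says nothing about whether the
//     requester is entitled to the identities it asks for. Subject, DNSNames,
//     IPAddresses, EmailAddresses and URIs are copied from the CSR verbatim,
//     so the caller — or policy.apply, whose body is not visible here — is
//     responsible for authorizing them before or during signing.
//   - CSR-requested extensions are not honored. x509.CreateCertificate
//     ignores the template's Extensions field, and ParseCertificateRequest
//     does not populate ExtraExtensions, so both copies below are inert.
//     Do not "fix" this by assigning cr.Extensions to ExtraExtensions without
//     filtering: ExtraExtensions override the generated ones, and a CSR could
//     then request basicConstraints CA:TRUE, keyCertSign, or a subjectAltName
//     that replaces DNSNames.
//   - Serial numbers are 128 bits from crypto/rand, so they are unpredictable
//     and collide only with negligible probability.
//   - No restriction is placed here on the CSR's key algorithm or size; if
//     the deployment needs one, it belongs in policy or in the caller.
//
// Errors are returned for a malformed CSR, a bad CSR signature, an
// uninitialized CA, serial generation failure, policy rejection, or a
// signing failure.
func (ca *CertificateAuthority) Sign(crDER []byte, policy SigningPolicy) ([]byte, error) {
	// Fail closed with a clear error when the CA was never loaded; without
	// this, ca.Certificate.NotAfter below panics on a nil pointer.
	if ca == nil || ca.Certificate == nil || ca.PrivateKey == nil {
		return nil, fmt.Errorf("certificate authority is not initialized")
	}

	cr, err := x509.ParseCertificateRequest(crDER)
	if err != nil {
		return nil, fmt.Errorf("unable to parse certificate request: %v", err)
	}
	// Proof of possession: reject a CSR not signed by the key it carries.
	if err := cr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("unable to verify certificate request signature: %v", err)
	}

	// Uniform in [0, 2^128). RFC 5280 requires a positive serial; the zero
	// value is reachable only with probability 2^-128 and is not special-cased.
	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
	if err != nil {
		return nil, fmt.Errorf("unable to generate a serial number for %s: %v", cr.Subject.CommonName, err)
	}

	// Identities and key come straight from the CSR; validity, usages and any
	// other constraints are left to policy.apply.
	tmpl := &x509.Certificate{
		SerialNumber:       serialNumber,
		Subject:            cr.Subject,
		DNSNames:           cr.DNSNames,
		IPAddresses:        cr.IPAddresses,
		EmailAddresses:     cr.EmailAddresses,
		URIs:               cr.URIs,
		PublicKeyAlgorithm: cr.PublicKeyAlgorithm,
		PublicKey:          cr.PublicKey,
		// Kept for policy.apply to inspect if it wishes; neither field is
		// marshaled into the issued certificate (see the doc comment above).
		Extensions:      cr.Extensions,
		ExtraExtensions: cr.ExtraExtensions,
	}
	// The CA's own NotAfter is passed so the policy can cap the issued
	// certificate's lifetime at the issuer's; what apply actually sets is not
	// visible in this file.
	if err := policy.apply(tmpl, ca.Certificate.NotAfter); err != nil {
		return nil, err
	}

	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Certificate, cr.PublicKey, ca.PrivateKey)
	if err != nil {
		return nil, fmt.Errorf("failed to sign certificate: %v", err)
	}
	return der, nil
}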
79