server/admin/pki/ca.go

134 lines
3.1 KiB
Go

package pki
import (
"crypto/ecdsa"
"crypto/rand"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"errors"
"io/ioutil"
"math/big"
"os"
"path"
"time"
)
var passwordCA string
func SetCAPassword(pass string) {
passwordCA = pass
}
func CACertPath() string {
return path.Join(PKIDir, "shared", "ca.pem")
}
func CAPrivkeyPath() string {
return path.Join(PKIDir, "ca.key")
}
func GenerateCA(notBefore time.Time, notAfter time.Time) error {
ca := &x509.Certificate{
SerialNumber: big.NewInt(0),
Subject: pkix.Name{
Organization: []string{"EPITA"},
OrganizationalUnit: []string{"SRS laboratory"},
Country: []string{"FR"},
Locality: []string{"Paris"},
CommonName: "FIC CA",
},
NotBefore: notBefore,
NotAfter: notAfter,
IsCA: true,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
BasicConstraintsValid: true,
}
// Ensure directories exists
os.Mkdir(PKIDir, 0751)
os.Mkdir(path.Join(PKIDir, "shared"), 0751)
pub, priv, err := GeneratePrivKey()
if err != nil {
return err
}
ca_b, err := x509.CreateCertificate(rand.Reader, ca, ca, pub, priv)
if err != nil {
return err
}
// Save certificate to file
if err := saveCertificate(CACertPath(), ca_b); err != nil {
return err
}
// Save private key to file
if err := savePrivateKeyEncrypted(CAPrivkeyPath(), priv, passwordCA); err != nil {
return err
}
return nil
}
func LoadCA() (priv ecdsa.PrivateKey, ca x509.Certificate, err error) {
// Load certificate
if fd, errr := os.Open(CACertPath()); errr != nil {
return priv, ca, errr
} else {
defer fd.Close()
if cert, errr := ioutil.ReadAll(fd); errr != nil {
return priv, ca, errr
} else {
block, _ := pem.Decode(cert)
if block == nil || block.Type != "CERTIFICATE" {
return priv, ca, errors.New("failed to decode PEM block containing certificate")
}
if catmp, errr := x509.ParseCertificate(block.Bytes); errr != nil {
return priv, ca, errr
} else if catmp == nil {
return priv, ca, errors.New("failed to parse certificate")
} else {
ca = *catmp
}
}
}
// Load private key
if fd, errr := os.Open(CAPrivkeyPath()); errr != nil {
return priv, ca, errr
} else {
defer fd.Close()
if privkey, errr := ioutil.ReadAll(fd); errr != nil {
return priv, ca, errr
} else {
block, _ := pem.Decode(privkey)
if block == nil || block.Type != "EC PRIVATE KEY" {
return priv, ca, errors.New("failed to decode PEM block containing EC private key")
}
var decrypted_der []byte
if x509.IsEncryptedPEMBlock(block) {
decrypted_der, err = x509.DecryptPEMBlock(block, []byte(passwordCA))
if err != nil {
return
}
} else {
decrypted_der = block.Bytes
}
if tmppriv, errr := x509.ParseECPrivateKey(decrypted_der); errr != nil {
return priv, ca, errr
} else if tmppriv == nil {
return priv, ca, errors.New("failed to parse private key")
} else {
priv = *tmppriv
}
}
}
return
}