automatic issuing certificates from provided CA

2026-04-08 23:06:01 -04:00 · 2018-04-10 12:42:02 +02:00
parent 8ba8ce7d6a
commit 318a36fe58
7 changed files with 366 additions and 45 deletions
--- a/common/protocol/tls/cert/cert.go
+++ b/common/protocol/tls/cert/cert.go
@@ -7,17 +7,39 @@ import (
 	"encoding/pem"
 	"math/big"
 	"time"
+
+	"v2ray.com/core/common"
 )

 //go:generate go run $GOPATH/src/v2ray.com/core/common/errors/errorgen/main.go -pkg cert -path Protocol,TLS,Cert

 type Certificate struct {
-	// Cerificate in x509 format
+	// Cerificate in ASN.1 DER format
 	Certificate []byte
-	// Private key in x509 format
+	// Private key in ASN.1 DER format
 	PrivateKey []byte
 }

+func ParseCertificate(certPEM []byte, keyPEM []byte) (*Certificate, error) {
+	certBlock, _ := pem.Decode(certPEM)
+	if certBlock == nil {
+		return nil, newError("failed to decode certificate")
+	}
+	keyBlock, _ := pem.Decode(keyPEM)
+	if keyBlock == nil {
+		return nil, newError("failed to decode key")
+	}
+	return &Certificate{
+		Certificate: certBlock.Bytes,
+		PrivateKey:  keyBlock.Bytes,
+	}, nil
+}
+
+func (c *Certificate) ToPEM() ([]byte, []byte) {
+	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Certificate}),
+		pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: c.PrivateKey})
+}
+
 type Option func(*x509.Certificate)

 func Authority(isCA bool) Option {
@@ -50,10 +72,31 @@ func CommonName(name string) Option {
 	}
 }

-func Generate(parent *x509.Certificate, opts ...Option) (*Certificate, error) {
-	priv, err := rsa.GenerateKey(rand.Reader, 2048)
+func KeyUsage(usage x509.KeyUsage) Option {
+	return func(c *x509.Certificate) {
+		c.KeyUsage = usage
+	}
+}
+
+func MustGenerate(parent *Certificate, opts ...Option) *Certificate {
+	cert, err := Generate(parent, opts...)
+	common.Must(err)
+	return cert
+}
+
+func Generate(parent *Certificate, opts ...Option) (*Certificate, error) {
+	selfKey, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
-		return nil, newError("failed to generate RSA private key").Base(err)
+		return nil, newError("failed to generate self private key").Base(err)
+	}
+
+	parentKey := selfKey
+	if parent != nil {
+		pKey, err := x509.ParsePKCS1PrivateKey(parent.PrivateKey)
+		if err != nil {
+			return nil, newError("failed to parse parent private key").Base(err)
+		}
+		parentKey = pKey
 	}

 	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
@@ -75,20 +118,22 @@ func Generate(parent *x509.Certificate, opts ...Option) (*Certificate, error) {
 		opt(template)
 	}

-	if parent == nil {
-		parent = template
+	parentCert := template
+	if parent != nil {
+		pCert, err := x509.ParseCertificate(parent.Certificate)
+		if err != nil {
+			return nil, newError("failed to parse parent certificate").Base(err)
+		}
+		parentCert = pCert
 	}

-	derBytes, err := x509.CreateCertificate(rand.Reader, template, parent, priv.Public(), priv)
+	derBytes, err := x509.CreateCertificate(rand.Reader, template, parentCert, selfKey.Public(), parentKey)
 	if err != nil {
 		return nil, newError("failed to create certificate").Base(err)
 	}

-	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
-	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
-
 	return &Certificate{
-		Certificate: certPEM,
-		PrivateKey:  keyPEM,
+		Certificate: derBytes,
+		PrivateKey:  x509.MarshalPKCS1PrivateKey(selfKey),
 	}, nil
 }