Last active
September 26, 2016 20:13
-
-
Save vbatts/5a7339e0f3cb30e8614b5eb317f59463 to your computer and use it in GitHub Desktop.
modification of the golang ./src/crypto/tls/generate_cert.go, but trying to play nice with google-chrome
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// Copyright 2009 The Go Authors. All rights reserved. | |
// Use of this source code is governed by a BSD-style | |
// license that can be found in the LICENSE file. | |
// +build ignore | |
// Generate a self-signed X.509 certificate for a TLS server. Outputs to | |
// 'cert.pem' and 'key.pem' and will overwrite existing files. | |
package main | |
import ( | |
"crypto/ecdsa" | |
"crypto/elliptic" | |
"crypto/rand" | |
"crypto/rsa" | |
"crypto/sha1" | |
"crypto/x509" | |
"crypto/x509/pkix" | |
"encoding/asn1" | |
"encoding/pem" | |
"flag" | |
"fmt" | |
"log" | |
"math/big" | |
"net" | |
"os" | |
"strings" | |
"time" | |
) | |
var ( | |
host = flag.String("host", "", "Comma-separated hostnames and IPs to generate a certificate for") | |
org = flag.String("org", "Acme Co", "Organization name (O)") | |
orgUnit = flag.String("org-unit", "Development", "Organization Unit name (OU)") | |
country = flag.String("country", "aa", "Country name") | |
serial = flag.Int64("serial", -1, "provide a serial number for the certificate (negative number will generate a random integer)") | |
commonName = flag.String("common-name", "Acme Co", "Common Name (CN)") | |
validFrom = flag.String("start-date", "", "Creation date formatted as Jan 1 15:04:05 2011") | |
validFor = flag.Duration("duration", 365*24*time.Hour, "Duration that certificate is valid for") | |
isCA = flag.Bool("ca", false, "whether this cert should be its own Certificate Authority") | |
rsaBits = flag.Int("rsa-bits", 2048, "Size of RSA key to generate. Ignored if --ecdsa-curve is set") | |
ecdsaCurve = flag.String("ecdsa-curve", "", "ECDSA curve to use to generate a key. Valid values are P224, P256, P384, P521") | |
) | |
func publicKey(priv interface{}) interface{} { | |
switch k := priv.(type) { | |
case *rsa.PrivateKey: | |
return &k.PublicKey | |
case *ecdsa.PrivateKey: | |
return &k.PublicKey | |
default: | |
return nil | |
} | |
} | |
func pemBlockForKey(priv interface{}) *pem.Block { | |
switch k := priv.(type) { | |
case *rsa.PrivateKey: | |
return &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)} | |
case *ecdsa.PrivateKey: | |
b, err := x509.MarshalECPrivateKey(k) | |
if err != nil { | |
fmt.Fprintf(os.Stderr, "Unable to marshal ECDSA private key: %v", err) | |
os.Exit(2) | |
} | |
return &pem.Block{Type: "EC PRIVATE KEY", Bytes: b} | |
default: | |
return nil | |
} | |
} | |
func main() { | |
flag.Parse() | |
if len(*host) == 0 { | |
log.Fatalf("Missing required --host parameter") | |
} | |
var priv interface{} | |
var err error | |
switch *ecdsaCurve { | |
case "": | |
priv, err = rsa.GenerateKey(rand.Reader, *rsaBits) | |
case "P224": | |
priv, err = ecdsa.GenerateKey(elliptic.P224(), rand.Reader) | |
case "P256": | |
priv, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) | |
case "P384": | |
priv, err = ecdsa.GenerateKey(elliptic.P384(), rand.Reader) | |
case "P521": | |
priv, err = ecdsa.GenerateKey(elliptic.P521(), rand.Reader) | |
default: | |
fmt.Fprintf(os.Stderr, "Unrecognized elliptic curve: %q", *ecdsaCurve) | |
os.Exit(1) | |
} | |
if err != nil { | |
log.Fatalf("failed to generate private key: %s", err) | |
} | |
var notBefore time.Time | |
if len(*validFrom) == 0 { | |
notBefore = time.Now() | |
} else { | |
notBefore, err = time.Parse("Jan 2 15:04:05 2006", *validFrom) | |
if err != nil { | |
fmt.Fprintf(os.Stderr, "Failed to parse creation date: %s\n", err) | |
os.Exit(1) | |
} | |
} | |
notAfter := notBefore.Add(*validFor) | |
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) | |
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit) | |
if err != nil { | |
log.Fatalf("failed to generate serial number: %s", err) | |
} | |
if *serial > 0 { | |
serialNumber.SetInt64(*serial) | |
} | |
var mdata []byte | |
switch k := priv.(type) { | |
case *rsa.PrivateKey: | |
mdata, err = asn1.Marshal(k.PublicKey) | |
case *ecdsa.PrivateKey: | |
mdata, err = asn1.Marshal(k.PublicKey) | |
default: | |
mdata = []byte("") | |
} | |
if err != nil { | |
log.Fatalf("failed to get ASN1 of publickey: %s", err) | |
} | |
keyFingerprint := sha1.Sum(mdata) | |
template := x509.Certificate{ | |
SerialNumber: serialNumber, | |
SubjectKeyId: keyFingerprint[:], | |
//AuthorityKeyId: keyFingerprint[:], | |
Subject: pkix.Name{ | |
Organization: []string{*org}, | |
OrganizationalUnit: []string{*orgUnit}, | |
Country: []string{*country}, | |
CommonName: *commonName, | |
}, | |
NotBefore: notBefore, | |
NotAfter: notAfter, | |
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, | |
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, | |
BasicConstraintsValid: true, | |
} | |
hosts := strings.Split(*host, ",") | |
for _, h := range hosts { | |
if ip := net.ParseIP(h); ip != nil { | |
template.IPAddresses = append(template.IPAddresses, ip) | |
} else { | |
template.DNSNames = append(template.DNSNames, h) | |
} | |
} | |
if *isCA { | |
template.IsCA = true | |
template.KeyUsage |= x509.KeyUsageCertSign | |
} | |
derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, publicKey(priv), priv) | |
if err != nil { | |
log.Fatalf("Failed to create certificate: %s", err) | |
} | |
certOut, err := os.Create("cert.pem") | |
if err != nil { | |
log.Fatalf("failed to open cert.pem for writing: %s", err) | |
} | |
pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}) | |
certOut.Close() | |
log.Print("written cert.pem\n") | |
keyOut, err := os.OpenFile("key.pem", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600) | |
if err != nil { | |
log.Print("failed to open key.pem for writing:", err) | |
return | |
} | |
pem.Encode(keyOut, pemBlockForKey(priv)) | |
keyOut.Close() | |
log.Print("written key.pem\n") | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment