package cfssl
import (
"fmt"
"log"
"os"
"github.com/cloudflare/cfssl/cli/genkey"
"github.com/cloudflare/cfssl/config"
"github.com/cloudflare/cfssl/csr"
"github.com/cloudflare/cfssl/helpers"
"github.com/cloudflare/cfssl/initca"
"github.com/cloudflare/cfssl/signer"
"github.com/cloudflare/cfssl/signer/local"
"github.com/cloudflare/cfssl/signer/universal"
)
// NewCA creates a brand-new self-signed CA from req, the library equivalent of
//
//	cfssl gencert -initca ca-csr.json | cfssljson -bare ca/ca -
//
// When req carries no KeyRequest, cfssl's default (csr.NewKeyRequest) is filled
// in — note that this mutates the caller's req. The results are PEM-encoded:
// the CA certificate, its CSR and the CA private key. This wrapper applies no
// encryption to key; persist it with a restrictive mode (WriteCertKeyFile).
func NewCA(req *csr.CertificateRequest) (cert []byte, csrPEM []byte, key []byte, err error) {
	if req.KeyRequest == nil {
		req.KeyRequest = csr.NewKeyRequest()
	}
	// initca.New already returns exactly our result tuple.
	return initca.New(req)
}
// RenewCACertByCaKeyAndJson re-issues a CA certificate for the subject described
// by req using the existing CA private key stored at caKeyFile, mirroring
//
//	cfssl gencert -initca -ca-key key CsrJSON
//
// A missing req.KeyRequest is filled with cfssl's default for parity with NewCA;
// whether initca.NewFromPEM consults it when the key already exists is not
// visible from here. The key result is always nil: the private key is read
// from caKeyFile and never handed back. cert and csrPEM are PEM-encoded.
// (A CN override hook was sketched in the original but never implemented.)
func RenewCACertByCaKeyAndJson(caKeyFile string, req *csr.CertificateRequest) (cert []byte, csrPEM []byte, key []byte, err error) {
	if req.KeyRequest == nil {
		req.KeyRequest = csr.NewKeyRequest()
	}
	log.Println("re-generate a CA certificate from CSR and CA key")
	cert, csrPEM, err = initca.NewFromPEM(req, caKeyFile)
	return cert, csrPEM, nil, err
}
// RenewCACertByCaKeyAndCert produces a fresh CA certificate from an existing CA
// certificate (caFile) and its private key (caKeyFile), mirroring
//
//	cfssl gencert -renewca -ca cert -ca-key key
//
// Both arguments are file paths. The returned certificate is PEM-encoded; the
// private key is read from disk and never returned. Note the argument order
// (key first, then cert) is the reverse of initca.RenewFromPEM.
func RenewCACertByCaKeyAndCert(caKeyFile string, caFile string) (cert []byte, err error) {
	log.Print("re-generate a CA certificate from CA cert and key")
	return initca.RenewFromPEM(caFile, caKeyFile)
}
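// SignCert generates a new key pair and CSR from req and has the CA stored at
// caFile/caKeyFile sign it with the named profile from caCfg, mirroring
//
//	cfssl gencert -ca=ca/ca.pem -ca-key=ca/ca-key.pem -config=ca-config.json -profile=server server.json
//
// CRLOverride is passed through as SignRequest.CRLOverride when non-empty.
// The results are PEM-encoded: the signed certificate, the CSR and the new
// private key. On any error every []byte result is nil, so a caller cannot
// accidentally persist a private key that has no matching certificate.
func SignCert(caFile, caKeyFile string, caCfg *config.Config, profile string, req *csr.CertificateRequest, CRLOverride string) (cert []byte, csrPEM []byte, key []byte, err error) {
	if req == nil {
		return nil, nil, nil, fmt.Errorf("sign cert: nil certificate request")
	}
	// Load the CA material first: if the CA cert/key/config are unusable
	// there is no point in generating (and handing back) a fresh private key.
	s, err := newSignerFromFiles(caFile, caKeyFile, caCfg)
	if err != nil {
		return nil, nil, nil, err
	}
	// NOTE(review): genkey.Validator is the cfssl CLI's CSR validator; confirm
	// it enforces whatever constraints (if any) this caller expects on req.
	g := &csr.Generator{Validator: genkey.Validator}
	csrPEM, key, err = g.ProcessRequest(req)
	if err != nil {
		return nil, nil, nil, err
	}
	signReq, err := newSignReq(csrPEM, profile, req, CRLOverride)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err = s.Sign(*signReq)
	if err != nil {
		return nil, nil, nil, err
	}
	return cert, csrPEM, key, nil
}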
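// SignCertWithBytes is SignCert for callers that already hold the CA
// certificate and private key in memory (PEM bytes) instead of on disk,
// mirroring
//
//	cfssl gencert -ca=ca/ca.pem -ca-key=ca/ca-key.pem -config=ca-config.json -profile=server server.json
//
// caPrivateKeyPassword decrypts caKey when it is an encrypted PEM; pass "" for
// an unencrypted key. CRLOverride is passed through as SignRequest.CRLOverride
// when non-empty. The results are PEM-encoded: the signed certificate, the CSR
// and the new private key. On any error every []byte result is nil, so a
// caller cannot accidentally persist a private key with no certificate.
func SignCertWithBytes(ca, caKey []byte, caPrivateKeyPassword string, caCfg *config.Config, profile string, req *csr.CertificateRequest, CRLOverride string) (cert []byte, csrPEM []byte, key []byte, err error) {
	if req == nil {
		return nil, nil, nil, fmt.Errorf("sign cert: nil certificate request")
	}
	// Parse the CA material first so a bad CA cert/key/password fails before
	// a fresh private key is generated and handed back.
	s, err := newSignerFromBytes(ca, caKey, caPrivateKeyPassword, caCfg)
	if err != nil {
		return nil, nil, nil, err
	}
	// NOTE(review): genkey.Validator is the cfssl CLI's CSR validator; confirm
	// it enforces whatever constraints (if any) this caller expects on req.
	g := &csr.Generator{Validator: genkey.Validator}
	csrPEM, key, err = g.ProcessRequest(req)
	if err != nil {
		return nil, nil, nil, err
	}
	signReq, err := newSignReq(csrPEM, profile, req, CRLOverride)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err = s.Sign(*signReq)
	if err != nil {
		return nil, nil, nil, err
	}
	return cert, csrPEM, key, nil
}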
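// WriteCertFileWithMode writes contents to filespec and guarantees the file
// ends up with exactly perms. A plain os.WriteFile only applies perms when it
// creates the file (and the process umask can narrow them), so a pre-existing,
// too-permissive file — e.g. a CA key left at 0644 by an earlier run — would
// silently keep its old mode. Here the mode is forced with Chmod *before* any
// bytes are written, so key material is never readable under the stale mode.
// Any failure is printed to stderr and terminates the process with status 1,
// matching the cfssl CLI this package wraps.
//
// Modes used by the convenience wrappers:
//
//	.pem: 0664
//	.key: 0600
//	.csr: 0644
func WriteCertFileWithMode(filespec, contents string, perms os.FileMode) {
	fail := func(err error) {
		fmt.Fprintf(os.Stderr, "%v\n", err)
		os.Exit(1)
	}
	f, err := os.OpenFile(filespec, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, perms)
	if err != nil {
		fail(err)
	}
	// Chmod is not subject to umask and also fixes an existing file's mode.
	if err := f.Chmod(perms); err != nil {
		f.Close()
		fail(err)
	}
	if _, err := f.Write([]byte(contents)); err != nil {
		f.Close()
		fail(err)
	}
	if err := f.Close(); err != nil {
		fail(err)
	}
}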
// WriteCertFile writes a PEM certificate to filespec with mode 0664
// (group-writable, world-readable — certificates are public material).
// Exits the process on failure, like WriteCertFileWithMode.
func WriteCertFile(filespec, contents string) {
	const certMode os.FileMode = 0o664
	WriteCertFileWithMode(filespec, contents, certMode)
}
// WriteCertKeyFile writes a PEM private key to filespec with mode 0600 so only
// the owner can read it. Exits the process on failure, like
// WriteCertFileWithMode.
func WriteCertKeyFile(filespec, contents string) {
	const keyMode os.FileMode = 0o600
	WriteCertFileWithMode(filespec, contents, keyMode)
}
// WriteCertCsrFile writes a PEM CSR to filespec with mode 0644 (owner-writable,
// world-readable — a CSR carries no secret). Exits the process on failure,
// like WriteCertFileWithMode.
func WriteCertCsrFile(filespec, contents string) {
	const csrMode os.FileMode = 0o644
	WriteCertFileWithMode(filespec, contents, csrMode)
}
// newSignReq builds the cfssl signer.SignRequest for a freshly generated CSR.
// Hosts is copied from req (the CLI equivalent is the -hostname flag); how the
// signer reconciles it with the CSR's own SANs is up to cfssl. CRLOverride is
// passed straight through — an empty string leaves the field at its zero
// value, which is exactly what the original conditional assignment did. The
// error result is always nil and exists only so call sites read like the
// other constructors.
func newSignReq(csrPEM []byte, profile string, req *csr.CertificateRequest, CRLOverride string) (*signer.SignRequest, error) {
	return &signer.SignRequest{
		Request:     string(csrPEM),
		Hosts:       req.Hosts,
		Profile:     profile,
		CRLOverride: CRLOverride,
	}, nil
}
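// newSignerFromFiles builds a cfssl signer from a CA certificate and key on
// disk, using caCfg.Signing as the signing policy. ForceRemote is false, so the
// universal signer decides itself whether to sign locally with these files or
// to use a remote named in the policy — a config that names a remote may never
// touch caKeyFile at all; confirm that is intended for the config in use.
//
// Windows caveat (from the original author): local.NewSignerFromFile mishandles
// an absolute caFile path because of the drive-letter colon (':'), so pass
// relative paths only. NOTE(review): cfssl's file reader presumably treats the
// text before a ':' as a scheme; if it accepts a "file:" prefix, prefixing
// absolute paths would sidestep this — verify against the vendored cfssl.
func newSignerFromFiles(caFile, caKeyFile string, caCfg *config.Config) (signer.Signer, error) {
	if caCfg == nil {
		// Guard the caCfg.Signing dereference: a missing config is a caller
		// error and should surface as one, not as a nil-pointer panic.
		return nil, fmt.Errorf("new signer: nil CA config")
	}
	root := universal.Root{
		Config: map[string]string{
			"cert-file": caFile,
			"key-file":  caKeyFile,
		},
		ForceRemote: false,
	}
	return universal.NewSigner(root, caCfg.Signing)
}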
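// newSignerFromBytes builds a local cfssl signer from in-memory PEM bytes: the
// CA certificate, the CA private key and an optional password for an
// encrypted key. The signing policy is caCfg.Signing; the signature algorithm
// is cfssl's default for the parsed key type. Errors from parsing are wrapped
// with %w so callers can still inspect the underlying cfssl error.
func newSignerFromBytes(ca, caKey []byte, caPrivateKeyPassword string, caCfg *config.Config) (signer.Signer, error) {
	if caCfg == nil {
		// Guard the caCfg.Signing dereference instead of panicking later.
		return nil, fmt.Errorf("new signer: nil CA config")
	}
	parsedCA, err := helpers.ParseCertificatePEM(ca)
	if err != nil {
		return nil, fmt.Errorf("parse CA certificate: %w", err)
	}
	// An empty password is passed as nil rather than an empty slice; the
	// original code made that distinction deliberately (presumably cfssl
	// treats nil as "no password supplied"), so it is preserved here.
	var password []byte
	if caPrivateKeyPassword != "" {
		password = []byte(caPrivateKeyPassword)
	}
	priv, err := helpers.ParsePrivateKeyPEMWithPassword(caKey, password)
	if err != nil {
		// Same message text as before; %w instead of %v keeps the cause
		// reachable via errors.Is / errors.As.
		return nil, fmt.Errorf("malformed private key %w", err)
	}
	return local.NewSigner(priv, parsedCA, signer.DefaultSigAlgo(priv), caCfg.Signing)
}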
// GetDefKeyRequest returns the key parameters this package falls back to when a
// request names none: algorithm "ecdsa" with size 256. Per the original author
// this equals csr.NewKeyRequest(); if cfssl's default ever changes, the two
// would silently diverge, so prefer one or the other consistently.
func GetDefKeyRequest() *csr.KeyRequest {
	var kr csr.KeyRequest
	kr.A = "ecdsa"
	kr.S = 256
	return &kr
}