代码拉取完成,页面将自动刷新
/*
Copyright IBM Corp. All Rights Reserved.
SPDX-License-Identifier: Apache-2.0
*/
package tlsgen
import (
"crypto"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"math/big"
"net"
"time"
"github.com/pkg/errors"
)
func newPrivKey() (*ecdsa.PrivateKey, []byte, error) {
privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
return nil, nil, err
}
privBytes, err := x509.MarshalPKCS8PrivateKey(privateKey)
if err != nil {
return nil, nil, err
}
return privateKey, privBytes, nil
}
func newCertTemplate() (x509.Certificate, error) {
sn, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
if err != nil {
return x509.Certificate{}, err
}
return x509.Certificate{
Subject: pkix.Name{SerialNumber: sn.String()},
NotBefore: time.Now().Add(time.Hour * (-24)),
NotAfter: time.Now().Add(time.Hour * 24),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
SerialNumber: sn,
}, nil
}
func newCertKeyPair(isCA bool, isServer bool, host string, certSigner crypto.Signer, parent *x509.Certificate) (*CertKeyPair, error) {
privateKey, privBytes, err := newPrivKey()
if err != nil {
return nil, err
}
template, err := newCertTemplate()
if err != nil {
return nil, err
}
tenYearsFromNow := time.Now().Add(time.Hour * 24 * 365 * 10)
if isCA {
template.NotAfter = tenYearsFromNow
template.IsCA = true
template.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
template.ExtKeyUsage = []x509.ExtKeyUsage{
x509.ExtKeyUsageClientAuth,
x509.ExtKeyUsageServerAuth,
}
template.BasicConstraintsValid = true
} else {
template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
}
if isServer {
template.NotAfter = tenYearsFromNow
template.ExtKeyUsage = append(template.ExtKeyUsage, x509.ExtKeyUsageServerAuth)
if ip := net.ParseIP(host); ip != nil {
template.IPAddresses = append(template.IPAddresses, ip)
} else {
template.DNSNames = append(template.DNSNames, host)
}
}
// If no parent cert, it's a self signed cert
if parent == nil || certSigner == nil {
parent = &template
certSigner = privateKey
}
rawBytes, err := x509.CreateCertificate(rand.Reader, &template, parent, &privateKey.PublicKey, certSigner)
if err != nil {
return nil, err
}
pubKey := encodePEM("CERTIFICATE", rawBytes)
block, _ := pem.Decode(pubKey)
if block == nil { // Never comes unless x509 or pem has bug
return nil, errors.Errorf("%s: wrong PEM encoding", pubKey)
}
cert, err := x509.ParseCertificate(block.Bytes)
if err != nil {
return nil, err
}
privKey := encodePEM("EC PRIVATE KEY", privBytes)
return &CertKeyPair{
Key: privKey,
Cert: pubKey,
Signer: privateKey,
TLSCert: cert,
}, nil
}
func encodePEM(keyType string, data []byte) []byte {
return pem.EncodeToMemory(&pem.Block{Type: keyType, Bytes: data})
}
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。
马建仓 AI 助手
