mirror/caddy
1
0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2026-01-13 18:10:20 -05:00
Code Issues Packages Projects Releases Wiki Activity

caddypki: Use go.step.sm/crypto to generate the PKI (#5217)

Browse Source 
This commit replaces the use of github.com/smallstep/cli to generate the
root and intermediate certificates and uses go.step.sm/crypto instead.

It also upgrades the version of github.com/smallstep/certificates to the
latest version.
This commit is contained in:
Mariano Cano
2022-11-23 19:47:42 -08:00
committed by GitHub
parent ac96455a9a
commit 6f8fe01da1
4 changed files with 149 additions and 111 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
modules/caddypki/ca.go
View File

@@ -121,7 +121,7 @@ func (ca *CA) Provision(ctx caddy.Context, id string, log *zap.Logger) error {
// load the certs and key that will be used for signing
var rootCert, interCert *x509.Certificate
var rootKey, interKey any
var rootKey, interKey crypto.Signer
var err error
if ca.Root != nil {
if ca.Root.Format == "" || ca.Root.Format == "pem_file" {
@@ -239,7 +239,7 @@ func (ca *CA) NewAuthority(authorityConfig AuthorityConfig) (*authority.Authorit
return auth, nil
}
func (ca CA) loadOrGenRoot() (rootCert *x509.Certificate, rootKey any, err error) {
func (ca CA) loadOrGenRoot() (rootCert *x509.Certificate, rootKey crypto.Signer, err error) {
if ca.Root != nil {
return ca.Root.Load()
}
@@ -276,7 +276,7 @@ func (ca CA) loadOrGenRoot() (rootCert *x509.Certificate, rootKey any, err error
return rootCert, rootKey, nil
}
func (ca CA) genRoot() (rootCert *x509.Certificate, rootKey any, err error) {
func (ca CA) genRoot() (rootCert *x509.Certificate, rootKey crypto.Signer, err error) {
repl := ca.newReplacer()
rootCert, rootKey, err = generateRoot(repl.ReplaceAll(ca.RootCommonName, ""))
@@ -303,7 +303,7 @@ func (ca CA) genRoot() (rootCert *x509.Certificate, rootKey any, err error) {
return rootCert, rootKey, nil
}
func (ca CA) loadOrGenIntermediate(rootCert *x509.Certificate, rootKey crypto.PrivateKey) (interCert *x509.Certificate, interKey crypto.PrivateKey, err error) {
func (ca CA) loadOrGenIntermediate(rootCert *x509.Certificate, rootKey crypto.Signer) (interCert *x509.Certificate, interKey crypto.Signer, err error) {
interCertPEM, err := ca.storage.Load(ca.ctx, ca.storageKeyIntermediateCert())
if err != nil {
if !errors.Is(err, fs.ErrNotExist) {
@@ -338,7 +338,7 @@ func (ca CA) loadOrGenIntermediate(rootCert *x509.Certificate, rootKey crypto.Pr
return interCert, interKey, nil
}
func (ca CA) genIntermediate(rootCert *x509.Certificate, rootKey crypto.PrivateKey) (interCert *x509.Certificate, interKey crypto.PrivateKey, err error) {
func (ca CA) genIntermediate(rootCert *x509.Certificate, rootKey crypto.Signer) (interCert *x509.Certificate, interKey crypto.Signer, err error) {
repl := ca.newReplacer()
interCert, interKey, err = generateIntermediate(repl.ReplaceAll(ca.IntermediateCommonName, ""), rootCert, rootKey)

51
modules/caddypki/certificates.go
View File

@@ -19,33 +19,50 @@ import (
"crypto/x509"
"time"
"github.com/smallstep/cli/crypto/x509util"
"go.step.sm/crypto/keyutil"
"go.step.sm/crypto/x509util"
)
func generateRoot(commonName string) (rootCrt *x509.Certificate, privateKey any, err error) {
rootProfile, err := x509util.NewRootProfile(commonName)
func generateRoot(commonName string) (*x509.Certificate, crypto.Signer, error) {
template, signer, err := newCert(commonName, x509util.DefaultRootTemplate, defaultRootLifetime)
if err != nil {
return
return nil, nil, err
}
rootProfile.Subject().NotAfter = time.Now().Add(defaultRootLifetime) // TODO: make configurable
return newCert(rootProfile)
root, err := x509util.CreateCertificate(template, template, signer.Public(), signer)
if err != nil {
return nil, nil, err
}
return root, signer, nil
}
func generateIntermediate(commonName string, rootCrt *x509.Certificate, rootKey crypto.PrivateKey) (cert *x509.Certificate, privateKey crypto.PrivateKey, err error) {
interProfile, err := x509util.NewIntermediateProfile(commonName, rootCrt, rootKey)
func generateIntermediate(commonName string, rootCrt *x509.Certificate, rootKey crypto.Signer) (*x509.Certificate, crypto.Signer, error) {
template, signer, err := newCert(commonName, x509util.DefaultIntermediateTemplate, defaultIntermediateLifetime)
if err != nil {
return
return nil, nil, err
}
interProfile.Subject().NotAfter = time.Now().Add(defaultIntermediateLifetime) // TODO: make configurable
return newCert(interProfile)
intermediate, err := x509util.CreateCertificate(template, rootCrt, signer.Public(), rootKey)
if err != nil {
return nil, nil, err
}
return intermediate, signer, nil
}
func newCert(profile x509util.Profile) (cert *x509.Certificate, privateKey crypto.PrivateKey, err error) {
certBytes, err := profile.CreateCertificate()
func newCert(commonName, templateName string, lifetime time.Duration) (cert *x509.Certificate, signer crypto.Signer, err error) {
signer, err = keyutil.GenerateDefaultSigner()
if err != nil {
return
return nil, nil, err
}
privateKey = profile.SubjectPrivateKey()
cert, err = x509.ParseCertificate(certBytes)
return
csr, err := x509util.CreateCertificateRequest(commonName, []string{}, signer)
if err != nil {
return nil, nil, err
}
template, err := x509util.NewCertificate(csr, x509util.WithTemplate(templateName, x509util.CreateTemplateData(commonName, []string{})))
if err != nil {
return nil, nil, err
}
cert = template.GetCertificate()
cert.NotBefore = time.Now().Truncate(time.Second)
cert.NotAfter = cert.NotBefore.Add(lifetime)
return cert, signer, nil
}