closed-social
/
gitea
3
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1576 Commits
2 Branches
178 MiB
Tree: 8d5a4cc9eb
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '8d5a4cc9eb'
${ noResults }
gitea/cmd/cert.go

158 lines
4.5 KiB
Raw Normal View History

Feature: Integrate crypto/tls/generate_cert.go command
10 years ago
 
  1. // Copyright 2009 The Go Authors. All rights reserved.

  2. // Copyright 2014 The Gogs Authors. All rights reserved.

  3. // Use of this source code is governed by a MIT-style

  4. // license that can be found in the LICENSE file.

  5. 

  6. package cmd
  7. 

  8. import (
  9. 	"crypto/ecdsa"
  10. 	"crypto/elliptic"
  11. 	"crypto/rand"
  12. 	"crypto/rsa"
  13. 	"crypto/x509"
  14. 	"crypto/x509/pkix"
  15. 	"encoding/pem"
  16. 	"log"
  17. 	"math/big"
  18. 	"net"
  19. 	"os"
  20. 	"strings"
  21. 	"time"
  22. 

  23. 	"github.com/codegangsta/cli"
  24. )
  25. 

  26. var CmdCert = cli.Command{
  27. 	Name:  "cert",
  28. 	Usage: "Generate self-signed certificate",
  29. 	Description: `Generate a self-signed X.509 certificate for a TLS server. 
  30. Outputs to 'cert.pem' and 'key.pem' and will overwrite existing files.`,
  31. 	Action: runCert,
  32. 	Flags: []cli.Flag{
  33. 		cli.StringFlag{"host", "", "Comma-separated hostnames and IPs to generate a certificate for", ""},
  34. 		cli.StringFlag{"ecdsa-curve", "", "ECDSA curve to use to generate a key. Valid values are P224, P256, P384, P521", ""},
  35. 		cli.IntFlag{"rsa-bits", 2048, "Size of RSA key to generate. Ignored if --ecdsa-curve is set", ""},
  36. 		cli.StringFlag{"start-date", "", "Creation date formatted as Jan 1 15:04:05 2011", ""},
  37. 		cli.DurationFlag{"duration", 365 * 24 * time.Hour, "Duration that certificate is valid for", ""},
  38. 		cli.BoolFlag{"ca", "whether this cert should be its own Certificate Authority", ""},
  39. 	},
  40. }
  41. 

  42. func publicKey(priv interface{}) interface{} {
  43. 	switch k := priv.(type) {
  44. 	case *rsa.PrivateKey:
  45. 		return &k.PublicKey
  46. 	case *ecdsa.PrivateKey:
  47. 		return &k.PublicKey
  48. 	default:
  49. 		return nil
  50. 	}
  51. }
  52. 

  53. func pemBlockForKey(priv interface{}) *pem.Block {
  54. 	switch k := priv.(type) {
  55. 	case *rsa.PrivateKey:
  56. 		return &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)}
  57. 	case *ecdsa.PrivateKey:
  58. 		b, err := x509.MarshalECPrivateKey(k)
  59. 		if err != nil {
  60. 			log.Fatal("unable to marshal ECDSA private key: %v", err)
  61. 		}
  62. 		return &pem.Block{Type: "EC PRIVATE KEY", Bytes: b}
  63. 	default:
  64. 		return nil
  65. 	}
  66. }
  67. 

  68. func runCert(ctx *cli.Context) {
  69. 	if len(ctx.String("host")) == 0 {
  70. 		log.Fatal("Missing required --host parameter")
  71. 	}
  72. 

  73. 	var priv interface{}
  74. 	var err error
  75. 	switch ctx.String("ecdsa-curve") {
  76. 	case "":
  77. 		priv, err = rsa.GenerateKey(rand.Reader, ctx.Int("rsa-bits"))
  78. 	case "P224":
  79. 		priv, err = ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
  80. 	case "P256":
  81. 		priv, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
  82. 	case "P384":
  83. 		priv, err = ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
  84. 	case "P521":
  85. 		priv, err = ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
  86. 	default:
  87. 		log.Fatalf("Unrecognized elliptic curve: %q", ctx.String("ecdsa-curve"))
  88. 	}
  89. 	if err != nil {
  90. 		log.Fatalf("Failed to generate private key: %s", err)
  91. 	}
  92. 

  93. 	var notBefore time.Time
  94. 	if len(ctx.String("start-date")) == 0 {
  95. 		notBefore = time.Now()
  96. 	} else {
  97. 		notBefore, err = time.Parse("Jan 2 15:04:05 2006", ctx.String("start-date"))
  98. 		if err != nil {
  99. 			log.Fatalf("Failed to parse creation date: %s", err)
  100. 		}
  101. 	}
  102. 

  103. 	notAfter := notBefore.Add(ctx.Duration("duration"))
  104. 

  105. 	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
  106. 	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
  107. 	if err != nil {
  108. 		log.Fatalf("Failed to generate serial number: %s", err)
  109. 	}
  110. 

  111. 	template := x509.Certificate{
  112. 		SerialNumber: serialNumber,
  113. 		Subject: pkix.Name{
  114. 			Organization: []string{"Acme Co"},
  115. 		},
  116. 		NotBefore: notBefore,
  117. 		NotAfter:  notAfter,
  118. 

  119. 		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
  120. 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
  121. 		BasicConstraintsValid: true,
  122. 	}
  123. 

  124. 	hosts := strings.Split(ctx.String("host"), ",")
  125. 	for _, h := range hosts {
  126. 		if ip := net.ParseIP(h); ip != nil {
  127. 			template.IPAddresses = append(template.IPAddresses, ip)
  128. 		} else {
  129. 			template.DNSNames = append(template.DNSNames, h)
  130. 		}
  131. 	}
  132. 

  133. 	if ctx.Bool("ca") {
  134. 		template.IsCA = true
  135. 		template.KeyUsage |= x509.KeyUsageCertSign
  136. 	}
  137. 

  138. 	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, publicKey(priv), priv)
  139. 	if err != nil {
  140. 		log.Fatalf("Failed to create certificate: %s", err)
  141. 	}
  142. 

  143. 	certOut, err := os.Create("cert.pem")
  144. 	if err != nil {
  145. 		log.Fatalf("Failed to open cert.pem for writing: %s", err)
  146. 	}
  147. 	pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
  148. 	certOut.Close()
  149. 	log.Println("Written cert.pem")
  150. 

  151. 	keyOut, err := os.OpenFile("key.pem", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
  152. 	if err != nil {
  153. 		log.Fatal("failed to open key.pem for writing: %v", err)
  154. 	}
  155. 	pem.Encode(keyOut, pemBlockForKey(priv))
  156. 	keyOut.Close()
  157. 	log.Println("Written key.pem")
  158. }