cluster/clustercfg/certs/x509.go - hscloud - Gitiles

 package certs

 import (
 	"bytes"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"fmt"
 	"strings"
 	"time"
 )

 var (
 	// From RFC 5280 Section 4.1.2.5
 	unknownNotAfter = time.Unix(253402300799, 0)
 )

 // compareCertData returns an error if any of the 'important' bits of the two
 // certificates differ. Those are the bits that we template ourselves, and that
 // are not issue-dependent (ie. not time or serial or kid or ...).
 func compareCertData(template, cert *x509.Certificate) error {
 	if want, got := template.Subject.String(), cert.Subject.String(); want != got {
 		return fmt.Errorf("issued for different subject, wanted %s, got %s", want, got)
 	}
 	if want, got := strings.Join(template.DNSNames, ","), strings.Join(cert.DNSNames, ","); want != got {
 		return fmt.Errorf("issued for different DNS names, wanted %s, got %s", want, got)
 	}
 	if want, got := len(template.IPAddresses), len(cert.IPAddresses); want != got {
 		return fmt.Errorf("issued for different IP addresses, wanted %v, got %v", want, got)
 	} else {
 		for i := 0; i < len(template.IPAddresses); i++ {
 			if want, got := template.IPAddresses[i], cert.IPAddresses[i]; !bytes.Equal(want, got) {
 				return fmt.Errorf("issued for different IP addresses, wanted %v, got %v", want, got)
 			}
 		}
 	}
 	if want, got := template.KeyUsage, cert.KeyUsage; want != got {
 		return fmt.Errorf("issued for different key usage, wanted %d, got %d", want, got)
 	}
 	if want, got := len(template.ExtKeyUsage), len(cert.ExtKeyUsage); want != got {
 		return fmt.Errorf("issued for different ext key usage, wanted %v, got %v", want, got)
 	} else {
 		for i := 0; i < len(template.ExtKeyUsage); i++ {
 			if want, got := template.ExtKeyUsage[i], cert.ExtKeyUsage[i]; want != got {
 				return fmt.Errorf("issued for different ext key usage, wanted %v, got %v", want, got)
 			}
 		}
 	}
 	if want, got := template.IsCA, cert.IsCA; want != got {
 		return fmt.Errorf("issued for different IsCA, wanted %v, got %v", want, got)
 	}
 	if want, got := template.BasicConstraintsValid, cert.BasicConstraintsValid; want != got {
 		return fmt.Errorf("issued for different basic constraints valid, wanted %v, got %v", want, got)
 	}
 	return nil
 }

 // template builds an x509 'template' certificate, ie. makes an
 // x509.Certificate with all the fields built up from the data contained in
 // Certificate, but without any per-issue fields like times, serial number,
 // etc.
 func (c *Certificate) template() *x509.Certificate {
 	template := &x509.Certificate{
 		Subject: pkix.Name{
 			CommonName: c.cn,
 		},
 		DNSNames:    c.san,
 		IPAddresses: c.ips,
 	}
 	if c.o != "" {
 		template.Subject.Organization = []string{c.o}
 	}
 	switch c.kind {
 	case kindServer:
 		template.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
 		template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
 		template.DNSNames = c.san
 	case kindClient:
 		template.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
 		template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
 		template.DNSNames = c.san
 	case kindClientServer:
 		template.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
 		template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
 	case kindCA:
 		template.IsCA = true
 		template.BasicConstraintsValid = true
 		template.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature
 		template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageOCSPSigning}
 		template.AuthorityKeyId = template.SubjectKeyId
 	case kindProdvider:
 		template.IsCA = true
 		template.BasicConstraintsValid = true
 		template.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
 		template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageOCSPSigning}
 		template.AuthorityKeyId = template.SubjectKeyId
 	}
 	return template
 }
	package certs

	import (
	"bytes"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"strings"
	"time"
	)

	var (
	// From RFC 5280 Section 4.1.2.5
	unknownNotAfter = time.Unix(253402300799, 0)
	)

	// compareCertData returns an error if any of the 'important' bits of the two
	// certificates differ. Those are the bits that we template ourselves, and that
	// are not issue-dependent (ie. not time or serial or kid or ...).
	func compareCertData(template, cert *x509.Certificate) error {
	if want, got := template.Subject.String(), cert.Subject.String(); want != got {
	return fmt.Errorf("issued for different subject, wanted %s, got %s", want, got)
	}
	if want, got := strings.Join(template.DNSNames, ","), strings.Join(cert.DNSNames, ","); want != got {
	return fmt.Errorf("issued for different DNS names, wanted %s, got %s", want, got)
	}
	if want, got := len(template.IPAddresses), len(cert.IPAddresses); want != got {
	return fmt.Errorf("issued for different IP addresses, wanted %v, got %v", want, got)
	} else {
	for i := 0; i < len(template.IPAddresses); i++ {
	if want, got := template.IPAddresses[i], cert.IPAddresses[i]; !bytes.Equal(want, got) {
	return fmt.Errorf("issued for different IP addresses, wanted %v, got %v", want, got)
	}
	}
	}
	if want, got := template.KeyUsage, cert.KeyUsage; want != got {
	return fmt.Errorf("issued for different key usage, wanted %d, got %d", want, got)
	}
	if want, got := len(template.ExtKeyUsage), len(cert.ExtKeyUsage); want != got {
	return fmt.Errorf("issued for different ext key usage, wanted %v, got %v", want, got)
	} else {
	for i := 0; i < len(template.ExtKeyUsage); i++ {
	if want, got := template.ExtKeyUsage[i], cert.ExtKeyUsage[i]; want != got {
	return fmt.Errorf("issued for different ext key usage, wanted %v, got %v", want, got)
	}
	}
	}
	if want, got := template.IsCA, cert.IsCA; want != got {
	return fmt.Errorf("issued for different IsCA, wanted %v, got %v", want, got)
	}
	if want, got := template.BasicConstraintsValid, cert.BasicConstraintsValid; want != got {
	return fmt.Errorf("issued for different basic constraints valid, wanted %v, got %v", want, got)
	}
	return nil
	}

	// template builds an x509 'template' certificate, ie. makes an
	// x509.Certificate with all the fields built up from the data contained in
	// Certificate, but without any per-issue fields like times, serial number,
	// etc.
	func (c Certificate) template() x509.Certificate {
	template := &x509.Certificate{
	Subject: pkix.Name{
	CommonName: c.cn,
	},
	DNSNames: c.san,
	IPAddresses: c.ips,
	}
	if c.o != "" {
	template.Subject.Organization = []string{c.o}
	}
	switch c.kind {
	case kindServer:
	template.KeyUsage = x509.KeyUsageDigitalSignature \| x509.KeyUsageKeyEncipherment
	template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	template.DNSNames = c.san
	case kindClient:
	template.KeyUsage = x509.KeyUsageDigitalSignature \| x509.KeyUsageKeyEncipherment
	template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	template.DNSNames = c.san
	case kindClientServer:
	template.KeyUsage = x509.KeyUsageDigitalSignature \| x509.KeyUsageKeyEncipherment
	template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
	case kindCA:
	template.IsCA = true
	template.BasicConstraintsValid = true
	template.KeyUsage = x509.KeyUsageCertSign \| x509.KeyUsageCRLSign \| x509.KeyUsageDigitalSignature
	template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageOCSPSigning}
	template.AuthorityKeyId = template.SubjectKeyId
	case kindProdvider:
	template.IsCA = true
	template.BasicConstraintsValid = true
	template.KeyUsage = x509.KeyUsageCertSign \| x509.KeyUsageCRLSign \| x509.KeyUsageDigitalSignature \| x509.KeyUsageKeyEncipherment
	template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageOCSPSigning}
	template.AuthorityKeyId = template.SubjectKeyId
	}
	return template
	}