Serge Bazanski | 9f0e1e8 | 2023-03-31 22:36:54 +0000 | [diff] [blame] | 1 | package certs |
| 2 | |
| 3 | import ( |
| 4 | "bytes" |
| 5 | "crypto/x509" |
| 6 | "crypto/x509/pkix" |
| 7 | "fmt" |
| 8 | "strings" |
| 9 | "time" |
| 10 | ) |
| 11 | |
| 12 | var ( |
| 13 | // From RFC 5280 Section 4.1.2.5 |
| 14 | unknownNotAfter = time.Unix(253402300799, 0) |
| 15 | ) |
| 16 | |
| 17 | // compareCertData returns an error if any of the 'important' bits of the two |
| 18 | // certificates differ. Those are the bits that we template ourselves, and that |
| 19 | // are not issue-dependent (ie. not time or serial or kid or ...). |
| 20 | func compareCertData(template, cert *x509.Certificate) error { |
| 21 | if want, got := template.Subject.String(), cert.Subject.String(); want != got { |
| 22 | return fmt.Errorf("issued for different subject, wanted %s, got %s", want, got) |
| 23 | } |
| 24 | if want, got := strings.Join(template.DNSNames, ","), strings.Join(cert.DNSNames, ","); want != got { |
| 25 | return fmt.Errorf("issued for different DNS names, wanted %s, got %s", want, got) |
| 26 | } |
| 27 | if want, got := len(template.IPAddresses), len(cert.IPAddresses); want != got { |
| 28 | return fmt.Errorf("issued for different IP addresses, wanted %v, got %v", want, got) |
| 29 | } else { |
| 30 | for i := 0; i < len(template.IPAddresses); i++ { |
| 31 | if want, got := template.IPAddresses[i], cert.IPAddresses[i]; !bytes.Equal(want, got) { |
| 32 | return fmt.Errorf("issued for different IP addresses, wanted %v, got %v", want, got) |
| 33 | } |
| 34 | } |
| 35 | } |
| 36 | if want, got := template.KeyUsage, cert.KeyUsage; want != got { |
| 37 | return fmt.Errorf("issued for different key usage, wanted %d, got %d", want, got) |
| 38 | } |
| 39 | if want, got := len(template.ExtKeyUsage), len(cert.ExtKeyUsage); want != got { |
| 40 | return fmt.Errorf("issued for different ext key usage, wanted %v, got %v", want, got) |
| 41 | } else { |
| 42 | for i := 0; i < len(template.ExtKeyUsage); i++ { |
| 43 | if want, got := template.ExtKeyUsage[i], cert.ExtKeyUsage[i]; want != got { |
| 44 | return fmt.Errorf("issued for different ext key usage, wanted %v, got %v", want, got) |
| 45 | } |
| 46 | } |
| 47 | } |
| 48 | if want, got := template.IsCA, cert.IsCA; want != got { |
| 49 | return fmt.Errorf("issued for different IsCA, wanted %v, got %v", want, got) |
| 50 | } |
| 51 | if want, got := template.BasicConstraintsValid, cert.BasicConstraintsValid; want != got { |
| 52 | return fmt.Errorf("issued for different basic constraints valid, wanted %v, got %v", want, got) |
| 53 | } |
| 54 | return nil |
| 55 | } |
| 56 | |
| 57 | // template builds an x509 'template' certificate, ie. makes an |
| 58 | // x509.Certificate with all the fields built up from the data contained in |
| 59 | // Certificate, but without any per-issue fields like times, serial number, |
| 60 | // etc. |
| 61 | func (c *Certificate) template() *x509.Certificate { |
| 62 | template := &x509.Certificate{ |
| 63 | Subject: pkix.Name{ |
| 64 | CommonName: c.cn, |
| 65 | }, |
| 66 | DNSNames: c.san, |
| 67 | IPAddresses: c.ips, |
| 68 | } |
| 69 | if c.o != "" { |
| 70 | template.Subject.Organization = []string{c.o} |
| 71 | } |
| 72 | switch c.kind { |
| 73 | case kindServer: |
| 74 | template.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment |
| 75 | template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth} |
| 76 | template.DNSNames = c.san |
| 77 | case kindClient: |
| 78 | template.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment |
| 79 | template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth} |
| 80 | template.DNSNames = c.san |
| 81 | case kindClientServer: |
| 82 | template.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment |
| 83 | template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth} |
| 84 | case kindCA: |
| 85 | template.IsCA = true |
| 86 | template.BasicConstraintsValid = true |
| 87 | template.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature |
| 88 | template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageOCSPSigning} |
| 89 | template.AuthorityKeyId = template.SubjectKeyId |
| 90 | case kindProdvider: |
| 91 | template.IsCA = true |
| 92 | template.BasicConstraintsValid = true |
| 93 | template.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment |
| 94 | template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageOCSPSigning} |
| 95 | template.AuthorityKeyId = template.SubjectKeyId |
| 96 | } |
| 97 | return template |
| 98 | } |