-
Notifications
You must be signed in to change notification settings - Fork 25
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
0 parents
commit 5db062f
Showing
3 changed files
with
212 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
dist/ | ||
certgen | ||
*~ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
before: | ||
hooks: | ||
- go mod tidy | ||
builds: | ||
- | ||
goos: | ||
- darwin | ||
- linux | ||
- freebsd | ||
|
||
goarch: | ||
- amd64 | ||
- arm64 | ||
- ppc64le | ||
- s390x | ||
|
||
flags: | ||
- -trimpath | ||
- --tags=kqueue | ||
|
||
ldflags: | ||
- -s -w -X main.version={{.Tag}} | ||
|
||
env: | ||
- CGO_ENABLED=0 | ||
|
||
checksum: | ||
name_template: 'checksums.txt' | ||
snapshot: | ||
name_template: "{{ .Tag }}-next" | ||
changelog: | ||
sort: asc | ||
filters: | ||
exclude: | ||
- '^docs:' | ||
- '^test:' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,173 @@ | ||
// Copyright 2009 The Go Authors. All rights reserved. | ||
// Use of this source code is governed by a BSD-style | ||
// license that can be found in the LICENSE file. | ||
|
||
// Generate a self-signed X.509 certificate for a TLS server. Outputs to | ||
// 'public.crt' and 'private.key' and will overwrite existing files. | ||
|
||
package main | ||
|
||
import ( | ||
"crypto/ecdsa" | ||
"crypto/ed25519" | ||
"crypto/elliptic" | ||
"crypto/rand" | ||
"crypto/rsa" | ||
"crypto/x509" | ||
"crypto/x509/pkix" | ||
"encoding/pem" | ||
"flag" | ||
"log" | ||
"math/big" | ||
"net" | ||
"os" | ||
"strings" | ||
"time" | ||
) | ||
|
||
var version = "(dev)" | ||
|
||
var ( | ||
host = flag.String("host", "", "Comma-separated hostnames and IPs to generate a certificate for") | ||
validFrom = flag.String("start-date", "", "Creation date formatted as Jan 1 15:04:05 2011") | ||
validFor = flag.Duration("duration", 365*24*time.Hour, "Duration that certificate is valid for") | ||
isCA = flag.Bool("ca", false, "whether this cert should be its own Certificate Authority") | ||
rsaBits = flag.Int("rsa-bits", 2048, "Size of RSA key to generate. Ignored if --ecdsa-curve is set") | ||
ecdsaCurve = flag.String("ecdsa-curve", "", "ECDSA curve to use to generate a key. Valid values are P224, P256 (recommended), P384, P521") | ||
ed25519Key = flag.Bool("ed25519", false, "Generate an Ed25519 key") | ||
orgName = flag.String("org-name", "Acme Co", "Organization name used when generating the certs") | ||
) | ||
|
||
func publicKey(priv interface{}) interface{} { | ||
switch k := priv.(type) { | ||
case *rsa.PrivateKey: | ||
return &k.PublicKey | ||
case *ecdsa.PrivateKey: | ||
return &k.PublicKey | ||
case ed25519.PrivateKey: | ||
return k.Public().(ed25519.PublicKey) | ||
default: | ||
return nil | ||
} | ||
} | ||
|
||
func main() { | ||
flag.Parse() | ||
|
||
if len(*host) == 0 { | ||
log.Fatalf("Missing required --host parameter") | ||
} | ||
|
||
var priv interface{} | ||
var err error | ||
switch *ecdsaCurve { | ||
case "": | ||
if *ed25519Key { | ||
_, priv, err = ed25519.GenerateKey(rand.Reader) | ||
} else { | ||
priv, err = rsa.GenerateKey(rand.Reader, *rsaBits) | ||
} | ||
case "P224": | ||
priv, err = ecdsa.GenerateKey(elliptic.P224(), rand.Reader) | ||
case "P256": | ||
priv, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) | ||
case "P384": | ||
priv, err = ecdsa.GenerateKey(elliptic.P384(), rand.Reader) | ||
case "P521": | ||
priv, err = ecdsa.GenerateKey(elliptic.P521(), rand.Reader) | ||
default: | ||
log.Fatalf("Unrecognized elliptic curve: %q", *ecdsaCurve) | ||
} | ||
if err != nil { | ||
log.Fatalf("Failed to generate private key: %v", err) | ||
} | ||
|
||
// ECDSA, ED25519 and RSA subject keys should have the DigitalSignature | ||
// KeyUsage bits set in the x509.Certificate template | ||
keyUsage := x509.KeyUsageDigitalSignature | ||
// Only RSA subject keys should have the KeyEncipherment KeyUsage bits set. In | ||
// the context of TLS this KeyUsage is particular to RSA key exchange and | ||
// authentication. | ||
if _, isRSA := priv.(*rsa.PrivateKey); isRSA { | ||
keyUsage |= x509.KeyUsageKeyEncipherment | ||
} | ||
|
||
var notBefore time.Time | ||
if len(*validFrom) == 0 { | ||
notBefore = time.Now() | ||
} else { | ||
notBefore, err = time.Parse("Jan 2 15:04:05 2006", *validFrom) | ||
if err != nil { | ||
log.Fatalf("Failed to parse creation date: %v", err) | ||
} | ||
} | ||
|
||
notAfter := notBefore.Add(*validFor) | ||
|
||
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) | ||
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit) | ||
if err != nil { | ||
log.Fatalf("Failed to generate serial number: %v", err) | ||
} | ||
|
||
template := x509.Certificate{ | ||
SerialNumber: serialNumber, | ||
Subject: pkix.Name{ | ||
Organization: []string{orgName}, | ||
}, | ||
NotBefore: notBefore, | ||
NotAfter: notAfter, | ||
|
||
KeyUsage: keyUsage, | ||
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, | ||
BasicConstraintsValid: true, | ||
} | ||
|
||
hosts := strings.Split(*host, ",") | ||
for _, h := range hosts { | ||
if ip := net.ParseIP(h); ip != nil { | ||
template.IPAddresses = append(template.IPAddresses, ip) | ||
} else { | ||
template.DNSNames = append(template.DNSNames, h) | ||
} | ||
} | ||
|
||
if *isCA { | ||
template.IsCA = true | ||
template.KeyUsage |= x509.KeyUsageCertSign | ||
} | ||
|
||
derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, publicKey(priv), priv) | ||
if err != nil { | ||
log.Fatalf("Failed to create certificate: %v", err) | ||
} | ||
|
||
certOut, err := os.Create("public.crt") | ||
if err != nil { | ||
log.Fatalf("Failed to open public.crt for writing: %v", err) | ||
} | ||
if err := pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}); err != nil { | ||
log.Fatalf("Failed to write data to public.crt: %v", err) | ||
} | ||
if err := certOut.Close(); err != nil { | ||
log.Fatalf("Error closing public.crt: %v", err) | ||
} | ||
log.Println("wrote public.crt") | ||
|
||
keyOut, err := os.OpenFile("private.key", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600) | ||
if err != nil { | ||
log.Fatalf("Failed to open private.key for writing: %v", err) | ||
return | ||
} | ||
privBytes, err := x509.MarshalPKCS8PrivateKey(priv) | ||
if err != nil { | ||
log.Fatalf("Unable to marshal private key: %v", err) | ||
} | ||
if err := pem.Encode(keyOut, &pem.Block{Type: "PRIVATE KEY", Bytes: privBytes}); err != nil { | ||
log.Fatalf("Failed to write data to private.key: %v", err) | ||
} | ||
if err := keyOut.Close(); err != nil { | ||
log.Fatalf("Error closing private.key: %v", err) | ||
} | ||
log.Println("wrote private.key") | ||
} |