68 lines
2.2 KiB
Go
68 lines
2.2 KiB
Go
package crypto
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"crypto/rsa"
|
|
"crypto/sha256"
|
|
"crypto/x509"
|
|
"crypto/x509/pkix"
|
|
"encoding/hex"
|
|
"encoding/pem"
|
|
"errors"
|
|
"fmt"
|
|
"math/big"
|
|
"time"
|
|
)
|
|
|
|
// CertValidity is how long self-signed certs are valid for. We use a
|
|
// long horizon because cert rotation is operator-driven, not automatic.
|
|
const CertValidity = 10 * 365 * 24 * time.Hour
|
|
|
|
// buildSelfSignedCert produces an X.509 certificate signed by `priv`
|
|
// itself, using the given common name. Returns the DER bytes.
|
|
func buildSelfSignedCert(priv *rsa.PrivateKey, commonName string) ([]byte, error) {
|
|
serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
tmpl := &x509.Certificate{
|
|
SerialNumber: serial,
|
|
Subject: pkix.Name{CommonName: commonName, Organization: []string{"quptime"}},
|
|
NotBefore: time.Now().Add(-1 * time.Hour),
|
|
NotAfter: time.Now().Add(CertValidity),
|
|
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
|
|
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
|
|
BasicConstraintsValid: true,
|
|
IsCA: false,
|
|
}
|
|
return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
|
|
}
|
|
|
|
// Fingerprint computes the SHA-256 fingerprint of an X.509 certificate's
|
|
// SubjectPublicKeyInfo (the same hash used by `openssl x509 -pubkey -noout
|
|
// | openssl dgst -sha256`). Returns the lowercase hex digest with a
|
|
// "sha256:" prefix to match SSH conventions.
|
|
func Fingerprint(cert *x509.Certificate) string {
|
|
return FingerprintFromSPKI(cert.RawSubjectPublicKeyInfo)
|
|
}
|
|
|
|
// FingerprintFromSPKI is the underlying helper.
|
|
func FingerprintFromSPKI(spki []byte) string {
|
|
sum := sha256.Sum256(spki)
|
|
return "sha256:" + hex.EncodeToString(sum[:])
|
|
}
|
|
|
|
// FingerprintFromCertPEM parses a PEM-encoded certificate and returns
|
|
// its fingerprint.
|
|
func FingerprintFromCertPEM(certPEM []byte) (string, error) {
|
|
block, _ := pem.Decode(certPEM)
|
|
if block == nil {
|
|
return "", errors.New("cert: no PEM block")
|
|
}
|
|
cert, err := x509.ParseCertificate(block.Bytes)
|
|
if err != nil {
|
|
return "", fmt.Errorf("parse cert: %w", err)
|
|
}
|
|
return Fingerprint(cert), nil
|
|
}
|