lbcutil/certgen.go

// Copyright (c) 2013-2015 The btcsuite developers
// Use of this source code is governed by an ISC
// license that can be found in the LICENSE file.

package lbcutil

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	_ "crypto/sha512" // Needed for RegisterHash in init
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"os"
	"time"
)

// NewTLSCertPair returns a new PEM-encoded x.509 certificate pair
// based on a 521-bit ECDSA private key.  The machine's local interface
// addresses and all variants of IPv4 and IPv6 localhost are included as
// valid IP addresses.
func NewTLSCertPair(organization string, validUntil time.Time, extraHosts []string) (cert, key []byte, err error) {
	now := time.Now()
	if validUntil.Before(now) {
		return nil, nil, errors.New("validUntil would create an already-expired certificate")
	}

	priv, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}

	// end of ASN.1 time
	endOfTime := time.Date(2049, 12, 31, 23, 59, 59, 0, time.UTC)
	if validUntil.After(endOfTime) {
		validUntil = endOfTime
	}

	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
	if err != nil {
		return nil, nil, fmt.Errorf("failed to generate serial number: %s", err)
	}

	host, err := os.Hostname()
	if err != nil {
		return nil, nil, err
	}

	ipAddresses := []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")}
	dnsNames := []string{host}
	if host != "localhost" {
		dnsNames = append(dnsNames, "localhost")
	}

	addIP := func(ipAddr net.IP) {
		for _, ip := range ipAddresses {
			if bytes.Equal(ip, ipAddr) {
				return
			}
		}
		ipAddresses = append(ipAddresses, ipAddr)
	}
	addHost := func(host string) {
		for _, dnsName := range dnsNames {
			if host == dnsName {
				return
			}
		}
		dnsNames = append(dnsNames, host)
	}

	addrs, err := interfaceAddrs()
	if err != nil {
		return nil, nil, err
	}
	for _, a := range addrs {
		ipAddr, _, err := net.ParseCIDR(a.String())
		if err == nil {
			addIP(ipAddr)
		}
	}

	for _, hostStr := range extraHosts {
		host, _, err := net.SplitHostPort(hostStr)
		if err != nil {
			host = hostStr
		}
		if ip := net.ParseIP(host); ip != nil {
			addIP(ip)
		} else {
			addHost(host)
		}
	}

	template := x509.Certificate{
		SerialNumber: serialNumber,
		Subject: pkix.Name{
			Organization: []string{organization},
			CommonName:   host,
		},
		NotBefore: now.Add(-time.Hour * 24),
		NotAfter:  validUntil,

		KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature |
			x509.KeyUsageCertSign,
		IsCA:                  true, // so can sign self.
		BasicConstraintsValid: true,

		DNSNames:    dnsNames,
		IPAddresses: ipAddresses,
	}

	derBytes, err := x509.CreateCertificate(rand.Reader, &template,
		&template, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, fmt.Errorf("failed to create certificate: %v", err)
	}

	certBuf := &bytes.Buffer{}
	err = pem.Encode(certBuf, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
	if err != nil {
		return nil, nil, fmt.Errorf("failed to encode certificate: %v", err)
	}

	keybytes, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return nil, nil, fmt.Errorf("failed to marshal private key: %v", err)
	}

	keyBuf := &bytes.Buffer{}
	err = pem.Encode(keyBuf, &pem.Block{Type: "EC PRIVATE KEY", Bytes: keybytes})
	if err != nil {
		return nil, nil, fmt.Errorf("failed to encode private key: %v", err)
	}

	return certBuf.Bytes(), keyBuf.Bytes(), nil
}
Add Common Name to certificate. Some applications fail to parse the certificate if the CN is not set, even if they (correctly) check SANs before the CN when validating a hostname. Even though the CN should be ignored if a matching SAN hostname was found, we can prevent the parse from failing by also including the hostname as the CN. Additionally, switch from maps to slices to prevent DNS names and IP addresses from being reordered when added to the certificate template. 2015-06-11 22:08:04 +02:00			`// Copyright (c) 2013-2015 The btcsuite developers`
Add NewTLSCertPair to generate a certificate pair. btcd, btcwallet, and an upcomming standalone tool to generate the TLS certificates all need a way to generate TLS certificate pairs. This function, adapted from the cert gen code in btcd, abstracts this logic so all programs can reuse the code. Unlike the older btcd certificate generation code, this new function allows specifying additional hostnames and IPs to add to the list of addresses for which the cert is valid. 2014-01-10 20:38:26 +01:00			`// Use of this source code is governed by an ISC`
			`// license that can be found in the LICENSE file.`

renamed package to lbcutil, updated refs to it 2021-09-10 22:30:39 +02:00			`package lbcutil`
Add NewTLSCertPair to generate a certificate pair. btcd, btcwallet, and an upcomming standalone tool to generate the TLS certificates all need a way to generate TLS certificate pairs. This function, adapted from the cert gen code in btcd, abstracts this logic so all programs can reuse the code. Unlike the older btcd certificate generation code, this new function allows specifying additional hostnames and IPs to add to the list of addresses for which the cert is valid. 2014-01-10 20:38:26 +01:00
			`import (`
			`"bytes"`
			`"crypto/ecdsa"`
			`"crypto/elliptic"`
			`"crypto/rand"`
			`_ "crypto/sha512" // Needed for RegisterHash in init`
			`"crypto/x509"`
			`"crypto/x509/pkix"`
			`"encoding/pem"`
			`"errors"`
			`"fmt"`
			`"math/big"`
			`"net"`
			`"os"`
			`"time"`
			`)`

			`// NewTLSCertPair returns a new PEM-encoded x.509 certificate pair`
			`// based on a 521-bit ECDSA private key. The machine's local interface`
			`// addresses and all variants of IPv4 and IPv6 localhost are included as`
			`// valid IP addresses.`
			`func NewTLSCertPair(organization string, validUntil time.Time, extraHosts []string) (cert, key []byte, err error) {`
			`now := time.Now()`
			`if validUntil.Before(now) {`
			`return nil, nil, errors.New("validUntil would create an already-expired certificate")`
			`}`

			`priv, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)`
			`if err != nil {`
			`return nil, nil, err`
			`}`

			`// end of ASN.1 time`
			`endOfTime := time.Date(2049, 12, 31, 23, 59, 59, 0, time.UTC)`
			`if validUntil.After(endOfTime) {`
			`validUntil = endOfTime`
			`}`

Correct and improve cert generation. This commit changes three things with cert generation. - The extended key usage field has been removed since specifying the extended key usage field prevents the cert from working with firefox even when it specifies it can be used as a server - Creates a random serial number since browsers like firefox and chrome won't accept two certificates with the same issuer and serial number - Adds the digital signature key usage capability since some validators like node.js expect that instead of key encipherment 2014-01-29 10:41:59 +01:00			`serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)`
			`serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)`
			`if err != nil {`
			`return nil, nil, fmt.Errorf("failed to generate serial number: %s", err)`
			`}`

Add NewTLSCertPair to generate a certificate pair. btcd, btcwallet, and an upcomming standalone tool to generate the TLS certificates all need a way to generate TLS certificate pairs. This function, adapted from the cert gen code in btcd, abstracts this logic so all programs can reuse the code. Unlike the older btcd certificate generation code, this new function allows specifying additional hostnames and IPs to add to the list of addresses for which the cert is valid. 2014-01-10 20:38:26 +01:00			`host, err := os.Hostname()`
			`if err != nil {`
			`return nil, nil, err`
			`}`

Add Common Name to certificate. Some applications fail to parse the certificate if the CN is not set, even if they (correctly) check SANs before the CN when validating a hostname. Even though the CN should be ignored if a matching SAN hostname was found, we can prevent the parse from failing by also including the hostname as the CN. Additionally, switch from maps to slices to prevent DNS names and IP addresses from being reordered when added to the certificate template. 2015-06-11 22:08:04 +02:00			`ipAddresses := []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")}`
			`dnsNames := []string{host}`
			`if host != "localhost" {`
			`dnsNames = append(dnsNames, "localhost")`
			`}`

			`addIP := func(ipAddr net.IP) {`
			`for _, ip := range ipAddresses {`
			`if bytes.Equal(ip, ipAddr) {`
			`return`
			`}`
			`}`
			`ipAddresses = append(ipAddresses, ipAddr)`
Add NewTLSCertPair to generate a certificate pair. btcd, btcwallet, and an upcomming standalone tool to generate the TLS certificates all need a way to generate TLS certificate pairs. This function, adapted from the cert gen code in btcd, abstracts this logic so all programs can reuse the code. Unlike the older btcd certificate generation code, this new function allows specifying additional hostnames and IPs to add to the list of addresses for which the cert is valid. 2014-01-10 20:38:26 +01:00			`}`
Add Common Name to certificate. Some applications fail to parse the certificate if the CN is not set, even if they (correctly) check SANs before the CN when validating a hostname. Even though the CN should be ignored if a matching SAN hostname was found, we can prevent the parse from failing by also including the hostname as the CN. Additionally, switch from maps to slices to prevent DNS names and IP addresses from being reordered when added to the certificate template. 2015-06-11 22:08:04 +02:00			`addHost := func(host string) {`
			`for _, dnsName := range dnsNames {`
			`if host == dnsName {`
			`return`
			`}`
			`}`
			`dnsNames = append(dnsNames, host)`
Add NewTLSCertPair to generate a certificate pair. btcd, btcwallet, and an upcomming standalone tool to generate the TLS certificates all need a way to generate TLS certificate pairs. This function, adapted from the cert gen code in btcd, abstracts this logic so all programs can reuse the code. Unlike the older btcd certificate generation code, this new function allows specifying additional hostnames and IPs to add to the list of addresses for which the cert is valid. 2014-01-10 20:38:26 +01:00			`}`

Made App Engine runtime compatible. 2014-08-29 10:44:41 +02:00			`addrs, err := interfaceAddrs()`
Add NewTLSCertPair to generate a certificate pair. btcd, btcwallet, and an upcomming standalone tool to generate the TLS certificates all need a way to generate TLS certificate pairs. This function, adapted from the cert gen code in btcd, abstracts this logic so all programs can reuse the code. Unlike the older btcd certificate generation code, this new function allows specifying additional hostnames and IPs to add to the list of addresses for which the cert is valid. 2014-01-10 20:38:26 +01:00			`if err != nil {`
			`return nil, nil, err`
			`}`
			`for _, a := range addrs {`
Add Common Name to certificate. Some applications fail to parse the certificate if the CN is not set, even if they (correctly) check SANs before the CN when validating a hostname. Even though the CN should be ignored if a matching SAN hostname was found, we can prevent the parse from failing by also including the hostname as the CN. Additionally, switch from maps to slices to prevent DNS names and IP addresses from being reordered when added to the certificate template. 2015-06-11 22:08:04 +02:00			`ipAddr, _, err := net.ParseCIDR(a.String())`
Add NewTLSCertPair to generate a certificate pair. btcd, btcwallet, and an upcomming standalone tool to generate the TLS certificates all need a way to generate TLS certificate pairs. This function, adapted from the cert gen code in btcd, abstracts this logic so all programs can reuse the code. Unlike the older btcd certificate generation code, this new function allows specifying additional hostnames and IPs to add to the list of addresses for which the cert is valid. 2014-01-10 20:38:26 +01:00			`if err == nil {`
Add Common Name to certificate. Some applications fail to parse the certificate if the CN is not set, even if they (correctly) check SANs before the CN when validating a hostname. Even though the CN should be ignored if a matching SAN hostname was found, we can prevent the parse from failing by also including the hostname as the CN. Additionally, switch from maps to slices to prevent DNS names and IP addresses from being reordered when added to the certificate template. 2015-06-11 22:08:04 +02:00			`addIP(ipAddr)`
Add NewTLSCertPair to generate a certificate pair. btcd, btcwallet, and an upcomming standalone tool to generate the TLS certificates all need a way to generate TLS certificate pairs. This function, adapted from the cert gen code in btcd, abstracts this logic so all programs can reuse the code. Unlike the older btcd certificate generation code, this new function allows specifying additional hostnames and IPs to add to the list of addresses for which the cert is valid. 2014-01-10 20:38:26 +01:00			`}`
			`}`

			`for _, hostStr := range extraHosts {`
			`host, _, err := net.SplitHostPort(hostStr)`
			`if err != nil {`
			`host = hostStr`
			`}`
			`if ip := net.ParseIP(host); ip != nil {`
Add Common Name to certificate. Some applications fail to parse the certificate if the CN is not set, even if they (correctly) check SANs before the CN when validating a hostname. Even though the CN should be ignored if a matching SAN hostname was found, we can prevent the parse from failing by also including the hostname as the CN. Additionally, switch from maps to slices to prevent DNS names and IP addresses from being reordered when added to the certificate template. 2015-06-11 22:08:04 +02:00			`addIP(ip)`
Add NewTLSCertPair to generate a certificate pair. btcd, btcwallet, and an upcomming standalone tool to generate the TLS certificates all need a way to generate TLS certificate pairs. This function, adapted from the cert gen code in btcd, abstracts this logic so all programs can reuse the code. Unlike the older btcd certificate generation code, this new function allows specifying additional hostnames and IPs to add to the list of addresses for which the cert is valid. 2014-01-10 20:38:26 +01:00			`} else {`
Add Common Name to certificate. Some applications fail to parse the certificate if the CN is not set, even if they (correctly) check SANs before the CN when validating a hostname. Even though the CN should be ignored if a matching SAN hostname was found, we can prevent the parse from failing by also including the hostname as the CN. Additionally, switch from maps to slices to prevent DNS names and IP addresses from being reordered when added to the certificate template. 2015-06-11 22:08:04 +02:00			`addHost(host)`
Add NewTLSCertPair to generate a certificate pair. btcd, btcwallet, and an upcomming standalone tool to generate the TLS certificates all need a way to generate TLS certificate pairs. This function, adapted from the cert gen code in btcd, abstracts this logic so all programs can reuse the code. Unlike the older btcd certificate generation code, this new function allows specifying additional hostnames and IPs to add to the list of addresses for which the cert is valid. 2014-01-10 20:38:26 +01:00			`}`
			`}`

Add Common Name to certificate. Some applications fail to parse the certificate if the CN is not set, even if they (correctly) check SANs before the CN when validating a hostname. Even though the CN should be ignored if a matching SAN hostname was found, we can prevent the parse from failing by also including the hostname as the CN. Additionally, switch from maps to slices to prevent DNS names and IP addresses from being reordered when added to the certificate template. 2015-06-11 22:08:04 +02:00			`template := x509.Certificate{`
			`SerialNumber: serialNumber,`
			`Subject: pkix.Name{`
			`Organization: []string{organization},`
			`CommonName: host,`
			`},`
			`NotBefore: now.Add(-time.Hour * 24),`
			`NotAfter: validUntil,`

			`KeyUsage: x509.KeyUsageKeyEncipherment \| x509.KeyUsageDigitalSignature \|`
			`x509.KeyUsageCertSign,`
build: replace travis with github ci 2020-05-13 15:25:32 +02:00			`IsCA: true, // so can sign self.`
Add Common Name to certificate. Some applications fail to parse the certificate if the CN is not set, even if they (correctly) check SANs before the CN when validating a hostname. Even though the CN should be ignored if a matching SAN hostname was found, we can prevent the parse from failing by also including the hostname as the CN. Additionally, switch from maps to slices to prevent DNS names and IP addresses from being reordered when added to the certificate template. 2015-06-11 22:08:04 +02:00			`BasicConstraintsValid: true,`

			`DNSNames: dnsNames,`
			`IPAddresses: ipAddresses,`
Add NewTLSCertPair to generate a certificate pair. btcd, btcwallet, and an upcomming standalone tool to generate the TLS certificates all need a way to generate TLS certificate pairs. This function, adapted from the cert gen code in btcd, abstracts this logic so all programs can reuse the code. Unlike the older btcd certificate generation code, this new function allows specifying additional hostnames and IPs to add to the list of addresses for which the cert is valid. 2014-01-10 20:38:26 +01:00			`}`

			`derBytes, err := x509.CreateCertificate(rand.Reader, &template,`
			`&template, &priv.PublicKey, priv)`
			`if err != nil {`
Add PEM encode error checking 2014-12-13 16:29:36 +01:00			`return nil, nil, fmt.Errorf("failed to create certificate: %v", err)`
Add NewTLSCertPair to generate a certificate pair. btcd, btcwallet, and an upcomming standalone tool to generate the TLS certificates all need a way to generate TLS certificate pairs. This function, adapted from the cert gen code in btcd, abstracts this logic so all programs can reuse the code. Unlike the older btcd certificate generation code, this new function allows specifying additional hostnames and IPs to add to the list of addresses for which the cert is valid. 2014-01-10 20:38:26 +01:00			`}`

			`certBuf := &bytes.Buffer{}`
Add PEM encode error checking 2014-12-13 16:29:36 +01:00			`err = pem.Encode(certBuf, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})`
			`if err != nil {`
			`return nil, nil, fmt.Errorf("failed to encode certificate: %v", err)`
			`}`
Add NewTLSCertPair to generate a certificate pair. btcd, btcwallet, and an upcomming standalone tool to generate the TLS certificates all need a way to generate TLS certificate pairs. This function, adapted from the cert gen code in btcd, abstracts this logic so all programs can reuse the code. Unlike the older btcd certificate generation code, this new function allows specifying additional hostnames and IPs to add to the list of addresses for which the cert is valid. 2014-01-10 20:38:26 +01:00
			`keybytes, err := x509.MarshalECPrivateKey(priv)`
			`if err != nil {`
Add PEM encode error checking 2014-12-13 16:29:36 +01:00			`return nil, nil, fmt.Errorf("failed to marshal private key: %v", err)`
Add NewTLSCertPair to generate a certificate pair. btcd, btcwallet, and an upcomming standalone tool to generate the TLS certificates all need a way to generate TLS certificate pairs. This function, adapted from the cert gen code in btcd, abstracts this logic so all programs can reuse the code. Unlike the older btcd certificate generation code, this new function allows specifying additional hostnames and IPs to add to the list of addresses for which the cert is valid. 2014-01-10 20:38:26 +01:00			`}`
Add PEM encode error checking 2014-12-13 16:29:36 +01:00
Add NewTLSCertPair to generate a certificate pair. btcd, btcwallet, and an upcomming standalone tool to generate the TLS certificates all need a way to generate TLS certificate pairs. This function, adapted from the cert gen code in btcd, abstracts this logic so all programs can reuse the code. Unlike the older btcd certificate generation code, this new function allows specifying additional hostnames and IPs to add to the list of addresses for which the cert is valid. 2014-01-10 20:38:26 +01:00			`keyBuf := &bytes.Buffer{}`
Add PEM encode error checking 2014-12-13 16:29:36 +01:00			`err = pem.Encode(keyBuf, &pem.Block{Type: "EC PRIVATE KEY", Bytes: keybytes})`
			`if err != nil {`
			`return nil, nil, fmt.Errorf("failed to encode private key: %v", err)`
			`}`
Add NewTLSCertPair to generate a certificate pair. btcd, btcwallet, and an upcomming standalone tool to generate the TLS certificates all need a way to generate TLS certificate pairs. This function, adapted from the cert gen code in btcd, abstracts this logic so all programs can reuse the code. Unlike the older btcd certificate generation code, this new function allows specifying additional hostnames and IPs to add to the list of addresses for which the cert is valid. 2014-01-10 20:38:26 +01:00
			`return certBuf.Bytes(), keyBuf.Bytes(), nil`
			`}`