jandd
/
cacert-gosigner
1
0
Fork 0
Code Issues Pull Requests Projects Releases Activity

Improve signer setup code

Browse Source 
- allow multiple attempts to setup certificates
- use CAB forum BR compliant CRLDistributionPoint for Subordinate CA
  certificates by referencing their own CRL instead of their parent CA's CRL
- store certificates in DER encoded form
main
Jan Dittberner 2 years ago
parent fffc65a540
commit de7e716a82
3 changed files with 17 additions and 33 deletions
Show Stats Download Patch File Download Diff File

4
internal/config/config.go
Unescape Escape View File

@ -270,8 +270,8 @@ func (c *SignerConfig) BuildOCSPURL(cert *CaCertificateEntry) string {
return c.global.URLPatterns.Ocsp
}
func (c *SignerConfig) BuildCRLUrl(cert *CaCertificateEntry) string {
return fmt.Sprintf(c.global.URLPatterns.CRL, cert.Parent)
func (c *SignerConfig) BuildCRLUrl(label string) string {
return fmt.Sprintf(c.global.URLPatterns.CRL, label)
}
func (c *SignerConfig) GetParentCA(label string) (*CaCertificateEntry, error) {

6
internal/config/config_test.go
Unescape Escape View File

@ -633,11 +633,11 @@ func TestSignerConfig_CertificateFileName(t *testing.T) {
func TestSignerConfig_BuildCRLUrl(t *testing.T) {
sc := loadSignerConfig(t)
ca, err := sc.GetCADefinition("sub1")
_, err := sc.GetCADefinition("sub1")
require.NoError(t, err)
url := sc.BuildCRLUrl(ca)
assert.Equal(t, "http://crl.example.org/root.crl", url)
url := sc.BuildCRLUrl("sub1")
assert.Equal(t, "http://crl.example.org/sub1.crl", url)
}
func TestSignerConfig_BuildIssuerUrl(t *testing.T) {

40
internal/hsm/hsm.go
Unescape Escape View File

@ -25,7 +25,6 @@ import (
"crypto/rsa"
"crypto/x509"
"encoding/asn1"
"encoding/pem"
"errors"
"fmt"
"math/big"
@ -175,16 +174,7 @@ func (c *caFile) loadCertificate(caDirectory string) (*x509.Certificate, error)
return nil, fmt.Errorf("could not read %s: %w", certFile, err)
}
pemData, _ := pem.Decode(certData)
if pemData == nil {
return nil, fmt.Errorf("no PEM data in %s", certFile)
}
if pemData.Type != "CERTIFICATE" {
return nil, fmt.Errorf("no certificate found in %s", certFile)
}
certificate, err := x509.ParseCertificate(pemData.Bytes)
certificate, err := x509.ParseCertificate(certData)
if err != nil {
return nil, fmt.Errorf("could not parse certificate from %s: %w", certFile, err)
}
@ -233,9 +223,11 @@ func (a *Access) GetRootCACertificate(label string) (*x509.Certificate, error) {
return certificate, nil
}
keyPair, err = a.getKeyPair(label, caCert.KeyInfo)
if err != nil {
return nil, err
if a.IsSetupMode() {
keyPair, err = a.getKeyPair(label, caCert.KeyInfo)
if err != nil {
return nil, err
}
}
if certificate != nil {
@ -244,6 +236,8 @@ func (a *Access) GetRootCACertificate(label string) (*x509.Certificate, error) {
return nil, err
}
caCert.Certificate, caCert.KeyPair = certificate, keyPair
return certificate, nil
}
@ -355,7 +349,7 @@ func (a *Access) GetSubordinateCACertificate(certLabel string) (*x509.Certificat
ExtKeyUsage: caCert.ExtKeyUsage,
IssuingCertificateURL: []string{sc.BuildIssuerURL(caCert)},
OCSPServer: []string{sc.BuildOCSPURL(caCert)},
CRLDistributionPoints: []string{sc.BuildCRLUrl(caCert)},
CRLDistributionPoints: []string{sc.BuildCRLUrl(certLabel)},
PolicyIdentifiers: []asn1.ObjectIdentifier{
// use policy identifiers from http://wiki.cacert.org/OidAllocation
oidCAcertClass3PolicyV1,
@ -414,15 +408,10 @@ func (a *Access) generateSubordinateCACertificate(
parent.KeyPair,
)
if err != nil {
return nil, fmt.Errorf("could not create subordinate CA certificate: %w", err)
return nil, fmt.Errorf("could not create subordinate CA certificate %s: %w", certLabel, err)
}
certBlock := &pem.Block{
Type: "CERTIFICATE",
Bytes: certBytes,
}
err = certFile.storeCertificate(a.caDirectory, pem.EncodeToMemory(certBlock))
err = certFile.storeCertificate(a.caDirectory, certBytes)
if err != nil {
return nil, err
}
@ -590,12 +579,7 @@ func (a *Access) generateRootCACertificate(
return nil, fmt.Errorf("could not create root certificate: %w", err)
}
certBlock := &pem.Block{
Type: "CERTIFICATE",
Bytes: certBytes,
}
if err = certFile.storeCertificate(a.caDirectory, pem.EncodeToMemory(certBlock)); err != nil {
if err = certFile.storeCertificate(a.caDirectory, certBytes); err != nil {
return nil, err
}

Write Preview
Loading…
Cancel
Save