cacert-gosigner/x509/signing/signing.go

package signing

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"time"
)

type X509Signing struct {
	signer Signer
	repo   Repository
}

func NewX509Signing(signer Signer, repo Repository) *X509Signing {
	return &X509Signing{signer: signer, repo: repo}
}

type CertificatePolicyId int

type RequestSignature struct {
	rawCSRData         []byte
	subjectCommonName  string
	emails             []string
	dnsNames           []string
	duration           time.Duration
	signatureAlgorithm x509.SignatureAlgorithm
}

func NewRequestSignature(
	csrBytes []byte,
	cn string,
	emails, dnsNames []string,
	duration time.Duration,
	signatureAlgorithm x509.SignatureAlgorithm,
) *RequestSignature {
	return &RequestSignature{
		rawCSRData:         csrBytes,
		subjectCommonName:  cn,
		emails:             emails,
		dnsNames:           dnsNames,
		duration:           duration,
		signatureAlgorithm: signatureAlgorithm,
	}
}

type CertificateSigned struct {
	certificate *x509.Certificate
}

func (c CertificateSigned) Certificate() *x509.Certificate {
	return c.certificate
}

func (x *X509Signing) Sign(signingRequest *RequestSignature) (*CertificateSigned, error) {
	// validate request content
	csr, err := x509.ParseCertificateRequest(signingRequest.rawCSRData)
	if err != nil {
		return nil, fmt.Errorf("could not parse CSR data: %w", err)
	}

	certificateFromSigner, err := x.signer.SignCertificate(
		NewSignerRequest(
			csr,
			pkix.Name{CommonName: signingRequest.subjectCommonName},
			signingRequest.emails,
			signingRequest.dnsNames,
			signingRequest.duration,
			signingRequest.signatureAlgorithm,
		),
	)
	if err != nil {
		return nil, err
	}

	result := NewCertificateSigned(certificateFromSigner)
	err = x.repo.StoreCertificate(result)
	if err != nil {
		return nil, err
	}

	return result, nil
}

func NewCertificateSigned(signed SignerResponse) *CertificateSigned {
	return &CertificateSigned{certificate: signed.Certificate()}
}