Merge ctrlcctrlv/minica2.go into support-ec

ctrlcctrlv · ctrlcctrlv · Feb 3, 2021 · Feb 4, 2021 · Dec 17, 2022 · Dec 17, 2022
commit a336445ce1e91dbb1001c5eb52eab61aba3aef0b
diff --git a/args.go b/args.go
@@ -2,6 +2,7 @@ package main
 
 import (
 	"crypto/x509/pkix"
+	"crypto/x509"
 	"flag"
 	"fmt"
 	"os"
@@ -11,7 +12,7 @@ import (
 )
 
 type Args struct {
-	caKey, caCert *string
+	caKey, caCert, caAlg *string
 	macValidity *bool
 	domains, ipAddresses ArgsArr
 	org, iorg, iunit, icountry, ilocale, iaddress, ipostal ArgsArr
@@ -65,6 +66,7 @@ func (args *Args) assignStringFlags() (flag.FlagSet) {
 	var sflag = flag.NewFlagSet("string", flag.ExitOnError)
 	args.caKey = sflag.String("ca-key", "minica-key.pem", "Root private key filename, PEM encoded.")
 	args.caCert = sflag.String("ca-cert", "minica.pem", "Root certificate filename, PEM encoded.")
+	args.caAlg = sflag.String("ca-alg", "rsa", "Root keypair algorithm: RSA or ECDSA. Only used if generating new.")
 	return *sflag
 }
 
@@ -97,6 +99,17 @@ func (args *Args) parseIssuer() (pkix.Name) {
 	}
 }
 
+func (args *Args) getAlg() (x509.PublicKeyAlgorithm) {
+	alg := x509.RSA
+	if strings.ToLower(*args.caAlg) == "ecdsa" {
+		alg = x509.ECDSA
+	} else if strings.ToLower(*args.caAlg) != "rsa" {
+		fmt.Printf("Unrecognized algorithm: %s (use RSA or ECDSA)\n", *args.caAlg)
+		os.Exit(1)
+	}
+	return alg
+}
+
 func (args *Args) parse() {
 	var flags = args.assignFlags()
 	flag.Usage = func() { printHelp(flags) }

diff --git a/ca.go b/ca.go
@@ -3,6 +3,8 @@ package main
 import (
 	"bytes"
 	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/sha1"
@@ -65,10 +67,25 @@ func readPrivateKey(keyContents []byte) (crypto.Signer, error) {
 	block, _ := pem.Decode(keyContents)
 	if block == nil {
 		return nil, fmt.Errorf("no PEM found")
-	} else if block.Type != "RSA PRIVATE KEY" && block.Type != "ECDSA PRIVATE KEY" {
-		return nil, fmt.Errorf("incorrect PEM type %s", block.Type)
+	} else if block.Type == "PRIVATE KEY" {
+		signer, err := x509.ParsePKCS8PrivateKey(block.Bytes)
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse PKCS8: %w", err)
+		}
+		switch t := signer.(type) {
+		case *rsa.PrivateKey:
+			return signer.(*rsa.PrivateKey), nil
+		case *ecdsa.PrivateKey:
+			return signer.(*ecdsa.PrivateKey), nil
+		default:
+			return nil, fmt.Errorf("unsupported PKCS8 key type: %t", t)
+		}
+	} else if block.Type == "RSA PRIVATE KEY" {
+		return x509.ParsePKCS1PrivateKey(block.Bytes)
+	} else if block.Type == "EC PRIVATE KEY" || block.Type == "ECDSA PRIVATE KEY" {
+		return x509.ParseECPrivateKey(block.Bytes)
 	}
-	return x509.ParsePKCS1PrivateKey(block.Bytes)
+	return nil, fmt.Errorf("incorrect PEM type %s", block.Type)
 }
 
 func readCert(certContents []byte) (*x509.Certificate, error) {
@@ -83,7 +100,7 @@ func readCert(certContents []byte) (*x509.Certificate, error) {
 
 func makeIssuer(args *Args) error {
 	keyFile, certFile := *args.caKey, *args.caCert
-	key, err := makeKey(keyFile)
+	key, err := makeKey(args, keyFile)
 	if err != nil {
 		return err
 	}
@@ -94,12 +111,23 @@ func makeIssuer(args *Args) error {
 	return nil
 }
 
-func makeKey(filename string) (*rsa.PrivateKey, error) {
-	key, err := rsa.GenerateKey(rand.Reader, 2048)
-	if err != nil {
-		return nil, err
+func makeKey(args *Args, filename string) (crypto.Signer, error) {
+	var key crypto.Signer
+	var err error
+	var alg = args.getAlg()
+	switch {
+	case alg == x509.RSA:
+		key, err = rsa.GenerateKey(rand.Reader, 2048)
+		if err != nil {
+			return nil, err
+		}
+	case alg == x509.ECDSA:
+		key, err = ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
+		if err != nil {
+			return nil, err
+		}
 	}
-	der := x509.MarshalPKCS1PrivateKey(key)
+	der, err := x509.MarshalPKCS8PrivateKey(key)
 	if err != nil {
 		return nil, err
 	}
@@ -109,7 +137,7 @@ func makeKey(filename string) (*rsa.PrivateKey, error) {
 	}
 	defer file.Close()
 	err = pem.Encode(file, &pem.Block{
-		Type:  "RSA PRIVATE KEY",
+		Type:  "PRIVATE KEY",
 		Bytes: der,
 	})
 	if err != nil {
@@ -222,7 +250,7 @@ func sign(iss *Issuer, args *Args) (*x509.Certificate, error) {
 	if err != nil && !os.IsExist(err) {
 		return nil, err
 	}
-	key, err := makeKey(fmt.Sprintf("%s/key.pem", cnFolder))
+	key, err := makeKey(args, fmt.Sprintf("%s/key.pem", cnFolder))
 	if err != nil {
 		return nil, err
 	}

diff --git a/go.mod b/go.mod
@@ -1,3 +1,3 @@
-module github.com/jsha/minica
+module github.com/ctrlcctrlv/minica2.go
 
 go 1.15
diff --git a/main.go b/main.go
@@ -1,21 +1,6 @@
 package main
 
 import (
-	"bytes"
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/sha1"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/asn1"
-	"encoding/hex"
-	"encoding/pem"
-	"flag"
-	"fmt"
-	"io/ioutil"
 	"log"
 )
 
@@ -33,349 +18,3 @@ func main() {
 		log.Fatal(err)
 	}
 }
-
-type issuer struct {
-	key  crypto.Signer
-	cert *x509.Certificate
-}
-
-func getIssuer(keyFile, certFile string, alg x509.PublicKeyAlgorithm) (*issuer, error) {
-	keyContents, keyErr := ioutil.ReadFile(keyFile)
-	certContents, certErr := ioutil.ReadFile(certFile)
-	if os.IsNotExist(keyErr) && os.IsNotExist(certErr) {
-		err := makeIssuer(keyFile, certFile, alg)
-		if err != nil {
-			return nil, err
-		}
-		return getIssuer(keyFile, certFile, alg)
-	} else if keyErr != nil {
-		return nil, fmt.Errorf("%s (but %s exists)", keyErr, certFile)
-	} else if certErr != nil {
-		return nil, fmt.Errorf("%s (but %s exists)", certErr, keyFile)
-	}
-	key, err := readPrivateKey(keyContents)
-	if err != nil {
-		return nil, fmt.Errorf("reading private key from %s: %s", keyFile, err)
-	}
-
-	cert, err := readCert(certContents)
-	if err != nil {
-		return nil, fmt.Errorf("reading CA certificate from %s: %s", certFile, err)
-	}
-
-	equal, err := publicKeysEqual(key.Public(), cert.PublicKey)
-	if err != nil {
-		return nil, fmt.Errorf("comparing public keys: %s", err)
-	} else if !equal {
-		return nil, fmt.Errorf("public key in CA certificate %s doesn't match private key in %s",
-			certFile, keyFile)
-	}
-	return &issuer{key, cert}, nil
-}
-
-func readPrivateKey(keyContents []byte) (crypto.Signer, error) {
-	block, _ := pem.Decode(keyContents)
-	if block == nil {
-		return nil, fmt.Errorf("no PEM found")
-	} else if block.Type == "PRIVATE KEY" {
-		signer, err := x509.ParsePKCS8PrivateKey(block.Bytes)
-		if err != nil {
-			return nil, fmt.Errorf("failed to parse PKCS8: %w", err)
-		}
-		switch t := signer.(type) {
-		case *rsa.PrivateKey:
-			return signer.(*rsa.PrivateKey), nil
-		case *ecdsa.PrivateKey:
-			return signer.(*ecdsa.PrivateKey), nil
-		default:
-			return nil, fmt.Errorf("unsupported PKCS8 key type: %t", t)
-		}
-	} else if block.Type == "RSA PRIVATE KEY" {
-		return x509.ParsePKCS1PrivateKey(block.Bytes)
-	} else if block.Type == "EC PRIVATE KEY" || block.Type == "ECDSA PRIVATE KEY" {
-		return x509.ParseECPrivateKey(block.Bytes)
-	}
-	return nil, fmt.Errorf("incorrect PEM type %s", block.Type)
-}
-
-func readCert(certContents []byte) (*x509.Certificate, error) {
-	block, _ := pem.Decode(certContents)
-	if block == nil {
-		return nil, fmt.Errorf("no PEM found")
-	} else if block.Type != "CERTIFICATE" {
-		return nil, fmt.Errorf("incorrect PEM type %s", block.Type)
-	}
-	return x509.ParseCertificate(block.Bytes)
-}
-
-func makeIssuer(keyFile, certFile string, alg x509.PublicKeyAlgorithm) error {
-	key, err := makeKey(keyFile, alg)
-	if err != nil {
-		return err
-	}
-	_, err = makeRootCert(key, certFile)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-func makeKey(filename string, alg x509.PublicKeyAlgorithm) (crypto.Signer, error) {
-	var key crypto.Signer
-	var err error
-	switch {
-	case alg == x509.RSA:
-		key, err = rsa.GenerateKey(rand.Reader, 2048)
-		if err != nil {
-			return nil, err
-		}
-	case alg == x509.ECDSA:
-		key, err = ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
-		if err != nil {
-			return nil, err
-		}
-	}
-	der, err := x509.MarshalPKCS8PrivateKey(key)
-	if err != nil {
-		return nil, err
-	}
-	file, err := os.OpenFile(filename, os.O_CREATE|os.O_EXCL|os.O_WRONLY, 0600)
-	if err != nil {
-		return nil, err
-	}
-	defer file.Close()
-	err = pem.Encode(file, &pem.Block{
-		Type:  "PRIVATE KEY",
-		Bytes: der,
-	})
-	if err != nil {
-		return nil, err
-	}
-	return key, nil
-}
-
-func makeRootCert(key crypto.Signer, filename string) (*x509.Certificate, error) {
-	serial, err := rand.Int(rand.Reader, big.NewInt(math.MaxInt64))
-	if err != nil {
-		return nil, err
-	}
-	skid, err := calculateSKID(key.Public())
-	if err != nil {
-		return nil, err
-	}
-	template := &x509.Certificate{
-		Subject: pkix.Name{
-			CommonName: "minica root ca " + hex.EncodeToString(serial.Bytes()[:3]),
-		},
-		SerialNumber: serial,
-		NotBefore:    time.Now(),
-		NotAfter:     time.Now().AddDate(100, 0, 0),
-
-		SubjectKeyId:          skid,
-		AuthorityKeyId:        skid,
-		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
-		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
-		BasicConstraintsValid: true,
-		IsCA:                  true,
-		MaxPathLenZero:        true,
-	}
-
-	der, err := x509.CreateCertificate(rand.Reader, template, template, key.Public(), key)
-	if err != nil {
-		return nil, err
-	}
-	file, err := os.OpenFile(filename, os.O_CREATE|os.O_EXCL|os.O_WRONLY, 0600)
-	if err != nil {
-		return nil, err
-	}
-	defer file.Close()
-	err = pem.Encode(file, &pem.Block{
-		Type:  "CERTIFICATE",
-		Bytes: der,
-	})
-	if err != nil {
-		return nil, err
-	}
-	return x509.ParseCertificate(der)
-}
-
-func parseIPs(ipAddresses []string) ([]net.IP, error) {
-	var parsed []net.IP
-	for _, s := range ipAddresses {
-		p := net.ParseIP(s)
-		if p == nil {
-			return nil, fmt.Errorf("invalid IP address %s", s)
-		}
-		parsed = append(parsed, p)
-	}
-	return parsed, nil
-}
-
-func publicKeysEqual(a, b interface{}) (bool, error) {
-	aBytes, err := x509.MarshalPKIXPublicKey(a)
-	if err != nil {
-		return false, err
-	}
-	bBytes, err := x509.MarshalPKIXPublicKey(b)
-	if err != nil {
-		return false, err
-	}
-	return bytes.Compare(aBytes, bBytes) == 0, nil
-}
-
-func calculateSKID(pubKey crypto.PublicKey) ([]byte, error) {
-	spkiASN1, err := x509.MarshalPKIXPublicKey(pubKey)
-	if err != nil {
-		return nil, err
-	}
-
-	var spki struct {
-		Algorithm        pkix.AlgorithmIdentifier
-		SubjectPublicKey asn1.BitString
-	}
-	_, err = asn1.Unmarshal(spkiASN1, &spki)
-	if err != nil {
-		return nil, err
-	}
-	skid := sha1.Sum(spki.SubjectPublicKey.Bytes)
-	return skid[:], nil
-}
-
-func sign(iss *issuer, domains []string, ipAddresses []string) (*x509.Certificate, error) {
-	var cn string
-	if len(domains) > 0 {
-		cn = domains[0]
-	} else if len(ipAddresses) > 0 {
-		cn = ipAddresses[0]
-	} else {
-		return nil, fmt.Errorf("must specify at least one domain name or IP address")
-	}
-	var cnFolder = strings.Replace(cn, "*", "_", -1)
-	err := os.Mkdir(cnFolder, 0700)
-	if err != nil && !os.IsExist(err) {
-		return nil, err
-	}
-	key, err := makeKey(fmt.Sprintf("%s/key.pem", cnFolder), x509.RSA)
-	if err != nil {
-		return nil, err
-	}
-	parsedIPs, err := parseIPs(ipAddresses)
-	if err != nil {
-		return nil, err
-	}
-	serial, err := rand.Int(rand.Reader, big.NewInt(math.MaxInt64))
-	if err != nil {
-		return nil, err
-	}
-	template := &x509.Certificate{
-		DNSNames:    domains,
-		IPAddresses: parsedIPs,
-		Subject: pkix.Name{
-			CommonName: cn,
-		},
-		SerialNumber: serial,
-		NotBefore:    time.Now(),
-		// Set the validity period to 2 years and 30 days, to satisfy the iOS and
-		// macOS requirements that all server certificates must have validity
-		// shorter than 825 days:
-		// https://derflounder.wordpress.com/2019/06/06/new-tls-security-requirements-for-ios-13-and-macos-catalina-10-15/
-		NotAfter: time.Now().AddDate(2, 0, 30),
-
-		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
-		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
-		BasicConstraintsValid: true,
-		IsCA:                  false,
-	}
-	der, err := x509.CreateCertificate(rand.Reader, template, iss.cert, key.Public(), iss.key)
-	if err != nil {
-		return nil, err
-	}
-	file, err := os.OpenFile(fmt.Sprintf("%s/cert.pem", cnFolder), os.O_CREATE|os.O_EXCL|os.O_WRONLY, 0600)
-	if err != nil {
-		return nil, err
-	}
-	defer file.Close()
-	err = pem.Encode(file, &pem.Block{
-		Type:  "CERTIFICATE",
-		Bytes: der,
-	})
-	if err != nil {
-		return nil, err
-	}
-	return x509.ParseCertificate(der)
-}
-
-func split(s string) (results []string) {
-	if len(s) > 0 {
-		return strings.Split(s, ",")
-	}
-	return nil
-}
-
-func main2() error {
-	var caKey = flag.String("ca-key", "minica-key.pem", "Root private key filename, PEM encoded.")
-	var caCert = flag.String("ca-cert", "minica.pem", "Root certificate filename, PEM encoded.")
-	var caAlg = flag.String("ca-alg", "rsa", "Root keypair algorithm: RSA or ECDSA. Only used if generating new.")
-	var domains = flag.String("domains", "", "Comma separated domain names to include as Server Alternative Names.")
-	var ipAddresses = flag.String("ip-addresses", "", "Comma separated IP addresses to include as Server Alternative Names.")
-	flag.Usage = func() {
-		fmt.Fprintf(os.Stderr, "Usage of %s:\n", os.Args[0])
-		fmt.Fprintf(os.Stderr, `
-Minica is a simple CA intended for use in situations where the CA operator
-also operates each host where a certificate will be used. It automatically
-generates both a key and a certificate when asked to produce a certificate.
-It does not offer OCSP or CRL services. Minica is appropriate, for instance,
-for generating certificates for RPC systems or microservices.
-
-On first run, minica will generate a keypair and a root certificate in the
-current directory, and will reuse that same keypair and root certificate
-unless they are deleted.
-
-On each run, minica will generate a new keypair and sign an end-entity (leaf)
-certificate for that keypair. The certificate will contain a list of DNS names
-and/or IP addresses from the command line flags. The key and certificate are
-placed in a new directory whose name is chosen as the first domain name from
-the certificate, or the first IP address if no domain names are present. It
-will not overwrite existing keys or certificates.
-
-`)
-		flag.PrintDefaults()
-	}
-	flag.Parse()
-	if *domains == "" && *ipAddresses == "" {
-		flag.Usage()
-		os.Exit(1)
-	}
-	alg := x509.RSA
-	if strings.ToLower(*caAlg) == "ecdsa" {
-		alg = x509.ECDSA
-	} else if strings.ToLower(*caCert) != "rsa" {
-		fmt.Printf("Unrecognized algorithm: %s (use RSA or ECDSA)\n", *caAlg)
-		os.Exit(1)
-	}
-	if len(flag.Args()) > 0 {
-		fmt.Printf("Extra arguments: %s (maybe there are spaces in your domain list?)\n", flag.Args())
-		os.Exit(1)
-	}
-	domainSlice := split(*domains)
-	domainRe := regexp.MustCompile("^[A-Za-z0-9.*-]+$")
-	for _, d := range domainSlice {
-		if !domainRe.MatchString(d) {
-			fmt.Printf("Invalid domain name %q\n", d)
-			os.Exit(1)
-		}
-	}
-	ipSlice := split(*ipAddresses)
-	for _, ip := range ipSlice {
-		if net.ParseIP(ip) == nil {
-			fmt.Printf("Invalid IP address %q\n", ip)
-			os.Exit(1)
-		}
-	}
-	issuer, err := getIssuer(*caKey, *caCert, alg)
-	if err != nil {
-		return err
-	}
-	_, err = sign(issuer, domainSlice, ipSlice)
-	return err
-}