生成证书

24天以前  |  阅读数:9 次  |     收藏

// Copyright (c) 2016- Daniel Oaks <daniel@danieloaks.net>
// released under the MIT license

package mkcerts

import (
    "crypto/ecdsa"
    "crypto/elliptic"
    "crypto/rand"
    "crypto/x509"
    "crypto/x509/pkix"
    "encoding/pem"
    "fmt"
    "math/big"
    "net"
    "os"
    "time"
)

// CreateCertBytes creates a testing ECDSA certificate, returning the cert and key bytes.
func CreateCertBytes(orgName string, host string) (certBytes []byte, keyBytes []byte, err error) {
    validFrom := time.Now()
    validFor := 365 * 24 * time.Hour
    notAfter := validFrom.Add(validFor)

    priv, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)

    serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
    serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
    if err != nil {
        return nil, nil, fmt.Errorf("failed to generate serial number: %s", err)
    }

    template := x509.Certificate{
        SerialNumber: serialNumber,
        Subject: pkix.Name{
            Organization: []string{orgName},
        },
        NotBefore: validFrom,
        NotAfter:  notAfter,

        KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
        ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
        BasicConstraintsValid: true,
    }

    // TODO: allow explicitly listing allowed addresses/names
    template.IPAddresses = append(template.IPAddresses, net.ParseIP("127.0.0.1"))
    template.IPAddresses = append(template.IPAddresses, net.ParseIP("::1"))
    if host != "" {
        template.DNSNames = append(template.DNSNames, host)
    }
    template.DNSNames = append(template.DNSNames, "localhost")

    derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
    if err != nil {
        return nil, nil, fmt.Errorf("Failed to create certificate: %s", err.Error())
    }

    certBytes = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})

    b, err := x509.MarshalECPrivateKey(priv)
    if err != nil {
        return nil, nil, fmt.Errorf("Unable to marshal ECDSA private key: %v", err.Error())
    }
    pemBlock := pem.Block{Type: "EC PRIVATE KEY", Bytes: b}
    keyBytes = pem.EncodeToMemory(&pemBlock)
    return certBytes, keyBytes, nil
}

// CreateCert creates a testing ECDSA certificate, outputting the cert and key at the given filenames.
func CreateCert(orgName string, host string, certFilename string, keyFilename string) error {
    certBytes, keyBytes, err := CreateCertBytes(orgName, host)

    if err != nil {
        return err
    }

    certOut, err := os.Create(certFilename)
    if err != nil {
        return fmt.Errorf("failed to open %s for writing: %s", certFilename, err.Error())
    }
    defer certOut.Close()
    _, err = certOut.Write(certBytes)
    if err != nil {
        return fmt.Errorf("failed to write out cert file %s: %s", certFilename, err.Error())
    }

    keyOut, err := os.OpenFile(keyFilename, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
    if err != nil {
        return fmt.Errorf("failed to open %s for writing: %s", keyFilename, err.Error())
    }
    defer keyOut.Close()
    _, err = keyOut.Write(keyBytes)
    if err != nil {
        return fmt.Errorf("failed to write out key file %s: %s", keyFilename, err.Error())
    }

    return nil
}

相关文章:


SSH 登录失败:Host key verification failed

PHP分页显示制作详细讲解

PHP自定义函数获取搜索引擎来源关键字的方法

在Zeus Web Server中安装PHP语言支持

再谈PHP中单双引号的区别详解

让你成为最历害的git提交人

将二进制数据转为16进制以便显示

php+ajax+json 详解及实例代码

PHP实现简单爬虫的方法

Python 2与Python 3版本和编码的对比

php实现数组中索引关联数据转换成json对象的方法

桌面中心(一)创建数据库

PHP设计模式之工厂模式与单例模式

php数组合并array_merge()函数使用注意事项

php封装的page分页类完整实例

wget使用技巧

getAttribute和getAttributeNode

获取IMSI

Yii2汉字转拼音类的实例代码

python中执行shell的两种方法总结