Newer
Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
/*
Copyright (c) 2018 Vereign AG [https://www.vereign.com]
This is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
package handler
import (
"crypto/rand"
"crypto/rsa"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"io/ioutil"
"math/big"
"time"
"code.vereign.com/code/viam-apis/data-storage-agent/client"
"code.vereign.com/code/viam-apis/key-storage-agent/api"
"code.vereign.com/code/viam-apis/utils"
"code.vereign.com/code/viam-apis/versions"
"golang.org/x/net/context"
)
func (s *KeyStorageServerImpl) GenerateCertificate(ctx context.Context, in *api.GenerateCertificateRequest) (*api.GenerateCertificateResponse, error) {
auth := s.CreateAuthentication(ctx)
client := &client.DataStorageClientImpl{}
client.SetUpClient(auth, s.DataStorageUrl, s.CertFilePath)
defer client.CloseClient()
generateCertificateResponse := &api.GenerateCertificateResponse{}
Viktor Popov
committed
publicKeyMessage, statusList := getKey(client, in.Uuid, api.KeyType_PUBLIC)
if statusList != nil {
generateCertificateResponse.StatusList = statusList
return generateCertificateResponse, nil
}
Viktor Popov
committed
certificateBytes, err := generateCertificate(publicKeyMessage.Content, s.VereignCertFilePath,
s.VereignPrivateKeyFilePath, in.CertificateData)
if err != nil {
generateCertificateResponse.StatusList = utils.AddStatus(generateCertificateResponse.StatusList,
"400", api.StatusType_ERROR, err.Error())
return generateCertificateResponse, nil
}
certificateMessage := &api.Key{
Content: certificateBytes,
}
result, errors, err := client.DoPutDataCall("keys", in.Uuid+"/"+api.KeyType.String(api.KeyType_CERTIFICATE), certificateMessage, versions.EntitiesManagementAgentApiVersion)
generateCertificateResponse.StatusList = handlePutDataErrors(generateCertificateResponse.StatusList, errors, err)
if generateCertificateResponse.StatusList == nil || len(generateCertificateResponse.StatusList) == 0 {
generateCertificateResponse.StatusList = utils.AddStatus(generateCertificateResponse.StatusList,
"200", api.StatusType_INFO, result)
}
return generateCertificateResponse, nil
}
Viktor Popov
committed
func generateCertificate(publicKeyBytes []byte, caCertFilePath string, caPrivateKeyFilePath string,
certificateData *api.GenerateCertificateRequest_CertificateData) ([]byte, error) {
publicKeyPemBlock, _ := pem.Decode(publicKeyBytes)
publicKey, err := x509.ParsePKIXPublicKey(publicKeyPemBlock.Bytes)
if err != nil {
return nil, err
}
notBeforeTime := time.Unix(certificateData.NotBefore.Seconds, int64(certificateData.NotBefore.Nanos)).UTC()
notAfterTime := time.Unix(certificateData.NotAfter.Seconds, int64(certificateData.NotAfter.Nanos)).UTC()
template := x509.Certificate{
SerialNumber: big.NewInt(1),
Subject: pkix.Name{
Country: []string{certificateData.Country},
Organization: []string{certificateData.Organization},
OrganizationalUnit: []string{certificateData.OrganizationalUnit},
CommonName: certificateData.CommonName,
},
NotBefore: notBeforeTime,
NotAfter: notAfterTime,
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
IsCA: false,
DNSNames: []string{certificateData.Host},
}
caCertificate, err := readCertificateFromFile(caCertFilePath)
if err != nil {
return nil, err
}
Viktor Popov
committed
caPrivateKey, err := readPrivateKeyFromFile(caPrivateKeyFilePath)
if err != nil {
return nil, err
}
Viktor Popov
committed
certificateBytes, err := x509.CreateCertificate(rand.Reader, &template, caCertificate, publicKey, caPrivateKey)
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
if err != nil {
return nil, err
}
return certificateBytes, nil
}
func readPrivateKeyFromFile(fileName string) (*rsa.PrivateKey, error) {
privateKeyPemBlock, err := readPemBlockFromFile(fileName)
if err != nil {
return nil, err
}
parseResult, err := x509.ParsePKCS8PrivateKey(privateKeyPemBlock.Bytes)
if err != nil {
return nil, err
}
privateKey := parseResult.(*rsa.PrivateKey)
return privateKey, nil
}
func readPemBlockFromFile(fileName string) (*pem.Block, error) {
fileBytes, err := ioutil.ReadFile(fileName)
if err != nil {
return nil, err
}
certificatePemBlock, _ := pem.Decode(fileBytes)
return certificatePemBlock, nil
}