Merge branch 'SSA-4-sign_client_cert_with_server_cert' into 'master'

Ssa 4 sign client cert with server cert See merge request !7

Merge branch 'SSA-4-sign_client_cert_with_server_cert' into 'master'
Ssa 4 sign client cert with server cert See merge request !7
3833bdfe · Gospodin Bodurov · 521ce31f · 43fe115f · 3833bdfe · 3833bdfe
Commit 3833bdfe authored 6 years ago by Gospodin Bodurov
--- a/.gitignore
+++ b/.gitignore
 bin/
 vendor/
 Gopkg.lock
+.idea/

--- a/handler/generate_certificate.go
+++ b/handler/generate_certificate.go
@@ -32,6 +32,7 @@ import (
 	"code.vereign.com/code/viam-apis/utils"
 	"code.vereign.com/code/viam-apis/versions"
 	"golang.org/x/net/context"
+	"encoding/asn1"
 )

 func (s *KeyStorageServerImpl) GenerateCertificate(ctx context.Context, in *api.GenerateCertificateRequest) (*api.GenerateCertificateResponse, error) {
@@ -98,18 +99,44 @@ func generateCertificate(publicKeyBytes []byte, caCertFilePath string, caPrivate
 	template := x509.Certificate{
 		SerialNumber: sn,
 		Subject: pkix.Name{
-			Country:            []string{certificateData.Country},
-			Organization:       []string{certificateData.Organization},
-			OrganizationalUnit: []string{certificateData.OrganizationalUnit},
 			CommonName:         certificateData.CommonName,
 		},
-		NotBefore:             notBeforeTime,
-		NotAfter:              notAfterTime,
-		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
-		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
-		BasicConstraintsValid: true,
-		IsCA:     false,
-		DNSNames: []string{certificateData.Host},
+		NotBefore:             	notBeforeTime,
+		NotAfter:              	notAfterTime,
+		KeyUsage:              	x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment | x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
+		ExtKeyUsage:           	[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageEmailProtection, x509.ExtKeyUsageTimeStamping},
+		BasicConstraintsValid: 	true,
+		IsCA:     				true,
+	}
+
+	if certificateData.Country != "" {
+		template.Subject.Country = []string{certificateData.Country}
+	}
+	if certificateData.Locality != "" {
+		template.Subject.Locality = []string{certificateData.Locality}
+	}
+	if certificateData.Province != "" {
+		template.Subject.Province = []string{certificateData.Province}
+	}
+	if certificateData.Organization != "" {
+		template.Subject.Organization = []string{certificateData.Organization}
+	}
+	if certificateData.OrganizationalUnit != "" {
+		template.Subject.OrganizationalUnit = []string{certificateData.OrganizationalUnit}
+	}
+	if certificateData.Host != "" {
+		template.DNSNames = []string{certificateData.Host}
+	}
+	if certificateData.Email != "" {
+		template.EmailAddresses = []string{certificateData.Email}
+
+		oidPKCS9EmailAddress := asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}
+		template.Subject.ExtraNames = []pkix.AttributeTypeAndValue{
+			{
+				Type:  oidPKCS9EmailAddress,
+				Value: certificateData.Email,
+			},
+		}
 	}

 	caCertificate, err := readCertificateFromFile(caCertFilePath)