summaryrefslogtreecommitdiff
path: root/modules/caddypki
diff options
context:
space:
mode:
Diffstat (limited to 'modules/caddypki')
-rw-r--r--modules/caddypki/ca.go10
-rw-r--r--modules/caddypki/certificates.go51
2 files changed, 39 insertions, 22 deletions
diff --git a/modules/caddypki/ca.go b/modules/caddypki/ca.go
index acf8d14..914eddf 100644
--- a/modules/caddypki/ca.go
+++ b/modules/caddypki/ca.go
@@ -121,7 +121,7 @@ func (ca *CA) Provision(ctx caddy.Context, id string, log *zap.Logger) error {
// load the certs and key that will be used for signing
var rootCert, interCert *x509.Certificate
- var rootKey, interKey any
+ var rootKey, interKey crypto.Signer
var err error
if ca.Root != nil {
if ca.Root.Format == "" || ca.Root.Format == "pem_file" {
@@ -239,7 +239,7 @@ func (ca *CA) NewAuthority(authorityConfig AuthorityConfig) (*authority.Authorit
return auth, nil
}
-func (ca CA) loadOrGenRoot() (rootCert *x509.Certificate, rootKey any, err error) {
+func (ca CA) loadOrGenRoot() (rootCert *x509.Certificate, rootKey crypto.Signer, err error) {
if ca.Root != nil {
return ca.Root.Load()
}
@@ -276,7 +276,7 @@ func (ca CA) loadOrGenRoot() (rootCert *x509.Certificate, rootKey any, err error
return rootCert, rootKey, nil
}
-func (ca CA) genRoot() (rootCert *x509.Certificate, rootKey any, err error) {
+func (ca CA) genRoot() (rootCert *x509.Certificate, rootKey crypto.Signer, err error) {
repl := ca.newReplacer()
rootCert, rootKey, err = generateRoot(repl.ReplaceAll(ca.RootCommonName, ""))
@@ -303,7 +303,7 @@ func (ca CA) genRoot() (rootCert *x509.Certificate, rootKey any, err error) {
return rootCert, rootKey, nil
}
-func (ca CA) loadOrGenIntermediate(rootCert *x509.Certificate, rootKey crypto.PrivateKey) (interCert *x509.Certificate, interKey crypto.PrivateKey, err error) {
+func (ca CA) loadOrGenIntermediate(rootCert *x509.Certificate, rootKey crypto.Signer) (interCert *x509.Certificate, interKey crypto.Signer, err error) {
interCertPEM, err := ca.storage.Load(ca.ctx, ca.storageKeyIntermediateCert())
if err != nil {
if !errors.Is(err, fs.ErrNotExist) {
@@ -338,7 +338,7 @@ func (ca CA) loadOrGenIntermediate(rootCert *x509.Certificate, rootKey crypto.Pr
return interCert, interKey, nil
}
-func (ca CA) genIntermediate(rootCert *x509.Certificate, rootKey crypto.PrivateKey) (interCert *x509.Certificate, interKey crypto.PrivateKey, err error) {
+func (ca CA) genIntermediate(rootCert *x509.Certificate, rootKey crypto.Signer) (interCert *x509.Certificate, interKey crypto.Signer, err error) {
repl := ca.newReplacer()
interCert, interKey, err = generateIntermediate(repl.ReplaceAll(ca.IntermediateCommonName, ""), rootCert, rootKey)
diff --git a/modules/caddypki/certificates.go b/modules/caddypki/certificates.go
index 442a0ad..c3b88a1 100644
--- a/modules/caddypki/certificates.go
+++ b/modules/caddypki/certificates.go
@@ -19,33 +19,50 @@ import (
"crypto/x509"
"time"
- "github.com/smallstep/cli/crypto/x509util"
+ "go.step.sm/crypto/keyutil"
+ "go.step.sm/crypto/x509util"
)
-func generateRoot(commonName string) (rootCrt *x509.Certificate, privateKey any, err error) {
- rootProfile, err := x509util.NewRootProfile(commonName)
+func generateRoot(commonName string) (*x509.Certificate, crypto.Signer, error) {
+ template, signer, err := newCert(commonName, x509util.DefaultRootTemplate, defaultRootLifetime)
if err != nil {
- return
+ return nil, nil, err
}
- rootProfile.Subject().NotAfter = time.Now().Add(defaultRootLifetime) // TODO: make configurable
- return newCert(rootProfile)
+ root, err := x509util.CreateCertificate(template, template, signer.Public(), signer)
+ if err != nil {
+ return nil, nil, err
+ }
+ return root, signer, nil
}
-func generateIntermediate(commonName string, rootCrt *x509.Certificate, rootKey crypto.PrivateKey) (cert *x509.Certificate, privateKey crypto.PrivateKey, err error) {
- interProfile, err := x509util.NewIntermediateProfile(commonName, rootCrt, rootKey)
+func generateIntermediate(commonName string, rootCrt *x509.Certificate, rootKey crypto.Signer) (*x509.Certificate, crypto.Signer, error) {
+ template, signer, err := newCert(commonName, x509util.DefaultIntermediateTemplate, defaultIntermediateLifetime)
if err != nil {
- return
+ return nil, nil, err
}
- interProfile.Subject().NotAfter = time.Now().Add(defaultIntermediateLifetime) // TODO: make configurable
- return newCert(interProfile)
+ intermediate, err := x509util.CreateCertificate(template, rootCrt, signer.Public(), rootKey)
+ if err != nil {
+ return nil, nil, err
+ }
+ return intermediate, signer, nil
}
-func newCert(profile x509util.Profile) (cert *x509.Certificate, privateKey crypto.PrivateKey, err error) {
- certBytes, err := profile.CreateCertificate()
+func newCert(commonName, templateName string, lifetime time.Duration) (cert *x509.Certificate, signer crypto.Signer, err error) {
+ signer, err = keyutil.GenerateDefaultSigner()
if err != nil {
- return
+ return nil, nil, err
}
- privateKey = profile.SubjectPrivateKey()
- cert, err = x509.ParseCertificate(certBytes)
- return
+ csr, err := x509util.CreateCertificateRequest(commonName, []string{}, signer)
+ if err != nil {
+ return nil, nil, err
+ }
+ template, err := x509util.NewCertificate(csr, x509util.WithTemplate(templateName, x509util.CreateTemplateData(commonName, []string{})))
+ if err != nil {
+ return nil, nil, err
+ }
+
+ cert = template.GetCertificate()
+ cert.NotBefore = time.Now().Truncate(time.Second)
+ cert.NotAfter = cert.NotBefore.Add(lifetime)
+ return cert, signer, nil
}