rsa/pkg/ca/sign.go

/*
Package ca implements a disk file-backed certificate authority with a built-in
CRL signer. The certificate authority can issue new certificates (including the
creation of intermediate CAs) and revoke existing certificates, resulting in a
fresh CRL.
*/
package ca

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
	"os"
	"path/filepath"

	"src.lwithers.me.uk/go/rsa/pkg/pemfile"
	"src.lwithers.me.uk/go/rsa/pkg/serial"
)

const (
	auditLogDir = "audit.log"
)

func (ca *CA) Sign(template *x509.Certificate, key *rsa.PublicKey) (*x509.Certificate, string, error) {
	if template.SerialNumber == nil {
		template.SerialNumber = serial.Rand()
	}

	// sign the certificate
	der, err := x509.CreateCertificate(rand.Reader, template, ca.root, key, ca.key)
	if err != nil {
		return nil, "",
			fmt.Errorf("failed to sign certificate: %w", err)
	}

	// parse the just-signed certificate
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, "",
			fmt.Errorf("failed to parse certificate after signing: %w", err)
	}

	// save the newly-signed cert in the audit log
	auditDir := filepath.Join(ca.dir, auditLogDir, template.SerialNumber.Text(16))
	if err := os.MkdirAll(auditDir, 0700); err != nil {
		return nil, "",
			fmt.Errorf("failed to create audit log directory: %w", err)
	}

	if err := pemfile.Write(filepath.Join(auditDir, "cert.pem"), pemfile.TypeX509Certificate, der); err != nil {
		return nil, "",
			fmt.Errorf("failed to save certificate in audit log: %w", err)
	}

	return cert, auditDir, nil
}
Initial commit of pkg functions 2023-03-01 21:28:48 +00:00			`/*`
			`Package ca implements a disk file-backed certificate authority with a built-in`
			`CRL signer. The certificate authority can issue new certificates (including the`
			`creation of intermediate CAs) and revoke existing certificates, resulting in a`
			`fresh CRL.`
			`*/`
			`package ca`

			`import (`
			`"crypto/rand"`
			`"crypto/rsa"`
			`"crypto/x509"`
			`"fmt"`
			`"os"`
			`"path/filepath"`

			`"src.lwithers.me.uk/go/rsa/pkg/pemfile"`
			`"src.lwithers.me.uk/go/rsa/pkg/serial"`
			`)`

			`const (`
			`auditLogDir = "audit.log"`
			`)`

			`func (ca CA) Sign(template x509.Certificate, key rsa.PublicKey) (x509.Certificate, string, error) {`
			`if template.SerialNumber == nil {`
			`template.SerialNumber = serial.Rand()`
			`}`

			`// sign the certificate`
			`der, err := x509.CreateCertificate(rand.Reader, template, ca.root, key, ca.key)`
			`if err != nil {`
			`return nil, "",`
			`fmt.Errorf("failed to sign certificate: %w", err)`
			`}`

			`// parse the just-signed certificate`
			`cert, err := x509.ParseCertificate(der)`
			`if err != nil {`
			`return nil, "",`
			`fmt.Errorf("failed to parse certificate after signing: %w", err)`
			`}`

			`// save the newly-signed cert in the audit log`
			`auditDir := filepath.Join(ca.dir, auditLogDir, template.SerialNumber.Text(16))`
			`if err := os.MkdirAll(auditDir, 0700); err != nil {`
			`return nil, "",`
			`fmt.Errorf("failed to create audit log directory: %w", err)`
			`}`

			`if err := pemfile.Write(filepath.Join(auditDir, "cert.pem"), pemfile.TypeX509Certificate, der); err != nil {`
			`return nil, "",`
			`fmt.Errorf("failed to save certificate in audit log: %w", err)`
			`}`

			`return cert, auditDir, nil`
			`}`