make cert creation a little easier to read (#1607)

Make separate "CreateCertificate" and "CreateSelfSignedCertificate" functions to take the two roles of NewCert. These names should help clarify that they actually make certificates and not just allocate new "Cert" or "Certificate" objects. Secondly, in the case of non-self-signed certs, require a public and a private key to be passed in instead of two private keys, because it's pretty hard to tell when reading code which one is meant to be the signer and which one is the signee. With a public and private key, you know. (These are some changes I made in the course of the openssl port, because the NewCert function kept being confusing to me. It's possible I'm just being ridiculous, and this doesn't help improve readability for anyone else, but if I'm not being ridiculous let's get this in)
2019-04-03 17:21:32 -06:00 · 2019-04-03 17:21:32 -06:00 · bb892d33d1
commit bb892d33d1
parent 4d925f783c
7 changed files with 39 additions and 42 deletions
--- a/cmd/identity/batch.go
+++ b/cmd/identity/batch.go
@ -111,7 +111,7 @@ func saveIdentityTar(path string, key crypto.PrivateKey, id storj.NodeID) error
 		return err
 	}

-	caCert, err := peertls.NewSelfSignedCert(key, ct)
+	caCert, err := peertls.CreateSelfSignedCertificate(key, ct)
 	if err != nil {
 		return err
 	}
--- a/internal/testpeertls/certificates.go
+++ b/internal/testpeertls/certificates.go
@ -33,9 +33,9 @@ func NewCertChain(length int) (keys []crypto.PrivateKey, certs []*x509.Certifica

 		var cert *x509.Certificate
 		if i == 0 {
-			cert, err = peertls.NewSelfSignedCert(key, template)
+			cert, err = peertls.CreateSelfSignedCertificate(key, template)
 		} else {
-			cert, err = peertls.NewCert(pkcrypto.PublicKeyFromPrivate(key), keys[i-1], template, certs[i-1:][0])
+			cert, err = peertls.CreateCertificate(pkcrypto.PublicKeyFromPrivate(key), keys[i-1], template, certs[i-1:][0])
 		}
 		if err != nil {
 			return nil, nil, err
--- a/pkg/identity/certificate_authority.go
+++ b/pkg/identity/certificate_authority.go
@ -163,11 +163,12 @@ func NewCA(ctx context.Context, opts NewCAOptions) (_ *FullCertificateAuthority,
 		return nil, err
 	}

+	var c *x509.Certificate
 	if opts.ParentKey == nil {
-		opts.ParentKey = selectedKey
+		c, err = peertls.CreateSelfSignedCertificate(selectedKey, ct)
+	} else {
+		c, err = peertls.CreateCertificate(pkcrypto.PublicKeyFromPrivate(selectedKey), opts.ParentKey, ct, opts.ParentCert)
 	}
-
-	c, err := peertls.NewCert(pkcrypto.PublicKeyFromPrivate(selectedKey), opts.ParentKey, ct, opts.ParentCert)
 	if err != nil {
 		return nil, err
 	}
@ -370,7 +371,7 @@ func (ca *FullCertificateAuthority) NewIdentity(exts ...pkix.Extension) (*FullId
 		return nil, err
 	}

-	leafCert, err := peertls.NewCert(pkcrypto.PublicKeyFromPrivate(leafKey), ca.Key, leafTemplate, ca.Cert)
+	leafCert, err := peertls.CreateCertificate(pkcrypto.PublicKeyFromPrivate(leafKey), ca.Key, leafTemplate, ca.Cert)
 	if err != nil {
 		return nil, err
 	}
@ -445,7 +446,7 @@ func (ca *FullCertificateAuthority) AddExtension(ext ...pkix.Extension) error {
 		return err
 	}

-	updatedCert, err := peertls.NewSelfSignedCert(ca.Key, ca.Cert)
+	updatedCert, err := peertls.CreateSelfSignedCertificate(ca.Key, ca.Cert)
 	if err != nil {
 		return err
 	}
--- a/pkg/identity/identity.go
+++ b/pkg/identity/identity.go
@ -478,7 +478,7 @@ func (manageableIdent *ManageablePeerIdentity) AddExtension(ext ...pkix.Extensio
 		return err
 	}

-	updatedCert, err := peertls.NewCert(manageableIdent.Leaf.PublicKey, manageableIdent.CA.Key, manageableIdent.Leaf, manageableIdent.CA.Cert)
+	updatedCert, err := peertls.CreateCertificate(manageableIdent.Leaf.PublicKey, manageableIdent.CA.Key, manageableIdent.Leaf, manageableIdent.CA.Cert)
 	if err != nil {
 		return err
 	}
--- a/pkg/identity/identity_test.go
+++ b/pkg/identity/identity_test.go
@ -32,7 +32,7 @@ func TestPeerIdentityFromCertChain(t *testing.T) {
 	caTemplate, err := peertls.CATemplate()
 	assert.NoError(t, err)

-	caCert, err := peertls.NewSelfSignedCert(caKey, caTemplate)
+	caCert, err := peertls.CreateSelfSignedCertificate(caKey, caTemplate)
 	assert.NoError(t, err)

 	leafTemplate, err := peertls.LeafTemplate()
@ -41,7 +41,7 @@ func TestPeerIdentityFromCertChain(t *testing.T) {
 	leafKey, err := pkcrypto.GeneratePrivateKey()
 	assert.NoError(t, err)

-	leafCert, err := peertls.NewCert(pkcrypto.PublicKeyFromPrivate(leafKey), caKey, leafTemplate, caTemplate)
+	leafCert, err := peertls.CreateCertificate(pkcrypto.PublicKeyFromPrivate(leafKey), caKey, leafTemplate, caTemplate)
 	assert.NoError(t, err)

 	peerIdent, err := identity.PeerIdentityFromCerts(leafCert, caCert, nil)
@ -58,7 +58,7 @@ func TestFullIdentityFromPEM(t *testing.T) {
 	caTemplate, err := peertls.CATemplate()
 	assert.NoError(t, err)

-	caCert, err := peertls.NewSelfSignedCert(caKey, caTemplate)
+	caCert, err := peertls.CreateSelfSignedCertificate(caKey, caTemplate)
 	assert.NoError(t, err)
 	assert.NoError(t, err)
 	assert.NotEmpty(t, caCert)
@ -69,7 +69,7 @@ func TestFullIdentityFromPEM(t *testing.T) {
 	leafKey, err := pkcrypto.GeneratePrivateKey()
 	assert.NoError(t, err)

-	leafCert, err := peertls.NewCert(pkcrypto.PublicKeyFromPrivate(leafKey), caKey, leafTemplate, caTemplate)
+	leafCert, err := peertls.CreateCertificate(pkcrypto.PublicKeyFromPrivate(leafKey), caKey, leafTemplate, caTemplate)
 	assert.NoError(t, err)
 	assert.NotEmpty(t, leafCert)

--- a/pkg/peertls/peertls.go
+++ b/pkg/peertls/peertls.go
@ -6,7 +6,6 @@ package peertls // import "storj.io/storj/pkg/peertls"
 import (
 	"bytes"
 	"crypto"
-	"crypto/ecdsa"
 	"crypto/rand"
 	"crypto/tls"
 	"crypto/x509"
@ -126,37 +125,35 @@ func ChainBytes(chain ...*x509.Certificate) ([]byte, error) {
 	return data.Bytes(), err
 }

-// NewSelfSignedCert returns a new x509 self-signed certificate using the provided // template and key,
-func NewSelfSignedCert(key crypto.PrivateKey, template *x509.Certificate) (*x509.Certificate, error) {
-	return NewCert(pkcrypto.PublicKeyFromPrivate(key), key, template, template)
+// CreateSelfSignedCertificate creates a new self-signed X.509v3 certificate
+// using fields from the given template.
+func CreateSelfSignedCertificate(key crypto.PrivateKey, template *x509.Certificate) (*x509.Certificate, error) {
+	return CreateCertificate(pkcrypto.PublicKeyFromPrivate(key), key, template, template)
 }

-// NewCert returns a new x509 certificate using the provided templates and key,
-// signed by the parent cert if provided; otherwise, self-signed.
-func NewCert(publicKey crypto.PublicKey, parentKey crypto.PrivateKey, template, parent *x509.Certificate) (*x509.Certificate, error) {
-	if parent == nil {
-		parent = template
+// CreateCertificate creates a new X.509v3 certificate based on a template.
+// The new certificate:
+//
+//  * will have the public key given as 'signee'
+//  * will be signed by 'signer' (which should be the private key of 'issuer')
+//  * will be issued by 'issuer'
+//  * will have metadata fields copied from 'template'
+//
+// Returns the new Certificate object.
+func CreateCertificate(signee crypto.PublicKey, signer crypto.PrivateKey, template, issuer *x509.Certificate) (*x509.Certificate, error) {
+	if _, ok := signer.(crypto.Signer); !ok {
+		// x509.CreateCertificate will panic in this case, so check here and make debugging easier
+		return nil, errs.New("can't sign certificate with signer key of type %T", signer)
 	}
-
-	publicECKey, ok := publicKey.(*ecdsa.PublicKey)
-	if !ok {
-		return nil, errs.New("unsupported public key type %T", publicKey)
-	}
-
 	cb, err := x509.CreateCertificate(
 		rand.Reader,
 		template,
-		parent,
-		publicECKey,
-		parentKey,
+		issuer,
+		signee,
+		signer,
 	)
 	if err != nil {
 		return nil, errs.Wrap(err)
 	}
-
-	cert, err := pkcrypto.CertFromDER(cb)
-	if err != nil {
-		return nil, errs.Wrap(err)
-	}
-	return cert, nil
+	return pkcrypto.CertFromDER(cb)
 }
--- a/pkg/peertls/peertls_test.go
+++ b/pkg/peertls/peertls_test.go
@ -30,7 +30,7 @@ func TestNewCert_CA(t *testing.T) {
 	caTemplate, err := peertls.CATemplate()
 	assert.NoError(t, err)

-	caCert, err := peertls.NewSelfSignedCert(caKey, caTemplate)
+	caCert, err := peertls.CreateSelfSignedCertificate(caKey, caTemplate)
 	assert.NoError(t, err)

 	assert.NotEmpty(t, caKey)
@ -48,7 +48,7 @@ func TestNewCert_Leaf(t *testing.T) {
 	caTemplate, err := peertls.CATemplate()
 	assert.NoError(t, err)

-	caCert, err := peertls.NewSelfSignedCert(caKey, caTemplate)
+	caCert, err := peertls.CreateSelfSignedCertificate(caKey, caTemplate)
 	assert.NoError(t, err)

 	leafKey, err := pkcrypto.GeneratePrivateKey()
@ -57,8 +57,7 @@ func TestNewCert_Leaf(t *testing.T) {
 	leafTemplate, err := peertls.LeafTemplate()
 	assert.NoError(t, err)

-	leafPublicKey := pkcrypto.PublicKeyFromPrivate(leafKey)
-	leafCert, err := peertls.NewCert(leafPublicKey, caKey, leafTemplate, caCert)
+	leafCert, err := peertls.CreateCertificate(pkcrypto.PublicKeyFromPrivate(leafKey), caKey, leafTemplate, caCert)
 	assert.NoError(t, err)

 	assert.NotEmpty(t, caKey)
@ -111,7 +110,7 @@ func TestVerifyPeerCertChains(t *testing.T) {
 	wrongKey, err := pkcrypto.GeneratePrivateKey()
 	assert.NoError(t, err)

-	leafCert, err = peertls.NewCert(pkcrypto.PublicKeyFromPrivate(leafKey), wrongKey, leafCert, caCert)
+	leafCert, err = peertls.CreateCertificate(pkcrypto.PublicKeyFromPrivate(leafKey), wrongKey, leafCert, caCert)
 	assert.NoError(t, err)

 	err = peertls.VerifyPeerFunc(peertls.VerifyPeerCertChains)([][]byte{leafCert.Raw, caCert.Raw}, nil)