make cert creation a little easier to read (#1607)

Make separate "CreateCertificate" and "CreateSelfSignedCertificate"
functions to take the two roles of NewCert. These names should help
clarify that they actually make certificates and not just allocate new
"Cert" or "Certificate" objects.

Secondly, in the case of non-self-signed certs, require a public and a
private key to be passed in instead of two private keys, because it's
pretty hard to tell when reading code which one is meant to be the
signer and which one is the signee. With a public and private key, you
know.

(These are some changes I made in the course of the openssl port,
because the NewCert function kept being confusing to me. It's possible
I'm just being ridiculous, and this doesn't help improve readability for
anyone else, but if I'm not being ridiculous let's get this in)
This commit is contained in:
paul cannon 2019-04-03 17:21:32 -06:00 committed by GitHub
parent 4d925f783c
commit bb892d33d1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 39 additions and 42 deletions

View File

@ -111,7 +111,7 @@ func saveIdentityTar(path string, key crypto.PrivateKey, id storj.NodeID) error
return err
}
caCert, err := peertls.NewSelfSignedCert(key, ct)
caCert, err := peertls.CreateSelfSignedCertificate(key, ct)
if err != nil {
return err
}

View File

@ -33,9 +33,9 @@ func NewCertChain(length int) (keys []crypto.PrivateKey, certs []*x509.Certifica
var cert *x509.Certificate
if i == 0 {
cert, err = peertls.NewSelfSignedCert(key, template)
cert, err = peertls.CreateSelfSignedCertificate(key, template)
} else {
cert, err = peertls.NewCert(pkcrypto.PublicKeyFromPrivate(key), keys[i-1], template, certs[i-1:][0])
cert, err = peertls.CreateCertificate(pkcrypto.PublicKeyFromPrivate(key), keys[i-1], template, certs[i-1:][0])
}
if err != nil {
return nil, nil, err

View File

@ -163,11 +163,12 @@ func NewCA(ctx context.Context, opts NewCAOptions) (_ *FullCertificateAuthority,
return nil, err
}
var c *x509.Certificate
if opts.ParentKey == nil {
opts.ParentKey = selectedKey
c, err = peertls.CreateSelfSignedCertificate(selectedKey, ct)
} else {
c, err = peertls.CreateCertificate(pkcrypto.PublicKeyFromPrivate(selectedKey), opts.ParentKey, ct, opts.ParentCert)
}
c, err := peertls.NewCert(pkcrypto.PublicKeyFromPrivate(selectedKey), opts.ParentKey, ct, opts.ParentCert)
if err != nil {
return nil, err
}
@ -370,7 +371,7 @@ func (ca *FullCertificateAuthority) NewIdentity(exts ...pkix.Extension) (*FullId
return nil, err
}
leafCert, err := peertls.NewCert(pkcrypto.PublicKeyFromPrivate(leafKey), ca.Key, leafTemplate, ca.Cert)
leafCert, err := peertls.CreateCertificate(pkcrypto.PublicKeyFromPrivate(leafKey), ca.Key, leafTemplate, ca.Cert)
if err != nil {
return nil, err
}
@ -445,7 +446,7 @@ func (ca *FullCertificateAuthority) AddExtension(ext ...pkix.Extension) error {
return err
}
updatedCert, err := peertls.NewSelfSignedCert(ca.Key, ca.Cert)
updatedCert, err := peertls.CreateSelfSignedCertificate(ca.Key, ca.Cert)
if err != nil {
return err
}

View File

@ -478,7 +478,7 @@ func (manageableIdent *ManageablePeerIdentity) AddExtension(ext ...pkix.Extensio
return err
}
updatedCert, err := peertls.NewCert(manageableIdent.Leaf.PublicKey, manageableIdent.CA.Key, manageableIdent.Leaf, manageableIdent.CA.Cert)
updatedCert, err := peertls.CreateCertificate(manageableIdent.Leaf.PublicKey, manageableIdent.CA.Key, manageableIdent.Leaf, manageableIdent.CA.Cert)
if err != nil {
return err
}

View File

@ -32,7 +32,7 @@ func TestPeerIdentityFromCertChain(t *testing.T) {
caTemplate, err := peertls.CATemplate()
assert.NoError(t, err)
caCert, err := peertls.NewSelfSignedCert(caKey, caTemplate)
caCert, err := peertls.CreateSelfSignedCertificate(caKey, caTemplate)
assert.NoError(t, err)
leafTemplate, err := peertls.LeafTemplate()
@ -41,7 +41,7 @@ func TestPeerIdentityFromCertChain(t *testing.T) {
leafKey, err := pkcrypto.GeneratePrivateKey()
assert.NoError(t, err)
leafCert, err := peertls.NewCert(pkcrypto.PublicKeyFromPrivate(leafKey), caKey, leafTemplate, caTemplate)
leafCert, err := peertls.CreateCertificate(pkcrypto.PublicKeyFromPrivate(leafKey), caKey, leafTemplate, caTemplate)
assert.NoError(t, err)
peerIdent, err := identity.PeerIdentityFromCerts(leafCert, caCert, nil)
@ -58,7 +58,7 @@ func TestFullIdentityFromPEM(t *testing.T) {
caTemplate, err := peertls.CATemplate()
assert.NoError(t, err)
caCert, err := peertls.NewSelfSignedCert(caKey, caTemplate)
caCert, err := peertls.CreateSelfSignedCertificate(caKey, caTemplate)
assert.NoError(t, err)
assert.NoError(t, err)
assert.NotEmpty(t, caCert)
@ -69,7 +69,7 @@ func TestFullIdentityFromPEM(t *testing.T) {
leafKey, err := pkcrypto.GeneratePrivateKey()
assert.NoError(t, err)
leafCert, err := peertls.NewCert(pkcrypto.PublicKeyFromPrivate(leafKey), caKey, leafTemplate, caTemplate)
leafCert, err := peertls.CreateCertificate(pkcrypto.PublicKeyFromPrivate(leafKey), caKey, leafTemplate, caTemplate)
assert.NoError(t, err)
assert.NotEmpty(t, leafCert)

View File

@ -6,7 +6,6 @@ package peertls // import "storj.io/storj/pkg/peertls"
import (
"bytes"
"crypto"
"crypto/ecdsa"
"crypto/rand"
"crypto/tls"
"crypto/x509"
@ -126,37 +125,35 @@ func ChainBytes(chain ...*x509.Certificate) ([]byte, error) {
return data.Bytes(), err
}
// NewSelfSignedCert returns a new x509 self-signed certificate using the provided // template and key,
func NewSelfSignedCert(key crypto.PrivateKey, template *x509.Certificate) (*x509.Certificate, error) {
return NewCert(pkcrypto.PublicKeyFromPrivate(key), key, template, template)
// CreateSelfSignedCertificate creates a new self-signed X.509v3 certificate
// using fields from the given template.
func CreateSelfSignedCertificate(key crypto.PrivateKey, template *x509.Certificate) (*x509.Certificate, error) {
return CreateCertificate(pkcrypto.PublicKeyFromPrivate(key), key, template, template)
}
// NewCert returns a new x509 certificate using the provided templates and key,
// signed by the parent cert if provided; otherwise, self-signed.
func NewCert(publicKey crypto.PublicKey, parentKey crypto.PrivateKey, template, parent *x509.Certificate) (*x509.Certificate, error) {
if parent == nil {
parent = template
// CreateCertificate creates a new X.509v3 certificate based on a template.
// The new certificate:
//
// * will have the public key given as 'signee'
// * will be signed by 'signer' (which should be the private key of 'issuer')
// * will be issued by 'issuer'
// * will have metadata fields copied from 'template'
//
// Returns the new Certificate object.
func CreateCertificate(signee crypto.PublicKey, signer crypto.PrivateKey, template, issuer *x509.Certificate) (*x509.Certificate, error) {
if _, ok := signer.(crypto.Signer); !ok {
// x509.CreateCertificate will panic in this case, so check here and make debugging easier
return nil, errs.New("can't sign certificate with signer key of type %T", signer)
}
publicECKey, ok := publicKey.(*ecdsa.PublicKey)
if !ok {
return nil, errs.New("unsupported public key type %T", publicKey)
}
cb, err := x509.CreateCertificate(
rand.Reader,
template,
parent,
publicECKey,
parentKey,
issuer,
signee,
signer,
)
if err != nil {
return nil, errs.Wrap(err)
}
cert, err := pkcrypto.CertFromDER(cb)
if err != nil {
return nil, errs.Wrap(err)
}
return cert, nil
return pkcrypto.CertFromDER(cb)
}

View File

@ -30,7 +30,7 @@ func TestNewCert_CA(t *testing.T) {
caTemplate, err := peertls.CATemplate()
assert.NoError(t, err)
caCert, err := peertls.NewSelfSignedCert(caKey, caTemplate)
caCert, err := peertls.CreateSelfSignedCertificate(caKey, caTemplate)
assert.NoError(t, err)
assert.NotEmpty(t, caKey)
@ -48,7 +48,7 @@ func TestNewCert_Leaf(t *testing.T) {
caTemplate, err := peertls.CATemplate()
assert.NoError(t, err)
caCert, err := peertls.NewSelfSignedCert(caKey, caTemplate)
caCert, err := peertls.CreateSelfSignedCertificate(caKey, caTemplate)
assert.NoError(t, err)
leafKey, err := pkcrypto.GeneratePrivateKey()
@ -57,8 +57,7 @@ func TestNewCert_Leaf(t *testing.T) {
leafTemplate, err := peertls.LeafTemplate()
assert.NoError(t, err)
leafPublicKey := pkcrypto.PublicKeyFromPrivate(leafKey)
leafCert, err := peertls.NewCert(leafPublicKey, caKey, leafTemplate, caCert)
leafCert, err := peertls.CreateCertificate(pkcrypto.PublicKeyFromPrivate(leafKey), caKey, leafTemplate, caCert)
assert.NoError(t, err)
assert.NotEmpty(t, caKey)
@ -111,7 +110,7 @@ func TestVerifyPeerCertChains(t *testing.T) {
wrongKey, err := pkcrypto.GeneratePrivateKey()
assert.NoError(t, err)
leafCert, err = peertls.NewCert(pkcrypto.PublicKeyFromPrivate(leafKey), wrongKey, leafCert, caCert)
leafCert, err = peertls.CreateCertificate(pkcrypto.PublicKeyFromPrivate(leafKey), wrongKey, leafCert, caCert)
assert.NoError(t, err)
err = peertls.VerifyPeerFunc(peertls.VerifyPeerCertChains)([][]byte{leafCert.Raw, caCert.Raw}, nil)