make cert creation a little easier to read (#1607)
Make separate "CreateCertificate" and "CreateSelfSignedCertificate" functions to take the two roles of NewCert. These names should help clarify that they actually make certificates and not just allocate new "Cert" or "Certificate" objects. Secondly, in the case of non-self-signed certs, require a public and a private key to be passed in instead of two private keys, because it's pretty hard to tell when reading code which one is meant to be the signer and which one is the signee. With a public and private key, you know. (These are some changes I made in the course of the openssl port, because the NewCert function kept being confusing to me. It's possible I'm just being ridiculous, and this doesn't help improve readability for anyone else, but if I'm not being ridiculous let's get this in)
This commit is contained in:
parent
4d925f783c
commit
bb892d33d1
@ -111,7 +111,7 @@ func saveIdentityTar(path string, key crypto.PrivateKey, id storj.NodeID) error
|
||||
return err
|
||||
}
|
||||
|
||||
caCert, err := peertls.NewSelfSignedCert(key, ct)
|
||||
caCert, err := peertls.CreateSelfSignedCertificate(key, ct)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -33,9 +33,9 @@ func NewCertChain(length int) (keys []crypto.PrivateKey, certs []*x509.Certifica
|
||||
|
||||
var cert *x509.Certificate
|
||||
if i == 0 {
|
||||
cert, err = peertls.NewSelfSignedCert(key, template)
|
||||
cert, err = peertls.CreateSelfSignedCertificate(key, template)
|
||||
} else {
|
||||
cert, err = peertls.NewCert(pkcrypto.PublicKeyFromPrivate(key), keys[i-1], template, certs[i-1:][0])
|
||||
cert, err = peertls.CreateCertificate(pkcrypto.PublicKeyFromPrivate(key), keys[i-1], template, certs[i-1:][0])
|
||||
}
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
|
@ -163,11 +163,12 @@ func NewCA(ctx context.Context, opts NewCAOptions) (_ *FullCertificateAuthority,
|
||||
return nil, err
|
||||
}
|
||||
|
||||
var c *x509.Certificate
|
||||
if opts.ParentKey == nil {
|
||||
opts.ParentKey = selectedKey
|
||||
c, err = peertls.CreateSelfSignedCertificate(selectedKey, ct)
|
||||
} else {
|
||||
c, err = peertls.CreateCertificate(pkcrypto.PublicKeyFromPrivate(selectedKey), opts.ParentKey, ct, opts.ParentCert)
|
||||
}
|
||||
|
||||
c, err := peertls.NewCert(pkcrypto.PublicKeyFromPrivate(selectedKey), opts.ParentKey, ct, opts.ParentCert)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@ -370,7 +371,7 @@ func (ca *FullCertificateAuthority) NewIdentity(exts ...pkix.Extension) (*FullId
|
||||
return nil, err
|
||||
}
|
||||
|
||||
leafCert, err := peertls.NewCert(pkcrypto.PublicKeyFromPrivate(leafKey), ca.Key, leafTemplate, ca.Cert)
|
||||
leafCert, err := peertls.CreateCertificate(pkcrypto.PublicKeyFromPrivate(leafKey), ca.Key, leafTemplate, ca.Cert)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@ -445,7 +446,7 @@ func (ca *FullCertificateAuthority) AddExtension(ext ...pkix.Extension) error {
|
||||
return err
|
||||
}
|
||||
|
||||
updatedCert, err := peertls.NewSelfSignedCert(ca.Key, ca.Cert)
|
||||
updatedCert, err := peertls.CreateSelfSignedCertificate(ca.Key, ca.Cert)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -478,7 +478,7 @@ func (manageableIdent *ManageablePeerIdentity) AddExtension(ext ...pkix.Extensio
|
||||
return err
|
||||
}
|
||||
|
||||
updatedCert, err := peertls.NewCert(manageableIdent.Leaf.PublicKey, manageableIdent.CA.Key, manageableIdent.Leaf, manageableIdent.CA.Cert)
|
||||
updatedCert, err := peertls.CreateCertificate(manageableIdent.Leaf.PublicKey, manageableIdent.CA.Key, manageableIdent.Leaf, manageableIdent.CA.Cert)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -32,7 +32,7 @@ func TestPeerIdentityFromCertChain(t *testing.T) {
|
||||
caTemplate, err := peertls.CATemplate()
|
||||
assert.NoError(t, err)
|
||||
|
||||
caCert, err := peertls.NewSelfSignedCert(caKey, caTemplate)
|
||||
caCert, err := peertls.CreateSelfSignedCertificate(caKey, caTemplate)
|
||||
assert.NoError(t, err)
|
||||
|
||||
leafTemplate, err := peertls.LeafTemplate()
|
||||
@ -41,7 +41,7 @@ func TestPeerIdentityFromCertChain(t *testing.T) {
|
||||
leafKey, err := pkcrypto.GeneratePrivateKey()
|
||||
assert.NoError(t, err)
|
||||
|
||||
leafCert, err := peertls.NewCert(pkcrypto.PublicKeyFromPrivate(leafKey), caKey, leafTemplate, caTemplate)
|
||||
leafCert, err := peertls.CreateCertificate(pkcrypto.PublicKeyFromPrivate(leafKey), caKey, leafTemplate, caTemplate)
|
||||
assert.NoError(t, err)
|
||||
|
||||
peerIdent, err := identity.PeerIdentityFromCerts(leafCert, caCert, nil)
|
||||
@ -58,7 +58,7 @@ func TestFullIdentityFromPEM(t *testing.T) {
|
||||
caTemplate, err := peertls.CATemplate()
|
||||
assert.NoError(t, err)
|
||||
|
||||
caCert, err := peertls.NewSelfSignedCert(caKey, caTemplate)
|
||||
caCert, err := peertls.CreateSelfSignedCertificate(caKey, caTemplate)
|
||||
assert.NoError(t, err)
|
||||
assert.NoError(t, err)
|
||||
assert.NotEmpty(t, caCert)
|
||||
@ -69,7 +69,7 @@ func TestFullIdentityFromPEM(t *testing.T) {
|
||||
leafKey, err := pkcrypto.GeneratePrivateKey()
|
||||
assert.NoError(t, err)
|
||||
|
||||
leafCert, err := peertls.NewCert(pkcrypto.PublicKeyFromPrivate(leafKey), caKey, leafTemplate, caTemplate)
|
||||
leafCert, err := peertls.CreateCertificate(pkcrypto.PublicKeyFromPrivate(leafKey), caKey, leafTemplate, caTemplate)
|
||||
assert.NoError(t, err)
|
||||
assert.NotEmpty(t, leafCert)
|
||||
|
||||
|
@ -6,7 +6,6 @@ package peertls // import "storj.io/storj/pkg/peertls"
|
||||
import (
|
||||
"bytes"
|
||||
"crypto"
|
||||
"crypto/ecdsa"
|
||||
"crypto/rand"
|
||||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
@ -126,37 +125,35 @@ func ChainBytes(chain ...*x509.Certificate) ([]byte, error) {
|
||||
return data.Bytes(), err
|
||||
}
|
||||
|
||||
// NewSelfSignedCert returns a new x509 self-signed certificate using the provided // template and key,
|
||||
func NewSelfSignedCert(key crypto.PrivateKey, template *x509.Certificate) (*x509.Certificate, error) {
|
||||
return NewCert(pkcrypto.PublicKeyFromPrivate(key), key, template, template)
|
||||
// CreateSelfSignedCertificate creates a new self-signed X.509v3 certificate
|
||||
// using fields from the given template.
|
||||
func CreateSelfSignedCertificate(key crypto.PrivateKey, template *x509.Certificate) (*x509.Certificate, error) {
|
||||
return CreateCertificate(pkcrypto.PublicKeyFromPrivate(key), key, template, template)
|
||||
}
|
||||
|
||||
// NewCert returns a new x509 certificate using the provided templates and key,
|
||||
// signed by the parent cert if provided; otherwise, self-signed.
|
||||
func NewCert(publicKey crypto.PublicKey, parentKey crypto.PrivateKey, template, parent *x509.Certificate) (*x509.Certificate, error) {
|
||||
if parent == nil {
|
||||
parent = template
|
||||
// CreateCertificate creates a new X.509v3 certificate based on a template.
|
||||
// The new certificate:
|
||||
//
|
||||
// * will have the public key given as 'signee'
|
||||
// * will be signed by 'signer' (which should be the private key of 'issuer')
|
||||
// * will be issued by 'issuer'
|
||||
// * will have metadata fields copied from 'template'
|
||||
//
|
||||
// Returns the new Certificate object.
|
||||
func CreateCertificate(signee crypto.PublicKey, signer crypto.PrivateKey, template, issuer *x509.Certificate) (*x509.Certificate, error) {
|
||||
if _, ok := signer.(crypto.Signer); !ok {
|
||||
// x509.CreateCertificate will panic in this case, so check here and make debugging easier
|
||||
return nil, errs.New("can't sign certificate with signer key of type %T", signer)
|
||||
}
|
||||
|
||||
publicECKey, ok := publicKey.(*ecdsa.PublicKey)
|
||||
if !ok {
|
||||
return nil, errs.New("unsupported public key type %T", publicKey)
|
||||
}
|
||||
|
||||
cb, err := x509.CreateCertificate(
|
||||
rand.Reader,
|
||||
template,
|
||||
parent,
|
||||
publicECKey,
|
||||
parentKey,
|
||||
issuer,
|
||||
signee,
|
||||
signer,
|
||||
)
|
||||
if err != nil {
|
||||
return nil, errs.Wrap(err)
|
||||
}
|
||||
|
||||
cert, err := pkcrypto.CertFromDER(cb)
|
||||
if err != nil {
|
||||
return nil, errs.Wrap(err)
|
||||
}
|
||||
return cert, nil
|
||||
return pkcrypto.CertFromDER(cb)
|
||||
}
|
||||
|
@ -30,7 +30,7 @@ func TestNewCert_CA(t *testing.T) {
|
||||
caTemplate, err := peertls.CATemplate()
|
||||
assert.NoError(t, err)
|
||||
|
||||
caCert, err := peertls.NewSelfSignedCert(caKey, caTemplate)
|
||||
caCert, err := peertls.CreateSelfSignedCertificate(caKey, caTemplate)
|
||||
assert.NoError(t, err)
|
||||
|
||||
assert.NotEmpty(t, caKey)
|
||||
@ -48,7 +48,7 @@ func TestNewCert_Leaf(t *testing.T) {
|
||||
caTemplate, err := peertls.CATemplate()
|
||||
assert.NoError(t, err)
|
||||
|
||||
caCert, err := peertls.NewSelfSignedCert(caKey, caTemplate)
|
||||
caCert, err := peertls.CreateSelfSignedCertificate(caKey, caTemplate)
|
||||
assert.NoError(t, err)
|
||||
|
||||
leafKey, err := pkcrypto.GeneratePrivateKey()
|
||||
@ -57,8 +57,7 @@ func TestNewCert_Leaf(t *testing.T) {
|
||||
leafTemplate, err := peertls.LeafTemplate()
|
||||
assert.NoError(t, err)
|
||||
|
||||
leafPublicKey := pkcrypto.PublicKeyFromPrivate(leafKey)
|
||||
leafCert, err := peertls.NewCert(leafPublicKey, caKey, leafTemplate, caCert)
|
||||
leafCert, err := peertls.CreateCertificate(pkcrypto.PublicKeyFromPrivate(leafKey), caKey, leafTemplate, caCert)
|
||||
assert.NoError(t, err)
|
||||
|
||||
assert.NotEmpty(t, caKey)
|
||||
@ -111,7 +110,7 @@ func TestVerifyPeerCertChains(t *testing.T) {
|
||||
wrongKey, err := pkcrypto.GeneratePrivateKey()
|
||||
assert.NoError(t, err)
|
||||
|
||||
leafCert, err = peertls.NewCert(pkcrypto.PublicKeyFromPrivate(leafKey), wrongKey, leafCert, caCert)
|
||||
leafCert, err = peertls.CreateCertificate(pkcrypto.PublicKeyFromPrivate(leafKey), wrongKey, leafCert, caCert)
|
||||
assert.NoError(t, err)
|
||||
|
||||
err = peertls.VerifyPeerFunc(peertls.VerifyPeerCertChains)([][]byte{leafCert.Raw, caCert.Raw}, nil)
|
||||
|
Loading…
Reference in New Issue
Block a user