git » chasquid » next » tree

[next] / test / util / generate_cert / generate_cert.go 

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
//go:build !coverage
// +build !coverage

// Utility to generate self-signed certificates.
// It generates a self-signed x509 certificate and key pair, and writes them
// to "fullchain.pem" and "privkey.pem".
//
// Intended for use in tests, not for production use.
package main

import (
	crand "crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"flag"
	"fmt"
	"math/big"
	"net"
	"os"
	"strings"
	"time"

	"golang.org/x/net/idna"
)

var (
	host = flag.String("host", "",
		"Hostnames/IPs to generate the certificate for (comma separated)")
	validFor = flag.Duration("validfor", 4*time.Hour,
		"How long will the certificate be valid for")
	isCA = flag.Bool("ca", false,
		"Should this cert be its own CA?")
)

func fatalf(f string, a ...interface{}) {
	fmt.Printf(f, a...)
	os.Exit(1)
}

func main() {
	flag.Parse()
	if *host == "" {
		fatalf("Required flag: --host")
	}

	// Build the certificate template.
	serial, err := crand.Int(crand.Reader, big.NewInt(1<<62))
	if err != nil {
		fatalf("Error generating serial number: %v\n", err)
	}
	tmpl := x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{Organization: []string{"Test Cert Org"}},

		// Valid from now until `--validfor` in the future.
		// Extended certs can be useful for manual troubleshooting.
		NotBefore: time.Now(),
		NotAfter:  time.Now().Add(*validFor),

		KeyUsage: x509.KeyUsageKeyEncipherment |
			x509.KeyUsageDigitalSignature |
			x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},

		BasicConstraintsValid: true,
	}

	if *isCA {
		tmpl.IsCA = true
	}

	hosts := strings.Split(*host, ",")
	for _, h := range hosts {
		if ip := net.ParseIP(h); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			// We use IDNA-encoded DNS names, otherwise the TLS library won't
			// load the certificates.
			ih, err := idna.ToASCII(h)
			if err != nil {
				fatalf("Host %q cannot be IDNA-encoded: %v\n", h, err)
			}
			tmpl.DNSNames = append(tmpl.DNSNames, ih)
		}
	}

	// Generate a private key (RSA 2048).
	privK, err := rsa.GenerateKey(crand.Reader, 2048)
	if err != nil {
		fatalf("Error generating key: %v\n", err)
	}

	// Write the certificate.
	{
		derBytes, err := x509.CreateCertificate(
			crand.Reader, &tmpl, &tmpl, &privK.PublicKey, privK)
		if err != nil {
			fatalf("Failed to create certificate: %v\n", err)
		}

		fullchain, err := os.Create("fullchain.pem")
		if err != nil {
			fatalf("Failed to open fullchain.pem: %v\n", err)
		}
		err = pem.Encode(fullchain,
			&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
		if err != nil {
			fatalf("Error encoding certificate: %v\n", err)
		}
		fullchain.Close()
	}

	// Write the private key.
	{
		privkey, err := os.Create("privkey.pem")
		if err != nil {
			fatalf("failed to open privkey.pem: %v\n", err)
		}
		block := &pem.Block{Type: "RSA PRIVATE KEY",
			Bytes: x509.MarshalPKCS1PrivateKey(privK)}
		err = pem.Encode(privkey, block)
		if err != nil {
			fatalf("Error encoding private key: %v\n", err)
		}
		privkey.Close()
	}
}