Gitiles
Code Review Sign In
gerrit-dev.monogon.dev / monogon / 4b0e5c075a81a7ea251c5c85af1d15c5ab54e962 / . / core / internal / consensus / ca / ca.go
blob: 925f030fcffbe983d398778a612f8fdb46757151 [file] [log] [blame]
Lorenz Bruna4ea9d02019-10-31 11:40:30 +0100[diff] [blame]1// Copyright 2020 The Monogon Project Authors.
2//
3// SPDX-License-Identifier: Apache-2.0
4//
5// Licensed under the Apache License, Version 2.0 (the "License");
6// you may not use this file except in compliance with the License.
7// You may obtain a copy of the License at
8//
9// http://www.apache.org/licenses/LICENSE-2.0
10//
11// Unless required by applicable law or agreed to in writing, software
12// distributed under the License is distributed on an "AS IS" BASIS,
13// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14// See the License for the specific language governing permissions and
15// limitations under the License.
16
17package ca
18
19import (
20 "crypto"
21 "crypto/ed25519"
22 "crypto/rand"
23 "crypto/sha1"
24 "crypto/x509"
25 "crypto/x509/pkix"
26 "encoding/asn1"
27 "errors"
28 "fmt"
29 "math/big"
30 "time"
31)
32
33var (
34 // From RFC 5280 Section 4.1.2.5
35 unknownNotAfter = time.Unix(253402300799, 0)
36)
37
38type CA struct {
39 // TODO: Potentially protect the key with memguard
40 PrivateKey *ed25519.PrivateKey
41 CACert *x509.Certificate
42 CACertRaw []byte
43 CRLRaw []byte
44 Revoked []pkix.RevokedCertificate
45}
46
47// Workaround for https://github.com/golang/go/issues/26676 in Go's crypto/x509. Specifically Go
48// violates Section 4.2.1.2 of RFC 5280 without this. Should eventually be redundant.
49//
50// Taken from https://github.com/FiloSottile/mkcert/blob/master/cert.go#L295 written by one of Go's
51// crypto engineers
52func calculateSKID(pubKey crypto.PublicKey) ([]byte, error) {
53 spkiASN1, err := x509.MarshalPKIXPublicKey(pubKey)
54 if err != nil {
55 return nil, err
56 }
57
58 var spki struct {
59 Algorithm pkix.AlgorithmIdentifier
60 SubjectPublicKey asn1.BitString
61 }
62 _, err = asn1.Unmarshal(spkiASN1, &spki)
63 if err != nil {
64 return nil, err
65 }
66 skid := sha1.Sum(spki.SubjectPublicKey.Bytes)
67 return skid[:], nil
68}
69
70func New(name string) (*CA, error) {
71 pubKey, privKey, err := ed25519.GenerateKey(rand.Reader)
72 if err != nil {
73 panic(err)
74 }
75
76 serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 127)
77 serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
78 if err != nil {
79 return nil, fmt.Errorf("Failed to generate serial number: %w", err)
80 }
81
82 skid, err := calculateSKID(pubKey)
83 if err != nil {
84 return nil, err
85 }
86
87 caCert := &x509.Certificate{
88 SerialNumber: serialNumber,
89 Subject: pkix.Name{
90 CommonName: name,
91 },
92 IsCA: true,
93 BasicConstraintsValid: true,
94 NotBefore: time.Now(),
95 NotAfter: unknownNotAfter,
96 KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature,
97 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageOCSPSigning},
98 AuthorityKeyId: skid,
99 SubjectKeyId: skid,
100 }
101
102 caCertRaw, err := x509.CreateCertificate(rand.Reader, caCert, caCert, pubKey, privKey)
103 if err != nil {
104 return nil, fmt.Errorf("Failed to create root certificate: %w", err)
105 }
106
107 ca := &CA{
108 PrivateKey: &privKey,
109 CACertRaw: caCertRaw,
110 CACert: caCert,
111 }
112 if ca.reissueCRL() != nil {
113 return nil, fmt.Errorf("failed to create initial CRL: %w", err)
114 }
115
116 return ca, nil
117}
118
119func FromCertificates(caCert []byte, caKey []byte, crl []byte) (*CA, error) {
120 if len(caKey) != ed25519.PrivateKeySize {
121 return nil, errors.New("Invalid CA private key size")
122 }
123 privateKey := ed25519.PrivateKey(caKey)
124
125 caCertVal, err := x509.ParseCertificate(caCert)
126 if err != nil {
127 return nil, err
128 }
129 crlVal, err := x509.ParseCRL(crl)
130 if err != nil {
131 return nil, err
132 }
133 return &CA{
134 PrivateKey: &privateKey,
135 CACertRaw: caCert,
136 CACert: caCertVal,
137 Revoked: crlVal.TBSCertList.RevokedCertificates,
138 CRLRaw: crl,
139 }, nil
140}
141
142func (ca *CA) IssueCertificate(hostname string) (cert []byte, privkey []byte, err error) {
143 serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 127)
144 serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
145 if err != nil {
146 err = fmt.Errorf("Failed to generate serial number: %w", err)
147 return
148 }
149
150 pubKey, privKeyRaw, err := ed25519.GenerateKey(rand.Reader)
151 if err != nil {
152 return
153 }
154 privkey, err = x509.MarshalPKCS8PrivateKey(privKeyRaw)
155 if err != nil {
156 return
157 }
158
159 etcdCert := &x509.Certificate{
160 SerialNumber: serialNumber,
161 Subject: pkix.Name{
162 CommonName: hostname,
163 OrganizationalUnit: []string{"etcd"},
164 },
165 IsCA: false,
166 BasicConstraintsValid: true,
167 NotBefore: time.Now(),
168 NotAfter: unknownNotAfter,
169 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
170 DNSNames: []string{hostname},
171 }
172 cert, err = x509.CreateCertificate(rand.Reader, etcdCert, ca.CACert, pubKey, ca.PrivateKey)
173 return
174}
175
176func (ca *CA) reissueCRL() error {
177 compatCert := CompatCertificate(*ca.CACert)
178 newCRL, err := compatCert.CreateCRL(rand.Reader, ca.PrivateKey, ca.Revoked, time.Now(), unknownNotAfter)
179 if err != nil {
180 return err
181 }
182 ca.CRLRaw = newCRL
183 return nil
184}
185
186func (ca *CA) Revoke(serial *big.Int) error {
187 for _, revokedCert := range ca.Revoked {
188 if revokedCert.SerialNumber.Cmp(serial) == 0 {
189 return nil // Already revoked
190 }
191 }
192 ca.Revoked = append(ca.Revoked, pkix.RevokedCertificate{
193 SerialNumber: serial,
194 RevocationTime: time.Now(),
195 })
196 return ca.reissueCRL()
197}