Files

 staging

/

cert.go

Blame

Blame

Latest commit

 

History

History

78 lines (69 loc) · 2.32 KB

 staging

/

cert.go

Top

File metadata and controls

• Code
• Blame

78 lines (69 loc) · 2.32 KB

Raw

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

// Copyright 2012, 2013 Canonical Ltd.

// Licensed under the AGPLv3, see LICENCE file for details.

package cert

import (

"crypto/x509"

"fmt"

"time"

"github.com/juju/errors"

"github.com/juju/utils/cert"

)

// Verify verifies that the given server certificate is valid with

// respect to the given CA certificate at the given time.

func Verify(srvCertPEM, caCertPEM string, when time.Time) error {

caCert, err := cert.ParseCert(caCertPEM)

if err != nil {

return errors.Annotate(err, "cannot parse CA certificate")

}

srvCert, err := cert.ParseCert(srvCertPEM)

if err != nil {

return errors.Annotate(err, "cannot parse server certificate")

}

pool := x509.NewCertPool()

pool.AddCert(caCert)

opts := x509.VerifyOptions{

DNSName: "anyServer",

Roots: pool,

CurrentTime: when,

}

_, err = srvCert.Verify(opts)

return err

}

// NewLeafKeyBits is the number of bits used for the cert.NewLeaf call.

var NewLeafKeyBits = 2048

// NewDefaultServer generates a certificate/key pair suitable for use by a server, with an

// expiry time of 10 years.

func NewDefaultServer(caCertPEM, caKeyPEM string, hostnames []string) (certPEM, keyPEM string, err error) {

// TODO(perrito666) 2016-05-02 lp:1558657

expiry := time.Now().UTC().AddDate(10, 0, 0)

return cert.NewLeaf(&cert.Config{

CommonName: "*",

CA: []byte(caCertPEM),

CAKey: []byte(caKeyPEM),

Expiry: expiry,

Hostnames: hostnames,

ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},

KeyBits: NewLeafKeyBits,

})

}

// NewServer generates a certificate/key pair suitable for use by a server.

func NewServer(caCertPEM, caKeyPEM string, expiry time.Time, hostnames []string) (certPEM, keyPEM string, err error) {

return cert.NewLeaf(&cert.Config{

CommonName: "*",

CA: []byte(caCertPEM),

CAKey: []byte(caKeyPEM),

Expiry: expiry,

Hostnames: hostnames,

ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},

KeyBits: NewLeafKeyBits,

})

}

// NewCA generates a CA certificate/key pair suitable for signing server

// keys for an environment with the given name.

// wrapper arount utils/cert#NewCA

var NewCA = newCA

func newCA(commonName, UUID string, expiry time.Time) (certPEM, keyPEM string, err error) {

return cert.NewCA(

fmt.Sprintf("juju-generated CA for model %q", commonName),

UUID, expiry, 0)

}