diff --git a/testing/certutil/certutil.go b/testing/certutil/certutil.go index b699a6c..d8caec8 100644 --- a/testing/certutil/certutil.go +++ b/testing/certutil/certutil.go @@ -71,14 +71,45 @@ func NewRSARootCA() (crypto.PrivateKey, *x509.Certificate, Pair, error) { return rootKey, cert, pair, err } -// GenerateChildCert generates a x509 Certificate as a child of caCert and -// returns the following: -// - the certificate in PEM format as a byte slice -// - the private key in PEM format as a byte slice +// GenerateChildCert generates a ECDSA (P-384) x509 Certificate as a child of +// caCert and returns the following: // - the certificate and private key as a tls.Certificate +// - a Pair with the certificate and its key im PEM format // // If any error occurs during the generation process, a non-nil error is returned. -func GenerateChildCert( +func GenerateChildCert(name string, ips []net.IP, caPrivKey crypto.PrivateKey, caCert *x509.Certificate) (*tls.Certificate, Pair, error) { + priv, err := rsa.GenerateKey(rand.Reader, 2048) + if err != nil { + return nil, Pair{}, fmt.Errorf("could not create RSA private key: %w", err) + } + + cert, childPair, err := + GenerateGenericChildCert( + name, + ips, + priv, + &priv.PublicKey, + caPrivKey, + caCert) + if err != nil { + return nil, Pair{}, fmt.Errorf( + "could not generate child TLS certificate CA: %w", err) + } + + return cert, childPair, nil +} + +// GenerateGenericChildCert generates a x509 Certificate using priv and pub +// as the certificate's private and public keys and as a child of caCert. +// Use this function if you need fine control over keys or ips and certificate name, +// otherwise prefer GenerateChildCert or NewRootAndChildCerts/NewRSARootAndChildCerts +// +// It returns the following: +// - the certificate and private key as a tls.Certificate +// - a Pair with the certificate and its key im PEM format +// +// If any error occurs during the generation process, a non-nil error is returned. +func GenerateGenericChildCert( name string, ips []net.IP, priv crypto.PrivateKey, @@ -263,7 +294,7 @@ func defaultChildCert( pub crypto.PublicKey, rootCACert *x509.Certificate) (Pair, error) { _, childPair, err := - GenerateChildCert( + GenerateGenericChildCert( "localhost", []net.IP{net.ParseIP("127.0.0.1")}, priv, diff --git a/testing/certutil/certutil_test.go b/testing/certutil/certutil_test.go index 1f9bad4..1c7e4a4 100644 --- a/testing/certutil/certutil_test.go +++ b/testing/certutil/certutil_test.go @@ -26,7 +26,7 @@ import ( "github.com/stretchr/testify/require" ) -func TestECCertificates(t *testing.T) { +func TestCertificates(t *testing.T) { ecRootPair, ecChildPair, err := NewRootAndChildCerts() require.NoError(t, err, "could not create EC certificates") diff --git a/testing/certutil/cmd/main.go b/testing/certutil/cmd/main.go index f6f2b9c..bd34829 100644 --- a/testing/certutil/cmd/main.go +++ b/testing/certutil/cmd/main.go @@ -15,7 +15,7 @@ // specific language governing permissions and limitations // under the License. -// nolint:errorlint,forbidigo // it's a cli application +//nolint:errorlint,forbidigo // it's a cli application package main import ( @@ -84,7 +84,7 @@ func main() { rootCert, rootKey := getCA(rsa, caPath, caKeyPath, dest, filePrefix) priv, pub := generateKey(rsa) - childCert, childPair, err := certutil.GenerateChildCert( + childCert, childPair, err := certutil.GenerateGenericChildCert( name, netIPs, priv,