add support for generate intermediate ca

nothinux · May 1, 2022 · f79a1c1 · f79a1c1
1 parent ab63a10
commit f79a1c1
Show file tree

Hide file tree

Showing 7 changed files with 106 additions and 11 deletions.
diff --git a/cmd/certify/127.0.0.1-key.pem b/cmd/certify/127.0.0.1-key.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIIuQU4ciKdoWKatOyMACXtA4MW0e1W2BAxLgP3yISKBCoAoGCCqGSM49
+AwEHoUQDQgAEX6RdebhEW2Qov6t68/hW4cEXkaSUQCVz66oAygNFy0zhIe3OZbEW
+PqJRuPRCuC8RDSANhitAKZcq7rQt+FgePw==
+-----END EC PRIVATE KEY-----
diff --git a/cmd/certify/127.0.0.1.pem b/cmd/certify/127.0.0.1.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBiTCCAS+gAwIBAgIRAIpKY34COzXtccpbFTdLHPwwCgYIKoZIzj0EAwIwJTEQ
+MA4GA1UEChMHY2VydGlmeTERMA8GA1UEAxMIbm90aGludXgwHhcNMjIwNTAxMDAw
+MTQyWhcNMjMwNTAxMDYwMTQyWjAlMRAwDgYDVQQKEwdjZXJ0aWZ5MREwDwYDVQQD
+Ewhub3RoaW51eDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABF+kXXm4RFtkKL+r
+evP4VuHBF5GklEAlc+uqAMoDRctM4SHtzmWxFj6iUbj0QrgvEQ0gDYYrQCmXKu60
+LfhYHj+jQDA+MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAMBgNVHRMB
+Af8EAjAAMA8GA1UdEQQIMAaHBH8AAAEwCgYIKoZIzj0EAwIDSAAwRQIgJalQKiYw
+K+t4g9N42+DgmAclLn8pKTFI0AIa38KC3wkCIQDOQIuLRHiCR3+UdOglpnrRgRzV
+1fa2d5/SEV0KxPP1nA==
+-----END CERTIFICATE-----
diff --git a/cmd/certify/__debug_bin b/cmd/certify/__debug_bin
diff --git a/cmd/certify/command.go b/cmd/certify/command.go
@@ -157,3 +157,19 @@ func createCertificate(args []string) error {
 
 	return nil
 }
+
+// createIntermediateCertificate generate intermediate certificate and signed with existing root CA
+func createIntermediateCertificate(args []string) error {
+	pkey, err := generatePrivateKey(caInterKeyPath)
+	if err != nil {
+		return err
+	}
+
+	fmt.Println("Private key file generated", caInterKeyPath)
+
+	if err := generateIntermediateCert(pkey.PrivateKey, args); err != nil {
+		return err
+	}
+
+	return nil
+}
diff --git a/cmd/certify/helper.go b/cmd/certify/helper.go
@@ -34,7 +34,7 @@ func generateCA(pkey *ecdsa.PrivateKey, cn string, path string) error {
 			CommonName:   parseCN(cn),
 		},
 		NotBefore: time.Now(),
-		NotAfter:  time.Now().Add(8766 * time.Hour),
+		NotAfter:  time.Now().Add(87660 * time.Hour),
 		IsCA:      true,
 	}
 
@@ -89,6 +89,50 @@ func generateCert(pkey *ecdsa.PrivateKey, args []string) error {
 	return err
 }
 
+func generateIntermediateCert(pkey *ecdsa.PrivateKey, args []string) error {
+	_, _, cn, expiry, _ := parseArgs(args)
+
+	parentKey, err := getCAPrivateKey()
+	if err != nil {
+		return err
+	}
+
+	parent, err := getCACert()
+	if err != nil {
+		return err
+	}
+
+	newCN := fmt.Sprintf("%s Intermediate", cn)
+
+	if expiry.Unix() > parent.NotAfter.Unix() {
+		return fmt.Errorf("intermediate certificate expiry date can't longer than root CA")
+	}
+
+	template := certify.Certificate{
+		Subject: pkix.Name{
+			Organization: []string{"certify"},
+			CommonName:   newCN,
+		},
+		NotBefore:        time.Now(),
+		NotAfter:         expiry,
+		IsCA:             true,
+		Parent:           parent,
+		ParentPrivateKey: parentKey,
+	}
+
+	cert, err := template.GetCertificate(pkey)
+	if err != nil {
+		return err
+	}
+
+	err = store(cert.String(), caInterPath)
+	if err == nil {
+		fmt.Println("Certificate file generated", caInterPath)
+	}
+
+	return err
+}
+
 // getFilename returns path based on given args
 // first it will check dnsnames, if nil, then check iplist, if iplist nil too
 // it will check common name

diff --git a/cmd/certify/main.go b/cmd/certify/main.go
@@ -20,7 +20,9 @@ $ certify server.local 172.17.0.1 cn:web-server eku:serverAuth expiry:1d
 
 Flags:
   -init
-	Initialize new CA Certificate and Key
+	Initialize new root CA Certificate and Key
+  -intermediate
+    Generate intermediate certificate
   -read  <filename>
 	Read certificate information from file server.local.pem
   -connect  <host:443>
@@ -29,12 +31,16 @@ Flags:
 	Generate client.p12 pem file containing certificate, private key and ca certificate
   -match  <private-key> <cert>
 	Verify cert-key.pem and cert.pem has same public key
+  -version
+    print certify version
 `
 
 var (
-	caPath    = "ca-cert.pem"
-	caKeyPath = "ca-key.pem"
-	Version   = "No version provided"
+	caPath         = "ca-cert.pem"
+	caKeyPath      = "ca-key.pem"
+	caInterPath    = "ca-intermediate.pem"
+	caInterKeyPath = "ca-intermediate-key.pem"
+	Version        = "No version provided"
 )
 
 func main() {
@@ -45,12 +51,13 @@ func main() {
 
 func runMain() error {
 	var (
-		initialize = flag.Bool("init", false, "initialize new CA Certificate and Key")
-		read       = flag.Bool("read", false, "read information from certificate")
-		match      = flag.Bool("match", false, "check if private key match with certificate")
-		ver        = flag.Bool("version", false, "see program version")
-		connect    = flag.Bool("connect", false, "show information about certificate on remote host")
-		epkcs12    = flag.Bool("export-p12", false, "export certificate and key to pkcs12 format")
+		initialize   = flag.Bool("init", false, "initialize new root CA Certificate and Key")
+		intermediate = flag.Bool("intermediate", false, "create intermediate certificate")
+		read         = flag.Bool("read", false, "read information from certificate")
+		match        = flag.Bool("match", false, "check if private key match with certificate")
+		ver          = flag.Bool("version", false, "see program version")
+		connect      = flag.Bool("connect", false, "show information about certificate on remote host")
+		epkcs12      = flag.Bool("export-p12", false, "export certificate and key to pkcs12 format")
 	)
 
 	flag.Usage = func() {
@@ -110,6 +117,13 @@ func runMain() error {
 		return fmt.Errorf("error CA Certificate or Key is not exists, run -init to create it")
 	}
 
+	if *intermediate {
+		if err := createIntermediateCertificate(os.Args); err != nil {
+			return err
+		}
+		return nil
+	}
+
 	if err := createCertificate(os.Args); err != nil {
 		return err
 	}

diff --git a/cmd/certify/util_test.go b/cmd/certify/util_test.go
@@ -0,0 +1,5 @@
+package main
+
+func getCN() {
+
+}