Merge pull request #7623 from FriedCircuits/patch-1
Add support for RSA private key to TLS utils.
commit
b299e30db6
|
@ -5,6 +5,7 @@ import (
|
||||||
"crypto"
|
"crypto"
|
||||||
"crypto/ecdsa"
|
"crypto/ecdsa"
|
||||||
"crypto/rand"
|
"crypto/rand"
|
||||||
|
"crypto/rsa"
|
||||||
"crypto/sha256"
|
"crypto/sha256"
|
||||||
"crypto/x509"
|
"crypto/x509"
|
||||||
"crypto/x509/pkix"
|
"crypto/x509/pkix"
|
||||||
|
@ -174,6 +175,7 @@ func GenerateCert(signer crypto.Signer, ca string, sn *big.Int, name string, day
|
||||||
func keyID(raw interface{}) ([]byte, error) {
|
func keyID(raw interface{}) ([]byte, error) {
|
||||||
switch raw.(type) {
|
switch raw.(type) {
|
||||||
case *ecdsa.PublicKey:
|
case *ecdsa.PublicKey:
|
||||||
|
case *rsa.PublicKey:
|
||||||
default:
|
default:
|
||||||
return nil, fmt.Errorf("invalid key type: %T", raw)
|
return nil, fmt.Errorf("invalid key type: %T", raw)
|
||||||
}
|
}
|
||||||
|
@ -208,18 +210,7 @@ func parseCert(pemValue string) (*x509.Certificate, error) {
|
||||||
// ParseSigner parses a crypto.Signer from a PEM-encoded key. The private key
|
// ParseSigner parses a crypto.Signer from a PEM-encoded key. The private key
|
||||||
// is expected to be the first block in the PEM value.
|
// is expected to be the first block in the PEM value.
|
||||||
func ParseSigner(pemValue string) (crypto.Signer, error) {
|
func ParseSigner(pemValue string) (crypto.Signer, error) {
|
||||||
// The _ result below is not an error but the remaining PEM bytes.
|
return connect.ParseSigner(pemValue)
|
||||||
block, _ := pem.Decode([]byte(pemValue))
|
|
||||||
if block == nil {
|
|
||||||
return nil, fmt.Errorf("no PEM-encoded data found")
|
|
||||||
}
|
|
||||||
|
|
||||||
switch block.Type {
|
|
||||||
case "EC PRIVATE KEY":
|
|
||||||
return x509.ParseECPrivateKey(block.Bytes)
|
|
||||||
default:
|
|
||||||
return nil, fmt.Errorf("unknown PEM block type for signing key: %s", block.Type)
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func Verify(caString, certString, dns string) error {
|
func Verify(caString, certString, dns string) error {
|
||||||
|
|
|
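Review bot: The ParseSigner doc comment above the new `return connect.ParseSigner(pemValue)` line still promises the old contract ("the private key is expected to be the first block in the PEM value") and the removed switch made the accepted block types and the "unknown PEM block type" rejection explicit, whereas the accepted key types, block types (PKCS#1 `RSA PRIVATE KEY`, `EC PRIVATE KEY`, possibly PKCS#8 `PRIVATE KEY`) and error behaviour are now whatever `connect.ParseSigner` implements, which this diff does not show. I would update the comment to state the delegation, e.g. `// ParseSigner parses a crypto.Signer (EC or RSA private key) from a PEM-encoded key by delegating to connect.ParseSigner, which defines the accepted PEM block types.`, and confirm that an unsupported block type still returns an error rather than a nil signer. The import hunk adds only `crypto/rsa`; `connect` is presumably already imported further down the import block, outside the hunk, but it is worth checking that this does not create an import cycle between tlsutil and connect. In keyID, the two empty cases can be folded into one, `case *ecdsa.PublicKey, *rsa.PublicKey:`, so the list of key types the function accepts reads as a single line. The bodies of keyID and Verify continue outside the hunk.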
@ -89,6 +89,25 @@ func TestGenerateCA(t *testing.T) {
|
||||||
require.WithinDuration(t, cert.NotAfter, time.Now().AddDate(0, 0, 365), time.Minute)
|
require.WithinDuration(t, cert.NotAfter, time.Now().AddDate(0, 0, 365), time.Minute)
|
||||||
|
|
||||||
require.Equal(t, x509.KeyUsageCertSign|x509.KeyUsageCRLSign|x509.KeyUsageDigitalSignature, cert.KeyUsage)
|
require.Equal(t, x509.KeyUsageCertSign|x509.KeyUsageCRLSign|x509.KeyUsageDigitalSignature, cert.KeyUsage)
|
||||||
|
|
||||||
|
// Test what happens with a correct RSA Key
|
||||||
|
s, err = rsa.GenerateKey(rand.Reader, 2048)
|
||||||
|
require.Nil(t, err)
|
||||||
|
ca, err = GenerateCA(s, sn, 365, nil)
|
||||||
|
require.Nil(t, err)
|
||||||
|
require.NotEmpty(t, ca)
|
||||||
|
|
||||||
|
cert, err = parseCert(ca)
|
||||||
|
require.Nil(t, err)
|
||||||
|
require.Equal(t, fmt.Sprintf("Consul Agent CA %d", sn), cert.Subject.CommonName)
|
||||||
|
require.Equal(t, true, cert.IsCA)
|
||||||
|
require.Equal(t, true, cert.BasicConstraintsValid)
|
||||||
|
|
||||||
|
require.WithinDuration(t, cert.NotBefore, time.Now(), time.Minute)
|
||||||
|
require.WithinDuration(t, cert.NotAfter, time.Now().AddDate(0, 0, 365), time.Minute)
|
||||||
|
|
||||||
|
require.Equal(t, x509.KeyUsageCertSign|x509.KeyUsageCRLSign|x509.KeyUsageDigitalSignature, cert.KeyUsage)
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestGenerateCert(t *testing.T) {
|
func TestGenerateCert(t *testing.T) {
|
||||||
|
|
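Review bot: The new RSA test exercises only GenerateCA with an in-memory `*rsa.PrivateKey`; the code path this change actually rewires for RSA, ParseSigner on a PEM-encoded `RSA PRIVATE KEY` block, has no test, so a regression there (for example connect.ParseSigner rejecting PKCS#1 blocks) would not be caught. I would add a round-trip check in TestGenerateCA (or a new TestParseSigner) that encodes the generated key with `x509.MarshalPKCS1PrivateKey`, parses it back and asserts the signer type; this needs `encoding/pem` imported in the test file. The reused `s, err = rsa.GenerateKey(...)` relies on `s` having been declared with an interface type earlier in the test, outside the hunk, so that part cannot be confirmed here. Minor style: `require.NoError(t, err)` is the idiomatic testify form and gives a better failure message than `require.Nil(t, err)`. TestGenerateCA begins outside the hunk.
```go
	// ParseSigner should round-trip the RSA key from its PEM form.
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	require.NoError(t, err)
	pemKey := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(rsaKey)})
	signer, err := ParseSigner(string(pemKey))
	require.NoError(t, err)
	require.IsType(t, &rsa.PrivateKey{}, signer)
	// … unchanged: existing RSA GenerateCA assertions …
```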