本文整理汇总了Golang中crypto/x509.Certificate类的典型用法代码示例。如果您正苦于以下问题:Golang Certificate类的具体用法?Golang Certificate怎么用?Golang Certificate使用的例子?那么恭喜您, 这里精选的类代码示例或许可以为您提供帮助。
在下文中一共展示了Certificate类的20个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于我们的系统推荐出更棒的Golang代码示例。
示例1: ValidateEccentricCertificate
// ValidateEccentricCertificate verifies that the given certificate parses to a real x509 certificate
// and that it is signed by the FPCA
// DANE/TLSA record it specifies in the CN.
// TODO: Deprecate this function as it handles only direct signing by the FPCA, no SubCAs
// Use ValidateEccentricCertificateChain instead
func ValidateEccentricCertificate(cl_cert *x509.Certificate) (caCert *x509.Certificate, err error) {
log.Printf("Validate Eccentric Certificate got client certificate: Issuer: %#v\nand Subject: %#v", cl_cert.Issuer, cl_cert.Subject)
// Check the cn if it has the @@ in it.
cn := cl_cert.Subject.CommonName // the chosen [email protected]@realm
log.Printf("Subject CommonName is %v\n", cn)
_, _, err = ParseCN(cn)
if err != nil {
return nil, err
}
// Now fetch the issuer. That must be the FPCA.
issuer := cl_cert.Issuer.CommonName
if issuer == "" {
return nil, errors.New("Certificate does not look like an Eccentric Authenticated client certificate. It has an empty Issuer.CommonName. We expect the fqdn of its FPCA.")
}
unb := unbound.New()
caCert, err = unb.GetCACert(issuer)
check(err)
log.Printf("Got certificate: Issuer: %#v\nand Subject: %#v", caCert.Issuer, caCert.Subject)
err = cl_cert.CheckSignatureFrom(caCert)
check(err) // TODO: give out neat error at validation failure, not a panic.
return caCert, nil
}
开发者ID:gwitmond,项目名称:eccentric-authentication,代码行数:31,代码来源:eccentric.go
示例2: CreateTLS
func CreateTLS() *tls.Config {
priv, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
log.Fatal("failed to generate private key:", err)
}
var notBefore time.Time
notBefore = time.Now()
notAfter := notBefore.Add(365 * 24 * time.Hour)
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
if err != nil {
log.Fatal("failed to generate serial number:", err)
}
template := x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{
Organization: []string{"Wago"},
},
NotBefore: notBefore,
NotAfter: notAfter,
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
}
hosts := []string{"127.0.0.1", "::1", "localhost"}
for _, h := range hosts {
if ip := net.ParseIP(h); ip != nil {
template.IPAddresses = append(template.IPAddresses, ip)
} else {
template.DNSNames = append(template.DNSNames, h)
}
}
template.IsCA = true
template.KeyUsage |= x509.KeyUsageCertSign
derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
if err != nil {
log.Fatal("Failed to create certificate:", err)
}
certPEMBlock := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
keyPEMBlock := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
cert, err := tls.X509KeyPair(certPEMBlock, keyPEMBlock)
if err != nil {
log.Fatal(err)
}
return &tls.Config{
Certificates: []tls.Certificate{cert},
}
}
开发者ID:JonahBraun,项目名称:sweetdrop,代码行数:60,代码来源:tls.go
示例3: NewS3Session
func NewS3Session(auth *aws.Auth, region aws.Region) *s3.S3 {
var s3Session *s3.S3
cert := x509.Certificate{}
// go's systemVerify panics with no verify options set
// TODO: EVG-483
if runtime.GOOS == "windows" {
s3Session = s3.New(*auth, region)
s3Session.ReadTimeout = S3ReadTimeout
s3Session.WriteTimeout = S3WriteTimeout
s3Session.ConnectTimeout = S3ConnectTimeout
return s3Session
}
// no verify options so system root ca will be used
_, err := cert.Verify(x509.VerifyOptions{})
rootsError := x509.SystemRootsError{}
if err != nil && err.Error() == rootsError.Error() {
// create a Transport which includes our TLSConfig with InsecureSkipVerify
// and client timeouts.
tlsConfig := tls.Config{InsecureSkipVerify: true}
tr := http.Transport{
TLSClientConfig: &tlsConfig}
// add the Transport to our http client
client := &http.Client{Transport: &tr}
s3Session = s3.New(*auth, region, client)
} else {
s3Session = s3.New(*auth, region)
}
s3Session.ReadTimeout = S3ReadTimeout
s3Session.WriteTimeout = S3WriteTimeout
s3Session.ConnectTimeout = S3ConnectTimeout
return s3Session
}
开发者ID:himanshugpt,项目名称:evergreen,代码行数:32,代码来源:s3.go
示例4: TestTLSConnection
func TestTLSConnection(t *testing.T) {
reactor := NewReactor()
client := reactor.CreateServer("local")
initialiseServerConnection(client)
// generate a test certificate to use
priv, _ := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
duration30Days, _ := time.ParseDuration("-30h")
notBefore := time.Now().Add(duration30Days) // valid 30 hours ago
duration1Year, _ := time.ParseDuration("90h")
notAfter := notBefore.Add(duration1Year) // for 90 hours
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, _ := rand.Int(rand.Reader, serialNumberLimit)
template := x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{
Organization: []string{"gIRC-Go Co"},
},
NotBefore: notBefore,
NotAfter: notAfter,
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
IsCA: true,
}
template.IPAddresses = append(template.IPAddresses, net.ParseIP("127.0.0.1"))
template.IPAddresses = append(template.IPAddresses, net.ParseIP("::"))
template.DNSNames = append(template.DNSNames, "localhost")
derBytes, _ := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
c := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
b, _ := x509.MarshalECPrivateKey(priv)
k := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: b})
// we mock up a server connection to test the client
listenerKeyPair, _ := tls.X509KeyPair(c, k)
var listenerTLSConfig tls.Config
listenerTLSConfig.Certificates = make([]tls.Certificate, 0)
listenerTLSConfig.Certificates = append(listenerTLSConfig.Certificates, listenerKeyPair)
listener, _ := tls.Listen("tcp", ":0", &listenerTLSConfig)
// mock up the client side too
clientTLSCertPool := x509.NewCertPool()
clientTLSCertPool.AppendCertsFromPEM(c)
var clientTLSConfig tls.Config
clientTLSConfig.RootCAs = clientTLSCertPool
clientTLSConfig.ServerName = "localhost"
go client.Connect(listener.Addr().String(), true, &clientTLSConfig)
go client.ReceiveLoop()
testServerConnection(t, reactor, client, listener)
}
开发者ID:DanielOaks,项目名称:girc-go,代码行数:60,代码来源:reactor_test.go
示例5: GenerateSelfSignedCert
// GenerateSelfSignedCert creates a self-signed certificate and key for the given host.
// Host may be an IP or a DNS name
// The certificate will be created with file mode 0644. The key will be created with file mode 0600.
// If the certificate or key files already exist, they will be overwritten.
// Any parent directories of the certPath or keyPath will be created as needed with file mode 0755.
func GenerateSelfSignedCert(host, certPath, keyPath string) error {
priv, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
return err
}
template := x509.Certificate{
SerialNumber: big.NewInt(1),
Subject: pkix.Name{
CommonName: fmt.Sprintf("%[email protected]%d", host, time.Now().Unix()),
},
NotBefore: time.Now(),
NotAfter: time.Now().Add(time.Hour * 24 * 365),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
}
if ip := net.ParseIP(host); ip != nil {
template.IPAddresses = append(template.IPAddresses, ip)
} else {
template.DNSNames = append(template.DNSNames, host)
}
derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
if err != nil {
return err
}
// Generate cert
certBuffer := bytes.Buffer{}
if err := pem.Encode(&certBuffer, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}); err != nil {
return err
}
// Generate key
keyBuffer := bytes.Buffer{}
if err := pem.Encode(&keyBuffer, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)}); err != nil {
return err
}
// Write cert
if err := os.MkdirAll(filepath.Dir(certPath), os.FileMode(0755)); err != nil {
return err
}
if err := ioutil.WriteFile(certPath, certBuffer.Bytes(), os.FileMode(0644)); err != nil {
return err
}
// Write key
if err := os.MkdirAll(filepath.Dir(keyPath), os.FileMode(0755)); err != nil {
return err
}
if err := ioutil.WriteFile(keyPath, keyBuffer.Bytes(), os.FileMode(0600)); err != nil {
return err
}
return nil
}
开发者ID:hortonworks,项目名称:kubernetes-yarn,代码行数:65,代码来源:crypto.go
示例6: Sign
// Sign signs a new certificate based on the PEM-encoded client
// certificate or certificate request with the signing profile, specified by profileName.
// The certificate will be valid for the host named in the hostName parameter.
func (s *Signer) Sign(hostName string, in []byte, profileName string) (cert []byte, err error) {
profile := s.Policy.Profiles[profileName]
block, _ := pem.Decode(in)
if block == nil {
return nil, cferr.New(cferr.CertificateError, cferr.DecodeFailed, err)
}
var template *x509.Certificate
switch block.Type {
case "CERTIFICATE":
template, err = helpers.ParseSelfSignedCertificatePEM(in)
case "CERTIFICATE REQUEST":
template, err = s.parseCertificateRequest(block.Bytes)
default:
return nil, cferr.New(cferr.CertificateError, cferr.ParseFailed, errors.New("Not a certificate or csr."))
}
if err != nil {
return
}
if ip := net.ParseIP(hostName); ip != nil {
template.IPAddresses = []net.IP{ip}
} else {
template.DNSNames = []string{hostName}
}
return s.sign(template, profile)
}
开发者ID:kalw,项目名称:cfssl,代码行数:31,代码来源:signer.go
示例7: fetchCertificateChain
func fetchCertificateChain(cl_cert *x509.Certificate, root *x509.Certificate) (chain []x509.Certificate, err error) {
// check if cl_cert is signed by Root
if cl_cert.Issuer.CommonName == root.Subject.CommonName {
// client cert is signed by Root, there are no (more) intermediaries. We're done.
chain = append(chain, *root)
return chain, nil
}
issuer := cl_cert.Issuer.CommonName
if issuer == "" {
// chain is empty at this point.
return chain, errors.New("Certificate does not look like an Eccentric Authenticated Intermediate certificate. It has an empty Issuer.CommonName. We expect the fqdn of its FPCA.")
}
unb := unbound.New()
caCert, err := unb.GetCACert(issuer)
check(err)
log.Printf("Got certificate: Issuer: %#v\nand Subject: %#v", caCert.Issuer, caCert.Subject)
// check if the signature matches
err = cl_cert.CheckSignatureFrom(caCert)
check(err) // TODO: give out neat error at validation failure, not a panic.
// recurse to get higher up the tree.
chain, err = FetchCertificateChain(caCert, root)
if err != nil {
return
} // empty, err
chain = append(chain, *caCert)
return // chain, nil
}
开发者ID:gwitmond,项目名称:eccentric-authentication,代码行数:30,代码来源:eccentric.go
示例8: GenerateServer
func (crtkit *CertKit) GenerateServer(subject pkix.Name, host, email string, NotBefore ...time.Time) error {
var e error
var derBytes []byte
var notBefore time.Time
priv, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
return errors.New(fmt.Sprintf("failed to generate private key: %s", err))
}
if len(NotBefore) > 0 {
notBefore = NotBefore[0]
} else {
notBefore = time.Now()
}
serialNumber, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
if err != nil {
return errors.New(fmt.Sprintf("failed to generate serial number: %s", err))
}
if host == "" {
host, _ = os.Hostname()
}
Goose.Generator.Logf(6, "Certificate authority used: %#v", crtkit.CACert)
template := x509.Certificate{
SerialNumber: serialNumber,
Subject: subject,
IsCA: false,
NotBefore: notBefore,
NotAfter: notBefore.Add(365 * 24 * time.Hour),
DNSNames: []string{host, strings.Split(host, ".")[0]},
AuthorityKeyId: crtkit.CACert.SubjectKeyId,
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
BasicConstraintsValid: true,
}
Goose.Generator.Logf(4, "X509 Template: %#v", template)
if crtkit.CACert.CRLDistributionPoints != nil {
template.CRLDistributionPoints = crtkit.CACert.CRLDistributionPoints
} else {
Goose.Generator.Logf(1, "Certificate authority without CRL distribution points")
}
crtkit.ServerKey = priv
crtkit.ServerCert = &template
derBytes, e = x509.CreateCertificate(rand.Reader, &template, crtkit.CACert, &priv.PublicKey, crtkit.CAKey)
if e != nil {
return errors.New(fmt.Sprintf("Failed to create certificate: %s", e))
}
Goose.Generator.Logf(4, "DER Certificate: %s", derBytes)
crtkit.ServerCertPem = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
crtkit.ServerKeyPem = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
Goose.Generator.Logf(4, "PEM Certificate: %s", crtkit.ServerCertPem)
return nil
}
开发者ID:luisfurquim,项目名称:stonelizard,代码行数:60,代码来源:gencert.go
示例9: upgradeCACertificate
// upgradeCACertificate upgrades a certificate to a self-signing CA certificate if the CN matches.
// Issue #108: Allow generated AWS API Gateway certs to be used for client cert authentication
func upgradeCACertificate(cert *x509.Certificate, caUpgradeCN string) {
if caUpgradeCN != "" && caUpgradeCN == cert.Issuer.CommonName {
cert.BasicConstraintsValid = true
cert.IsCA = true
cert.KeyUsage = x509.KeyUsageCertSign
log.Printf("[INFO] cert: Upgrading cert %s to CA cert", cert.Issuer.CommonName)
}
}
开发者ID:hilerchyn,项目名称:fabio,代码行数:10,代码来源:load.go
示例10: Certificate
func Certificate(host ...string) (tls.Certificate, error) {
priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
return tls.Certificate{}, err
}
notBefore := time.Now()
notAfter := notBefore.Add(time.Hour * 24 * 365)
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
if err != nil {
return tls.Certificate{}, err
}
template := x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{
Organization: []string{"Acme Co"},
},
NotBefore: notBefore,
NotAfter: notAfter,
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
}
for _, h := range host {
if ip := net.ParseIP(h); ip != nil {
template.IPAddresses = append(template.IPAddresses, ip)
} else {
template.DNSNames = append(template.DNSNames, h)
}
}
template.IsCA = true
template.KeyUsage |= x509.KeyUsageCertSign
derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
if err != nil {
return tls.Certificate{}, err
}
// create public key
certOut := bytes.NewBuffer(nil)
pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
// create private key
keyOut := bytes.NewBuffer(nil)
b, err := x509.MarshalECPrivateKey(priv)
if err != nil {
return tls.Certificate{}, err
}
pem.Encode(keyOut, &pem.Block{Type: "EC PRIVATE KEY", Bytes: b})
return tls.X509KeyPair(certOut.Bytes(), keyOut.Bytes())
}
开发者ID:micro,项目名称:misc,代码行数:58,代码来源:tls.go
示例11: generateRSACerts
// generateRSACerts generates a basic self signed certificate using a key length
// of rsaBits, valid for validFor time.
func generateRSACerts(host string, isCA bool, keyOut, certOut io.Writer) error {
if len(host) == 0 {
return fmt.Errorf("Require a non-empty host for client hello")
}
priv, err := rsa.GenerateKey(rand.Reader, rsaBits)
if err != nil {
return fmt.Errorf("Failed to generate key: %v", err)
}
notBefore := time.Now()
notAfter := notBefore.Add(validFor)
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
if err != nil {
return fmt.Errorf("failed to generate serial number: %s", err)
}
template := x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{
CommonName: "default",
Organization: []string{"Acme Co"},
},
NotBefore: notBefore,
NotAfter: notAfter,
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
}
hosts := strings.Split(host, ",")
for _, h := range hosts {
if ip := net.ParseIP(h); ip != nil {
template.IPAddresses = append(template.IPAddresses, ip)
} else {
template.DNSNames = append(template.DNSNames, h)
}
}
if isCA {
template.IsCA = true
template.KeyUsage |= x509.KeyUsageCertSign
}
derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
if err != nil {
return fmt.Errorf("Failed to create certificate: %s", err)
}
if err := pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}); err != nil {
return fmt.Errorf("Failed creating cert: %v", err)
}
if err := pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)}); err != nil {
return fmt.Errorf("Failed creating keay: %v", err)
}
return nil
}
开发者ID:jbeda,项目名称:kubernetes,代码行数:59,代码来源:ingress_utils.go
示例12: newCertificate
func (ca *CA) newCertificate(id string, pub *ecdsa.PublicKey, timestamp int64, opt ...pkix.Extension) ([]byte, error) {
Trace.Println("creating certificate for " + id)
notBefore := time.Now()
notAfter := notBefore.Add(time.Hour * 24 * 90)
isCA := ca.cert == nil
tmpl := x509.Certificate{
SerialNumber: big.NewInt(1),
Subject: pkix.Name{
CommonName: "OBC",
Organization: []string{"IBM"},
Country: []string{"US"},
},
NotBefore: notBefore,
NotAfter: notAfter,
SubjectKeyId: []byte{1, 2, 3, 4},
SignatureAlgorithm: x509.ECDSAWithSHA384,
KeyUsage: x509.KeyUsageDigitalSignature,
BasicConstraintsValid: true,
IsCA: isCA,
}
if len(opt) > 0 {
tmpl.Extensions = opt
tmpl.ExtraExtensions = opt
}
parent := ca.cert
if isCA {
parent = &tmpl
}
raw, err := x509.CreateCertificate(
rand.Reader,
&tmpl,
parent,
pub,
ca.priv,
)
if isCA && err != nil {
Panic.Panicln(err)
}
hash := sha3.New384()
hash.Write(raw)
if _, err = ca.db.Exec("INSERT INTO Certificates (id, timestamp, cert, hash) VALUES (?, ?, ?, ?)", id, timestamp, raw, hash.Sum(nil)); err != nil {
if isCA {
Panic.Panicln(err)
} else {
Error.Println(err)
}
}
return raw, err
}
开发者ID:masterDev1985,项目名称:obc-peer,代码行数:57,代码来源:ca.go
示例13: CreateGenericCRL
// CreateGenericCRL is a helper function that takes in all of the information above, and then calls the createCRL
// function. This outputs the bytes of the created CRL.
func CreateGenericCRL(certList []pkix.RevokedCertificate, key crypto.Signer, issuingCert *x509.Certificate, expiryTime time.Time) ([]byte, error) {
crlBytes, err := issuingCert.CreateCRL(rand.Reader, key, certList, time.Now(), expiryTime)
if err != nil {
log.Debug("error creating CRL: %s", err)
}
return crlBytes, err
}
开发者ID:nathany,项目名称:cfssl,代码行数:11,代码来源:crl.go
示例14: templateWithCA
func templateWithCA(template *x509.Certificate) *x509.Certificate {
template.IsCA = true
template.KeyUsage |= x509.KeyUsageCertSign
template.KeyUsage |= x509.KeyUsageKeyEncipherment
template.KeyUsage |= x509.KeyUsageKeyAgreement
template.ExtKeyUsage = nil
return template
}
开发者ID:vmware,项目名称:vic,代码行数:9,代码来源:certificate.go
示例15: TestCheckCert
func TestCheckCert(t *testing.T) {
testKey, _ := rsa.GenerateKey(rand.Reader, 1024)
checker := newChecker(nil)
fc := clock.NewFake()
fc.Add(time.Hour * 24 * 90)
checker.clock = fc
issued := checker.clock.Now().Add(-time.Hour * 24 * 45)
goodExpiry := issued.Add(checkPeriod)
serial := big.NewInt(1337)
// Problems
// Blacklsited common name
// Expiry period is too long
// Basic Constraints aren't set
// Wrong key usage (none)
rawCert := x509.Certificate{
Subject: pkix.Name{
CommonName: "example.com",
},
NotAfter: goodExpiry.AddDate(0, 0, 1), // Period too long
DNSNames: []string{"example-a.com"},
SerialNumber: serial,
BasicConstraintsValid: false,
}
brokenCertDer, err := x509.CreateCertificate(rand.Reader, &rawCert, &rawCert, &testKey.PublicKey, testKey)
test.AssertNotError(t, err, "Couldn't create certificate")
// Problems
// Digest doesn't match
// Serial doesn't match
// Expiry doesn't match
cert := core.Certificate{
Status: core.StatusValid,
DER: brokenCertDer,
Issued: issued,
Expires: goodExpiry.AddDate(0, 0, 2), // Expiration doesn't match
}
problems := checker.checkCert(cert)
test.AssertEquals(t, len(problems), 7)
// Fix the problems
rawCert.Subject.CommonName = "example-a.com"
rawCert.NotAfter = goodExpiry
rawCert.BasicConstraintsValid = true
rawCert.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
goodCertDer, err := x509.CreateCertificate(rand.Reader, &rawCert, &rawCert, &testKey.PublicKey, testKey)
test.AssertNotError(t, err, "Couldn't create certificate")
parsed, err := x509.ParseCertificate(goodCertDer)
test.AssertNotError(t, err, "Couldn't parse created certificate")
cert.Serial = core.SerialToString(serial)
cert.Digest = core.Fingerprint256(goodCertDer)
cert.DER = goodCertDer
cert.Expires = parsed.NotAfter
problems = checker.checkCert(cert)
test.AssertEquals(t, len(problems), 0)
}
开发者ID:devpaul,项目名称:boulder,代码行数:56,代码来源:main_test.go
示例16: generateCertificate
func generateCertificate(c certificateConfig) ([]byte, *rsa.PrivateKey, error) {
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
if err != nil {
return nil, nil, err
}
key, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
return nil, nil, err
}
// Generate the subject key ID
derEncodedPubKey, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
if err != nil {
return nil, nil, err
}
pubKeyHash := sha1.New()
pubKeyHash.Write(derEncodedPubKey)
template := x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{
Organization: []string{"Kubernetes"},
},
NotBefore: notBefore,
NotAfter: notAfter,
IsCA: c.isCA,
KeyUsage: c.keyUsage,
ExtKeyUsage: c.extKeyUsage,
BasicConstraintsValid: true,
SubjectKeyId: pubKeyHash.Sum(nil),
}
if c.hosts[0] != "" {
template.Subject.CommonName = c.hosts[0]
}
if c.isCA {
c.caCert = &template
c.caKey = key
}
for _, h := range c.hosts {
if ip := net.ParseIP(h); ip != nil {
template.IPAddresses = append(template.IPAddresses, ip)
} else {
template.DNSNames = append(template.DNSNames, h)
}
}
derBytes, err := x509.CreateCertificate(rand.Reader, &template, c.caCert, &key.PublicKey, c.caKey)
if err != nil {
return nil, nil, err
}
return derBytes, key, nil
}
开发者ID:GoogleCloudPlatform,项目名称:kubernetes-workshops,代码行数:56,代码来源:main.go
示例17: Verify
func Verify(options x509.VerifyOptions, cert *x509.Certificate) Result {
result := Result{Certificate: cert}
chains, err := cert.Verify(options)
result.Error = err
for _, chain := range chains {
result.Chains = append(result.Chains, CommonNamesFromChain(chain))
}
return result
}
开发者ID:spektroskop,项目名称:certutil,代码行数:10,代码来源:certutil.go
示例18: setHosts
// setHosts parses the comma separated host name / IP list and adds them to Subject Alternate Name list of a server/hosting certificate.
func setHosts(host string, cert *x509.Certificate) {
hosts := strings.Split(host, ",")
for _, h := range hosts {
if ip := net.ParseIP(h); ip != nil {
cert.IPAddresses = append(cert.IPAddresses, ip)
} else {
cert.DNSNames = append(cert.DNSNames, h)
}
}
}
开发者ID:neptulon,项目名称:ca,代码行数:11,代码来源:ca.go
示例19: GenerateTestCerts
// GenerateTestCerts generate certs for testing or hacking
func GenerateTestCerts() (*Certs, error) {
priv, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
return nil, err
}
notBefore := time.Now()
notAfter := notBefore.Add(365 * 24 * time.Hour)
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
if err != nil {
return nil, err
}
template := x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{
Organization: []string{"Acme Co"},
},
NotBefore: notBefore,
NotAfter: notAfter,
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
}
template.DNSNames = append(template.DNSNames, "example.com")
derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
if err != nil {
return nil, err
}
var cbuf bytes.Buffer
pem.Encode(&cbuf, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
var kbuf bytes.Buffer
pem.Encode(&kbuf, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
privateKey, err := crypto.ParseRSAPrivateKeyFromPEM(kbuf.Bytes())
if err != nil {
return nil, err
}
publicKey, err := crypto.ParseRSAPublicKeyFromPEM(cbuf.Bytes())
if err != nil {
return nil, err
}
return &Certs{PrivateKey: privateKey, PublicKey: publicKey}, nil
}
开发者ID:wolfeidau,项目名称:authinator,代码行数:56,代码来源:certs.go
示例20: GenerateSelfSignedCert
// You may also specify additional subject alt names (either ip or dns names) for the certificate
// The certificate will be created with file mode 0644. The key will be created with file mode 0600.
// If the certificate or key files already exist, they will be overwritten.
// Any parent directories of the certPath or keyPath will be created as needed with file mode 0755.
func GenerateSelfSignedCert(certPath, keyPath string, ips []net.IP, alternateDNS []string) error {
priv, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
return err
}
template := x509.Certificate{
SerialNumber: big.NewInt(1),
Subject: pkix.Name{
CommonName: "minishift",
},
NotBefore: time.Now(),
NotAfter: time.Now().Add(time.Hour * 24 * 365),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
BasicConstraintsValid: true,
IsCA: true,
}
template.IPAddresses = append(template.IPAddresses, ips...)
template.DNSNames = append(template.DNSNames, alternateDNS...)
derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
if err != nil {
return err
}
certBuffer := bytes.Buffer{}
if err := pem.Encode(&certBuffer, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}); err != nil {
return err
}
keyBuffer := bytes.Buffer{}
if err := pem.Encode(&keyBuffer, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)}); err != nil {
return err
}
if err := os.MkdirAll(filepath.Dir(certPath), os.FileMode(0755)); err != nil {
return err
}
if err := ioutil.WriteFile(certPath, certBuffer.Bytes(), os.FileMode(0644)); err != nil {
return err
}
if err := os.MkdirAll(filepath.Dir(keyPath), os.FileMode(0755)); err != nil {
return err
}
if err := ioutil.WriteFile(keyPath, keyBuffer.Bytes(), os.FileMode(0600)); err != nil {
return err
}
return nil
}
开发者ID:rawlingsj,项目名称:gofabric8,代码行数:58,代码来源:crypto.go
注:本文中的crypto/x509.Certificate类示例整理自Github/MSDocs等源码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。 |
请发表评论