Archives
/
ncdns
mirror of https://github.com/namecoin/ncdns
2
0
Fork 0
Code Issues Projects Releases Wiki Activity

gofmt -s generate_nmc_cert/main.go

Browse Source
pull/46/head
JeremyRand 7 years ago
parent 53adb64d85
commit 1fb4007fa7
No known key found for this signature in database
GPG Key ID: B3F2D165786D6570
1 changed files with 32 additions and 32 deletions
Show Stats Download Patch File Download Diff File

64
generate_nmc_cert/main.go
Unescape Escape View File

@ -5,7 +5,7 @@
// Generate a self-signed X.509 certificate for a TLS server. Outputs to // Generate a self-signed X.509 certificate for a TLS server. Outputs to
// 'cert.pem' and 'key.pem' and will overwrite existing files. // 'cert.pem' and 'key.pem' and will overwrite existing files.
// This code has been modified from the stock Go code to generate // This code has been modified from the stock Go code to generate
// "dehydrated certificates", suitable for inclusion in a Namecoin name. // "dehydrated certificates", suitable for inclusion in a Namecoin name.
package main package main
@ -22,12 +22,12 @@ import (
"encoding/pem" "encoding/pem"
"flag" "flag"
"fmt" "fmt"
"github.com/namecoin/ncdns/certdehydrate"
"github.com/namecoin/ncdns/x509"
"log" "log"
"math/big" "math/big"
"os" "os"
"time" "time"
"github.com/namecoin/ncdns/certdehydrate"
"github.com/namecoin/ncdns/x509"
) )
var ( var (
@ -106,19 +106,19 @@ func main() {
fmt.Fprintf(os.Stderr, "Failed to parse creation date: %s\n", err) fmt.Fprintf(os.Stderr, "Failed to parse creation date: %s\n", err)
os.Exit(1) os.Exit(1)
} }
var notAfter time.Time var notAfter time.Time
notAfter, err = time.Parse("Jan 2 15:04:05 2006", *validTo) notAfter, err = time.Parse("Jan 2 15:04:05 2006", *validTo)
if err != nil { if err != nil {
fmt.Fprintf(os.Stderr, "Failed to parse expiry date: %s\n", err) fmt.Fprintf(os.Stderr, "Failed to parse expiry date: %s\n", err)
os.Exit(1) os.Exit(1)
} }
timestampPrecision := int64(5 * 60) timestampPrecision := int64(5 * 60)
notBeforeFloored := time.Unix( ( notBefore.Unix() / timestampPrecision ) * timestampPrecision, 0 ) notBeforeFloored := time.Unix((notBefore.Unix()/timestampPrecision)*timestampPrecision, 0)
notAfterFloored := time.Unix( ( notAfter.Unix() / timestampPrecision ) * timestampPrecision, 0 ) notAfterFloored := time.Unix((notAfter.Unix()/timestampPrecision)*timestampPrecision, 0)
// Serial components // Serial components
pubkeyBytes, err := x509.MarshalPKIXPublicKey(publicKey(priv)) pubkeyBytes, err := x509.MarshalPKIXPublicKey(publicKey(priv))
if err != nil { if err != nil {
@ -127,12 +127,12 @@ func main() {
pubkeyB64 := base64.StdEncoding.EncodeToString(pubkeyBytes) pubkeyB64 := base64.StdEncoding.EncodeToString(pubkeyBytes)
notBeforeScaled := notBeforeFloored.Unix() / timestampPrecision notBeforeScaled := notBeforeFloored.Unix() / timestampPrecision
notAfterScaled := notAfterFloored.Unix() / timestampPrecision notAfterScaled := notAfterFloored.Unix() / timestampPrecision
// Calculate serial // Calculate serial
serialDehydrated := certdehydrate.DehydratedCertificate { serialDehydrated := certdehydrate.DehydratedCertificate{
PubkeyB64: pubkeyB64, PubkeyB64: pubkeyB64,
NotBeforeScaled: notBeforeScaled, NotBeforeScaled: notBeforeScaled,
NotAfterScaled: notAfterScaled, NotAfterScaled: notAfterScaled,
} }
serialNumber := big.NewInt(1) serialNumber := big.NewInt(1)
serialNumberBytes, err := serialDehydrated.SerialNumber(*host) serialNumberBytes, err := serialDehydrated.SerialNumber(*host)
@ -144,7 +144,7 @@ func main() {
template := x509.Certificate{ template := x509.Certificate{
SerialNumber: serialNumber, SerialNumber: serialNumber,
Subject: pkix.Name{ Subject: pkix.Name{
CommonName: *host, CommonName: *host,
SerialNumber: "Namecoin TLS Certificate", SerialNumber: "Namecoin TLS Certificate",
}, },
NotBefore: notBeforeFloored, NotBefore: notBeforeFloored,
@ -152,7 +152,7 @@ func main() {
// x509.KeyUsageKeyEncipherment is used for RSA key exchange, but not DHE/ECDHE key exchange. Since everyone should be using ECDHE (due to forward secrecy), we disallow x509.KeyUsageKeyEncipherment in our template. // x509.KeyUsageKeyEncipherment is used for RSA key exchange, but not DHE/ECDHE key exchange. Since everyone should be using ECDHE (due to forward secrecy), we disallow x509.KeyUsageKeyEncipherment in our template.
//KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, //KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
KeyUsage: x509.KeyUsageDigitalSignature, KeyUsage: x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true, BasicConstraintsValid: true,
} }
@ -180,38 +180,38 @@ func main() {
pem.Encode(keyOut, pemBlockForKey(priv)) pem.Encode(keyOut, pemBlockForKey(priv))
keyOut.Close() keyOut.Close()
log.Print("written key.pem\n") log.Print("written key.pem\n")
parsedResult, err := x509.ParseCertificate(derBytes) parsedResult, err := x509.ParseCertificate(derBytes)
if err != nil { if err != nil {
log.Fatal("failed to parse output cert: ", err) log.Fatal("failed to parse output cert: ", err)
} }
dehydrated, err := certdehydrate.DehydrateCert(parsedResult) dehydrated, err := certdehydrate.DehydrateCert(parsedResult)
if err != nil { if err != nil {
log.Fatal("failed to dehydrate result cert: ", err) log.Fatal("failed to dehydrate result cert: ", err)
} }
rehydrated, err := certdehydrate.RehydrateCert(dehydrated) rehydrated, err := certdehydrate.RehydrateCert(dehydrated)
if err != nil { if err != nil {
log.Fatal("failed to rehydrate result cert: ", err) log.Fatal("failed to rehydrate result cert: ", err)
} }
rehydratedDerBytes, err := certdehydrate.FillRehydratedCertTemplate(*rehydrated, *host) rehydratedDerBytes, err := certdehydrate.FillRehydratedCertTemplate(*rehydrated, *host)
if err != nil { if err != nil {
log.Fatal("failed to fill rehydrated result cert: ", err) log.Fatal("failed to fill rehydrated result cert: ", err)
} }
if ! bytes.Equal(derBytes, rehydratedDerBytes) { if !bytes.Equal(derBytes, rehydratedDerBytes) {
log.Fatal("ERROR: The cert did not rehydrate to an identical form. This is a bug; do not use the generated certificate.") log.Fatal("ERROR: The cert did not rehydrate to an identical form. This is a bug; do not use the generated certificate.")
} }
log.Print("Your Namecoin cert is: {\"d8\":", dehydrated, "}") log.Print("Your Namecoin cert is: {\"d8\":", dehydrated, "}")
log.Print("SUCCESS: The cert rehydrated to an identical form. Place the generated files in your HTTPS server, and place the above JSON in the \"tls\" field for your Namecoin name."); log.Print("SUCCESS: The cert rehydrated to an identical form. Place the generated files in your HTTPS server, and place the above JSON in the \"tls\" field for your Namecoin name.")
if len(*falseHost) > 0 { if len(*falseHost) > 0 {
var falsePriv interface{} var falsePriv interface{}
switch *ecdsaCurve { switch *ecdsaCurve {
case "P224": case "P224":
falsePriv, err = ecdsa.GenerateKey(elliptic.P224(), rand.Reader) falsePriv, err = ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
@ -228,32 +228,32 @@ func main() {
if err != nil { if err != nil {
log.Fatalf("failed to generate false private key: %s", err) log.Fatalf("failed to generate false private key: %s", err)
} }
falseSerialNumber := big.NewInt(2) falseSerialNumber := big.NewInt(2)
falseTemplate := x509.Certificate{ falseTemplate := x509.Certificate{
SerialNumber: falseSerialNumber, SerialNumber: falseSerialNumber,
Subject: pkix.Name{ Subject: pkix.Name{
CommonName: *falseHost, CommonName: *falseHost,
SerialNumber: "Namecoin TLS Certificate", SerialNumber: "Namecoin TLS Certificate",
}, },
NotBefore: notBefore, NotBefore: notBefore,
NotAfter: notAfter, NotAfter: notAfter,
// x509.KeyUsageKeyEncipherment is used for RSA key exchange, but not DHE/ECDHE key exchange. Since everyone should be using ECDHE (due to forward secrecy), we disallow x509.KeyUsageKeyEncipherment in our template. // x509.KeyUsageKeyEncipherment is used for RSA key exchange, but not DHE/ECDHE key exchange. Since everyone should be using ECDHE (due to forward secrecy), we disallow x509.KeyUsageKeyEncipherment in our template.
//KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, //KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
KeyUsage: x509.KeyUsageDigitalSignature, KeyUsage: x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true, BasicConstraintsValid: true,
} }
falseTemplate.DNSNames = append(falseTemplate.DNSNames, *falseHost) falseTemplate.DNSNames = append(falseTemplate.DNSNames, *falseHost)
falseDerBytes, err := x509.CreateCertificate(rand.Reader, &falseTemplate, &template, publicKey(falsePriv), priv) falseDerBytes, err := x509.CreateCertificate(rand.Reader, &falseTemplate, &template, publicKey(falsePriv), priv)
if err != nil { if err != nil {
log.Fatalf("Failed to create false certificate: %s", err) log.Fatalf("Failed to create false certificate: %s", err)
} }
falseCertOut, err := os.Create("falseCert.pem") falseCertOut, err := os.Create("falseCert.pem")
if err != nil { if err != nil {
log.Fatalf("failed to open falseCert.pem for writing: %s", err) log.Fatalf("failed to open falseCert.pem for writing: %s", err)
@ -261,7 +261,7 @@ func main() {
pem.Encode(falseCertOut, &pem.Block{Type: "CERTIFICATE", Bytes: falseDerBytes}) pem.Encode(falseCertOut, &pem.Block{Type: "CERTIFICATE", Bytes: falseDerBytes})
falseCertOut.Close() falseCertOut.Close()
log.Print("written falseCert.pem\n") log.Print("written falseCert.pem\n")
falseKeyOut, err := os.OpenFile("falseKey.pem", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600) falseKeyOut, err := os.OpenFile("falseKey.pem", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
if err != nil { if err != nil {
log.Print("failed to open falseKey.pem for writing:", err) log.Print("failed to open falseKey.pem for writing:", err)

Write Preview
Loading…
Cancel
Save