// Copyright 2009 The Go Authors, 2015-2016 Jeremy Rand. All rights reserved.
// Copyright 2009 The Go Authors. All rights reserved.
// Dehydrated certificate modifications Copyright 2015-2017 Jeremy Rand. All
// rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// Generate a self-signed X.509 certificate for a TLS server. Outputs to
// 'cert.pem' and 'key.pem' and will overwrite existing files.
// This code has been modified from the stock Go code to generate
// "dehydrated certificates", suitable for inclusion in a Namecoin name.
// Last rebased against Go 1.8.3.
// Future rebases need to rebase both the main flow and the falseHost flow.
packagemain
import(
@ -26,14 +32,18 @@ import (
"github.com/namecoin/ncdns/x509"
"log"
"math/big"
//"net"
"os"
//"strings"
"time"
)
var(
host=flag.String("host","","Hostname to generate a certificate for (only use one)")
validFrom=flag.String("start-date","","Creation date formatted as Jan 1 15:04:05 2011")
validTo=flag.String("end-date","","End date formatted as Jan 1 15:04:05 2011")
validFor=flag.Duration("duration",365*24*time.Hour,"Duration that certificate is valid for")
//isCA = flag.Bool("ca", false, "whether this cert should be its own Certificate Authority")
//rsaBits = flag.Int("rsa-bits", 2048, "Size of RSA key to generate. Ignored if --ecdsa-curve is set")
ecdsaCurve=flag.String("ecdsa-curve","","ECDSA curve to use to generate a key. Valid values are P224, P256, P384, P521")
falseHost=flag.String("false-host","","(Optional) Generate a false cert for this host; used to test x.509 implementations for safety regarding handling of the CA flag and KeyUsage")
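Review bot: The `-host` help text on the `host` flag says "(only use one)" but nothing in this hunk enforces it, and with the `"strings"` import commented out the stock comma-splitting is presumably gone, so a value like `a.bit,b.bit` would land verbatim in the CommonName (set from `*host` in the next hunk) and likely the SAN instead of being rejected. Because this certificate is meant to be published in a Namecoin name, a silently malformed host is worth failing loudly on: restore `"strings"` in the import block and, after flag parsing, add `if strings.Contains(*host, ",") { log.Fatalf("-host takes a single hostname, got %q", *host) }`. The flag-parsing code is outside this hunk, so the exact placement is inferred. Separately, with `rsa-bits` commented out the empty default for `-ecdsa-curve` no longer obviously selects a key type; either state in the help text what the empty value does or default it to a concrete curve such as `"P256"`.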
log.Fatalf("Error calculating serial number: %s",err)
log.Fatalf("failed to generate serial number: %s",err)
}
serialNumber.SetBytes(serialNumberBytes)
template:=x509.Certificate{
SerialNumber:serialNumber,
Subject:pkix.Name{
//Organization: []string{"Acme Co"},
CommonName:*host,
SerialNumber:"Namecoin TLS Certificate",
},
//NotBefore: notBefore,
NotBefore:notBeforeFloored,
//NotAfter: notAfter,
NotAfter:notAfterFloored,
// x509.KeyUsageKeyEncipherment is used for RSA key exchange, but not DHE/ECDHE key exchange. Since everyone should be using ECDHE (due to forward secrecy), we disallow x509.KeyUsageKeyEncipherment in our template.
// x509.KeyUsageKeyEncipherment is used for RSA key exchange,
// but not DHE/ECDHE key exchange. Since everyone should be
// using ECDHE (due to forward secrecy), we disallow
// x509.KeyUsageKeyEncipherment is used for RSA key exchange, but not DHE/ECDHE key exchange. Since everyone should be using ECDHE (due to forward secrecy), we disallow x509.KeyUsageKeyEncipherment in our template.
// x509.KeyUsageKeyEncipherment is used for RSA key exchange,
// but not DHE/ECDHE key exchange. Since everyone should be
// using ECDHE (due to forward secrecy), we disallow