The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/6361
This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === This adds a new function `GenCertWithCA()` which takes an additional `ca` argument. It's used to sign the generated certificate instead of creating a self-signed certificate. We'll be needing this for communicating with the future `lxd-agent`.
From 4f05de9f8445fed3c400d5b74aa9c4877d37180b Mon Sep 17 00:00:00 2001
From: Thomas Hipp <thomas.h...@canonical.com>
Date: Tue, 22 Oct 2019 09:28:48 +0200
Subject: [PATCH] shared: Create non-self-signed certificates

This adds a new function `GenCertWithCA()` which takes an additional `ca` argument. It's used to sign the generated certificate instead of creating a self-signed certificate.

Signed-off-by: Thomas Hipp <thomas.h...@canonical.com>
---
 shared/cert.go | 29 +++++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/shared/cert.go b/shared/cert.go
index b38fa93a67..8261a0be2b 100644
--- a/shared/cert.go
+++ b/shared/cert.go
@@ -225,8 +225,18 @@ func FindOrGenCert(certf string, keyf string, certtype bool) error {
 return nil
 }
 
+// GenCertWithCA will create and populate a certificate file and a key file
+// signed by the provided CA.
+func GenCertWithCA(certf string, keyf string, certtype bool, ca *x509.Certificate) error {
+ return genCert(certf, keyf, certtype, ca)
+}
+
 // GenCert will create and populate a certificate file and a key file
 func GenCert(certf string, keyf string, certtype bool) error {
+ return genCert(certf, keyf, certtype, nil)
+}
+
+func genCert(certf string, keyf string, certtype bool, ca *x509.Certificate) error {
 /* Create the basenames if needed */
 dir := path.Dir(certf)
 err := os.MkdirAll(dir, 0750)
@@ -239,7 +249,7 @@ func GenCert(certf string, keyf string, certtype bool) error {
 return err
 }
 
- certBytes, keyBytes, err := GenerateMemCert(certtype)
+ certBytes, keyBytes, err := generateMemCert(ca, certtype)
 if err != nil {
 return err
 }
@@ -260,9 +270,19 @@ func GenCert(certf string, keyf string, certtype bool) error {
 return nil
 }
 
+// GenerateMemCertWithCA creates client or server certificate and key pair,
+// signed by the provided ca, returning them as byte arrays in memory.
+func GenerateMemCertWithCA(ca *x509.Certificate, client bool) ([]byte, []byte, error) {
+ return generateMemCert(ca, client)
+}
+
 // GenerateMemCert creates client or server certificate and key pair,
 // returning them as byte arrays in memory.
 func GenerateMemCert(client bool) ([]byte, []byte, error) {
+ return generateMemCert(nil, client)
+}
+
+func generateMemCert(ca *x509.Certificate, client bool) ([]byte, []byte, error) {
 privk, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
 if err != nil {
 return nil, nil, fmt.Errorf("Failed to generate key: %v", err)
@@ -327,7 +347,12 @@ func GenerateMemCert(client bool) ([]byte, []byte, error) {
 }
 }
 
- derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &privk.PublicKey, privk)
+ parent := ca
+ if parent == nil {
+ parent = &template
+ }
+
+ derBytes, err := x509.CreateCertificate(rand.Reader, &template, parent, &privk.PublicKey, privk)
 if err != nil {
 return nil, nil, fmt.Errorf("Failed to create certificate: %v", err)
 }
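Review bot: In the last hunk, `x509.CreateCertificate(rand.Reader, &template, parent, &privk.PublicKey, privk)` still signs with the freshly generated leaf key `privk` even when `parent` is the supplied `ca`, so a certificate produced through the new `*WithCA` entry points names the CA as issuer but carries a signature that does not verify against the CA's public key (recent Go releases reject this key/parent mismatch inside CreateCertificate; older ones emit a certificate that simply fails chain validation). The CA's private key has to be threaded through: `generateMemCert`, `GenerateMemCertWithCA`, and `genCert`/`GenCertWithCA` in the earlier hunks each need a `caKey crypto.Signer` parameter next to `ca`, and the signer handed to CreateCertificate must be `caKey` whenever `ca != nil`, with an explicit error when `ca` is set but `caKey` is nil rather than silently falling back to self-signing. This also needs `crypto` added to the import block, which is outside these hunks. `generateMemCert`'s body begins in the previous hunk and its PEM encoding continues past this one.
```go
func generateMemCert(ca *x509.Certificate, caKey crypto.Signer, client bool) ([]byte, []byte, error) {
	// … unchanged: key generation and template setup …

	// A CA-issued certificate must be signed with the CA's key, not the
	// freshly generated leaf key; with no CA the certificate stays self-signed.
	parent := &template
	signer := crypto.Signer(privk)
	if ca != nil {
		if caKey == nil {
			return nil, nil, fmt.Errorf("Failed to create certificate: CA private key is required")
		}
		parent = ca
		signer = caKey
	}

	derBytes, err := x509.CreateCertificate(rand.Reader, &template, parent, &privk.PublicKey, signer)
	// … unchanged: error handling and PEM encoding …
```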