Implement creation of CACert

This commit is contained in:
Brian Picciano 2022-10-15 13:14:38 +02:00
parent 0e41a06121
commit 004be0c2aa


@ -4,6 +4,7 @@ package nebula
import ( import (
crypticnet "cryptic-net" crypticnet "cryptic-net"
"crypto/ed25519"
"crypto/rand" "crypto/rand"
"fmt" "fmt"
"io" "io"
@ -32,6 +33,13 @@ type HostCert struct {
HostCert []byte HostCert []byte
} }
// CACert contains the certificate and private files which can be used to create
// HostCerts. Each file is PEM encoded.
type CACert struct {
CACert []byte
CAKey []byte
}
// NewHostCert generates a new key/cert for a nebula host using the CA key // NewHostCert generates a new key/cert for a nebula host using the CA key
// which will be found in the adminFS. // which will be found in the adminFS.
func NewHostCert( func NewHostCert(
@ -123,3 +131,42 @@ func NewHostCert(
HostCert: hostCrtPEM, HostCert: hostCrtPEM,
}, nil }, nil
} }
// NewCACert generates a CACert. The domain should be the network's root domain,
// and is included in the signing certificate's Name field.
func NewCACert(domain string) (CACert, error) {
pubKey, privKey, err := ed25519.GenerateKey(rand.Reader)
if err != nil {
panic(fmt.Errorf("generating ed25519 key: %w", err))
}
now := time.Now()
expireAt := now.Add(2 * 365 * 24 * time.Hour)
caCrt := cert.NebulaCertificate{
Details: cert.NebulaCertificateDetails{
Name: fmt.Sprintf("%s cryptic-net root cert", domain),
NotBefore: now,
NotAfter: expireAt,
PublicKey: pubKey,
IsCA: true,
},
}
if err := caCrt.Sign(privKey); err != nil {
return CACert{}, fmt.Errorf("signing caCrt: %w", err)
}
caKeyPEM := cert.MarshalEd25519PrivateKey(privKey)
caCrtPem, err := caCrt.MarshalToPEM()
if err != nil {
return CACert{}, fmt.Errorf("marshaling caCrt: %w", err)
}
return CACert{
CACert: caCrtPem,
CAKey: caKeyPEM,
}, nil
}
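Review bot: NewCACert panics when ed25519.GenerateKey fails, even though the function has an error return and every later failure in the same body (Sign, MarshalToPEM) is returned to the caller; replace the panic with `return CACert{}, fmt.Errorf("generating ed25519 key: %w", err)` so an unavailable entropy source surfaces as an ordinary error instead of crashing the process. The two-year validity is written inline as `2 * 365 * 24 * time.Hour`; a named constant such as `caCertLifetime` next to the CACert type would make the expiry policy visible and easier to audit. NotBefore is set to the current instant, so a host whose clock is slightly behind the machine that generated the CA may reject the certificate until the clocks converge — if that is a concern here, backdating NotBefore by a small margin is the usual remedy. The import hunk shows only `"crypto/ed25519"` being added, so `time` and the `cert` package are presumably already imported for NewHostCert, whose body lies outside the hunk.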