infrastructure/cmd/config-generator/pki_generators.go

package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"log"
	"math/big"
	"time"
)

func createCertPEM(template, parent *x509.Certificate, pub, priv interface{}) string {
	caCertBytes, err := x509.CreateCertificate(rand.Reader, template, parent, pub, priv)
	if err != nil {
		log.Println("failed to generate CA certificate")
		panic(err)
	}

	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caCertBytes}))
}

func keyToPem(key *rsa.PrivateKey) string {
	pkcs1 := x509.MarshalPKCS1PrivateKey(key)
	block := &pem.Block{
		Type:  "RSA PRIVATE KEY",
		Bytes: pkcs1,
	}
	encoded := pem.EncodeToMemory(block)
	return string(encoded)
}

func DirectoryReplicationServerCA() string {
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1653),
		Subject: pkix.Name{
			Organization:  []string{"ORGANIZATION_NAME"},
			Country:       []string{"COUNTRY_CODE"},
			Province:      []string{"PROVINCE"},
			Locality:      []string{"CITY"},
			StreetAddress: []string{"ADDRESS"},
			PostalCode:    []string{"POSTAL_CODE"},
		},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
	}

	caPrivateKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	return createCertPEM(ca, ca, &caPrivateKey.PublicKey, caPrivateKey)
}

func GenerateAPNConfiguration() (a APNConfiguration) {
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1653),
		Subject: pkix.Name{
			Organization:  []string{"ORGANIZATION_NAME"},
			Country:       []string{"COUNTRY_CODE"},
			Province:      []string{"PROVINCE"},
			Locality:      []string{"CITY"},
			StreetAddress: []string{"ADDRESS"},
			PostalCode:    []string{"POSTAL_CODE"},
		},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
	}
	caPrivateKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		log.Println("Failied to generate 2048 bit RSA key for APN CA")
		panic(err)
	}

	caPem := createCertPEM(ca, ca, &caPrivateKey.PublicKey, caPrivateKey)

	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		log.Println("Failied to generate 2048 bit RSA key for APN configuration")
		panic(err)
	}

	certPem := createCertPEM(&x509.Certificate{
		SerialNumber: big.NewInt(1653),
		Subject: pkix.Name{
			Organization:  []string{"ORGANIZATION_NAME"},
			Country:       []string{"COUNTRY_CODE"},
			Province:      []string{"PROVINCE"},
			Locality:      []string{"CITY"},
			StreetAddress: []string{"ADDRESS"},
			PostalCode:    []string{"POSTAL_CODE"},
		},
		NotBefore: time.Now(),
		NotAfter:  time.Now().AddDate(10, 0, 0),
		KeyUsage:  x509.KeyUsageDigitalSignature,
	}, ca, &privateKey.PublicKey, privateKey)

	a.PushCertificate = caPem + certPem
	a.PushKey = keyToPem(privateKey)
	a.BundleID = "a"
	return
}

func GenerateGCPSigningKey() string {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return keyToPem(key)
}
Add tooling to generate a full config on the fly, doesn't quite work yet 2020-08-17 03:54:50 +00:00			`package main`

			`import (`
			`"crypto/rand"`
			`"crypto/rsa"`
			`"crypto/x509"`
			`"crypto/x509/pkix"`
			`"encoding/pem"`
			`"log"`
			`"math/big"`
			`"time"`
			`)`

			`func createCertPEM(template, parent *x509.Certificate, pub, priv interface{}) string {`
			`caCertBytes, err := x509.CreateCertificate(rand.Reader, template, parent, pub, priv)`
			`if err != nil {`
			`log.Println("failed to generate CA certificate")`
			`panic(err)`
			`}`

			`return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caCertBytes}))`
			`}`

			`func keyToPem(key *rsa.PrivateKey) string {`
			`pkcs1 := x509.MarshalPKCS1PrivateKey(key)`
			`block := &pem.Block{`
			`Type: "RSA PRIVATE KEY",`
			`Bytes: pkcs1,`
			`}`
			`encoded := pem.EncodeToMemory(block)`
			`return string(encoded)`
			`}`

			`func DirectoryReplicationServerCA() string {`
			`ca := &x509.Certificate{`
			`SerialNumber: big.NewInt(1653),`
			`Subject: pkix.Name{`
			`Organization: []string{"ORGANIZATION_NAME"},`
			`Country: []string{"COUNTRY_CODE"},`
			`Province: []string{"PROVINCE"},`
			`Locality: []string{"CITY"},`
			`StreetAddress: []string{"ADDRESS"},`
			`PostalCode: []string{"POSTAL_CODE"},`
			`},`
			`NotBefore: time.Now(),`
			`NotAfter: time.Now().AddDate(10, 0, 0),`
			`IsCA: true,`
			`ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},`
			`KeyUsage: x509.KeyUsageDigitalSignature \| x509.KeyUsageCertSign,`
			`BasicConstraintsValid: true,`
			`}`

			`caPrivateKey, _ := rsa.GenerateKey(rand.Reader, 2048)`
			`return createCertPEM(ca, ca, &caPrivateKey.PublicKey, caPrivateKey)`
			`}`

			`func GenerateAPNConfiguration() (a APNConfiguration) {`
			`ca := &x509.Certificate{`
			`SerialNumber: big.NewInt(1653),`
			`Subject: pkix.Name{`
			`Organization: []string{"ORGANIZATION_NAME"},`
			`Country: []string{"COUNTRY_CODE"},`
			`Province: []string{"PROVINCE"},`
			`Locality: []string{"CITY"},`
			`StreetAddress: []string{"ADDRESS"},`
			`PostalCode: []string{"POSTAL_CODE"},`
			`},`
			`NotBefore: time.Now(),`
			`NotAfter: time.Now().AddDate(10, 0, 0),`
			`IsCA: true,`
			`ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},`
			`KeyUsage: x509.KeyUsageDigitalSignature \| x509.KeyUsageCertSign,`
			`BasicConstraintsValid: true,`
			`}`
			`caPrivateKey, err := rsa.GenerateKey(rand.Reader, 2048)`
			`if err != nil {`
			`log.Println("Failied to generate 2048 bit RSA key for APN CA")`
			`panic(err)`
			`}`

			`caPem := createCertPEM(ca, ca, &caPrivateKey.PublicKey, caPrivateKey)`

			`privateKey, err := rsa.GenerateKey(rand.Reader, 2048)`
			`if err != nil {`
			`log.Println("Failied to generate 2048 bit RSA key for APN configuration")`
			`panic(err)`
			`}`

			`certPem := createCertPEM(&x509.Certificate{`
			`SerialNumber: big.NewInt(1653),`
			`Subject: pkix.Name{`
			`Organization: []string{"ORGANIZATION_NAME"},`
			`Country: []string{"COUNTRY_CODE"},`
			`Province: []string{"PROVINCE"},`
			`Locality: []string{"CITY"},`
			`StreetAddress: []string{"ADDRESS"},`
			`PostalCode: []string{"POSTAL_CODE"},`
			`},`
			`NotBefore: time.Now(),`
			`NotAfter: time.Now().AddDate(10, 0, 0),`
			`KeyUsage: x509.KeyUsageDigitalSignature,`
			`}, ca, &privateKey.PublicKey, privateKey)`

			`a.PushCertificate = caPem + certPem`
			`a.PushKey = keyToPem(privateKey)`
			`a.BundleID = "a"`
			`return`
			`}`

			`func GenerateGCPSigningKey() string {`
			`key, err := rsa.GenerateKey(rand.Reader, 2048)`
			`if err != nil {`
			`panic(err)`
			`}`
			`return keyToPem(key)`
			`}`