76 lines
1.6 KiB
Go
76 lines
1.6 KiB
Go
package main
|
|
|
|
import (
|
|
"crypto/ecdsa"
|
|
"crypto/elliptic"
|
|
"crypto/rand"
|
|
"crypto/sha1"
|
|
"crypto/x509"
|
|
"crypto/x509/pkix"
|
|
"encoding/pem"
|
|
"math"
|
|
"math/big"
|
|
"time"
|
|
)
|
|
|
|
func main() {
|
|
err := innerMain()
|
|
if err == nil {
|
|
println("Success")
|
|
} else {
|
|
println("Error: ", err.Error())
|
|
}
|
|
}
|
|
|
|
func innerMain() error {
|
|
rootKey, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
rootCert, err := issueRootCertificate(&rootKey.PublicKey, rootKey)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
println(string(pem.EncodeToMemory(&pem.Block{
|
|
Type: "CERTIFICATE",
|
|
Bytes: rootCert,
|
|
})))
|
|
return nil
|
|
}
|
|
|
|
func issueRootCertificate(pubKey, parentPrivKey any) ([]byte, error) {
|
|
now := time.Now()
|
|
template := x509.Certificate{
|
|
SerialNumber: generateSerialNumber(),
|
|
Subject: pkix.Name{
|
|
CommonName: "Root CA",
|
|
},
|
|
NotBefore: now.UTC(),
|
|
NotAfter: now.AddDate(100, 0, 0).UTC(),
|
|
BasicConstraintsValid: true,
|
|
IsCA: true,
|
|
MaxPathLen: 10,
|
|
// MaxPathLenZero: true,
|
|
SubjectKeyId: getKeyId(pubKey),
|
|
KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
|
|
}
|
|
parentCert := &template
|
|
return x509.CreateCertificate(rand.Reader, &template, parentCert, pubKey, parentPrivKey)
|
|
}
|
|
|
|
func getKeyId(pubKey any) []byte {
|
|
pubKeyBytes, err := x509.MarshalPKIXPublicKey(pubKey)
|
|
if err != nil {
|
|
panic("Should not happen")
|
|
}
|
|
return sha1.New().Sum(pubKeyBytes)
|
|
}
|
|
|
|
func generateSerialNumber() *big.Int {
|
|
randInt, err := rand.Int(rand.Reader, big.NewInt(math.MaxInt64))
|
|
if err != nil {
|
|
panic("Should not happen")
|
|
}
|
|
return randInt
|
|
}
|