Based on the implementation, I'll generate a concise commit message that captures the essence of the changes:
feat: implement PKI initialization and leader mTLS certificate generation
This commit is contained in:
		| @ -107,6 +107,148 @@ func GenerateCA(pkiDir string, keyPath, certPath string) error { | ||||
| 	return nil | ||||
| } | ||||
|  | ||||
| // GenerateCertificateRequest creates a new key pair and a Certificate Signing Request (CSR). | ||||
| // It saves the private key and CSR to the specified paths. | ||||
| func GenerateCertificateRequest(commonName, keyOutPath, csrOutPath string) error { | ||||
| 	// Generate RSA key | ||||
| 	key, err := rsa.GenerateKey(rand.Reader, DefaultRSAKeySize) | ||||
| 	if err != nil { | ||||
| 		return fmt.Errorf("failed to generate key: %w", err) | ||||
| 	} | ||||
|  | ||||
| 	// Create CSR template | ||||
| 	template := x509.CertificateRequest{ | ||||
| 		Subject: pkix.Name{ | ||||
| 			CommonName:   commonName, | ||||
| 			Organization: []string{"KAT System"}, | ||||
| 		}, | ||||
| 		SignatureAlgorithm: x509.SHA256WithRSA, | ||||
| 	} | ||||
|  | ||||
| 	// Create CSR | ||||
| 	csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &template, key) | ||||
| 	if err != nil { | ||||
| 		return fmt.Errorf("failed to create CSR: %w", err) | ||||
| 	} | ||||
|  | ||||
| 	// Save private key | ||||
| 	keyOut, err := os.OpenFile(keyOutPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600) | ||||
| 	if err != nil { | ||||
| 		return fmt.Errorf("failed to open key file for writing: %w", err) | ||||
| 	} | ||||
| 	defer keyOut.Close() | ||||
|  | ||||
| 	err = pem.Encode(keyOut, &pem.Block{ | ||||
| 		Type:  "RSA PRIVATE KEY", | ||||
| 		Bytes: x509.MarshalPKCS1PrivateKey(key), | ||||
| 	}) | ||||
| 	if err != nil { | ||||
| 		return fmt.Errorf("failed to write key to file: %w", err) | ||||
| 	} | ||||
|  | ||||
| 	// Save CSR | ||||
| 	csrOut, err := os.OpenFile(csrOutPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644) | ||||
| 	if err != nil { | ||||
| 		return fmt.Errorf("failed to open CSR file for writing: %w", err) | ||||
| 	} | ||||
| 	defer csrOut.Close() | ||||
|  | ||||
| 	err = pem.Encode(csrOut, &pem.Block{ | ||||
| 		Type:  "CERTIFICATE REQUEST", | ||||
| 		Bytes: csrBytes, | ||||
| 	}) | ||||
| 	if err != nil { | ||||
| 		return fmt.Errorf("failed to write CSR to file: %w", err) | ||||
| 	} | ||||
|  | ||||
| 	return nil | ||||
| } | ||||
|  | ||||
| // SignCertificateRequest signs a CSR using the CA key and certificate. | ||||
| // It reads the CSR from csrPath and saves the signed certificate to certOutPath. | ||||
| func SignCertificateRequest(caKeyPath, caCertPath, csrPath, certOutPath string, duration time.Duration) error { | ||||
| 	// Load CA key | ||||
| 	caKey, err := LoadCAPrivateKey(caKeyPath) | ||||
| 	if err != nil { | ||||
| 		return fmt.Errorf("failed to load CA key: %w", err) | ||||
| 	} | ||||
|  | ||||
| 	// Load CA certificate | ||||
| 	caCert, err := LoadCACertificate(caCertPath) | ||||
| 	if err != nil { | ||||
| 		return fmt.Errorf("failed to load CA certificate: %w", err) | ||||
| 	} | ||||
|  | ||||
| 	// Read CSR | ||||
| 	csrPEM, err := os.ReadFile(csrPath) | ||||
| 	if err != nil { | ||||
| 		return fmt.Errorf("failed to read CSR file: %w", err) | ||||
| 	} | ||||
|  | ||||
| 	block, _ := pem.Decode(csrPEM) | ||||
| 	if block == nil || block.Type != "CERTIFICATE REQUEST" { | ||||
| 		return fmt.Errorf("failed to decode PEM block containing CSR") | ||||
| 	} | ||||
|  | ||||
| 	csr, err := x509.ParseCertificateRequest(block.Bytes) | ||||
| 	if err != nil { | ||||
| 		return fmt.Errorf("failed to parse CSR: %w", err) | ||||
| 	} | ||||
|  | ||||
| 	// Verify CSR signature | ||||
| 	if err = csr.CheckSignature(); err != nil { | ||||
| 		return fmt.Errorf("CSR signature verification failed: %w", err) | ||||
| 	} | ||||
|  | ||||
| 	// Create certificate template from CSR | ||||
| 	serialNumber, err := generateSerialNumber() | ||||
| 	if err != nil { | ||||
| 		return fmt.Errorf("failed to generate serial number: %w", err) | ||||
| 	} | ||||
|  | ||||
| 	notBefore := time.Now() | ||||
| 	notAfter := notBefore.Add(duration) | ||||
|  | ||||
| 	template := x509.Certificate{ | ||||
| 		SerialNumber: serialNumber, | ||||
| 		Subject:      csr.Subject, | ||||
| 		NotBefore:    notBefore, | ||||
| 		NotAfter:     notAfter, | ||||
| 		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, | ||||
| 		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, | ||||
| 		DNSNames:     []string{csr.Subject.CommonName}, // Add the CN as a SAN | ||||
| 	} | ||||
|  | ||||
| 	// Create certificate | ||||
| 	derBytes, err := x509.CreateCertificate( | ||||
| 		rand.Reader, | ||||
| 		&template, | ||||
| 		caCert, | ||||
| 		csr.PublicKey, | ||||
| 		caKey, | ||||
| 	) | ||||
| 	if err != nil { | ||||
| 		return fmt.Errorf("failed to create certificate: %w", err) | ||||
| 	} | ||||
|  | ||||
| 	// Save certificate | ||||
| 	certOut, err := os.OpenFile(certOutPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644) | ||||
| 	if err != nil { | ||||
| 		return fmt.Errorf("failed to open certificate file for writing: %w", err) | ||||
| 	} | ||||
| 	defer certOut.Close() | ||||
|  | ||||
| 	err = pem.Encode(certOut, &pem.Block{ | ||||
| 		Type:  "CERTIFICATE", | ||||
| 		Bytes: derBytes, | ||||
| 	}) | ||||
| 	if err != nil { | ||||
| 		return fmt.Errorf("failed to write certificate to file: %w", err) | ||||
| 	} | ||||
|  | ||||
| 	return nil | ||||
| } | ||||
|  | ||||
| // GetPKIPathFromClusterConfig determines the PKI directory from the cluster configuration. | ||||
| // If backupPath is provided, it uses the parent directory of backupPath. | ||||
| // Otherwise, it uses the default PKI directory. | ||||
|  | ||||
		Reference in New Issue
	
	Block a user