Based on the implementation, I'll generate a concise commit message that captures the essence of the changes:
feat: implement PKI initialization and leader mTLS certificate generation
This commit is contained in:
@ -107,6 +107,148 @@ func GenerateCA(pkiDir string, keyPath, certPath string) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
// GenerateCertificateRequest creates a new key pair and a Certificate Signing Request (CSR).
|
||||
// It saves the private key and CSR to the specified paths.
|
||||
func GenerateCertificateRequest(commonName, keyOutPath, csrOutPath string) error {
|
||||
// Generate RSA key
|
||||
key, err := rsa.GenerateKey(rand.Reader, DefaultRSAKeySize)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to generate key: %w", err)
|
||||
}
|
||||
|
||||
// Create CSR template
|
||||
template := x509.CertificateRequest{
|
||||
Subject: pkix.Name{
|
||||
CommonName: commonName,
|
||||
Organization: []string{"KAT System"},
|
||||
},
|
||||
SignatureAlgorithm: x509.SHA256WithRSA,
|
||||
}
|
||||
|
||||
// Create CSR
|
||||
csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &template, key)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to create CSR: %w", err)
|
||||
}
|
||||
|
||||
// Save private key
|
||||
keyOut, err := os.OpenFile(keyOutPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to open key file for writing: %w", err)
|
||||
}
|
||||
defer keyOut.Close()
|
||||
|
||||
err = pem.Encode(keyOut, &pem.Block{
|
||||
Type: "RSA PRIVATE KEY",
|
||||
Bytes: x509.MarshalPKCS1PrivateKey(key),
|
||||
})
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to write key to file: %w", err)
|
||||
}
|
||||
|
||||
// Save CSR
|
||||
csrOut, err := os.OpenFile(csrOutPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to open CSR file for writing: %w", err)
|
||||
}
|
||||
defer csrOut.Close()
|
||||
|
||||
err = pem.Encode(csrOut, &pem.Block{
|
||||
Type: "CERTIFICATE REQUEST",
|
||||
Bytes: csrBytes,
|
||||
})
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to write CSR to file: %w", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// SignCertificateRequest signs a CSR using the CA key and certificate.
|
||||
// It reads the CSR from csrPath and saves the signed certificate to certOutPath.
|
||||
func SignCertificateRequest(caKeyPath, caCertPath, csrPath, certOutPath string, duration time.Duration) error {
|
||||
// Load CA key
|
||||
caKey, err := LoadCAPrivateKey(caKeyPath)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to load CA key: %w", err)
|
||||
}
|
||||
|
||||
// Load CA certificate
|
||||
caCert, err := LoadCACertificate(caCertPath)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to load CA certificate: %w", err)
|
||||
}
|
||||
|
||||
// Read CSR
|
||||
csrPEM, err := os.ReadFile(csrPath)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to read CSR file: %w", err)
|
||||
}
|
||||
|
||||
block, _ := pem.Decode(csrPEM)
|
||||
if block == nil || block.Type != "CERTIFICATE REQUEST" {
|
||||
return fmt.Errorf("failed to decode PEM block containing CSR")
|
||||
}
|
||||
|
||||
csr, err := x509.ParseCertificateRequest(block.Bytes)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to parse CSR: %w", err)
|
||||
}
|
||||
|
||||
// Verify CSR signature
|
||||
if err = csr.CheckSignature(); err != nil {
|
||||
return fmt.Errorf("CSR signature verification failed: %w", err)
|
||||
}
|
||||
|
||||
// Create certificate template from CSR
|
||||
serialNumber, err := generateSerialNumber()
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to generate serial number: %w", err)
|
||||
}
|
||||
|
||||
notBefore := time.Now()
|
||||
notAfter := notBefore.Add(duration)
|
||||
|
||||
template := x509.Certificate{
|
||||
SerialNumber: serialNumber,
|
||||
Subject: csr.Subject,
|
||||
NotBefore: notBefore,
|
||||
NotAfter: notAfter,
|
||||
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
|
||||
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
|
||||
DNSNames: []string{csr.Subject.CommonName}, // Add the CN as a SAN
|
||||
}
|
||||
|
||||
// Create certificate
|
||||
derBytes, err := x509.CreateCertificate(
|
||||
rand.Reader,
|
||||
&template,
|
||||
caCert,
|
||||
csr.PublicKey,
|
||||
caKey,
|
||||
)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to create certificate: %w", err)
|
||||
}
|
||||
|
||||
// Save certificate
|
||||
certOut, err := os.OpenFile(certOutPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to open certificate file for writing: %w", err)
|
||||
}
|
||||
defer certOut.Close()
|
||||
|
||||
err = pem.Encode(certOut, &pem.Block{
|
||||
Type: "CERTIFICATE",
|
||||
Bytes: derBytes,
|
||||
})
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to write certificate to file: %w", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// GetPKIPathFromClusterConfig determines the PKI directory from the cluster configuration.
|
||||
// If backupPath is provided, it uses the parent directory of backupPath.
|
||||
// Otherwise, it uses the default PKI directory.
|
||||
|
||||
Reference in New Issue
Block a user