Skip to content

Commit

Permalink
Add support for certificate signing requests with -csr
Browse files Browse the repository at this point in the history
Closes #55
  • Loading branch information
FiloSottile committed Feb 2, 2019
1 parent 592400a commit 99e15e2
Show file tree
Hide file tree
Showing 3 changed files with 102 additions and 19 deletions.
4 changes: 4 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -136,6 +136,10 @@ To only install the local root CA into a subset of them, you can set the `TRUST_
-pkcs12
Generate a ".p12" PKCS #12 file, also know as a ".pfx" file,
containing certificate and key for legacy applications.
-csr CSR
Generate a certificate based on the supplied CSR. Conflicts with
all other flags and arguments except -install and -cert-file.
```

### Mobile devices
Expand Down
98 changes: 80 additions & 18 deletions cert.go
Original file line number Diff line number Diff line change
Expand Up @@ -51,12 +51,8 @@ func (m *mkcert) makeCert(hosts []string) {
fatalIfErr(err, "failed to generate certificate key")
pub := priv.(crypto.Signer).Public()

serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
fatalIfErr(err, "failed to generate serial number")

tpl := &x509.Certificate{
SerialNumber: serialNumber,
SerialNumber: randomSerialNumber(),
Subject: pkix.Name{
Organization: []string{"mkcert development certificate"},
OrganizationalUnit: []string{userAndHostname},
Expand Down Expand Up @@ -100,7 +96,7 @@ func (m *mkcert) makeCert(hosts []string) {

err = ioutil.WriteFile(certFile, pem.EncodeToMemory(
&pem.Block{Type: "CERTIFICATE", Bytes: cert}), 0644)
fatalIfErr(err, "failed to save certificate key")
fatalIfErr(err, "failed to save certificate")
} else {
domainCert, _ := x509.ParseCertificate(cert)
pfxData, err := pkcs12.Encode(rand.Reader, priv, domainCert, []*x509.Certificate{m.caCert}, "changeit")
Expand All @@ -109,6 +105,17 @@ func (m *mkcert) makeCert(hosts []string) {
fatalIfErr(err, "failed to save PKCS#12")
}

m.printHosts(hosts)

if !m.pkcs12 {
log.Printf("\nThe certificate is at \"%s\" and the key at \"%s\"\n\n", certFile, keyFile)
} else {
log.Printf("\nThe PKCS#12 bundle is at \"%s\"\n", p12File)
log.Printf("\nThe legacy PKCS#12 encryption password is the often hardcoded default \"changeit\" ℹ️\n\n")
}
}

func (m *mkcert) printHosts(hosts []string) {
secondLvlWildcardRegexp := regexp.MustCompile(`(?i)^\*\.[0-9a-z_-]+$`)
log.Printf("\nCreated a new certificate valid for the following names 📜")
for _, h := range hosts {
Expand All @@ -124,13 +131,6 @@ func (m *mkcert) makeCert(hosts []string) {
break
}
}

if !m.pkcs12 {
log.Printf("\nThe certificate is at \"%s\" and the key at \"%s\"\n\n", certFile, keyFile)
} else {
log.Printf("\nThe PKCS#12 bundle is at \"%s\"\n", p12File)
log.Printf("\nThe legacy PKCS#12 encryption password is the often hardcoded default \"changeit\" ℹ️\n\n")
}
}

func (m *mkcert) generateKey(rootCA bool) (crypto.PrivateKey, error) {
Expand Down Expand Up @@ -166,6 +166,72 @@ func (m *mkcert) fileNames(hosts []string) (certFile, keyFile, p12File string) {
return
}

func randomSerialNumber() *big.Int {
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
fatalIfErr(err, "failed to generate serial number")
return serialNumber
}

func (m *mkcert) makeCertFromCSR() {
if m.caKey == nil {
log.Fatalln("ERROR: can't create new certificates because the CA key (rootCA-key.pem) is missing")
}

csrPEMBytes, err := ioutil.ReadFile(m.csrPath)
fatalIfErr(err, "failed to read the CSR")
csrPEM, _ := pem.Decode(csrPEMBytes)
if csrPEM == nil {
log.Fatalln("ERROR: failed to read the CSR: unexpected content")
}
if csrPEM.Type != "CERTIFICATE REQUEST" {
log.Fatalln("ERROR: failed to read the CSR: expected CERTIFICATE REQUEST, got " + csrPEM.Type)
}
csr, err := x509.ParseCertificateRequest(csrPEM.Bytes)
fatalIfErr(err, "failed to parse the CSR")
fatalIfErr(csr.CheckSignature(), "invalid CSR signature")

tpl := &x509.Certificate{
SerialNumber: randomSerialNumber(),
Subject: csr.Subject,
ExtraExtensions: csr.Extensions, // includes requested SANs

NotAfter: time.Now().AddDate(10, 0, 0),
NotBefore: time.Now(),

KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,

// If the CSR does not request a SAN extension, fix it up for them as
// the Common Name field does not work in modern browsers. Otherwise,
// this will get overridden.
DNSNames: []string{csr.Subject.CommonName},
}

cert, err := x509.CreateCertificate(rand.Reader, tpl, m.caCert, csr.PublicKey, m.caKey)
fatalIfErr(err, "failed to generate certificate")

var hosts []string
hosts = append(hosts, csr.DNSNames...)
hosts = append(hosts, csr.EmailAddresses...)
for _, ip := range csr.IPAddresses {
hosts = append(hosts, ip.String())
}
if len(hosts) == 0 {
hosts = []string{csr.Subject.CommonName}
}
certFile, _, _ := m.fileNames(hosts)

err = ioutil.WriteFile(certFile, pem.EncodeToMemory(
&pem.Block{Type: "CERTIFICATE", Bytes: cert}), 0644)
fatalIfErr(err, "failed to save certificate")

m.printHosts(hosts)

log.Printf("\nThe certificate is at \"%s\"\n\n", certFile)
}

// loadCA will load or create the CA at CAROOT.
func (m *mkcert) loadCA() {
if _, err := os.Stat(filepath.Join(m.CAROOT, rootName)); os.IsNotExist(err) {
Expand Down Expand Up @@ -202,10 +268,6 @@ func (m *mkcert) newCA() {
fatalIfErr(err, "failed to generate the CA key")
pub := priv.(crypto.Signer).Public()

serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
fatalIfErr(err, "failed to generate serial number")

spkiASN1, err := x509.MarshalPKIXPublicKey(pub)
fatalIfErr(err, "failed to encode public key")

Expand All @@ -219,7 +281,7 @@ func (m *mkcert) newCA() {
skid := sha1.Sum(spki.SubjectPublicKey.Bytes)

tpl := &x509.Certificate{
SerialNumber: serialNumber,
SerialNumber: randomSerialNumber(),
Subject: pkix.Name{
Organization: []string{"mkcert development CA"},
OrganizationalUnit: []string{userAndHostname},
Expand Down
19 changes: 18 additions & 1 deletion main.go
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,10 @@ const advancedUsage = `Advanced options:
Generate a ".p12" PKCS #12 file, also know as a ".pfx" file,
containing certificate and key for legacy applications.
-csr CSR
Generate a certificate based on the supplied CSR. Conflicts with
all other flags and arguments except -install and -cert-file.
-CAROOT
Print the CA certificate and key storage location.
Expand All @@ -79,6 +83,7 @@ func main() {
clientFlag = flag.Bool("client", false, "")
helpFlag = flag.Bool("help", false, "")
carootFlag = flag.Bool("CAROOT", false, "")
csrFlag = flag.String("csr", "", "")
certFileFlag = flag.String("cert-file", "", "")
keyFileFlag = flag.String("key-file", "", "")
p12FileFlag = flag.String("p12-file", "", "")
Expand All @@ -103,8 +108,14 @@ func main() {
if *installFlag && *uninstallFlag {
log.Fatalln("ERROR: you can't set -install and -uninstall at the same time")
}
if *csrFlag != "" && (*pkcs12Flag || *ecdsaFlag || *clientFlag) {
log.Fatalln("ERROR: can only combine -csr with -install and -cert-file")
}
if *csrFlag != "" && flag.NArg() != 0 {
log.Fatalln("ERROR: can't specify extra arguments when using -csr")
}
(&mkcert{
installMode: *installFlag, uninstallMode: *uninstallFlag,
installMode: *installFlag, uninstallMode: *uninstallFlag, csrPath: *csrFlag,
pkcs12: *pkcs12Flag, ecdsa: *ecdsaFlag, client: *clientFlag,
certFile: *certFileFlag, keyFile: *keyFileFlag, p12File: *p12FileFlag,
}).Run(flag.Args())
Expand All @@ -117,6 +128,7 @@ type mkcert struct {
installMode, uninstallMode bool
pkcs12, ecdsa, client bool
keyFile, certFile, p12File string
csrPath string

CAROOT string
caCert *x509.Certificate
Expand Down Expand Up @@ -163,6 +175,11 @@ func (m *mkcert) Run(args []string) {
}
}

if m.csrPath != "" {
m.makeCertFromCSR()
return
}

if len(args) == 0 {
flag.Usage()
return
Expand Down

0 comments on commit 99e15e2

Please sign in to comment.