mirror of https://github.com/status-im/consul.git
Merge pull request #7623 from FriedCircuits/patch-1
Add support for RSA private key to TLS utils.
This commit is contained in:
commit
3fd040be22
|
@ -5,6 +5,7 @@ import (
|
|||
"crypto"
|
||||
"crypto/ecdsa"
|
||||
"crypto/rand"
|
||||
"crypto/rsa"
|
||||
"crypto/sha256"
|
||||
"crypto/x509"
|
||||
"crypto/x509/pkix"
|
||||
|
@ -174,6 +175,7 @@ func GenerateCert(signer crypto.Signer, ca string, sn *big.Int, name string, day
|
|||
func keyID(raw interface{}) ([]byte, error) {
|
||||
switch raw.(type) {
|
||||
case *ecdsa.PublicKey:
|
||||
case *rsa.PublicKey:
|
||||
default:
|
||||
return nil, fmt.Errorf("invalid key type: %T", raw)
|
||||
}
|
||||
|
@ -208,18 +210,7 @@ func parseCert(pemValue string) (*x509.Certificate, error) {
|
|||
// ParseSigner parses a crypto.Signer from a PEM-encoded key. The private key
|
||||
// is expected to be the first block in the PEM value.
|
||||
func ParseSigner(pemValue string) (crypto.Signer, error) {
|
||||
// The _ result below is not an error but the remaining PEM bytes.
|
||||
block, _ := pem.Decode([]byte(pemValue))
|
||||
if block == nil {
|
||||
return nil, fmt.Errorf("no PEM-encoded data found")
|
||||
}
|
||||
|
||||
switch block.Type {
|
||||
case "EC PRIVATE KEY":
|
||||
return x509.ParseECPrivateKey(block.Bytes)
|
||||
default:
|
||||
return nil, fmt.Errorf("unknown PEM block type for signing key: %s", block.Type)
|
||||
}
|
||||
return connect.ParseSigner(pemValue)
|
||||
}
|
||||
|
||||
func Verify(caString, certString, dns string) error {
|
||||
|
|
|
@ -89,6 +89,25 @@ func TestGenerateCA(t *testing.T) {
|
|||
require.WithinDuration(t, cert.NotAfter, time.Now().AddDate(0, 0, 365), time.Minute)
|
||||
|
||||
require.Equal(t, x509.KeyUsageCertSign|x509.KeyUsageCRLSign|x509.KeyUsageDigitalSignature, cert.KeyUsage)
|
||||
|
||||
// Test what happens with a correct RSA Key
|
||||
s, err = rsa.GenerateKey(rand.Reader, 2048)
|
||||
require.Nil(t, err)
|
||||
ca, err = GenerateCA(s, sn, 365, nil)
|
||||
require.Nil(t, err)
|
||||
require.NotEmpty(t, ca)
|
||||
|
||||
cert, err = parseCert(ca)
|
||||
require.Nil(t, err)
|
||||
require.Equal(t, fmt.Sprintf("Consul Agent CA %d", sn), cert.Subject.CommonName)
|
||||
require.Equal(t, true, cert.IsCA)
|
||||
require.Equal(t, true, cert.BasicConstraintsValid)
|
||||
|
||||
require.WithinDuration(t, cert.NotBefore, time.Now(), time.Minute)
|
||||
require.WithinDuration(t, cert.NotAfter, time.Now().AddDate(0, 0, 365), time.Minute)
|
||||
|
||||
require.Equal(t, x509.KeyUsageCertSign|x509.KeyUsageCRLSign|x509.KeyUsageDigitalSignature, cert.KeyUsage)
|
||||
|
||||
}
|
||||
|
||||
func TestGenerateCert(t *testing.T) {
|
||||
|
|
Loading…
Reference in New Issue