hellojukay · August 27, 2020 10:18
diff --git a/Certificates.go b/Certificates.go
 package main

 import (
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
 	"fmt"
 	"math/big"
 	"net"
 	"os"
 	"time"
 )

 func genCert(template, parent *x509.Certificate, publicKey *rsa.PublicKey, privateKey *rsa.PrivateKey) (*x509.Certificate, []byte) {
 	certBytes, err := x509.CreateCertificate(rand.Reader, template, parent, publicKey, privateKey)
 	if err != nil {
 		panic("Failed to create certificate:" + err.Error())
 	}

 	cert, err := x509.ParseCertificate(certBytes)
 	if err != nil {
 		panic("Failed to parse certificate:" + err.Error())
 	}

 	b := pem.Block{Type: "CERTIFICATE", Bytes: certBytes}
 	certPEM := pem.EncodeToMemory(&b)

 	return cert, certPEM
 }

 func GenCARoot() (*x509.Certificate, []byte, *rsa.PrivateKey) {
 	if _, err := os.Stat("someFile"); err == nil {
 		//read PEM and cert from file
 	}
 	var rootTemplate = x509.Certificate{
 		SerialNumber: big.NewInt(1),
 		Subject: pkix.Name{
 			Country:      []string{"SE"},
 			Organization: []string{"Company Co."},
 			CommonName:   "Root CA",
 		},
 		NotBefore:             time.Now().Add(-10 * time.Second),
 		NotAfter:              time.Now().AddDate(10, 0, 0),
 		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 		BasicConstraintsValid: true,
 		IsCA:                  true,
 		MaxPathLen:            2,
 		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
 	}
 	priv, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
 		panic(err)
 	}
 	rootCert, rootPEM := genCert(&rootTemplate, &rootTemplate, &priv.PublicKey, priv)
 	return rootCert, rootPEM, priv
 }

 func GenDCA(RootCert *x509.Certificate, RootKey *rsa.PrivateKey) (*x509.Certificate, []byte, *rsa.PrivateKey) {
 	priv, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
 		panic(err)
 	}

 	var DCATemplate = x509.Certificate{
 		SerialNumber: big.NewInt(1),
 		Subject: pkix.Name{
 			Country:      []string{"SE"},
 			Organization: []string{"Company Co."},
 			CommonName:   "DCA",
 		},
 		NotBefore:             time.Now().Add(-10 * time.Second),
 		NotAfter:              time.Now().AddDate(10, 0, 0),
 		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 		BasicConstraintsValid: true,
 		IsCA:                  true,
 		MaxPathLenZero:        false,
 		MaxPathLen:            1,
 		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
 	}
 	DCACert, DCAPEM := genCert(&DCATemplate, RootCert, &priv.PublicKey, RootKey)
 	return DCACert, DCAPEM, priv
 }

 func GenServerCert(DCACert *x509.Certificate, DCAKey *rsa.PrivateKey) (*x509.Certificate, []byte, *rsa.PrivateKey) {
 	priv, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
 		panic(err)
 	}

 	var ServerTemplate = x509.Certificate{
 		SerialNumber:   big.NewInt(1),
 		NotBefore:      time.Now().Add(-10 * time.Second),
 		NotAfter:       time.Now().AddDate(10, 0, 0),
 		KeyUsage:       x509.KeyUsageCRLSign,
 		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 		IsCA:           false,
 		MaxPathLenZero: true,
 		IPAddresses:    []net.IP{net.ParseIP("127.0.0.1")},
 	}

 	ServerCert, ServerPEM := genCert(&ServerTemplate, DCACert, &priv.PublicKey, DCAKey)
 	return ServerCert, ServerPEM, priv

 }

 func main() {
 	rootCert, rootCertPEM, rootKey := GenCARoot()
 	fmt.Println("rootCert\n", string(rootCertPEM))
 	DCACert, DCACertPEM, DCAKey := GenDCA(rootCert, rootKey)
 	fmt.Println("DCACert\n", string(DCACertPEM))
 	verifyDCA(rootCert, DCACert)
 	ServerCert, ServerPEM, _ := GenServerCert(DCACert, DCAKey)
 	fmt.Println("ServerPEM\n", string(ServerPEM))
 	verifyLow(rootCert, DCACert, ServerCert)
 }

 func verifyDCA(root, dca *x509.Certificate) {
 	roots := x509.NewCertPool()
 	roots.AddCert(root)
 	opts := x509.VerifyOptions{
 		Roots: roots,
 	}

 	if _, err := dca.Verify(opts); err != nil {
 		panic("failed to verify certificate: " + err.Error())
 	}
 	fmt.Println("DCA verified")
 }

 func verifyLow(root, DCA, child *x509.Certificate) {
 	roots := x509.NewCertPool()
 	inter := x509.NewCertPool()
 	roots.AddCert(root)
 	inter.AddCert(DCA)
 	opts := x509.VerifyOptions{
 		Roots:         roots,
 		Intermediates: inter,
 	}

 	if _, err := child.Verify(opts); err != nil {
 		panic("failed to verify certificate: " + err.Error())
 	}
 	fmt.Println("Low Verified")
 }
	package main

	import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"os"
	"time"
	)

	func genCert(template, parent x509.Certificate, publicKey rsa.PublicKey, privateKey rsa.PrivateKey) (x509.Certificate, []byte) {
	certBytes, err := x509.CreateCertificate(rand.Reader, template, parent, publicKey, privateKey)
	if err != nil {
	panic("Failed to create certificate:" + err.Error())
	}

	cert, err := x509.ParseCertificate(certBytes)
	if err != nil {
	panic("Failed to parse certificate:" + err.Error())
	}

	b := pem.Block{Type: "CERTIFICATE", Bytes: certBytes}
	certPEM := pem.EncodeToMemory(&b)

	return cert, certPEM
	}

	func GenCARoot() (x509.Certificate, []byte, rsa.PrivateKey) {
	if _, err := os.Stat("someFile"); err == nil {
	//read PEM and cert from file
	}
	var rootTemplate = x509.Certificate{
	SerialNumber: big.NewInt(1),
	Subject: pkix.Name{
	Country: []string{"SE"},
	Organization: []string{"Company Co."},
	CommonName: "Root CA",
	},
	NotBefore: time.Now().Add(-10 * time.Second),
	NotAfter: time.Now().AddDate(10, 0, 0),
	KeyUsage: x509.KeyUsageCertSign \| x509.KeyUsageCRLSign,
	ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	BasicConstraintsValid: true,
	IsCA: true,
	MaxPathLen: 2,
	IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
	}
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
	panic(err)
	}
	rootCert, rootPEM := genCert(&rootTemplate, &rootTemplate, &priv.PublicKey, priv)
	return rootCert, rootPEM, priv
	}

	func GenDCA(RootCert x509.Certificate, RootKey rsa.PrivateKey) (x509.Certificate, []byte, rsa.PrivateKey) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
	panic(err)
	}

	var DCATemplate = x509.Certificate{
	SerialNumber: big.NewInt(1),
	Subject: pkix.Name{
	Country: []string{"SE"},
	Organization: []string{"Company Co."},
	CommonName: "DCA",
	},
	NotBefore: time.Now().Add(-10 * time.Second),
	NotAfter: time.Now().AddDate(10, 0, 0),
	KeyUsage: x509.KeyUsageCertSign \| x509.KeyUsageCRLSign,
	ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	BasicConstraintsValid: true,
	IsCA: true,
	MaxPathLenZero: false,
	MaxPathLen: 1,
	IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
	}
	DCACert, DCAPEM := genCert(&DCATemplate, RootCert, &priv.PublicKey, RootKey)
	return DCACert, DCAPEM, priv
	}

	func GenServerCert(DCACert x509.Certificate, DCAKey rsa.PrivateKey) (x509.Certificate, []byte, rsa.PrivateKey) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
	panic(err)
	}

	var ServerTemplate = x509.Certificate{
	SerialNumber: big.NewInt(1),
	NotBefore: time.Now().Add(-10 * time.Second),
	NotAfter: time.Now().AddDate(10, 0, 0),
	KeyUsage: x509.KeyUsageCRLSign,
	ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	IsCA: false,
	MaxPathLenZero: true,
	IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
	}

	ServerCert, ServerPEM := genCert(&ServerTemplate, DCACert, &priv.PublicKey, DCAKey)
	return ServerCert, ServerPEM, priv

	}

	func main() {
	rootCert, rootCertPEM, rootKey := GenCARoot()
	fmt.Println("rootCert\n", string(rootCertPEM))
	DCACert, DCACertPEM, DCAKey := GenDCA(rootCert, rootKey)
	fmt.Println("DCACert\n", string(DCACertPEM))
	verifyDCA(rootCert, DCACert)
	ServerCert, ServerPEM, _ := GenServerCert(DCACert, DCAKey)
	fmt.Println("ServerPEM\n", string(ServerPEM))
	verifyLow(rootCert, DCACert, ServerCert)
	}

	func verifyDCA(root, dca *x509.Certificate) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{
	Roots: roots,
	}

	if _, err := dca.Verify(opts); err != nil {
	panic("failed to verify certificate: " + err.Error())
	}
	fmt.Println("DCA verified")
	}

	func verifyLow(root, DCA, child *x509.Certificate) {
	roots := x509.NewCertPool()
	inter := x509.NewCertPool()
	roots.AddCert(root)
	inter.AddCert(DCA)
	opts := x509.VerifyOptions{
	Roots: roots,
	Intermediates: inter,
	}

	if _, err := child.Verify(opts); err != nil {
	panic("failed to verify certificate: " + err.Error())
	}
	fmt.Println("Low Verified")
	}